2017-05-18

WannaCry Ransomware: Interesting Facts

Ransom (huge money) + Ware => Ransomware

As the name suggests, it is software written with the motive of extracting a large sum of money (the ransom) from the victim.

The way it works is very simple. The moment it is executed, either accidentally or automatically, it encrypts certain kinds of files, such as Word documents and Excel files (read on for the complete list of file types). The clever part of WannaCry is that it looks for uninfected computers, copies itself to them, and immediately activates itself there. It then demands that the user deposit a large sum of money, from $300 to $600, into a Bitcoin account (Bitcoin is a form of currency that is not regulated by the government of any country; it is run entirely by individuals on the internet). Side note: please don't compare this with your Paytm wallet or Airtel Money; it is nothing like them.

The worst part of this mess is that the hackers, the WannaCry team, are not obliged to send the decryption key to the individual even after the victim pays the ransom.

As of this writing (18th May 2017) the hackers are reported to have made $26,000.

Current value of 1 bitcoin as of 18th May 2017: $1808.20

What files / file types are encrypted?

These are primarily data files, including private keys, OpenOffice documents and PDF documents:

    .der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw,
    .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif,
    .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql,
    .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd,
    .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3,
    .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf,
    .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg,
    .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso,
    .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm,
    .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt,
    .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx,
    .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb,
    .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc

Where it originated

The National Security Agency (NSA) creates lots of special programs called exploits that target various vulnerabilities. It builds them in the name of defensive security, to defend America. In late 2016 a group of hackers called the Shadow Brokers stole these kinds of tools, along with other security tools owned by the Equation Group (closely associated with the NSA), and released them, which is what this WannaCry is built on.

An exploit is a special computer program or procedure designed to take advantage of a particular error or security vulnerability in a computer or network. They are written by highly skilled programmers around the world.

WannaCry also uses one such exploit, targeting an SMB vulnerability.

Will it affect my computer?

It will affect only:

  • Windows computers that have SMB (the Samba service) enabled.
  • The computer must also have the particular vulnerability known as MS17-010 or ETERNALBLUE, i.e. it has not been updated with the security patch provided by Microsoft.

It will not affect:

  • Linux-based computers.
  • Mac OS X-based computers.

How to protect your computer from this havoc?

  • Do not download any attachments that you receive from unknown people.
  • Do not download files or software from websites that you don't trust.
  • Update your computer with the security patch provided by Microsoft.
  • Disable the SMB (Samba) service on your Windows computer.

SMB or Samba Service Vulnerability

There is a flaw in the SMB service implementation that allows remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

How to Disable Windows SMB Service (SMBv1)

For customers running Windows 8.1 or Windows Server 2012 R2 and later:

For client operating systems: Open Control Panel, click Programs, and then click Turn Windows features on or off. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window. Restart the system.

For customers using a Windows Server edition, or a Windows operating system as their server:

Open Server Manager and then click the Manage menu and select Remove Roles and Features. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window. Restart the system.

To re-enable the SMB service

Select the SMB1.0/CIFS File Sharing Support check box to restore the SMB1.0/CIFS File Sharing Support feature to an active state.
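The same check and removal can be done from an elevated PowerShell prompt instead of the GUI. This is an added example, not from the original post or from Microsoft's documentation; it assumes Windows 8.1 / Server 2012 R2 or later, and the MS17-010 KB number is a placeholder you must replace with the one for your OS build.

```powershell
# Audit SMBv1 and the MS17-010 patch state; pass -Disable to actually turn SMBv1 off.
# Run from an elevated PowerShell prompt. A restart is still required afterwards.
[CmdletBinding()]
param(
    [switch]$Disable,
    # Placeholder: put the MS17-010 KB number for this OS build here.
    [string]$Ms17010Kb = 'KBNNNNNNN'
)

# ProductType 1 = workstation; 2 and 3 are domain controller / server.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

# 1. Is the SMB1 protocol still enabled on the server side of the SMB stack?
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled : $smb1Enabled"

# 2. Is the SMB1.0/CIFS File Sharing Support feature installed?
if ($isServer) {
    $featureInstalled = (Get-WindowsFeature -Name FS-SMB1).Installed
} else {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    $featureInstalled = ($state -eq 'Enabled')
}
Write-Host "SMB1.0/CIFS feature installed  : $featureInstalled"

# 3. Is the MS17-010 patch present? (Absent KB => still vulnerable to ETERNALBLUE.)
$patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)
Write-Host "MS17-010 patch ($Ms17010Kb) installed : $patched"

if (-not $Disable) {
    Write-Host 'Report only. Re-run with -Disable to turn SMBv1 off.'
    return
}

# Turn the protocol off in the running SMB server first, then remove the feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if ($isServer) {
    Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false | Out-Null
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
Write-Host 'SMBv1 disabled; restart the system to complete the change.'
```

Disabling SMBv1 blocks the ETERNALBLUE path but does not replace the patch; keep both checks green.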

For how long should I worry about this ransomware attack?

This ransomware (WannaCry) started on Friday 12th May 2017 and was spreading with the following curious technique built in.

It checked for a particular strange and peculiar domain name (website name), iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and if that domain name was found it stopped spreading.

This was found accidentally by a security expert, who registered the domain name without fully realizing it would actually stop the spread of the ransomware. To his own surprise there was a massive number of DNS queries (domain-name lookups for that particular domain), and the spread of the ransomware stopped as well. Since this incident the spread of this ransomware has stopped. But what I don't understand is why so many false messages are floating around on WhatsApp.


So the spreading of the ransomware was deactivated by 12th May 2017.
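The kill-switch lookups are also useful to a defender: any host that queried that domain has already run the WannaCry dropper, and a successful lookup only stops it spreading from that host, it does not make the host clean. Added example, not from the original post; the log lines are a constructed sample in BIND-style query-log format and the helper name is my own.

```powershell
# Find hosts that looked up the WannaCry kill-switch domain in a DNS query log.
# Each such host executed the dropper and should be isolated and cleaned.
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Get-KillSwitchLookups {
    param([string[]]$LogLines)
    # Expected line shape: "... client <ip>#<port>: query: <name> IN <type> ..."
    $pattern = 'client (?<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?query: (?<name>\S+) IN (?<qtype>\S+)'
    $hits = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            # Normalise: DNS names are case-insensitive and may carry a trailing dot.
            $name = $Matches['name'].ToLower().TrimEnd('.')
            if ($name -eq $KillSwitchDomain -or $name.EndsWith(".$KillSwitchDomain")) {
                $ip = $Matches['ip']
                $hits[$ip] = 1 + [int]$hits[$ip]   # missing key casts to 0
            }
        }
    }
    return $hits
}

# Constructed sample log (not real data): two clients hit the kill switch.
$sampleLog = @(
    '12-May-2017 09:01:13.112 client 10.0.5.23#51234: query: www.example.com IN A + (10.0.0.2)',
    '12-May-2017 09:01:14.540 client 10.0.5.23#51240: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)',
    '12-May-2017 09:01:15.003 client 10.0.7.101#49802: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.2)',
    '12-May-2017 09:01:16.777 client 10.0.7.101#49803: query: update.microsoft.com IN AAAA + (10.0.0.2)',
    '12-May-2017 09:01:17.001 client 10.0.5.23#51241: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)'
)

$result = Get-KillSwitchLookups -LogLines $sampleLog
foreach ($ip in ($result.Keys | Sort-Object)) {
    '{0}: {1} kill-switch lookup(s) -> isolate and clean this host' -f $ip, $result[$ip]
}
```

On the sample above this reports 10.0.5.23 with 2 lookups and 10.0.7.101 with 1; feed it real resolver logs to get the list of hosts that need cleaning.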

But who knows, hackers may even reincarnate this WannaCry and spread it in a different form. So far no such incident has been reported.

Luckily, Indian Govt. organisation computers are prehistoric in nature, running Jurassic Age operating systems, so none of them were infected, or at least none were reported.

Side Note:

After a long time I am writing this post, because so much fake news is being spread on WhatsApp, the internet and email about the fear of ransomware. Most often it is false news spread for such mean reasons that I can't digest it. Hence I thought, why don't I share with you guys what I know.

Citations / References

WannaCry detailed video from Computerphile

Talos detailed writeup

Blog from MalwareTech

Disable SMBv1 Service on Windows & Windows Server

Security Patches for MS17-010 ETERNALBLUE vulnerability