After a late-night viewing of “Bahubali 2”, I woke up to find the Twitter world filled with buzz about the new WannaCry ransomware. Being new to web application security, I wasn’t too familiar with malware, but as a few friends and Poojara sir reached out asking me to check whether their PCs were infected, I dove into research mode and ended up putting together this FAQ-style write-up. My intention is to spread awareness about its potential dangers.

What is WannaCry? Which systems does it infect?

WannaCry is a malicious software (malware) that infected computers running Microsoft Windows operating systems and encrypted users’ files, making them inaccessible. The malware then demanded payment in the form of Bitcoin in exchange for the decryption of the files.

Who has been infected by WannaCry so far?


List of affected countries (May 14, 2017)

What are a worm and ransomware?

A computer worm is a self-replicating computer program that penetrates an operating system with the intent of spreading malicious code.

Ransomware is a sophisticated kind of worm that blocks the victim’s access to their own files; the only way to regain access is to pay a ransom. Technically, it encrypts your files and folders with strong encryption that cannot practically be broken without the attacker’s key.

Is WannaCry the first ransomware attack? Has the industry faced anything like it before?

WannaCry is not the first ransomware to have appeared; the first instances of this type of malware were observed in mid-2005. Since then, encryption schemes have become more sophisticated and widespread. Prior to WannaCry in May 2017, the Cerber ransomware caused damage to millions of systems through the direct installation and execution of files. That attack also affected many people at my college, RIT.


Who created the WannaCry ransomware?

On April 20, the whistleblower group the Shadow Brokers leaked an NSA zero-day exploit for Server Message Block (SMB) called EternalBlue. Server Message Block provides shared access to file systems, printers and serial ports for communication between machines. For example, your nearest ATM may share access with other ATMs over this SMB protocol. The exploit achieves remote code execution through SMB, giving access to a victim’s system without a password or any special software installation. Many researchers have asserted that WannaCry uses the same exploit with some additional offensive capabilities.

No hacking group has claimed the attack yet, so the creators of WannaCry remain anonymous, and there is no way to trace them, as they are paid in Bitcoin and operate their data nodes through the Tor network.

How much ransom do they want?

$300. There is a warning that the price will double if the amount isn’t paid within 24 hours. Law enforcement officials have discouraged people from paying these ransoms, although $60,000 had already been paid at the time I was writing this post.

Why do attackers use Bitcoin as the payment method?

The creators of WannaCry chose to use Bitcoin as the method of payment for the ransom because it offers a level of anonymity. Bitcoin is a cryptocurrency and digital payment system that operates like a stock market, with daily trades. All Bitcoin transactions are publicly recorded on the network, but the identity of the person behind an address remains undisclosed. This makes Bitcoin a favored payment option for those who wish to conceal their identity.


How many versions of WannaCry are there currently?

There are two versions of WannaCry spreading over the internet:

  • WannaCrypt 1.0 (with kill switch)
  • WannaCrypt 2.0 (without kill switch)

What is a kill switch in system security?

A kill switch in system security is a mechanism designed to halt the spread of malware or viruses. When activated, a kill switch terminates the malware’s malicious activity, preventing it from propagating to other systems or compromising additional data. The purpose of a kill switch is to limit the damage caused by a security breach and to give security experts time to analyze and neutralize the threat. The implementation varies, but it is typically triggered by specific code or by a change in a specific system variable. By deploying a kill switch, organizations can minimize the impact of a security breach and reduce the risk of widespread damage.

In WannaCry 1.0, the kill switch was a domain name hard-coded into the malware that, once registered, prevented the malware from propagating and encrypting files on infected computers.


A 22-year-old security researcher from Britain found the kill switch while he was on vacation. He registered the domain name for $10 and “accidentally” stopped WannaCry 1.0. The next day, however, the anonymous creators came up with version 2.0 with no kill switch (so far), so it is spreading unchecked.

How does WannaCry propagate?

Generally in two ways:

  • Through human interaction: for example, you download an executable file (.exe) and grant it permission to install. Commonly, many of us download game cracks or software activators from the internet; in such cases you might get ransomware instead of a crack, and it is triggered on installation. Another way is phishing emails: many email providers block .exe attachments, so propagators usually send a .doc file containing a CSV injection vulnerability, or a .js file that executes JavaScript to download the .exe onto your system.

  • Through open ports (without interaction): as mentioned above, the exploit gives remote code execution, and WannaCry is also a self-replicating worm that spreads from one infected computer to others on the same network. If you have any of these ports (445/137/138/139) open, you are likely in danger!


How do I know whether I’m affected?

There are several ways to detect it but, in short, if your Windows wallpaper hasn’t changed to something like this, you are probably not yet affected. ;) WannaCry commonly changes the wallpaper to this as its first stage.


What should I do to protect my system from WannaCry?

There are several preventive measures you can take:

  • Stop installing untrusted executable files

  • Install antivirus software and scan your PC for viruses

  • Close open ports:

    • Open the Run dialog (WIN+R), type “optionalfeatures” and hit return
    • In Windows Features, uncheck “SMB 1.0/CIFS File Sharing Support”

  • Update your Windows operating system: you can also download and install the latest SMB patch from Microsoft, the MS17-010 update. Microsoft has already ended XP/Vista support, so if you are still using those versions, make sure to upgrade your operating system.

  • Leave Windows and start using Linux, no kidding!
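The “close open ports” and “update” steps above can be audited and applied from an elevated PowerShell session instead of the GUI. This is an added example, not code from the original post; it assumes Windows 8.1/10 or Server 2012 R2 or later (the Get-Net* and Get-Smb* cmdlets), and the MS17-010 hotfix ID differs per Windows version, so KB_PLACEHOLDER is a placeholder you must replace with the KB number Microsoft lists for your build.

```powershell
# Added example (not from the original post): audit the SMB exposure described
# above and, with -Remediate, disable SMBv1 the way the "optionalfeatures" step does.
# Assumes an elevated shell on Windows 8.1/10 or Server 2012 R2+.
param([switch]$Remediate)

$SmbPorts = 445, 139, 138, 137   # the ports the post names as the worm's entry points

# 1. Is anything listening on the SMB/NetBIOS ports?
$tcpListeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $SmbPorts -contains $_.LocalPort }
$udpListeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $SmbPorts -contains $_.LocalPort }
foreach ($l in $tcpListeners) { Write-Output ("TCP {0} listening on {1}" -f $l.LocalPort, $l.LocalAddress) }
foreach ($l in $udpListeners) { Write-Output ("UDP {0} bound on {1}" -f $l.LocalPort, $l.LocalAddress) }

# 2. Is the SMBv1 server protocol (the one the EternalBlue/MS17-010 bug lives in) enabled?
$smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Output ("SMBv1 server enabled: {0}" -f $smb1Server)

# 3. Is the optional feature the post tells you to untick still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Output ("SMB1Protocol feature state: {0}" -f $feature.State)

# 4. Is the MS17-010 hotfix present? KB_PLACEHOLDER must be replaced with the
#    KB number Microsoft lists for this Windows version (it is not on the page).
$kb = 'KB_PLACEHOLDER'
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
Write-Output ("MS17-010 hotfix {0} installed: {1}" -f $kb, $patched)

if ($Remediate) {
    # Same effect as unticking "SMB 1.0/CIFS File Sharing Support" in optionalfeatures.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    # Also block the worm's inbound ports at the host firewall.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry)' -Direction Inbound `
        -Protocol TCP -LocalPort 445,139 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (WannaCry)' -Direction Inbound `
        -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null
    Write-Output 'SMBv1 disabled and inbound SMB/NetBIOS ports blocked; reboot to finish.'
}
```

Run it once without arguments to see the current state, then again with -Remediate; disabling the SMB1Protocol feature requires a reboot before it is fully gone.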

Why does this only attack Windows? Why not Mac or Linux?

Because of some key technical differences:

  • Privileges: Windows is based on direct execution with equal privileges. On the other hand, Linux and Mac (based on UNIX) can apply different user types to each execution, so you can probably say these operating systems are safer than Windows.
  • Package Managers and Software Repositories: When you want to install a new program on your Windows desktop, you head to Google and search for the program. When you want to install most programs on Linux, you open your package manager and download it from your Linux distribution’s software repositories. These repositories contain trusted software that has been vetted by your Linux distribution – users aren’t in the habit of downloading and running arbitrary software.

In conclusion, with new attacks, loopholes, and zero-day vulnerabilities emerging every day, it is becoming increasingly important to secure your Windows system. The open source community is here to help, and we encourage you to join the RIT Linux Academy to learn about Linux and enhance your cybersecurity knowledge. Take control of your own security and protect your valuable data. Join us and become a part of the open source movement!

We are happy to help you change your OS to Linux; contact any member of our academy!

Linux is safer, Linux is future!