
WannaCry: All about WannaCry


Malicious software or "ransomware" has been used in a massive hacking attack, affecting tens of thousands of computers worldwide.

Software security companies said a ransomware worm called "WannaCry" infected about 57,000 computer systems in 99 countries on Friday, with Russia, Ukraine, and Taiwan being the top targets.
The hack forced British hospitals to turn away patients, affected Spanish companies such as Telefonica, and threw other government agencies and businesses into chaos.
How it works:
WannaCry is a form of ransomware that locks up files on your computer and encrypts them in a way that you cannot access them anymore.
It targets Microsoft's widely used Windows operating system.
When a system is infected, a pop-up window appears with instructions on how to pay a ransom amount of $300.
The pop-up also features two countdown clocks; one showing a three-day deadline before the ransom amount doubles to $600; another showing a deadline of when the target will lose its data forever.
Payment is only accepted in bitcoin.
The ransomware's name is WCry, but analysts are also using variants such as WannaCry.
A hacking group called Shadow Brokers released the malware in April, claiming to have obtained the flaw from the US National Security Agency (NSA), according to cyber-security providers.
How it spreads:
Ransomware is a programme that gets onto your computer when you click on or download malicious files. It then holds your data to ransom.
Some security researchers say the infections in the case of WannaCry seem to be deployed via a worm, spreading by itself within a network rather than relying on humans to spread it by clicking on an infected attachment.
The programme encrypts your files and demands payment in order to regain access.
Security experts warn there is no guarantee that access will be granted after payment.
Some forms of ransomware execute programmes that can lock your computer entirely, only showing a message to make payment in order to log in again.
Others create pop-ups that are difficult or impossible to close, rendering the machine difficult or impossible to use.
WannaCry 'kill switch'
On Saturday, a cybersecurity researcher told AFP news agency that he had discovered a "kill switch" that can prevent the spread of WannaCry.
The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.
Unfortunately, computers already affected will not be helped by the solution.
@MalwareTechBlog warned that the "crisis isn't over" as those behind it "can always change the code and try again".
"I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental," @MalwareTechBlog tweeted.
"So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again."
Protection of your data from WannaCry:
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2
Identify and terminate files detected as RANSOM_WANA.A

Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may need to download the said tool first.

If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode (refer to Microsoft's documentation for the complete steps).

If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue with the next steps.

Step 3
Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask for assistance from your system administrator. Otherwise, check the relevant Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE
WanaCrypt0r

Step 4
Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask for assistance from your system administrator. Otherwise, check the relevant Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\WanaCrypt0r
wd = "%ProgramData%\{random}"

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random} = "%ProgramData%\{random}\tasksche.exe"

Step 5
Search and delete these folders

Please make sure you check the "Search Hidden Files and Folders" checkbox under "More advanced options" to include all hidden folders in the search result.

%ProgramData%\{random}
%ProgramData%\{random}\msg
%ProgramData%\{random}\TaskData
%ProgramData%\{random}\TaskData\Data
%ProgramData%\{random}\TaskData\Data\Tor
%ProgramData%\{random}\TaskData\Tor
%All User Profile%\{random}\msg
%All User Profile%\{random}\TaskData
%All User Profile%\{random}\TaskData\Data
%All User Profile%\{random}\TaskData\Data\Tor
%All User Profile%\{random}\TaskData\Tor

Step 6
Search and delete these files

There may be some files that are hidden. Please make sure you check the "Search Hidden Files and Folders" checkbox under "More advanced options" to include all hidden files and folders in the search result.

{folder of encrypted files}\@WanaDecryptor@.exe.lnk
{folder of encrypted files}\@Please_Read_Me@.txt
{folder of encrypted files}\@WanaDecryptor@.exe
%User Temp%\{number}.WNCRYT temporary files
%Desktop%\@Please_Read_Me@.txt
%Desktop%\@WanaDecryptor@.bmp
%Desktop%\@WanaDecryptor@.exe

Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as RANSOM_WANA.A.

Step 8
Reset your Desktop properties

Step 9
Restore encrypted files from backup.

Step 10
Scan your computer with AV to delete files detected as RANSOM_WANA.A.
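As an added example (not part of the original post, and not Trend Micro's or any vendor's tooling), the PowerShell script below audits a Windows host for the registry keys, Run entries, process, folders and files named in Steps 2 to 6 and reports what it finds; only with the -Remove switch does it also terminate and delete them, so it can be run first in report-only mode. Two things are assumptions of my own rather than from the post: because the {random} folder name cannot be known in advance, dropper folders under %ProgramData% are recognised by the tasksche.exe and TaskData contents the post lists, and the -ScanRoots parameter (default: the user profile, which contains the Desktop and user Temp) stands in for the "{folder of encrypted files}" locations. It deletes only the temporary .WNCRYT files the post lists, never the encrypted data itself, which Step 9 restores from backup.

```powershell
<#
  Added example: audit (and optionally clean) the WannaCry artefacts named in
  Steps 2-6 of the post. Report-only unless -Remove is given.
  Run from an elevated PowerShell prompt.
  Assumption: {random} is unknown, so %ProgramData% folders are matched by
  their contents (tasksche.exe / TaskData), not by name.
#>
[CmdletBinding()]
param(
    [switch]$Remove,                                   # delete/terminate instead of just reporting
    [string[]]$ScanRoots = @($env:USERPROFILE)         # assumed stand-in for "{folder of encrypted files}"
)

$findings = New-Object System.Collections.Generic.List[string]

# --- Steps 3 and 4: registry keys created by the malware ---
$regKeys = @(
    'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\WanaCrypt0r',   # Step 3
    'HKCU:\Software\WanaCrypt0r'                                          # Step 4 (holds the "wd" value)
)
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("Registry key present: $key")
        if ($Remove) { Remove-Item -LiteralPath $key -Recurse -Force }
    }
}

# --- Step 4: Run entry whose command points at the dropped tasksche.exe ---
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'tasksche\.exe') {
            $findings.Add("Run entry '$($prop.Name)' -> $($prop.Value)")
            if ($Remove) { Remove-ItemProperty -LiteralPath $runKey -Name $prop.Name -Force }
        }
    }
}

# --- Step 2: running copies of tasksche.exe or the decryptor binary ---
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ((Split-Path $_.Path -Leaf) -in @('tasksche.exe', '@WanaDecryptor@.exe')) } |
    ForEach-Object {
        $findings.Add("Process running: $($_.Path) (PID $($_.Id))")
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }

# --- Step 5: %ProgramData%\{random} dropper folder, recognised by its contents ---
Get-ChildItem -LiteralPath $env:ProgramData -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (Test-Path -LiteralPath (Join-Path $_.FullName 'tasksche.exe')) -or
        (Test-Path -LiteralPath (Join-Path $_.FullName 'TaskData'))
    } |
    ForEach-Object {
        $findings.Add("Dropper folder: $($_.FullName)")
        if ($Remove) { Remove-Item -LiteralPath $_.FullName -Recurse -Force }
    }

# --- Step 6: ransom note, decryptor, wallpaper, shortcut and .WNCRYT temp files ---
# Only the exact names from the post are matched; encrypted user files are left alone.
$artefactNames = @('@WanaDecryptor@.exe', '@WanaDecryptor@.exe.lnk',
                   '@WanaDecryptor@.bmp', '@Please_Read_Me@.txt')
foreach ($root in $ScanRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($artefactNames -contains $_.Name) -or ($_.Extension -ieq '.WNCRYT') } |
        ForEach-Object {
            $findings.Add("Artefact file: $($_.FullName)")
            if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WannaCry artefacts from the post were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if (-not $Remove) { Write-Output 'Report only; rerun with -Remove to clean up.' }
}
```

Run it once without -Remove and keep the report: it is the list you will want when confirming the Step 7 and Step 10 scans come back clean, and when deciding which folders of encrypted files need restoring in Step 9.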


