If you take a moment to think about the big cyber-attacks of recent times, you will certainly come up with the term “WannaCry ransomware”, provided you have heard of this outbreak. If you are not already acquainted with this malware, here is a short introduction to the event.
One Friday, this biggest ransomware attack hit organizations everywhere, impacting more than 150 countries. It shut down a good part of Britain’s National Health Service and earned the attackers $55,000 in bitcoin. As a result, the wave of attacks ranks as one of the most prominent cyber events in history. WannaCry is one of the most important malware events seen to date, but it will not be the last to pose a systemic risk to the global economy. Once a machine is infected, the encrypted files carry the file extension .WNCRYT. Victims’ computers then display the following message with a demand for $300 to decrypt the files.
Who Were the Targeted Victims?
This attack, known as ‘WannaCry’, is a ransomware family targeting the Microsoft Windows operating system.
The initial infection vector is unclear, but an aggressive worm component spreads the ransomware. Microsoft had released a critical patch on March 14 that removes the underlying vulnerability in supported versions of Windows, but many organizations had not yet applied it.
For example, computers running unsupported versions of Windows (Windows XP, Windows Server 2003) did not have a patch available at the time, but Microsoft released a security patch for Windows XP and Windows Server 2003 over the weekend.
The point is that with MS17-010, an attacker needs only one exploit to gain remote access with system privileges: both steps (remote code execution and local privilege escalation) are achieved through a single bug in the SMB protocol implementation. Because the attacker gains control of a victim’s PC with system privileges remotely and without any user action, controlling one system inside a local network is enough to spread the malware to every Windows system on that network that has not been patched for MS17-010.
How Did It Slow Down?
The good news is that “WannaCry” is slowing down, and the chance of more machines becoming infected has been greatly reduced. You can thank a 22-year-old British cybersecurity researcher for that, who used his self-assembled IT hub to locate the ransomware’s “kill switch.”
So what exactly is this “kill switch”, and how did he find it? First, the researcher obtained a sample of the WannaCry malware from a friend. Analyzing the sample in his IT hub, he found the “kill switch”: he realized that the malware was checking an unregistered domain, a URL at which there was no website. The researcher registered the domain and thereby prevented the ransomware from spreading to any new computers from then on.
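As an added illustration (not part of the original article), here is the defender’s side of the kill switch: because an infected host looks up the kill-switch domain before deciding whether to run, any DNS client that queries that domain has already executed the malware, even if the registered domain stopped the encryption. The Python script below scans constructed BIND-style query-log lines for such lookups; the domain name and log format are placeholders, since the article names neither.

```python
import re
from collections import defaultdict

# Placeholder for the registered (sinkholed) kill-switch domain; the real one is not named here.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Constructed sample DNS query-log lines (BIND-style format assumed), not real data.
SAMPLE_DNS_LOG = """\
17-May-2017 09:14:02.113 client 10.0.1.15#52311: query: killswitch.example.invalid IN A + (10.0.0.53)
17-May-2017 09:14:02.500 client 10.0.1.15#52312: query: www.example.com IN A + (10.0.0.53)
17-May-2017 09:15:47.004 client 10.0.2.88#61001: query: KILLSWITCH.EXAMPLE.INVALID IN A + (10.0.0.53)
17-May-2017 09:16:10.771 client 10.0.3.7#40022: query: updates.example.org IN AAAA + (10.0.0.53)
17-May-2017 09:20:01.222 client 10.0.1.15#52399: query: killswitch.example.invalid IN A + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_dns_log(text):
    """Yield one dict per well-formed query-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [timestamps]} for every host that resolved the kill-switch domain.

    Matching is case-insensitive and ignores a trailing dot, since resolvers log both forms.
    """
    hits = defaultdict(list)
    for rec in parse_dns_log(text):
        if rec["qname"].rstrip(".").lower() == domain.lower():
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


def triage_report(hits):
    """One line per host: these machines ran the malware and still need isolation and MS17-010."""
    return [f"{ip}: {len(ts)} lookup(s), first seen {ts[0]}" for ip, ts in sorted(hits.items())]


if __name__ == "__main__":
    for line in triage_report(kill_switch_lookups(SAMPLE_DNS_LOG)):
        print(line)
```

A hit means the sinkhole stopped encryption on that host, not that the host is clean: it is still unpatched and reachable over SMB, so it should be patched and checked for the worm component.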
It is better to call it a “solution-like” tool rather than a full solution, because it comes with a big IF. A tool called ‘wanakiwi’ was developed by security researchers Adrien Guinet and Benjamin Delpy. The decryptor is known to work on many Windows versions, and its effectiveness has been confirmed by Europol. WanaKiwi works on both Windows 7 and Windows XP, which suggests that “it works for every version of Windows from XP to 7, including Windows 2003, Vista, 2008 and 2008 R2,” confirms Matt Suiche of security firm Comae Technologies. The ‘IF’ is: DO NOT REBOOT YOUR INFECTED MACHINES, and try wanakiwi as soon as possible, because the tool depends on key material that is still present in the machine’s memory. If you reboot or shut down the PC, the tool will not work.
The original encrypted files (.WNCRY) remain unmodified; the decrypted files are written as separate files. As soon as you have recovered the files, back them up, including the 00000000.dky file generated by wanakiwi, which holds the decryption key. Once your recovered files are backed up, reinstall a fresh copy of Windows.
Two Things to Learn About
This researcher’s way of solving the problem offers two lessons. The first is the importance of taking security into your own hands. The second: ransomware, even the worst kinds, can be tackled.
However, ransomware is still a reality consumers have to face, and it will continue to grow in both impact and frequency. In fact, the threat has increased consistently over the past few years: the number of ransomware incidents rose to 229 in 2016 from 159 in 2015.