The wannacry ransomware is composed of various components
- Files with encryption keys
- Application to encrypt data
- Application to decrypt data
- A copy of Tor Browser
Unlike other ransomware, wannacry has taken the internet world by storm as it created a very bad impact on almost all the business from all parts of world. It was developed as a self-contained program with all the application components, made to infect the computer and find its way into the infected computer as a dropper.
How does WannaCry infect Windows PCs?
The program code is simple and clear that the IT security experts find it easy to examine. The wanna cry ransomware tries to access the kill switch URL (hard coded). In case if it fails to do so, it proceeds to search and encrypt files in an uncontrollable fashion from MP3 files to MS office files. By this way the files are left inaccessible to the user. A ransom notice is then sent to the victim demanding a huge sum of money ($300 in bitcoin) to unlock the encrypted files.
The malware authors of WannaCry have exploited the vulnerability called EternalBlue found in Windows. This Microsoft vulnerability was fixed by patch update MS17-010 on March 14th 2018. The cyber criminals gain access to the system through the vulnerability and introduces an encrypter file to lock the important files which is made inaccessible by the user.
Once the PC is infected with Wannacry it does not start encrypting files immediately. It initially tries to gain access to an URL before it starts to encrypt the files. Reports says, the wanna cry tries to contact this URL to increase the complexity of the URL.
Wannacry – where does it originate from?
The source of infection is still unknown. And the information is still unclear though some security researchers claim that the infection is passed through emails.
- WannaCry has two key parts
- Worm Module
- Ransomware Module
The ransomware module is passed on to infect the system and the worm module exploits the vulnerability of SMB Server Remote Code Execution (CVE-2017-0144) and (CVE-2017-0145) to infect the target system.
Symptoms that confirm that the ransomware is infected
- If the system is compromised with WannaCry ransomware, a system displays a black background with commands mentioned in red.
- The victim is given a guideline on how to pay the demanded ransom
- The ransomware encrypts and leaves the data files inaccessible by adding .WCRY extension at the end of each locked file.
- There can be unknown files in the folders where the important data is encrypted.
The patch that was required to prevent WannaCry ransomware was developed even before the attacks were started.
There was a Bulletin released by the Microsoft Security Team on March 14, 2017, the Windows implementation of the SMB protocol was updated to deny infection through the vulnerability Eternal Blue.
Nevertheless, the Windows users were lethargic and took it light that most of the systems are yet to be patched as of May 2017 even after showing red alerts by the Microsoft Security teams.
The unpatched system that were infected would not be able to restore files from a safe backup. While there are some indications that says some people on paying ransom are regaining access to their encrypted files.
Update the Windows OS with the latest available patches. Outdates OSes are prone to malware infectionsClose port 445 by implementing the use of firewall – this can be an alternative option if there is no option available to update the security patch.
Implementing the use of an effective security suite like Comodo Antivirus which delivers enhanced virus protection from ransomware and preventing the same from interfering with regular operations of the computer.