The world witnessed one of the most vicious cybercrimes these past few days: The WannaCry Ransomware. The well-coordinated ransomware attack caused Britain’s NHS to cancel surgeries; a large-scale disruption of Russia and China’s public and private institutions; and a world-wide digital paralysis.
According to Sumann Subramaniam, Enterprise Security Expert at Tech One Global, WannaCry spreads by using a vulnerability in implementations of Server Message Block (SMB) in Windows systems. This exploit is named as ETERNALBLUE. It encrypts the computer’s hard disk drive and then spreads laterally between computers on the same LAN. The ransomware also spreads through malicious attachments to emails.
Once it’s activated, WannaCry then asks the user to pay in $300 in bitcoins within 72 hours or see their files deleted permanently.
Luckily, the Microsoft Community managed to create a tool to combat the ransomware. Codenamed “WanaKiwi,” the tool can the decrypt the data attacked by a ransomware under one condition: your computer should have not restarted or turned off.
According to User Halim from the Microsoft Community:
“This condition must come from how the rudimentary software algorithm works. The researcher focused on the initial numbers stored in the random memory of the computer on which the software is based to perform the encryption process.
More generally and simply, the tool searches for these numbers and begins the process of decrypting encrypted data in advance, hence the importance of the above requirement, in addition to the reference of some other reports to another condition is not to take off new software after infection such as games and office applications which can damage the order. Store those numbers on your computer’s memory by using that space for another program.
Note: The new tool works on both Windows 2008, 7, XP, and Vista, and has been proven effective by some security companies. Another tool named WanaKey is based on the same principle.”
WanaKiwi: Wanakiwi_0.2.zip or Wanakiwi.zip
Basically, WanaKiwi steals back the decryption key from the attackers. However, despite the solutions discovered each day, we are still not in the clear as experts say: new strains of ransomwares operating using the same model might already be in development.
Paying the Ransom
According to YouTuber Barnacules, there’s zero news yet that someone who paid the ransom actually received a decrypting key.
If somehow you got infected and you paid the key, here are some things you can do according to Microsoft:
Immediately contact your bank and your local authorities. If you paid with a credit card, your bank may be able to block the transaction and return your money.
You can also contact the following government fraud and scam reporting websites:
- In Australia, go to the SCAMwatch website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In France, go to the Agence nationale de la sécurité des systèmes d’information website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In the United States, go to the On Guard Online website.
If your country or region isn’t listed here, Microsoft recommends that you contact your country or region’s federal police or communications authority.
For an illustrated overview about ransomware and what you can do to help protect yourself, see The 5Ws and 1H of ransomware.
If you’re in an enterprise, see the Microsoft Malware Protection Center for in-depth information about ransomware.
WannaCry is a loud wake-up call. Cybersecurity is a serious issue and mismanaging it can cause billions worth of damages. With technologies like cloud and business solutions, security today is only a matter of mindset and guidance.
You can start by checking our free guide here to grasp the basic concepts of operating a secured network. Get it done with Tech One Global.