Here’s a full debrief on the WannaCry ransomware that is still a threat to businesses around the world.
Also known as Wcry, WannaCrypt and Wana DeCryptor, WannaCry is a ransomware threat that started to spread rapidly on Friday, May 12, 2017. The ransomware had been around for a number of weeks, but the attackers tweaked the WannaCry code and then released it into the wild late last week.
Brian Krebs reported that Lawrence Abrams, owner of the tech-help forum BleepingComputer, said WannaCry wasn’t a big player in the ransomware space until “something caused it to be spread far and wide very quickly.”
“Today, it just went nuts,” continued Abrams. “This is by far the biggest outbreak we have seen to date.”
The refreshed ransomware worm is now designed to exploit a critical Microsoft vulnerability, the one addressed by Microsoft Security Bulletin MS17-010, for which a patch was first made available in mid-March 2017.
It is believed that the new WannaCry variant was spammed out with a malicious link or attachment. When the user clicked on the item, the ransomware attempted to infect the Windows computer and encrypt files on the machine, promising to release them if $300 USD in Bitcoin is paid.
If there are no up-to-date backups from which to restore, paying the ransom may be the only way for a business to retrieve its files.
File types that could be encrypted by the WannaCry ransomware include pictures, movies, scripts, Microsoft Office file types, databases, and archived files:
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc
While WannaCry is infecting the victim's machine, it also searches the network for vulnerable, unpatched Windows systems and tries to infect those too. This is why WannaCry has spread at such speed.
Ransomware is a kind of cyber-attack in which hackers take control of a computer system and block access to it until a ransom is paid. For cyber criminals to gain access to the system, they need to get a piece of malicious software onto a device within the network. This is often done by getting a victim to click on a link or download it by mistake.
Once the software is on a victim's computer, the hackers can launch an attack that locks all files it can find within a network. This tends to be a gradual process, with files being encrypted one after another.
Cyber criminals often demand payment in return for unlocking the files. This is normally in the form of Bitcoin, the online cryptocurrency.
The original version of WannaCry was in every way just like a standard ransomware campaign, the main difference being the “.wcry” extension it added to files it had encrypted. However, what makes the outbreak of the second version of WannaCry such big news is the way that it spreads: the main deployment method is via the MS17-010 vulnerability in SMB.
All Windows computers that have not installed the update from Microsoft Security Bulletin MS17-010 (rated Critical), issued in March 2017, are vulnerable.
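The following PowerShell script is an added example, not part of the original article, for checking a Windows host against the two conditions described above: whether an MS17-010 update is installed and whether SMBv1 (the protocol the flaw sits in) is still enabled, with an optional switch to turn SMBv1 off. The KB identifiers for the update differ by Windows version and are not given on this page, so the `$Ms17010Kbs` list is a placeholder to be filled in from the bulletin; the cmdlets and registry value used are Microsoft's documented ones.

```powershell
# Added example: audit one Windows host for MS17-010 and SMBv1 exposure.
param(
    # PLACEHOLDER: replace with the KB ids MS17-010 lists for this Windows version.
    [string[]]$Ms17010Kbs = @('KB0000000'),
    [switch]$Remediate
)

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by their KB id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: the documented LanmanServer "SMB1" value; if it is absent,
    # SMBv1 is enabled (the default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

$found = Test-Ms17010Installed -KbIds $Ms17010Kbs
if ($found) { Write-Output "MS17-010 update present: $found" }
else        { Write-Warning "No MS17-010 update found; host is exposed to the SMB flaw WannaCry spreads through" }

if (Get-Smb1Enabled) {
    Write-Warning "SMBv1 is enabled"
    if ($Remediate) {
        # Needs admin rights; check first that nothing in the environment still relies on SMBv1.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
        }
        Write-Output "SMBv1 disabled (a reboot may be required on older systems)"
    }
} else {
    Write-Output "SMBv1 is disabled"
}
```

Run it from an elevated prompt; without `-Remediate` it only reports, which makes it safe to push through a management tool across a fleet to find the unpatched machines first.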
If you have any questions, queries or have been hit by ransomware such as WannaCry, please contact us via email [email protected] or call 01482 210999.