How the Ransomware WannaCry Spread and How It Can Be Removed

Ransomware is evolving into a major threat. The "WannaCry" attack that caused damage on a global scale is still fresh in memory. It spread rapidly because it propagated itself as a worm, without any user action.

What is Ransomware?


A type of malware that demands a ransom. It locks the infected terminal or encrypts the data stored on it with strong cryptography, and demands money in exchange for lifting the restriction. The damage is enormous: business suspension and data loss because the data can no longer be used, and financial loss if the ransom is paid. There is also no guarantee that the data will be returned even if you pay.

Attackers used to be individuals showing off their skills. Today they are no longer limited to individual users and include criminal groups after money itself and national intelligence agencies targeting confidential information in hostile countries. Damage targeting companies and organizations is increasing, and the attacks are becoming more malicious.

Ransomware first appeared in 1989. The AIDS Trojan was a malicious program that spread via external media (floppy disks) rather than over the Internet as today, infected the machine and demanded a ransom for release.

Main Transmission Routes

Infection via email (phishing email, mass-mailed spam)

Infection occurs by clicking a link in an email and being directed to a malicious site, or by opening a ZIP archive or executable file attached to the email.

Infection via websites

Infection from compromised legitimate sites, from files downloaded from such sites, or from fraudulent advertisements displayed on them (malvertising).

Infection via removable media

Infection by a malicious program (USB worm) that propagates through removable media connected over USB.

Ransomware WannaCry, which caused infection damage to more than 300,000 devices in 150 countries around the world

How did the ransomware WannaCry (also known as WannaCrypt, WannaCryptor, Wcry, etc.), which caused infection damage to more than 300,000 devices in 150 countries around the world, arise and spread?

Transmission Route

  • Initial infection route unknown
  • Spread over the network as a worm by exploiting a vulnerability in SMBv1, the Windows Server Message Block protocol used for file sharing (patched in MS17-010; CVE-2017-0144, the "EternalBlue" exploit). An infected machine scanned for other hosts listening on SMB port 445, both on its own LAN and on random Internet addresses, and infected any unpatched host it found without any user action.

Behavior After Infection

  1. Before doing anything else, the malware tries to connect to a specific hard-coded domain. If the connection succeeds it exits; only when the domain cannot be reached does the infection proceed (the "kill switch").
  2. Encrypts files with any of 166 targeted extensions.
  3. Appends the string ".WNCRY" to the name of each encrypted file.
  4. Deletes the Volume Shadow Copies once encryption is complete, so the files cannot be restored from local snapshots.
  5. Displays a message on the desktop stating that the files have been encrypted.
  6. Shows the ransom demand and the payment deadline with a countdown timer.
  7. Demands $300 to $600 in Bitcoin, not cash.
  8. The payment deadline is 3 days; after that the demanded amount doubles, and a threat is displayed that the encrypted files will be deleted if payment has not been made within 7 days.
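The behaviours above are what a detection rule should key on: deletion of shadow copies, files being renamed with the .WNCRY suffix, and one workstation suddenly opening SMB connections to many peers. The following Python is an added example (not code from the original page) that runs such rules over a few constructed, simplified event lines; the log format, host names and the SMB_SCAN_THRESHOLD value are assumptions for illustration.

```python
"""Detect WannaCry-style behaviour in constructed process/file/network events.
Added example, not from the original page. Event lines are constructed and
simplified: 'timestamp | host | event_type | detail'."""
import re
from collections import defaultdict

# Constructed sample events (NOT real logs).
SAMPLE_LOG = """\
2017-05-12T10:01:03 | PC-07 | PROCESS | cmd.exe /c vssadmin delete shadows /all /quiet
2017-05-12T10:01:05 | PC-07 | FILE_RENAME | C:\\Docs\\report.docx -> C:\\Docs\\report.docx.WNCRY
2017-05-12T10:01:05 | PC-07 | FILE_RENAME | C:\\Docs\\budget.xlsx -> C:\\Docs\\budget.xlsx.WNCRY
2017-05-12T10:01:06 | PC-07 | NET_CONNECT | 10.0.1.7:49210 -> 10.0.1.20:445
2017-05-12T10:01:06 | PC-07 | NET_CONNECT | 10.0.1.7:49211 -> 10.0.1.21:445
2017-05-12T10:01:06 | PC-07 | NET_CONNECT | 10.0.1.7:49212 -> 10.0.1.22:445
2017-05-12T10:01:07 | PC-07 | NET_CONNECT | 10.0.1.7:49213 -> 10.0.1.23:445
2017-05-12T10:01:07 | PC-07 | NET_CONNECT | 10.0.1.7:49214 -> 10.0.1.24:445
2017-05-12T10:01:07 | PC-07 | NET_CONNECT | 10.0.1.7:49215 -> 198.51.100.9:445
2017-05-12T10:02:00 | PC-12 | NET_CONNECT | 10.0.1.12:50001 -> 10.0.1.5:445
2017-05-12T10:02:10 | PC-12 | PROCESS | notepad.exe C:\\notes.txt
"""

# Rule 1: shadow-copy deletion (step 4 above).
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Rule 2: a file renamed with the .WNCRY suffix (step 3 above).
WNCRY_RE = re.compile(r"->\s*(.+\.WNCRY)\s*$", re.IGNORECASE)
# Rule 3: one host opening SMB (tcp/445) to many distinct peers = worm scanning.
SMB_RE = re.compile(r"->\s*([0-9.]+):445\s*$")
# Assumption: tune per environment. A file server legitimately talks SMB to
# many clients; a workstation initiating SMB to many peers is the anomaly.
SMB_SCAN_THRESHOLD = 5


def parse_event(line):
    """Split one constructed event line into its four fields, or None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        return None
    ts, host, etype, detail = parts
    return {"ts": ts, "host": host, "type": etype, "detail": detail}


def detect_wannacry(lines):
    """Return a list of alerts, each {'host', 'rule', 'detail'}."""
    alerts = []
    smb_peers = defaultdict(set)  # host -> distinct SMB destination IPs
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "PROCESS" and VSSADMIN_RE.search(ev["detail"]):
            alerts.append({"host": ev["host"], "rule": "shadow_copy_deletion",
                           "detail": ev["detail"]})
        elif ev["type"] == "FILE_RENAME":
            m = WNCRY_RE.search(ev["detail"])
            if m:
                alerts.append({"host": ev["host"], "rule": "wncry_rename",
                               "detail": m.group(1)})
        elif ev["type"] == "NET_CONNECT":
            m = SMB_RE.search(ev["detail"])
            if m:
                smb_peers[ev["host"]].add(m.group(1))
    # The scanning rule is evaluated after the pass, once peer sets are complete.
    for host, peers in smb_peers.items():
        if len(peers) >= SMB_SCAN_THRESHOLD:
            alerts.append({"host": host, "rule": "smb_scan",
                           "detail": f"{len(peers)} distinct SMB peers"})
    return alerts


def hosts_to_isolate(alerts):
    """Hosts with any alert: candidates for immediate network isolation."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = detect_wannacry(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["host"]}: {a["rule"]} ({a["detail"]})')
    print("isolate:", hosts_to_isolate(found))
```

The shadow-copy and rename rules fire on a single event, so they are the fastest signal; the SMB rule needs a count over a window and in a real pipeline would be keyed on source host and a time bucket rather than the whole log. Note that the rename rule is specific to this family (the suffix), while the other two generalize to most ransomware and to other SMB worms.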

Response of Antivirus Vendors at the Time

  1. Before the news broke, most AV products could not detect WannaCry samples; apart from some behavioural signatures, the samples slipped through.
  2. Numerous WannaCry samples were reported on the Internet within two days of the outbreak, and their hashes were blacklisted one after another.
  3. Online terminals with an Internet connection could then detect known samples by querying the vendor's cloud for their hashes.
  4. Each vendor published guidance on its blog.

Measures to Reduce the Damage Caused by Ransomware Infection

The WannaCry case shows that, with ransomware, there is no guarantee of avoiding infection even when strong countermeasures are in place.

Here, we will introduce measures to reduce damage in the event of infection or suspicion of infection.

Response After Infection

In practice there are many cases where someone panics because the computer cannot be used normally, does something hasty, and makes the situation worse. First of all, stay calm, contact the person in charge (such as the internal system management department), and take the following steps as far as possible.

  1. Disconnect the terminal from the network (unplug the cable or disable Wi-Fi). Disconnect rather than power off, so that volatile evidence on the machine is preserved for investigation.
  2. Take network shares offline.
  3. Identify the systems the device was connected to (or could have connected to).
  4. Check whether files on other systems have been encrypted.
  5. Confirm the infection route.
  6. Check whether a backup of the encrypted data exists.
  7. Decide on a policy for the encrypted data.
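Steps 4 and 6 above, and the vendor hash blacklisting described earlier, both come down to walking file systems and asking two questions: which files carry the .WNCRY suffix, and which files match a known-bad hash. The following Python is an added example (not code from the original page) that answers both over a constructed directory tree; the blocklist entry is the hash of a constructed byte string standing in for a dropped binary, not a real WannaCry hash, and the file names are hypothetical.

```python
"""Triage helper: count .WNCRY files per directory and flag files whose
SHA-256 is on a hash blocklist. Added example, not from the original page.
The blocklist below is derived from a constructed stand-in, not real malware."""
import hashlib
import os
import shutil
import tempfile
from collections import Counter


def sha256_file(path, chunk=1 << 16):
    """Stream-hash a file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, blocklist):
    """Return (wncry_count_per_dir, blocklisted_paths, untouched_count).

    Paths are reported relative to root so the output is readable across
    many scanned shares."""
    per_dir = Counter()
    blocklisted = []
    untouched = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".wncry"):
                per_dir[os.path.relpath(dirpath, root)] += 1
            else:
                untouched += 1
            # Hash every file, encrypted or not: the dropper itself is not encrypted.
            if sha256_file(path) in blocklist:
                blocklisted.append(os.path.relpath(path, root))
    return per_dir, sorted(blocklisted), untouched


# Constructed stand-in for a dropped binary; its hash plays the role of a vendor IOC.
FAKE_SAMPLE = b"constructed stand-in for a dropped binary, not real malware\n"
BLOCKLIST = {hashlib.sha256(FAKE_SAMPLE).hexdigest()}


def build_demo_tree():
    """Create a small constructed tree with two encrypted files, one untouched
    document and one blocklisted binary (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    layout = {
        "Documents/report.docx.WNCRY": b"ciphertext",
        "Documents/budget.xlsx.WNCRY": b"ciphertext",
        "Documents/readme.txt": b"plain text, not encrypted",
        "Downloads/dropped.bin": FAKE_SAMPLE,  # hypothetical file name
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def run_demo():
    """Build the constructed tree, triage it, clean up, and return a summary."""
    root = build_demo_tree()
    try:
        per_dir, bad, untouched = triage(root, BLOCKLIST)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"per_dir": dict(per_dir), "blocklisted": bad, "untouched": untouched}


if __name__ == "__main__":
    result = run_demo()
    for d, n in result["per_dir"].items():
        print(f"{d}: {n} encrypted file(s)")
    print("blocklisted:", result["blocklisted"])
    print("untouched:", result["untouched"])
```

Run it against a mounted share or a copied disk image rather than the live infected machine, and populate BLOCKLIST from the hashes your AV vendor published. The per-directory counts also help with step 5: the directories where encryption stopped, and their timestamps, point at when the process was interrupted.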

Measures to Prevent Infection With Ransomware

Proactive measures to avoid ransomware infection are essential. From here we look at specific, effective measures.

Basic Measures

  • Do not open suspicious email attachments, and do not access URLs in the message body.
  • Keep antivirus software up to date.
  • Update the OS and the software that serves as the entry point for ransomware, and keep them current. For WannaCry, applying the MS17-010 update or disabling SMBv1 was the decisive fix.
  • Back up important data regularly to a location separate from the terminal, such as an external HDD or a cloud storage service. A drive or share that stays connected is just as exposed to encryption as local files, so disconnect external media after each backup and keep at least one copy that the terminal cannot write to.
