WannaCry: Ransomware That Caused Havoc

WannaCry is a ransomware worm that, in May 2017, spread across computer networks worldwide, infecting hundreds of thousands of Windows computers in more than 150 countries. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them inaccessible to the user, then demands a ransom payment in Bitcoin to decrypt them.


Is your computer vulnerable to attack by the WannaCry ransomware? Read on as we explore what WannaCry is, how it spreads, and how to deal with it.

What is the WannaCry Virus?

WannaCry is an example of crypto-ransomware, a type of malicious software (malware) used by cybercriminals to extort money.

Ransomware does this either by encrypting valuable files so you can't read them, or by locking you out of your computer so you can't use it.

The kind that uses encryption is called crypto-ransomware. The kind that locks you out of your computer is called locker ransomware.

Like other types of crypto-ransomware, WannaCry takes your data hostage and promises to return it if you pay a ransom.

WannaCry targets computers running the Microsoft Windows operating system. It encrypts the data and demands payment of a ransom in the cryptocurrency Bitcoin for its return.

The WannaCry ransomware consists of multiple components. It reaches the infected computer in the form of a dropper, a standalone program that extracts the other components embedded inside itself. Those components include:

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor

Once started, WannaCry tries to connect to a hardcoded URL, the so-called kill switch. If the connection succeeds, the malware exits without doing anything (a security researcher slowed the outbreak by registering that domain). If it cannot reach the URL, it proceeds to find and encrypt files in a host of important formats, ranging from Microsoft Office documents to MP3 and MKV media, leaving them inaccessible to the user. It then displays a ransom notice demanding $300 worth of Bitcoin to decrypt the files.

How and When Did It Originate? Who Created It?

WannaCry is an interesting variant of ransomware because of the way it spreads. Most ransomware starts with a relatively simple phishing email that tricks victims into clicking a link and downloading the malware.

WannaCry, short for Wanna Decryptor, spreads via the Server Message Block (SMB) protocol, which Windows computers use to share files and printers. That makes it easy for the malware to jump between computers on the same Windows network without any user interaction.

This makes the ransomware particularly dangerous for business and school computers that are connected to large networks. It even managed to cripple public-sector organizations such as the UK's National Health Service (NHS).

The origins of WannaCry trace back to April 2017, when a mysterious group of hackers calling themselves the Shadow Brokers publicly released a trove of stolen NSA tools. Among them was a previously secret exploit known as EternalBlue, which abuses a flaw in Microsoft's implementation of the SMBv1 protocol to take over any unpatched computer remotely. Microsoft had already fixed the flaw in March 2017 with security bulletin MS17-010, but many machines had not yet installed the update.

Several security researchers investigated the origins of WannaCry, and early findings pointed to a possible North Korean connection. WannaCry had been circulating in limited form for months before it exploded across the internet on May 12, 2017. This older version of the malware, detected as Ransom, shared tools, techniques, and infrastructure with those used by the Lazarus Group.

The Lazarus Group is a hacking group that has been linked to North Korea. Starting in 2009 with crude DDoS attacks on South Korean government computers, it has grown increasingly sophisticated, carrying out the 2014 hack of Sony Pictures and pulling off bank heists such as the 2016 Bangladesh Bank theft.

How Does the WannaCry Virus Affect Computers?

When run, WannaCry first checks whether the kill-switch domain is reachable. If it is, the malware exits. If it is not, the ransomware installs itself as a Windows service, encrypts your computer's data, and launches a worm component that uses EternalBlue to spread to other computers, both on the local network and across the internet.

The infected computer scans the local subnet and random internet addresses for hosts that accept connections on TCP port 445, the port on which Windows serves SMB.

It then opens an SMBv1 connection to each such host and uses the EternalBlue buffer overflow in the SMBv1 server code to execute code in the target's kernel, installs the DoublePulsar backdoor, and uses that backdoor to copy over and launch the ransomware. No action by a user on the victim machine is needed.
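The following PowerShell script is an added example, not code from the original article, that audits a Windows environment for the two things the worm depends on: hosts reachable on TCP port 445, and SMBv1 being enabled on the local machine. The subnet prefix, the timeout and the KB numbers are assumptions made for this example (the KB numbers are the March 2017 MS17-010 updates for Windows 7 / Server 2008 R2; other Windows versions use different numbers, and Windows 10 receives the fix in cumulative updates).

```powershell
# Added example: audit for the exposure WannaCry's worm component scans for.
# Not from the original article. Run in an elevated PowerShell on Windows 8.1/10
# or Server 2012 R2+ (the Get-Smb*/Get-Net* cmdlets are not on Windows 7).

function Find-Smb445Listeners {
    # Sweep a /24 for hosts that accept TCP connections on 445, the port the
    # worm probes before attempting EternalBlue. Read-only: it only completes
    # the TCP handshake and closes the socket.
    param(
        [Parameter(Mandatory)] [string] $Prefix,   # assumed input, e.g. "192.168.1"
        [int] $TimeoutMs = 300
    )
    $open = @()
    foreach ($i in 1..254) {
        $target = "$Prefix.$i"
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($target, 445, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)      # throws if the port is closed or refused
                $open += $target
            }
        } catch {
            # closed or filtered port: not reachable by the worm either
        } finally {
            $client.Close()
        }
    }
    return $open
}

function Get-LocalSmbExposure {
    # Report whether this host would be a viable EternalBlue target.
    # KB numbers are the MS17-010 updates for Windows 7 / Server 2008 R2
    # (security-only and monthly rollup); an assumption for this example, adjust per OS.
    $ms17010Kbs = 'KB4012212', 'KB4012215'
    $srv = Get-SmbServerConfiguration
    [pscustomobject]@{
        SMB1ServerEnabled = $srv.EnableSMB1Protocol
        SMB1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
        Listening445      = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        MS17010Installed  = [bool](Get-HotFix -Id $ms17010Kbs -ErrorAction SilentlyContinue)
    }
}

# Usage: a host with SMB1ServerEnabled = True, Listening445 = True and no
# MS17-010 patch is exactly what the worm is looking for.
Get-LocalSmbExposure | Format-List
Find-Smb445Listeners -Prefix '192.168.1' | ForEach-Object { "TCP 445 open: $_" }
```

The sweep only tells you which hosts the worm could reach; whether they are actually exploitable depends on each host's SMBv1 setting and patch level, which is what the local check reports and what you would run on every host the sweep turns up.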

As with other ransomware, the malware displays a message informing the user that their files have been encrypted and demands a ransom of $300 in Bitcoin. The note warns that the price doubles to $600 if payment is not made within three days, and that the files will be unrecoverable after seven days.

Only three hardcoded Bitcoin addresses are used to receive payments from all victims. As with all Bitcoin addresses, transactions and balances are publicly visible, but the owners remain unknown. Because every victim paid to one of the same three addresses, the attackers had no automated way to tell who had paid, which made decryption after payment unreliable.

Security experts advise affected users not to pay the ransom, because payment often does not result in data recovery.

Is It Possible to Remove It From the Computer?

As we said earlier, WannaCry only affects Windows computers, so here is how to remove it from Windows. Before you begin, disconnect the infected machine from the network so the worm component cannot spread any further, and make sure Windows has the latest patches, in particular the MS17-010 update that closes the SMBv1 hole. Note that removing the malware stops it from spreading but does not decrypt your files; those have to be restored from a backup.

  • Click on the Start menu
  • Type Windows Defender in the search box
  • Open Windows Defender and run a full scan
  • If it finds something, use Defender to remove it

If you can't run Defender, or it can't remove the malware, the next step is to run third-party antivirus software to scan your PC and remove the infection.
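The following PowerShell sequence is an added example, not part of the original article, that carries out the containment and hardening steps a practitioner would run around the Defender scan above: isolate the host, turn off SMBv1, block inbound port 445, scan, and only then reconnect to patch. It assumes an elevated PowerShell on Windows 8.1/10 or Server 2012 R2+ for the Smb, NetSecurity and Defender cmdlets; the registry line is the documented fallback for Windows 7 / Server 2008 R2 and needs a reboot to take effect.

```powershell
# Added example (not from the original article): contain an infected host and
# close the SMBv1 hole before reconnecting it. Run from an elevated PowerShell.

# 1. Isolate. With no network the worm component cannot reach other hosts.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# 2. Disable SMBv1, the protocol EternalBlue exploits.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force                  # Win 8/2012+
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart    # Win 8.1/10
# Windows 7 / Server 2008 R2 fallback (takes effect after a reboot):
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -Type DWord -Value 0 -Force

# 3. Refuse inbound SMB from untrusted networks so a scanning neighbour cannot
#    reach this host even if SMBv1 is ever switched back on.
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Public, Private

# 4. Run the Defender scan from the steps above and list what it found.
Start-MpScan -ScanType FullScan
Get-MpThreatDetection | Select-Object InitialDetectionTime, ThreatID, Resources

# 5. Only after the scan comes back clean: reconnect and install the MS17-010
#    update through Windows Update before the machine touches any file share.
#    None of this recovers encrypted files; restore them from backup.
Get-NetAdapter -Physical | Enable-NetAdapter -Confirm:$false
```

Keep the firewall rule after patching: blocking 445 on the Public and Private profiles costs nothing on a workstation that does not serve shares, and it protects against the next SMB bug as well as this one.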
