
Infection distribution throughout different regions.

WannaCry, originally named WanaCrypt and also known as Wana Crypt0r and Wana Decrypt0r, is a ransomware worm for Microsoft Windows (it can be run on Linux via WINE) that uses two NSA-leaked tools and has wreaked havoc in airports, banks, universities, hospitals and many other facilities. It has spread to some 150 countries worldwide, mainly Russia, Ukraine, the US, and India. It is not decryptable as it uses RSA-2048; thus, the only way to retrieve files is from a backup or by paying the Bitcoin equivalent of $300 USD. The required payment increases to the Bitcoin equivalent of $600 USD 72 hours after the initial infection of the PC. Seven days after the victim's infection, the malware will start deleting the computer's files.

Infection

This program can be delivered the same way a trojan is: it is loaded through hyperlinks delivered by emails, Dropbox links, or advertisements. When run, the ransomware will quickly encrypt the files on the computer using the same encryption method Instant Messaging uses, except only those used by the system. It can also attack network drives.

New Version

From version 2.0 onward, instead of using spam emails, spoofed links or advertisements as a means of transfer, the ransomware behaves like a worm. With the help of remote malicious code, it actively attacks every vulnerable computer on the internet.

It scans computers for TCP and UDP ports 139 and 445 (SMB); if a port is found listening and the host is found vulnerable to this attack, it will download itself onto the host and start its execution.
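This scanning behaviour is visible to defenders in network flow logs. The following is an added example, not part of the original page: it flags any source that contacts many distinct hosts on ports 139/445 within a short window. The log format, threshold and window length are assumptions, and the flow records are constructed.

```python
from collections import defaultdict

SMB_PORTS = {139, 445}   # ports named in the text above
THRESHOLD = 5            # assumed: distinct SMB peers per window that triggers an alert
WINDOW = 60              # assumed: window length in seconds

# Constructed flow records, one per line: "<epoch> <src> <dst> <dst_port> <proto>"
SAMPLE_FLOWS = "\n".join(
    [f"{1000 + i} 10.0.0.66 10.0.1.{i + 1} 445 tcp" for i in range(8)]          # fast fan-out
    + [f"{1000 + i * 900} 10.0.0.12 10.0.2.{i + 1} 445 tcp" for i in range(6)]  # slow, spread out
    + [f"{1000 + i} 10.0.0.9 10.0.3.{i + 1} 443 tcp" for i in range(8)]         # not SMB
    + ["1005 10.0.0.5 10.0.0.20 139 udp", "truncated line"]
)


def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[0].isdigit() and parts[3].isdigit()):
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])


def find_smb_scanners(text, threshold=THRESHOLD, window=WINDOW):
    """Map each flagged source to its largest count of distinct SMB peers in one window."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port in SMB_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Shrink the window from the left until it spans at most `window` seconds.
            while ts - events[start][0] > window:
                start += 1
            peers = len({dst for _, dst in events[start:end + 1]})
            if peers >= threshold:
                flagged[src] = max(flagged.get(src, 0), peers)
    return flagged


if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_FLOWS))
```

A host that touches the same number of SMB peers slowly (10.0.0.12 in the sample) stays below the threshold unless the window is widened, so the window length is a tuning trade-off between noise and coverage.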

Exploits


Exploit used by WannaCry

This ransomware uses the EternalBlue exploit kit leaked by The Shadow Brokers; Microsoft released a patch against it on March 14. However, many companies and organizations have not installed this patch. Due to the damage that the ransomware caused, Microsoft also released a patch for Windows XP, Windows Server 2003, and Windows 8, all of which were no longer supported at the time.

What is WanaCrypt0r 2.0 -WannaCry Ransomware-?

Many antivirus vendors and computer security companies have also created programs to "immunize" against the NSA hacking tools.

WannaCry Virus- Just The Beginning! What's Next?

Stopping

On May 14, a British network engineer, Darien Huss, found that the ransomware searches for an unregistered domain made up of nonsense letters and numbers. If the website is found, the ransomware will stop spreading. Darien shared the "Kill Switch" with a man named MalwareTech on the Internet. They bought the domain to stop the ransomware. However, the developer of WannaCry has updated the ransomware to be unaffected by this.

Properties of malware files used by WannaCry

Decryption tool released

Adrien Guinet, a French security researcher from Quarkslab, found that the ransomware did not remove the prime numbers from memory after encrypting the files, meaning that the user can use these numbers to generate the public and private key pair again.

Before generating a pair of RSA encryption keys, the system needs to choose two prime numbers. After the keys are generated, these numbers should be kept secret to prevent other users (such as hackers) from using them to regenerate the private key.

The WanaKiwi tool tries to find the prime numbers left behind by the ransomware and regenerates the private key, so that the user might not need to pay the ransom to decrypt the files. However, there are some limits:

  1. The infected machine should have never been rebooted.
  2. Since the memory location for these prime numbers is no longer allocated, they could be erased or overwritten by other processes, so the decryption tool should be started as early as possible in order to find the numbers.

Otherwise the decryption tool might not be able to help decrypt the files.
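The recovery idea described above can be shown with a toy key. This is an added illustration, not WanaKiwi's code and not part of the original page: the small primes, the sample ciphertext, the memory images and the assumption that a prime sits in memory as raw little-endian bytes are all constructed for the example.

```python
def find_prime_in_memory(memory: bytes, n: int, prime_len: int):
    """Return a prime factor of n still present in the memory image, or None."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        # Only a leftover prime (p or q) can divide the public modulus n.
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_exponent(p: int, n: int, e: int) -> int:
    """Regenerate the private exponent d from one prime and the public key (n, e)."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def recover_and_decrypt(memory: bytes, n: int, e: int, ciphertext: int, prime_len: int):
    """Decrypt with a regenerated key, or return None if no prime survived."""
    p = find_prime_in_memory(memory, n, prime_len)
    if p is None:
        return None  # rebooted or overwritten: nothing left to recover
    return pow(ciphertext, rebuild_private_exponent(p, n, e), n)


# Constructed toy key; real keys are RSA-2048 and these primes are far too small.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
SECRET = 0x57414E41                 # constructed sample value standing in for a file key
CIPHERTEXT = pow(SECRET, E, N)

# Constructed memory images: one still holding P in freed memory, one overwritten.
FILLER = bytes(range(256)) * 2
FRESH_MEMORY = FILLER + P.to_bytes(8, "little") + FILLER
OVERWRITTEN_MEMORY = FILLER + bytes(8) + FILLER

if __name__ == "__main__":
    print(recover_and_decrypt(FRESH_MEMORY, N, E, CIPHERTEXT, 8))
    print(recover_and_decrypt(OVERWRITTEN_MEMORY, N, E, CIPHERTEXT, 8))
```

The second call returns nothing because the prime's bytes were overwritten, which is the situation the two limits above describe.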

Other Languages


WannaCrypt Map


WannaCry Ransomware in Action - NSA Exploit based

Video by The PC Security Channel.


Killing WannaCry Ransomware - Explained in depth


The ransom note in Chinese.

WannaCry provides translations for these languages:
  • Bulgarian
  • Chinese (Simplified)
  • Chinese (Traditional)
  • Croatian
  • Czech
  • Danish
  • Dutch
  • English
  • Filipino
  • Finnish
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Latvian
  • Norwegian
  • Polish
  • Portuguese
  • Romanian
  • Russian
  • Slovak
  • Spanish
  • Swedish
  • Turkish
  • Vietnamese

Affected Organizations (according to Wikipedia)

  • São Paulo Court of Justice (Brazil)
  • Aristotle University of Thessaloniki (Greece)
  • Vivo (Telefônica Brasil) (Brazil)
  • Lakeridge Health (Canada)
  • PetroChina (China)
  • Public Security Bureaus (China)
  • Sun Yat-sen University (China)
  • Instituto Nacional de Salud (Colombia)
  • Renault (France)
  • Deutsche Bahn (Germany)
  • Telenor Hungary (Hungary)
  • Andhra Pradesh Police (India)
  • Dharmais Hospital (Indonesia)
  • Harapan Kita Hospital (Indonesia)
  • University of Milano-Bicocca (Italy)
  • Q-Park (Netherlands)
  • Portugal Telecom (Portugal)
  • Automobile Dacia (Romania)
  • Ministry of Foreign Affairs (Romania)
  • MegaFon (Russia)
  • Ministry of Internal Affairs (Russia)
  • Russian Railways (Russia)
  • Banco Bilbao Vizcaya Argentaria (Spain)
  • Telefónica (Spain)
  • Sandvik (Sweden)
  • Garena Blade and Soul (Thailand)
  • National Health Service (United Kingdom)
  • Nissan UK (United Kingdom)
  • FedEx (United States)
  • STC (Saudi Arabia)

Timeline of key events relating to the WannaCry ransomware, made by Symantec.

Variants

Including the very first version, there are 4 known versions:

  • Version 1.0 - April 25, 2017
  • Version 2.0 - May 13, 2017
  • Version 2.1 - May 14, 2017
  • Version 2.2 - May 15, 2017

Patches

References
