WannaCry, one of the most massive ransomware attacks

Yesterday much of the world was affected by WannaCry, a ransomware that, in addition to encrypting its victims' files and demanding the classic ransom in Bitcoin, spread through local networks using a worm component that exploited a known critical Windows vulnerability, MS17-010, in the SMBv1 file-sharing service.

This means that once one computer is infected, any other vulnerable computer on the same local network can be infected automatically, with no user interaction.

Microsoft patched this vulnerability last March, yet the worm still managed to infect thousands of computers around the world, mainly in companies, which typically have many computers connected to one another.
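The first thing a practitioner wants after reading the above is a way to see which machines on the network still expose the service the worm attacks. The following is an added example, not code from the original post or from any tool it mentions: it sends a single SMB1 Negotiate Protocol request that offers only the "NT LM 0.12" dialect and classifies the reply. The sample replies at the bottom are constructed for offline testing, not captured from real hosts; the flag values in the header are assumptions that any SMB1 client could use.

```python
"""Probe a host for SMBv1, the service attacked through MS17-010.

Added example, not code from the original post or from any tool it mentions.
It sends one SMB1 Negotiate Protocol request that offers only the
"NT LM 0.12" dialect and classifies the reply: a server with SMBv1 enabled
answers with an SMB1 negotiate response and a dialect index; a server with
SMBv1 disabled answers in SMB2 or closes the connection. This only tells you
whether the SMBv1 attack surface is exposed, not whether MS17-010 is installed.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_FMT = "<4sBIBHHQHHHHH"  # 32-byte SMB1 header (MS-CIFS 2.2.3.1)
NO_DIALECT = 0xFFFF            # DialectIndex when the server accepts none


def build_smb1_negotiate(mid: int = 1) -> bytes:
    """NetBIOS-framed SMB1 Negotiate request offering only NT LM 0.12."""
    header = struct.pack(
        HEADER_FMT,
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,        # NT status
        0x18,     # Flags: canonical paths, case-insensitive (assumed values)
        0xC853,   # Flags2: unicode, long names, NT status codes
        0, 0, 0,  # PIDHigh, SecurityFeatures, Reserved
        0,        # TID
        0x1234,   # PIDLow (arbitrary)
        0,        # UID
        mid,      # MID
    )
    dialects = b"\x02NT LM 0.12\x00"
    # WordCount = 0, then ByteCount and the dialect list
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session header


def parse_negotiate_response(data: bytes) -> dict:
    """Classify a raw reply (NetBIOS frame included) to the request above."""
    if len(data) < 4:
        return {"smb1": False, "reason": "no reply / connection closed"}
    payload = data[4:]
    if payload.startswith(SMB2_MAGIC):
        return {"smb1": False, "reason": "server answered in SMB2/3"}
    if not payload.startswith(SMB1_MAGIC) or len(payload) < 35:
        return {"smb1": False, "reason": "not an SMB1 negotiate response"}
    command = payload[4]
    if command != SMB_COM_NEGOTIATE:
        return {"smb1": False, "reason": "unexpected SMB1 command 0x%02x" % command}
    word_count = payload[32]
    (dialect_index,) = struct.unpack_from("<H", payload, 33)
    if dialect_index == NO_DIALECT:
        return {"smb1": False, "reason": "server rejected every SMB1 dialect"}
    return {"smb1": True, "reason": "server negotiated SMB1",
            "word_count": word_count, "dialect_index": dialect_index}


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Open a TCP connection, send the request and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(1024)
    except OSError as exc:
        return {"smb1": False, "reason": "connection failed: %s" % exc}
    return parse_negotiate_response(reply)


def constructed_smb1_reply(dialect_index: int, word_count: int) -> bytes:
    """Constructed server reply for offline testing (not a real capture)."""
    header = struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE,
                         0, 0x98, 0xC853, 0, 0, 0, 0, 0x1234, 0, 1)
    params = bytes([word_count]) + struct.pack("<H", dialect_index)
    params += b"\x00" * (2 * (word_count - 1))  # remaining parameter words
    smb = header + params + struct.pack("<H", 0)   # ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


SAMPLE_ACCEPT = constructed_smb1_reply(0, 17)             # SMBv1 enabled
SAMPLE_REJECT = constructed_smb1_reply(NO_DIALECT, 1)     # SMBv1 refused
SAMPLE_SMB2 = b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60  # SMB2 answer

if __name__ == "__main__":
    import sys
    print(probe_smb1(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python probe.py <host>` against your own machines. A host that negotiates SMB1 is exposed to the worm unless MS17-010 is installed; disabling SMBv1 entirely is the safer fix where nothing depends on it.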

Given the impact, Microsoft yesterday released special patches for Windows XP, Windows 8 and Windows Server 2003: these systems are still widely used but no longer receive regular security updates like the more recent versions of Windows.

It is worth mentioning that even if you have everything up to date, the ransomware itself can still reach your computer like any other malware, through spam emails, links, fake programs and various social engineering techniques. The Windows vulnerability was simply used to spread it further once it was inside a network.

In the following map of https://intel.malwaretech.com you can see the scope of the attack, affecting practically all countries, including Uruguay:

And here you can see a real-time map with active infections: intel.malwaretech.com/WannaCrypt.html

Once WannaCry runs on a computer, it starts encrypting all kinds of files, from .jpg, .doc and .mp4 to extensions you have probably never seen, using 2048-bit RSA to protect the encryption keys (each file is encrypted with its own AES key, which is in turn encrypted with the RSA public key). It does not encrypt the entire hard drive, only the files reachable by the Windows user under which it is running.

Then a window like the following appears (shared on Twitter by @assolini):

At the moment there is no way to break the encryption and recover the files, and it is recommended not to pay: it finances the criminals, and there is no guarantee that the files will be recovered. What you should do is remove the malware from the computer and recover the files another way, for example from backups.

Update: a tool has been developed that can help recover files under certain conditions.

In the image you can see the Bitcoin address to which the ransom must be paid. It is not the only address they are using to receive payments, but this one alone has received 23 transactions according to blockchain.info, roughly $6,900.

Other addresses that have been identified can be seen in the following tweet from a researcher, totalling about 17 thousand dollars received, which is not much considering the magnitude of the attack, although many victims are surely still deciding what to do to recover their files:

Update: currently (05/14 at 01:15, UTC-3) the three addresses together have received 16.45162378 BTC, almost 30 thousand dollars.

How to protect yourself from WannaCry?

Update: Telefónica has developed a tool that can help recover files encrypted by WannaCry; the details can be found here.

In 2007 I wrote this article titled Is it good to update Windows? And 10 years later many people still wonder about it, and some even consider it a bad idea, when in fact the opposite is true.

Updates to any operating system or program usually include security patches that fix vulnerabilities, such as the one exploited by WannaCry.

Therefore, everything should be kept up to date. Where that is not possible because of compatibility issues with some application, apply measures that reduce the impact of a possible attack: do not work day-to-day as the Windows Administrator user, limit permissions, among other measures.

Against ransomware specifically, the best defence is backups that are updated periodically and kept disconnected from the machines they protect, so that the ransomware cannot encrypt them too.

It is also necessary to use an antivirus, even though some ill-informed IT people will tell you it is useless. Many have functions that detect complex attacks and block them before they cause any damage. Of course they are not 100% effective, but nothing in security guarantees absolute protection.

There are also specific tools to protect against ransomware, such as Latch ARW, Malwarebytes Anti-Ransomware and AntiRansom 2.0, all of which block WannaCry.

WannaCry and Telefónica:

I cannot fail to mention @chemaalonso in all this, perhaps the most visible face of the company when it comes to security, since he was the center of attention in much of the Spanish-speaking world, mainly in Spain.

This ransomware affected hospitals, universities, government institutions and companies around the world. Telefónica was one of them and one of the first to report the attack, and it also helped other companies and antivirus vendors create the signatures that detect the malware.

For more details, I recommend the article Chema has published on his blog, The #WannaCry Ransomware Attack, where he clearly explains everything that happened and the actions they took during the incident.

Final comments:

Something interesting about this massive attack is the Windows vulnerability that was exploited to increase the spread of WannaCry. Here you can find technical details and how to test it with Metasploit, thanks to the Argentine researcher Sheila Berta.

As I mentioned at the beginning, the vulnerability was patched by Microsoft in March, after having been used as a 0-day. A few weeks later a group called The Shadow Brokers leaked a series of exploits from the United States National Security Agency (NSA), and among them was one that exploited precisely this Windows vulnerability.

This raises an obvious question: if they had this tool in their possession, what other 0-days do they currently hold and are able to use? We have already seen the impact a single one can have.

Finally, a peculiarity of this version of WannaCry: the researchers analysing samples of the malware discovered that, before doing anything else, it tries to connect to the following domain:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If the connection succeeds, the malware exits without encrypting anything or attacking other systems on the network; if the connection fails, it activates, encrypts the files and spreads.

Why did the creators do this? It is suspected that it was an anti-sandboxing mechanism: analysis sandboxes typically answer every DNS query and connection attempt so that malware reveals its behaviour, so a successful connection to a domain that should not exist tells the malware it is being analysed. But the domain was unregistered, so a researcher registered it; it now always responds successfully, which stopped the attack, acting as a kill switch. The story and details can be read in this article on malwaretech.com.
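For a defender the kill switch also leaves a useful trace: any host that looked up that domain ran the malware. The following is an added example, not code from the original post or from malwaretech.com, that triages resolver logs for those lookups. The log format (`<timestamp> <client-ip> <qname> <qtype> <rcode>`) and the sample lines are constructed for illustration, not the format of any particular DNS server, and the verdict labels are my own.

```python
"""Triage resolver logs for hosts that looked up the WannaCry kill-switch domain.

Added example, not code from the original post or from malwaretech.com.
A host that resolved the kill-switch domain ran the malware but was halted by
it, so it is infected and still needs cleaning and patching; a host whose
lookup failed had nothing to stop it and should be treated as detonated.
The log format below is constructed (<timestamp> <client-ip> <qname> <qtype>
<rcode>), not the format of any particular DNS server.
"""
import re
from collections import defaultdict

KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<rcode>[A-Z]+)$"
)

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2017-05-12T10:02:11Z 10.0.0.5 www.example.com A NOERROR
2017-05-12T10:02:40Z 10.0.0.5 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NXDOMAIN
2017-05-12T10:03:02Z 10.0.0.9 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A NOERROR
2017-05-12T10:05:17Z 10.0.0.12 updates.example.net A NOERROR
this line is malformed and must be skipped
2017-05-12T10:06:00Z 10.0.0.5 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NOERROR
"""


def normalise_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot so FQDN variants compare equal."""
    return qname.rstrip(".").lower()


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_kill_switch_lookups(lines, domains=KILL_SWITCH_DOMAINS):
    """Map client IP -> list of (timestamp, rcode) for kill-switch lookups."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and normalise_qname(rec["qname"]) in domains:
            hits[rec["client"]].append((rec["ts"], rec["rcode"]))
    return dict(hits)


def triage(hits):
    """Per-host verdict. Any failed lookup means the kill switch could not
    fire for that run, so the host is treated as detonated."""
    verdicts = {}
    for client, events in hits.items():
        failed = [ts for ts, rcode in events if rcode != "NOERROR"]
        verdicts[client] = "detonated-suspect" if failed else "halted-by-killswitch"
    return verdicts


if __name__ == "__main__":
    results = triage(find_kill_switch_lookups(SAMPLE_LOG.splitlines()))
    for host, verdict in sorted(results.items()):
        print(host, verdict)
```

A successful DNS answer is only half the picture: the malware's check is an HTTP connection, not a DNS lookup, so a host that resolves the name but can only reach the internet through a proxy the malware does not use still detonates. Treat the DNS hits as the starting list and confirm against proxy or firewall logs.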

Of course, it cannot be ruled out that other variants of the ransomware without this check will appear, or other malware that takes advantage of the same Windows vulnerability to spread.

WannaCry around the world, spread even to ATMs!: