WannaCry Ransomware

All you need to know about WannaCry

WannaCry has taken the world by storm. It is a ransomware cryptoworm that targets unpatched Windows systems: its authors built it on the EternalBlue exploit, which abuses a flaw in the Windows SMBv1 server that Microsoft fixed in security update MS17-010, released on March 14, 2017. The exploit gives the attacker code execution on the victim's PC, which is used to install the encryptor. Once installed, the encryptor encrypts the victim's files.


If the patch is already installed, the SMB vulnerability cannot be exploited, so the worm cannot use it to reach the machine. Industry experts caution, however, that the patch alone is not a complete defence: it closes the propagation path, not the encryptor itself, which can still run if it reaches a machine by some other route.

Once a system is compromised, WannaCry tries to spread across the local network to other PCs, behaving as a network worm. It scans other hosts for the same SMB vulnerability that EternalBlue exploits and, whenever it finds a vulnerable machine, compromises it and encrypts its data in turn.

WannaCry encrypts any kind of data, personal or business: documents, videos, pictures and other file formats that hold sensitive user data. The encrypted files become inaccessible to the user.

Once installed, it encrypts files and demands a ransom payment from the user to decrypt them and get the files back. WannaCry is a worm that carries a malicious payload; it combines two primary components:

  • Worm module - handles self-propagation to other hosts.

  • Ransom module - encrypts the files and data and demands the ransom for decrypting them.

The anatomy of WannaCry

The initial infection vector is still unclear. There has been widespread discussion claiming that the infection was delivered by email, but there is no firm evidence to rely on.

Given the pattern of the infection timeline, it is plausible that only a few targets were the initial victims of the worm, after which its propagation routine took over and infected further PCs from the ones already compromised.

WannaCry is a modular piece of malware with two key parts, a worm module and a ransomware module. The ransomware module is spread by the companion worm module. The worm module uses the Microsoft Windows SMB Server Remote Code Execution Vulnerabilities CVE-2017-0144 and CVE-2017-0145 (both addressed by MS17-010) to infect the victim system.
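The SMB scanning behaviour described above leaves a distinctive trace: one source opening TCP/445 connections to many distinct peers in a short window. The following PowerShell is an added example, not code from the original article or from Comodo; it parses Windows Firewall log lines in the pfirewall.log field layout and flags sources whose fan-out to port 445 crosses a threshold. The sample lines are constructed for the example, as if the logs had been collected centrally, and the threshold of 10 is an assumption to be tuned per network.

```powershell
# Added example (not from the original article): flag hosts that fan out to TCP/445 on
# many distinct peers, the pattern WannaCry's worm module produces while scanning the
# LAN for SMB targets. Parses Windows Firewall log lines (pfirewall.log layout).

function Get-SmbScanners {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # Distinct 445 peers within the log window before a source is flagged (assumed value; tune per network).
        [int]$Threshold = 10
    )
    $peers = @{}
    foreach ($line in $LogLines) {
        # Skip the #Version/#Fields header and blank lines.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # Field order: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        # Count DROP as well as ALLOW: a blocked probe is still evidence of scanning.
        $src = $f[4]; $dst = $f[5]
        if (-not $peers.ContainsKey($src)) {
            $peers[$src] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$peers[$src].Add($dst)
    }
    foreach ($src in $peers.Keys) {
        if ($peers[$src].Count -ge $Threshold) {
            [pscustomobject]@{ Source = $src; DistinctSmbPeers = $peers[$src].Count }
        }
    }
}

# Constructed sample log: 10.0.0.5 talks to two file servers (normal use);
# 10.0.0.77 probes 30 addresses in the same /24 on port 445 (worm-like scanning).
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2017-05-12 09:00:01 ALLOW TCP 10.0.0.5 10.0.0.10 49152 445 52 S 100 0 8192 - - - SEND'
    '2017-05-12 09:00:03 ALLOW TCP 10.0.0.5 10.0.0.11 49153 445 52 S 101 0 8192 - - - SEND'
)
1..30 | ForEach-Object {
    $sample += "2017-05-12 09:01:{0:D2} DROP TCP 10.0.0.77 10.0.0.$_ 5{0:D4} 445 52 S 200 0 8192 - - - RECEIVE" -f $_
}

Get-SmbScanners -LogLines $sample
# Against a real host log:
# Get-SmbScanners -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Only 10.0.0.77 is reported (30 distinct peers); the ordinary client with two file servers stays below the threshold. Run against logs from several hosts at once to see a scanner that is hitting targets one at a time.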

The ransom demand: US$300 to US$600, payable in bitcoin.

Confirming the ransomware infection

Devices compromised by WannaCry display a black background image with instructions in red text.

A step-by-step procedure for paying the demanded ransom is shown to the victim.

The ransomware locks the user's data files and appends the extension .WCRY to each locked file (.WNCRY in the variant that spread in May 2017).

Victims will also find unfamiliar files in the folders where their data was encrypted:

!Please Read Me!.txt

@WanaDecryptor@.exe.lnk

!WannaDecryptor!.exe.lnk

@Please_Read_Me@.txt

One of these text files is a note to the victim explaining how the ransom is to be paid.
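To confirm an infection across a drive or share rather than folder by folder, the indicators above can be swept for automatically. The script below is an added example, not code from the original article or from Comodo: it searches a path for the listed note file names and the .WCRY/.WNCRY extensions and summarises the hits per folder, counting renamed files and ransom notes separately, since a note file found next to renamed data is far stronger evidence than either alone.

```powershell
# Added example (not from the original article): sweep a drive or share for the on-disk
# indicators described above and summarise them per folder. The note file names and the
# .WCRY/.WNCRY extensions are the indicators named in the text; the script itself is
# illustrative and is not a Comodo tool.

function Find-WannaCryArtifacts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$NoteNames = @(
            '!Please Read Me!.txt',
            '@WanaDecryptor@.exe.lnk',
            '!WannaDecryptor!.exe.lnk',
            '@Please_Read_Me@.txt'
        ),
        [string[]]$Extensions = @('.WCRY', '.WNCRY')
    )
    # -Force includes hidden files; access errors on locked folders are skipped, not fatal.
    # -contains is case-insensitive in PowerShell, so .wncry and .WNCRY both match.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $NoteNames -contains $_.Name -or $Extensions -contains $_.Extension } |
        Group-Object DirectoryName |
        ForEach-Object {
            [pscustomobject]@{
                Folder         = $_.Name
                EncryptedFiles = @($_.Group | Where-Object { $Extensions -contains $_.Extension }).Count
                RansomNotes    = @($_.Group | Where-Object { $NoteNames -contains $_.Name }).Count
                # Most recent write in the folder approximates when the encryptor reached it.
                LastWrite      = ($_.Group | Measure-Object LastWriteTime -Maximum).Maximum
            }
        } |
        Sort-Object LastWrite -Descending
}

# Typical use, on the affected host or from an admin workstation with the share reachable:
# Find-WannaCryArtifacts -Path 'C:\Users'
# Find-WannaCryArtifacts -Path '\\fileserver\shared' | Export-Csv wannacry-ioc.csv -NoTypeInformation
```

Sorting by the latest write time puts the most recently touched folders first, which helps establish when the encryption run started and whether it is still in progress.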

Preventive measures

The critical concern with WannaCry infecting so many machines in so short a time is that it spreads by itself by exploiting vulnerable Windows systems. Once one system is compromised, the malware works its way into every other reachable system on the local network.

An ounce of prevention is worth a pound of cure. With the proper solutions in place, endpoints can stay ahead of these threats. IT administrators should implement the following:

1. Install Microsoft's patches - patches are available for all versions of Windows, the latest as well as earlier, out-of-support releases. The security update closes the vulnerability and prevents the ransomware from using it to infect the system.

2. If the patch cannot be installed, use a firewall to block TCP port 445 so the attack cannot reach the host over the network. Treat this as a last resort, since blocking the port also blocks legitimate SMB services such as file and printer sharing.

3. Ensure that every system connected to your network is covered by robust endpoint protection and is either updated with the latest patches or has port 445 blocked by a firewall.

4. Deploy Comodo Endpoint Security with its integrated anti-malware engine, which protects against ransomware without interfering with the normal operation of the computer.
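Steps 1 to 3 can be audited and, where needed, applied on a single host from PowerShell. The script below is an added example and is not from the original article or from Comodo. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (the Smb* and NetFirewall cmdlets do not exist on Windows 7), uses the KB numbers under which MS17-010 shipped in March 2017, and adds one measure beyond the list: turning off the SMBv1 server that EternalBlue targets, which stops the exploit even where the patch check is inconclusive. The firewall rule name is an assumption.

```powershell
# Added example (not from the original article or from Comodo): audit one Windows host
# against steps 1 to 3 above and optionally apply the host-side mitigations.
# Requires an elevated session on Windows 8.1 / Server 2012 R2 or later.

# KBs that delivered MS17-010 in March 2017 (security-only and monthly rollup packages).
# Later cumulative updates supersede these, so a fully patched host may list none of them;
# that is why the SMBv1 state and the port 445 rule are checked as well.
$Ms17010Kbs = @(
    'KB4012598',                          # Vista, Server 2008, Windows 8, and the XP/2003 out-of-band release
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)
# Rule name is an assumption for this example; use whatever your change control requires.
$RuleName = 'Block inbound SMB (TCP 445) - MS17-010 mitigation'

function Get-Ms17010Posture {
    $kb   = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
    $smb  = Get-SmbServerConfiguration
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Ms17010KbInstalled = [bool]$kb
        Smb1ServerEnabled  = $smb.EnableSMB1Protocol
        Port445BlockRule   = [bool]$rule
        # Likely exposed only if the server still speaks SMBv1, no listed KB is present
        # and nothing blocks the port. A superseded KB can make this a false positive.
        LikelyExposed      = ($smb.EnableSMB1Protocol -and -not $kb -and -not $rule)
    }
}

function Invoke-Ms17010Mitigation {
    param(
        # Step 2 is a last resort: blocking 445 also blocks legitimate file and printer sharing.
        [switch]$BlockPort445
    )
    # EternalBlue targets the SMBv1 server; SMBv2/3 clients keep working after this.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($BlockPort445 -and -not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public, Private | Out-Null
    }
    Get-Ms17010Posture
}

Get-Ms17010Posture
# To remediate:  Invoke-Ms17010Mitigation               (disable the SMBv1 server only)
#                Invoke-Ms17010Mitigation -BlockPort445  (additionally block inbound 445 on Public/Private profiles)
```

The block rule is limited to the Public and Private profiles so that domain-joined machines keep file sharing on the corporate network; widen it to the Domain profile only if step 2 really is the only option left.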

If you are an existing user of Comodo Lab solutions

Existing users are already ahead of ransomware, including the current WannaCry outbreak, thanks to forward-looking security mechanisms. A few extra preventive measures on top of the existing security system will keep your data out of the hackers' reach:

Bring your systems and network up to date with the latest patches.

Run, or automate, an immediate scan whenever suspicious activity is seen, so that the ransomware is stopped before it encrypts files.

If the scan reports MEM:Trojan.Win64.EquationDrug.gen, remove it immediately and restart the system.

Deploy backup software so that data is not lost outright and users are not left stranded.

Deploy a robust, dedicated email security system to inspect all inbound and outbound email.

How to remove the ransomware

There is no dedicated WannaCry or CryptoLocker removal tool. Instead, if your client PCs are infected with ransomware and your data is encrypted, take these steps:

  • Do not pay the ransom.
  • If you do pay the ransom:
      • There is no guarantee that the attacker will supply a way to unlock your PC or decrypt your files.
      • The attacker uses the ransom money to fund further attacks against other users.
  • Isolate the infected PC before the ransomware can attack the network drives it has access to.
  • Use Comodo Endpoint Protection Manager to update the virus definitions and scan the client PCs.
  • New definitions are likely to detect and remediate the ransomware. Comodo Endpoint Protection Manager automatically downloads virus definitions to the client, as long as the client is managed by and connected to the Comodo Endpoint Protection system.
  • Restore the damaged files from backup.