WannaCry Ransomware: What is it? What Can You Do if You Become a Ransomware Victim?


Author Name: Rajiv Kumar
Email: rajiv.kr.147@gmail.com
Date: 16th May 2017

WannaCrypt Ransomware, also known by the names WannaCry, WanaCrypt0r or Wcrypt, is ransomware that targets Windows operating systems. Discovered on 12th May 2017, WannaCrypt was used in a large cyber-attack and has since infected more than 230,000 Windows PCs in 150 countries.

(Photo Source: comparitech.com)

What is WannaCry Ransomware?

Ransomware is a kind of cyber attack in which hackers take control of a computer system and block access to it until a ransom is paid, displaying a message that requests payment to unlock it.

What does Ransomware do?

There are different types of Ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.

(Photo Source: @fendifille/Twitter)

Ransomware can target any PC user, whether on a home computer, an endpoint in an enterprise network, or a server used by a government agency or healthcare provider. Ransomware can:

Prevent you from accessing Windows.

Encrypt files so you can't use them.

Stop certain apps from running (like your web browser).

Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.

How does your computer become infected with Ransomware?

In most cases, the software infects computers through links or attachments in malicious messages known as phishing emails. "The age-old advice is to never click on a link in an email," said Jerome Segura, a senior malware intelligence researcher at Malwarebytes, a San Jose-based company that has released anti-ransomware software. "The idea is to try to trick the victim into running a malicious piece of code." The software usually is hidden within links or attachments in emails. Once the user clicks on the link or opens the document, their computer is infected and the software takes over.

How does Ransomware work?

The Ransomware encrypts data on the computer using an encryption key that only the attacker knows. If the ransom isn't paid, the data is often lost forever. When the Ransomware takes over a computer, the attackers are pretty explicit in their demands. In most cases, they change the wallpaper of the computer and give specific instructions telling the user how to pay to recover their files; the price can double if the amount isn't paid within 24 hours. Law enforcement officials have discouraged people from paying these ransoms.

An Example of How Ransomware Works

Here’s an example of the stages of a “Locky” attack originating from a spear-phishing email. Hackers could send an employee a phishing email that looks like it comes from their boss asking them to open a link. But it actually links to a malicious website that surreptitiously downloads the virus onto their computer.

1. End user receives an email that appears to be from their boss. It contains a URL to a SaaS application such as Salesforce, Workday or ZenDesk.
2. The link opens a browser window and directs the user to a website that seems legitimate. It’s actually a landing page for an exploit kit hosted in a .co.cc top-level domain (TLD).
3. Upon loading the page, the web server hosting the exploit kit begins communicating with the victim machine. The server sends requests about versions of software such as Java to find a vulnerable version for which the kit has an exploit.
4. When a vulnerable version is confirmed, the kit attempts to exploit the vulnerability. Once successful, the exploit kit pushes down a malicious .EXE file – let’s call it “ransomware.exe.” The malicious binary on the victim machine then attempts to execute.
5. From this beachhead, the binary spawns child processes, including vssadmin.exe (shadow copy), to delete existing shadows on the victim machine and create new ones to hide in. The attacker does this to limit the possible recovery of files by the victim using Shadow Copies that Windows stores on a system.
6. The binary uses a PowerShell executable to propagate copies of itself throughout the filesystem. The executable also searches the filesystem for files of specific extensions and begins to encrypt those files.
7. The powershell.exe child process creates three copies of the originating malware binary, first in the AppData directory, next in the Start directory, and finally in the root C:\ directory. These copies are used in conjunction with the registry modifications to restart the malware upon reboot and login events.
8. After encrypting the victim’s files, the malware sends the encryption key and other host-specific information back to the command-and-control server.
9. The server then sends a message to the victim. This could be a simple “alert user of encryption and directions on paying us.” It could also include directions that result in downloading additional malware, which enables the attacker to steal credentials from the victim as well.
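As an added illustration (not part of the original article), the Python example below shows how a defender could flag steps 5 and 7 of this chain in endpoint telemetry: a vssadmin.exe shadow-copy deletion and a powershell.exe process writing .exe copies into AppData, a Startup folder or the root of C:\, both under the same parent process. The event fields, the sample records and the reading of "Start directory" as the Startup folder are assumptions made for the example.

```python
import re

# Constructed events modelled loosely on Sysmon process-creation (id 1) and
# file-creation (id 11) records; every name, PID and path is illustrative.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VSS = r"C:\Windows\System32\vssadmin.exe"
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 880, "image": r"C:\Users\amy\Downloads\ransomware.exe", "cmd": "ransomware.exe"},
    {"id": 1, "pid": 4200, "ppid": 4120, "image": VSS, "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 1, "pid": 4300, "ppid": 4120, "image": PS, "cmd": "powershell.exe -File c.ps1"},
    {"id": 11, "pid": 4300, "target": r"C:\Users\amy\AppData\Roaming\svc.exe"},
    {"id": 11, "pid": 4300, "target": r"C:\svc.exe"},
    {"id": 1, "pid": 5000, "ppid": 700, "image": VSS, "cmd": "vssadmin.exe list shadows"},
    {"id": 11, "pid": 5100, "target": r"C:\Users\amy\Documents\report.docx"},
]

# Step 7 drop locations: AppData, a Startup folder (assumed meaning of the
# page's "Start directory") and the root of the C: drive.
DROP_PATHS = re.compile(
    r"^C:\\(?:[^\\]+|Users\\[^\\]+\\AppData\\.*"
    r"|.*\\Start Menu\\Programs\\Startup\\[^\\]+)\.exe$", re.IGNORECASE)

def detect(events):
    """Return {root image: behaviours} for trees showing steps 5 and 7."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    def root(pid):
        # Walk up to the oldest ancestor that is present in the log.
        seen = set()
        while pid in procs and procs[pid]["ppid"] in procs and pid not in seen:
            seen.add(pid)
            pid = procs[pid]["ppid"]
        return pid

    hits = {}  # root pid -> set of behaviours seen in that process tree
    for e in events:
        proc = procs.get(e["pid"])
        image = proc["image"].lower() if proc else ""
        if (e["id"] == 1 and image.endswith("\\vssadmin.exe")
                and re.search(r"delete\s+shadows", e["cmd"], re.I)):
            hits.setdefault(root(e["pid"]), set()).add("shadow_copy_deletion")
        elif (e["id"] == 11 and image.endswith("\\powershell.exe")
                and DROP_PATHS.match(e["target"])):
            hits.setdefault(root(e["pid"]), set()).add("powershell_exe_drop")
    # Alert only when one tree shows both behaviours, to cut false positives.
    return {procs[r]["image"]: sorted(b) for r, b in hits.items() if len(b) == 2}

if __name__ == "__main__":
    print(detect(EVENTS))
```

Requiring both behaviours in one process tree keeps a routine `vssadmin list shadows` or an ordinary document save from raising an alert.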

How much do hackers demand?

Ransomware often demands between 0.3 and 1 Bitcoin, but it can also demand a payment denominated in dollars (between $300 and $500) and made via Bitcoin. The digital currency is popular among cybercriminals because it is decentralized, unregulated and practically impossible to trace.

Should you pay the ransom?

Victims are advised not to pay the ransom, as it encourages the attackers. Even if victims pay the amount, there is no guarantee that all files will be returned to them intact. Instead, the best thing to do is restore all files from a backup. If this isn't possible, there are some tools that can decrypt and recover some information.

What can you do if you become a Ransomware Victim?

If you find yourself falling victim to ransomware, there are a handful of things you can do to gain access to your computer or files.

1. Disconnect from the Internet immediately and don’t panic! The first thing you should do if you are a victim of ransomware is to disconnect your infected device from the Internet and any other devices in your home. This can help prevent any potential spread of the infection to your other devices.
2. Try to avoid paying the ransom. The best long-term strategy for beating ransomware is to never pay and to make sure you back up your files, either through a backup service or manually with an external hard drive.
3. Do your research. It’s a good idea to do some research using Google or another search engine to identify the name of the ransomware, as it’ll help inform you of the best course of action. If you can’t spot an obvious name for your ransomware, as a last resort, any text in the ransom note can be Googled to help you determine which one you’re dealing with.
4. Remove the ransomware from your device. Once you have a better understanding of what type of ransomware you’re dealing with, you have a couple of options: try some troubleshooting yourself or bring your device to an expert.
5. Contact law enforcement. Ransomware hackers are criminals, and what they’re doing is a crime, so you can and should contact law enforcement to report it if you are a ransomware victim.
6. Restore the system using your backups. If you can’t identify where the ransomware came from, it might be a good idea to restore from an older backup to be on the safer side.
7. Use Ransomware prevention or removal tools. Use good free anti-ransomware software. BitDefender, AntiRansomware and RansomFree are some of the good ones. You may use RanSim Ransomware Simulator to check if your computer is sufficiently protected. Kaspersky WindowsUnlocker can be useful if the Ransomware totally blocks access to your computer or even restricts access to select important functions, as it can clean up a ransomware-infected Registry.

What can you do to avoid being a ransomware victim? How to prevent the infection?

Ransomware is currently rampant on the Internet, and shows no signs of slowing down. Cybercriminals are making too much money on it. Here are helpful tips on how you can defend yourself from a likely attack.

1. Don’t interact with spam emails. By clicking links or opening suspicious attachments, you could be inviting ransomware, or other malware, onto your computer. Just delete spam immediately without opening it.
2. Avoid suspicious sites and downloads. Web sites that illegally promise free software, music, and movies are often bait to lure in unsuspecting victims.
3. Keep regular backups of your important files. If you can, store your backups offline, for example in a safe-deposit box, where they can’t be affected in the event of an attack on your active files.
4. Use an anti-virus, and keep it up to date. Install and use an up-to-date antivirus solution such as Microsoft Security Essentials.
5. Keep your operating system and software up to date with patches. Malware like this finds ‘vulnerabilities’ or weak spots in your system if it hasn’t been updated in a while.
6. Review the access control settings on any network shares you have, whether at home or at work. Don’t grant yourself or anyone else write access to files that you only need to read. Don’t grant yourself any access at all to files that you don’t need to see – that stops malware seeing and stealing them, too.
7. Don’t give administrative privileges to your user accounts. Privileged accounts can “reach out” much further and more destructively both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.

List of Ransomware Decryptor Tools: http://www.thewindowsclub.com/list-ransomware-decryptor-tools

