In late June, a email scam called WannaSpam emerged. Hundreds of computer users reported being sent an email from someone (or multiple people), claiming to be the developers of WannaCry. The email threatened to destroy the victims' data unless they sent 0.1 BTC to the Bitcoin address of the hackers.
This program can be delivered the same way a trojan is, it is loaded through hyperlinks run by emails, Dropbox link, or advertisement. When run, the ransomware will quickly encrypt the files on the computer using the same encryption method Instant Messaging uses, except only those used by the system. It also has the ability to attack network drives as well.
From version 2.0 and above of this ransomware, instead of using spam emails, spoofed links or advertisement as means of transfer, it behaves like a worm. With the help of remote malicious code, it actively attacks every vulnerable computer on the infected computer's network.
It scans for TCP and UDP ports 139 and 445 (SMB) from the computers, if found listening and the host is found vulnerable to this attack, it will download itself into the host and start its execution.
ExploitsThis ransomware uses the EternalBlue exploit kit leaked by The Shadow Brokers, which was patched by Microsoft on March 14. However, many companies and organizations have not installed this patch. Due to the damage that the ransomware caused, Microsoft launched a patch for Windows XP, Windows Server 2003, and Windows 8, which all have been no longer supported at the time. Many antivirus vendors and computer security companies have also created programs to "immunize" against the NSA hacking tools.
StoppingOn May 14, a British network engineer Darien Huss, found that the ransomware searches an unregistered domain with nonsense letters and numbers. If the website is found, the ransomware will stop the spread. Darien shared the "Kill Switch" with a man named MalwareTech on the Internet. They bought the domain to stop the ransomware. This ultimately significantly slowed the spread of WannaCry. Eventually, the developer updated the ransomware to remove this "kill switch"
Decryption tool released
Adrien Guinet, a French security researcher from Quarkslab, found that the ransomware did not remove the prime numbers from memory after encrypting the files, meaning that the user can use these numbers to generate the pair of public key and private key again.
Before generating a pair of RSA encryption keys, the system will need to choose two prime numbers. After generation of these keys, the numbers should be kept secret to prevent other users (such as hackers) to use them to regenerate the private key.
The WanaKiwi tries to find out the prime numbers left by the ransomware and generates the private key, so that the user might not need to pay the ransom for files decryption. However there are some limits, otherwise the decryption tool might not be able to help decrypt the files:
- The infected machine should have never been rebooted.
- Since the memory location for these prime numbers are no longer allocated, they could be erased or overwritten by other processes, so the decryption tool should be started as early as possible in order to find the numbers.
However, in most cases, the system has already rebooted and therefore the decryptor is not suitable in most cases.
Other LanguagesWannaCry provides translations for these langauges:
- Chinese (Simplified)
- Chinese (Traditional)
Affected Organizations (according to Wikipedia)
- São Paulo Court of Justice (Brazil)
- Aristotle University of Thessaloniki (Greece)
- Vivo (Telefônica Brasil) (Brazil)
- Lakeridge Health (Canada)
- PetroChina (China)
- Public Security Bureaus (China)
- Sun Yat-sen University (China)
- Instituto Nacional de Salud (Colombia)
- Renault (France)
- Deutsche Bahn (Germany)
- Telenor Hungary (Hungary)
- Andhra Pradesh Police (India)
- Dharmais Hospital (Indonesia)
- Harapan Kita Hospital (Indonesia)
- University of Milano-Bicocca (Italy)
- Q-Park (Netherlands)
- Portugal Telecom (Portugal)
- Automobile Dacia (Romania)
- Ministry of Foreign Affairs (Romania)
- MegaFon (Russia)
- Ministry of Internal Affairs (Russia)
- Russian Railways (Russia)
- Banco Bilbao Vizcaya Argentaria (Spain)
- Telefónica (Spain)
- Sandvik (Sweden)
- Garena Blade and Soul (Thailand)
- National Health Service (United Kingdom)
- Nissan UK (United Kingdom)
- FedEx (United States)
- STC (Saudi Arabia)
- Boeing (United States)
- Cambrian College (Canada)
- Chinese public security bureau (China)
- CJ CGV (South Korea)
- Dalian Maritime University (China)
- Faculty Hospital (Slovakia)
- Guilin University Of Aerospace Technology (China)
- Guilin University Of Electronic Technology (China)
- Hezhou University (China)
- Hitachi (Japan)
- Honda (Japan)
- LATAM Airlines Group (Chile)
- NHS Scotland (Scotland)
- O2 (Germany)
- Petrobrás (Brazil)
- Pulse FM (Australia)
- Sberbank (Russia)
- Shandong University (China)
- Government of Gujarat (India
- Government of Kerala (India)
- Government of Maharashtra (India)
- Government of West Bengal (India)
- Suzhou Vehicle Administration (China)
- Telkom (South Africa)
- Timrå Municipality (Sweden)
- TSMC (Taiwan)
- Universitas Jember (Indonesia)
- University of Montreal (Canada)
Including the very first version, there are 5 known versions:
- Version 1.0 - April 25, 2017
- Version 2.0 - May 13, 2017
- Version 2.1 - May 14, 2017
- Version 2.2 - May 15, 2017
- Version 3.0 - June 12, 2017
- actual_ransom a twitterbot, tracking ransom payments of the malware