All you want to know about the WannaCry virus
Source: Kaspersky
A few days ago, a widespread outbreak of WannaCry, a ransomware Trojan, began to turn into a pandemic threatening the whole world. It was called an epidemic because of its massive spread: it infected more than 45,000 systems in just one day.

What happened?

A large number of major institutions, such as British hospitals, were hit by a simultaneous attack that led to the suspension of their operations. According to third-party data, WannaCry has compromised more than 100,000 computers, which is the main reason it has attracted so much attention.

Russia came first in terms of exposure to the virus. Several other countries, such as Ukraine, India and Taiwan, also suffered from it. In total, 74 countries were affected, all on the first day of the attack.

What is WannaCry?

WannaCry generally attacks in two stages. The first stage, exploitation, aims to infiltrate the computer and spread. The second stage is the encryptor: ransomware that is downloaded to the computer once it has been infected.

This is the main difference between WannaCry and most other ransomware. To infect a computer with typical ransomware, the user has to make a mistake, such as clicking a suspicious link that lets Word run a malicious macro, or downloading a suspicious attachment from an e-mail. WannaCry can infect a system without the user making any error at all.

WannaCry: exploitation and spread

The creators of WannaCry took advantage of the Windows vulnerability known as EternalBlue, which Microsoft fixed in the MS17-010 security update released on March 14 this year. By exploiting this vulnerability, the attackers could remotely access computers and install the ransomware.

If you have installed the update, the vulnerability no longer exists on your computer, and remote attacks that rely on it will fail. Kaspersky Lab's Global Research and Analysis Team (GReAT) wants to point out in particular that patching the vulnerability does nothing against the ransomware itself. So if you somehow run the ransomware yourself (see above about user mistakes), the patch will not protect you.

After WannaCry successfully penetrates a computer, it tries to spread over the local network to reach other computers, just as a computer worm does. It scans other computers for the same vulnerability so that it can exploit them with EternalBlue. When WannaCry finds a vulnerable machine, it attacks it and encrypts the files on it.

Thus, by penetrating a single computer, WannaCry can spread to the entire LAN and encrypt every other computer connected to it. This makes large companies more susceptible to WannaCry attacks: the more computers on the local network, the greater the damage.
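The two points above (the patch stops remote compromise, and the damage grows with the number of reachable computers) can be made concrete with a small blast-radius model. This is an added illustration, not code from the Kaspersky article: the host names, network segments and patch states are constructed for the example, and "same segment" stands in for "reachable over SMB on the LAN". It goes slightly beyond the text by also showing the effect of network segmentation, which limits the worm in the same way a patch does.

```python
"""Blast-radius model for a self-propagating SMB worm on a LAN.

Added example (not from the original article). The network below is
constructed: hosts ws01..ws08 are workstations, fs01 is a file server.
"""
from collections import deque


def worm_blast_radius(hosts, segments, patched, first_infected):
    """Return the set of hosts an EternalBlue-style worm could reach.

    hosts:          iterable of host names.
    segments:       dict host -> segment name; the worm only scans hosts
                    in the same segment as an infected host.
    patched:        set of hosts with the MS17-010 update installed; they
                    are scanned but cannot be exploited, so the worm never
                    lands on them and they never spread it.
    first_infected: the host on which the ransomware first ran. Its own
                    patch state is irrelevant, because (as the article
                    says) the patch does not stop ransomware that the user
                    runs by mistake.
    """
    hosts = set(hosts)
    infected = {first_infected}
    queue = deque([first_infected])
    while queue:
        src = queue.popleft()
        for dst in hosts - infected:
            if segments[dst] != segments[src]:
                continue  # not reachable from this host over the LAN
            if dst in patched:
                continue  # vulnerability closed: remote compromise fails
            infected.add(dst)
            queue.append(dst)  # the new victim scans the LAN in turn
    return infected


def compare_scenarios():
    """Blast radius (number of encrypted hosts) for three constructed LANs."""
    hosts = ["ws01", "ws02", "ws03", "ws04",
             "ws05", "ws06", "ws07", "ws08", "fs01"]
    flat = {h: "lan" for h in hosts}               # one flat network
    segmented = {h: "sales" for h in hosts[:4]}    # sales workstations
    segmented.update({h: "eng" for h in hosts[4:8]})
    segmented["fs01"] = "dc"                       # file server isolated
    half_patched = {"ws05", "ws06", "ws07", "ws08", "fs01"}
    return {
        "flat_unpatched": len(worm_blast_radius(hosts, flat, set(), "ws01")),
        "flat_half_patched": len(worm_blast_radius(hosts, flat, half_patched, "ws01")),
        "segmented_unpatched": len(worm_blast_radius(hosts, segmented, set(), "ws01")),
    }


if __name__ == "__main__":
    for scenario, count in compare_scenarios().items():
        print(f"{scenario}: {count} host(s) encrypted")
```

In the flat, unpatched network a single infected workstation reaches all nine hosts; patching five of them or splitting the LAN into segments both cut the damage to four.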

WannaCry: the encryptor

Because WannaCry is ransomware (it is also called WCrypt; whatever the name, it is logically an encryptor, not a decryptor), it works like other ransomware: it encrypts the files on the computer and then demands a ransom for decryption. It is more or less another version of the infamous CryptXXX Trojan encryptor.

WannaCry encrypts various types of files (the full list is linked here) including, of course, office documents, images, audio files, archives and other formats that may contain data important to the user. Encrypted files are renamed with the .CRY extension (the encryptor's name) and become completely inaccessible.

After that, the Trojan changes the desktop background to an image containing information about the infection and the actions the user must take to recover the files. WannaCry also drops notifications in the form of text files with the same information into every folder on the computer, to make sure the user gets the message.

As usual, all of this comes down to transferring a certain amount of bitcoin to the criminals' wallet, after which the files would supposedly be decrypted. At first the cybercriminals asked for $300 and then decided to raise the price; the latest versions of WannaCry demand a ransom of $600.

The extortionists also threaten that the ransom will increase after 3 days and that it will become impossible to decrypt the files after 7 days. We recommend not paying the ransom, because there is no guarantee that the criminals will decrypt the files after receiving it. In fact, researchers have shown that other cybercriminals sometimes simply delete user data, making it physically impossible to recover the files, yet they continue to demand the ransom as if nothing had happened.
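The artefacts described in this section (files renamed with the encryptor's extension, and a ransom note dropped into every folder) are what an incident responder looks for when scoping the damage and deciding which backups to restore. The script below is an added example, not code from the Kaspersky article: it walks a directory tree and summarises those artefacts. The `.CRY` extension is the one the article reports; the ransom-note file name `PLEASE_READ.txt` is a hypothetical placeholder, and the directory tree it scans is constructed in a temporary folder.

```python
"""Triage a directory tree for ransomware artefacts (added example).

Assumptions, labelled: ENCRYPTED_EXT is the extension the article reports;
NOTE_NAME is a placeholder, not WannaCry's real note file name.
"""
import os
import shutil
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".CRY"            # extension reported in the article
NOTE_NAME = "PLEASE_READ.txt"     # hypothetical ransom-note file name


def triage_tree(root, encrypted_ext=ENCRYPTED_EXT, note_name=NOTE_NAME):
    """Walk `root` and report which folders hold encrypted files or notes.

    Returns a dict with the total number of files carrying the encrypted
    extension, the folders (relative to root) that contain such files, and
    the folders in which a ransom note was dropped.
    """
    encrypted = Counter()
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name.lower().endswith(encrypted_ext.lower()):
                encrypted[rel] += 1
            if name == note_name:
                note_dirs.append(rel)
    return {
        "encrypted_files": sum(encrypted.values()),
        "folders_with_encrypted_files": sorted(encrypted),
        "folders_with_note": sorted(note_dirs),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a hit workstation."""
    root = tempfile.mkdtemp(prefix="wcry-triage-")
    layout = {
        # user data: encrypted (renamed) plus a note in each folder
        "Documents": ["report.docx.CRY", "budget.xlsx.CRY", NOTE_NAME],
        "Pictures": ["holiday.jpg.CRY", NOTE_NAME],
        # program binary left alone, but the note still appears
        os.path.join("Program Files", "App"): ["app.exe", NOTE_NAME],
    }
    for sub, files in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


def triage_sample():
    """Build the constructed tree, triage it, and clean up."""
    root = build_sample_tree()
    try:
        return triage_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

On a real machine you would point `triage_tree` at the user's profile or a mounted disk image; the list of folders with encrypted files tells you what to restore from backup, and the presence of the note in folders with no encrypted files shows the ransomware visited them but found nothing on its target list.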

How was the spread of infection temporarily stopped? Why isn't the epidemic over yet?

Interestingly, a MalwareTech researcher managed to stop the spread of infection temporarily by registering a domain with a long, meaningless name.

Some versions of WannaCry turned out to contact this very domain: if they get no positive response, they install the encryptor and start their dirty work. If there is a response (that is, the domain has been registered), the malware stops all of its activity.

After finding a reference to this domain in the Trojan's code, the researcher registered it and so temporarily halted the attack. Over the rest of the day the domain was queried tens of thousands of times, saving tens of thousands of computers from infection.

One theory is that this function was meant as a "circuit breaker" in case something went wrong. Another theory, supported by the same researcher, is that it is one of the methods used to complicate analysis of the malware's behaviour: the sandboxes used in research often deliberately return a positive response for any domain, and in that case the Trojan encryptor does nothing in the test environment.

Unfortunately, it is enough for the criminals to change the domain name used as the "circuit breaker" in new versions of the Trojan for the virus to resume its attack. So the first day of the WannaCry attack is unlikely to be the last.
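For a defender, the kill-switch behaviour described above is also a detection opportunity: any machine on your network that looked up the "circuit breaker" domain had already been reached by the worm, whether or not the encryptor then ran. The script below is an added example, not code from the Kaspersky article or from MalwareTech. It parses constructed DNS-resolver log lines, splits the hosts that queried the domain by whether the lookup got an answer (the article's "positive response", approximated here by a successful DNS answer, which is an assumption) and returns every such host as a candidate for isolation and patching. The domain name `killswitch-placeholder.example` and the log format are placeholders, not the real values.

```python
"""Find hosts that contacted a ransomware kill-switch domain (added example).

Assumptions, labelled: KILL_SWITCH_DOMAIN is a placeholder for the real
domain; the log format below is constructed for this example; a NOERROR
answer is used as a stand-in for the article's "positive response".
"""
import re

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# One constructed log line per lookup: timestamp, client IP, query type,
# queried name and the resolver's response code.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) query=(?P<qtype>\w+) "
    r"name=(?P<name>\S+) rcode=(?P<rcode>\w+)$"
)

# Constructed sample log: two hosts queried the domain before it was
# registered (NXDOMAIN), two afterwards (NOERROR); one unrelated lookup
# and one malformed line are included to exercise the parser.
SAMPLE_LOG = """\
2017-05-12T09:58:01Z client=10.0.4.17 query=A name=killswitch-placeholder.example rcode=NXDOMAIN
2017-05-12T09:58:02Z client=10.0.4.17 query=A name=update.example.com rcode=NOERROR
2017-05-12T10:03:44Z client=10.0.4.23 query=A name=killswitch-placeholder.example rcode=NXDOMAIN
2017-05-12T15:21:09Z client=10.0.7.5 query=A name=killswitch-placeholder.example rcode=NOERROR
2017-05-12T15:40:12Z client=10.0.7.9 query=A name=killswitch-placeholder.example rcode=NOERROR
2017-05-12T15:41:00Z client=10.0.7.9 query=A name=killswitch-placeholder.example. rcode=NOERROR
this line is malformed and must be skipped by the parser
"""


def parse_dns_log(text):
    """Yield one dict per well-formed log line; silently skip the rest."""
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            yield match.groupdict()


def classify_hosts(text, domain=KILL_SWITCH_DOMAIN):
    """Group clients that queried `domain` by the outcome of the lookup.

    "halted":            the lookup was answered, so the malware stopped.
    "likely_encrypting": no answer, so the encryptor most likely ran.
    Values are lookup counts per client IP.
    """
    result = {"halted": {}, "likely_encrypting": {}}
    for rec in parse_dns_log(text):
        # Normalise a trailing dot and case before comparing names.
        if rec["name"].rstrip(".").lower() != domain.lower():
            continue
        bucket = "halted" if rec["rcode"] == "NOERROR" else "likely_encrypting"
        result[bucket][rec["client"]] = result[bucket].get(rec["client"], 0) + 1
    return result


def hosts_to_isolate(text, domain=KILL_SWITCH_DOMAIN):
    """Every host that queried the domain was reached by the worm."""
    groups = classify_hosts(text, domain)
    return sorted(set(groups["halted"]) | set(groups["likely_encrypting"]))


if __name__ == "__main__":
    for bucket, clients in classify_hosts(SAMPLE_LOG).items():
        print(f"{bucket}: {clients}")
    print("isolate and patch:", hosts_to_isolate(SAMPLE_LOG))
```

The "halted" hosts are the ones the registered domain saved; they still carry the worm's exploitation component and remain unpatched, so they need the MS17-010 update just as urgently as the hosts that were encrypted.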

How do I protect myself from WannaCry?

Unfortunately, nothing can currently be done to decrypt files that WannaCry has encrypted (although our researchers are working on a solution). This means the only way to deal with the infection is to avoid it in the first place.

Here are some tips on how to prevent infection and minimize the damage:

If you already have a Kaspersky Lab security solution installed on your system, we recommend the following: start a manual scan of the critical areas, and if the security solution detects a malicious program such as MEM:Trojan.Win64.EquationDrug.gen (this is how our antivirus solutions detect WannaCry), restart your system.
If you are a current customer, keep the System Watcher module enabled; it is needed to combat new variants of the virus that may appear.
Install software updates. This epidemic is a serious reason for all Windows users to install the MS17-010 security update, especially since Microsoft has released updates even for systems that are no longer officially supported, such as Windows XP and Windows 2003. We mean it: install these updates now! There has never been a more important time to do so.
Make backup copies of your files regularly and store the copies on storage devices that are not permanently connected to your computer. If you have a recent backup, the virus will not be a disaster, though reinstalling the system will still cost you hours. If you do not want to create backups yourself, you can use the integrated backup feature in Kaspersky Total Security, which automates the process.
Use a reliable antivirus program. Kaspersky Internet Security can detect WannaCry both when it tries to penetrate the device and when it attempts to spread over the network. In addition, the integrated System Watcher module can roll back any unwanted changes, which means it will prevent file encryption even by malicious variants not yet listed in antivirus databases.
