What is Ransomware?

As the name suggests, ransomware is malicious software. When you run it, usually without realising what it is, it “encrypts” or locks all the files on your computer so that you can no longer use them. To get your own files back, the attackers demand a sum of money as ransom, hence the term ransomware. They claim they will unlock or “decrypt” your files once you pay the ransom they ask for.

What is WannaCry and how did it spread?

WannaCry (also known as WanaCrypt0r, Wanna Crypt or Wanna Decryptor) uses an exploit named EternalBlue that the NSA developed years ago for its own use. Recently, a hacker group called the Shadow Brokers released the EternalBlue code to the public. Someone then took that code and built it into a program, distributed as an mssecvc.exe or tasksche.exe file, that is essentially the ransomware.

It spreads mostly through e-mail attachments. Unaware users click on the attached mssecvc.exe or tasksche.exe file and thus become victims of this virus. It not only infects the victim’s computer but also spreads itself to other computers on the same network, which magnifies the severity of the attack.

Where did it spread?

The global attack began on Friday, 12th May, when it infected several NHS hospitals in Europe. The most affected countries are Russia, India, Ukraine and Taiwan. The first version affected almost 300000 devices in 150 countries. Because of the enormous storage space that today's hard drives offer, almost everyone keeps their valuable personal files on their computer, which makes this attack seriously harmful.

Who are affected?

This ransomware exploits a vulnerability in the SMB protocol in older versions of the Windows operating system, such as Windows XP, which Microsoft discontinued years ago. Government organizations, as well as individuals, who still use those obsolete versions without any security patch are susceptible to this attack.

How does it work?

Many breakdowns of WannaCry in YouTube videos show the essential components of how the virus works. Since its main objective is to encrypt the user’s files, it needs an encryption key. The virus works perfectly without internet access, so the people behind it evidently hard-coded the key into the program itself.

[Image: WannaCry ransomware attack popup. Source: Wikipedia]

Once the user runs the .exe file, it locks down all files and folders and displays a warning. A popup appears demanding the ransom, and if you refuse to pay, it threatens to permanently delete your files. There is a Contact Us button that you can use to communicate with the attackers. To conceal the destination of this communication, the virus comes with a built-in Tor program that opens up a circuit. The hackers chose Bitcoin as the payment method to hide the traces of the recipient.

That’s not all. The first user is infected when he runs the virus himself. After that, however, the virus propagates to all connected computers through an open SMB port and, worst of all, activates itself without any user confirmation. This technique has amplified the attack to roughly one new infection per second so far.

How to protect yourself from it?

Recently, the security researcher behind the MalwareTech blog discovered that the ransomware has a kill switch built into it.

They looked into this and found that the ransomware checks whether a certain domain name is registered. If it is not, the ransomware runs and continues to spread. So they registered that domain name and found that the spread stopped. They assumed that the developer may have implemented this kill switch on purpose. But a new version, named WannaCry 2.0, soon arose that avoided the kill switch altogether and continued its nefarious work.
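Two behaviours described above give a defender something concrete to look for: the worm fanning out to other machines on the SMB port, and the kill-switch domain lookup, which a machine only performs if the ransomware has already started on it. The following PowerShell is an added example, not code from the original article or from MalwareTech. It assumes DNS and firewall logs already exported into a simplified comma-separated layout (the sample lines are constructed), and it uses a placeholder for the kill-switch domain, which this article does not name.

```powershell
# Added example (not from the original article or from MalwareTech).
# Two defender-side checks derived from the behaviour described above:
#   1. A host that queried the kill-switch domain has already run the
#      ransomware (the check happens before it encrypts anything), so it
#      needs cleaning even if the registered domain made it exit.
#   2. A host opening TCP 445 connections to many different machines in a
#      short time is behaving like the worm component.

# PLACEHOLDER: the real kill-switch domain was registered by MalwareTech
# and is deliberately not reproduced here.
$KillSwitchDomain = 'killswitch-placeholder.example'

# Constructed sample logs in a simplified "time,client,query" and
# "time,src,dst,dstport" layout. Real DNS-server or firewall logs need
# their own parsing step; the decision logic is the same.
$DnsLog = @'
2017-05-12T10:01:03,10.0.0.15,update.example.com
2017-05-12T10:01:07,10.0.0.23,killswitch-placeholder.example
2017-05-12T10:01:09,10.0.0.23,killswitch-placeholder.example
2017-05-12T10:02:11,10.0.0.40,mail.example.com
2017-05-12T10:03:30,10.0.0.77,killswitch-placeholder.example
'@

$FirewallLog = @'
2017-05-12T10:01:10,10.0.0.23,10.0.0.11,445
2017-05-12T10:01:10,10.0.0.23,10.0.0.12,445
2017-05-12T10:01:11,10.0.0.23,10.0.0.13,445
2017-05-12T10:01:11,10.0.0.23,10.0.0.14,445
2017-05-12T10:01:12,10.0.0.23,10.0.0.16,445
2017-05-12T10:01:12,10.0.0.23,10.0.0.17,445
2017-05-12T10:01:20,10.0.0.15,10.0.0.5,445
2017-05-12T10:01:25,10.0.0.15,10.0.0.5,445
2017-05-12T10:01:30,10.0.0.40,10.0.0.9,443
'@

function ConvertFrom-SimpleLog {
    # Split a here-string into trimmed, non-empty lines.
    param([string]$LogText)
    $LogText -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Find-KillSwitchLookups {
    # One row per client that queried the kill-switch domain, with the
    # first time it was seen and how many times it asked.
    param([string]$LogText, [string]$Domain)
    ConvertFrom-SimpleLog $LogText | ForEach-Object {
        $time, $client, $query = $_ -split ','
        if ($query -ieq $Domain) {
            [pscustomobject]@{ Seen = $time; Client = $client }
        }
    } | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            FirstSeen = $_.Group[0].Seen
            Lookups   = $_.Count
        }
    }
}

function Find-SmbScanners {
    # Sources that reached at least $Threshold distinct hosts on TCP 445.
    # A workstation talking to one file server repeatedly stays below it.
    param([string]$LogText, [int]$Threshold = 5)
    ConvertFrom-SimpleLog $LogText | ForEach-Object {
        $time, $src, $dst, $port = $_ -split ','
        if ($port -eq '445') { [pscustomobject]@{ Src = $src; Dst = $dst } }
    } | Group-Object Src | ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique)
        if ($targets.Count -ge $Threshold) {
            [pscustomobject]@{ Source = $_.Name; DistinctTargets = $targets.Count }
        }
    }
}

Write-Host 'Hosts that queried the kill-switch domain (ransomware has run there):'
Find-KillSwitchLookups -LogText $DnsLog -Domain $KillSwitchDomain | Format-Table -AutoSize

Write-Host 'Hosts fanning out on TCP 445 (worm-like lateral movement):'
Find-SmbScanners -LogText $FirewallLog | Format-Table -AutoSize
```

With the constructed sample, 10.0.0.23 and 10.0.0.77 show up as kill-switch lookups and only 10.0.0.23 is flagged as an SMB scanner (six distinct targets); 10.0.0.15 talks to a single server and stays below the threshold. The threshold is deliberately a parameter: on a network with many legitimate file shares it needs raising, and a burst of connection attempts to addresses that do not answer at all is an even stronger signal than successful ones.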

So does that mean it is unstoppable? No! Microsoft has already released patches for old Windows XP systems that block the SMB ports and prevent it from spreading. But most people who are too lazy to upgrade are also too lazy to apply those patches. Why would you use that old version anyway? To avoid such attacks, keep your system as up to date as possible. Upgrade your old legacy PC to Windows 8 or Windows 10, which WannaCry cannot harm. Also, though it is a bit inconvenient, keep regular backups of your data, preferably somewhere offline. Then, if this virus attacks your machine, you can afford to lose the data on it because you already have a copy.
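The advice above (apply the patch, shut the SMB door, stay current) can be checked and applied on a supported Windows machine from an elevated PowerShell. The script below is an added example, not code from the original article or from Microsoft. It assumes Windows 8 / Server 2012 or later, where the SmbShare, NetSecurity and Dism cmdlets ship with the system; on Windows XP there is no such PowerShell, so there the only real fix is the emergency patch the article mentions or replacing the machine. The KB number of the update is a placeholder, because it differs per Windows version.

```powershell
# Added example (not from the original article or from Microsoft).
# Checks and applies the mitigations the article recommends on a supported
# Windows host (Windows 8 / Server 2012 and later). Run from an elevated
# PowerShell.

# 1. Is the old SMBv1 protocol that the exploit abuses still enabled?
function Test-Smb1Enabled {
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# 2. Turn SMBv1 off on the server side and remove the optional feature.
#    (On Server editions the feature is removed with Remove-WindowsFeature
#    FS-SMB1 instead of the Dism cmdlet used here.)
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Removing the feature also covers the client side; a reboot is
    # needed for that part to take full effect.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Block inbound TCP 445 on profiles where this machine has no business
#    serving files (a workstation on a public or untrusted network).
#    Do not apply this blindly to a file server.
function Block-InboundSmb {
    param([string[]]$Profiles = @('Public'))
    $name = 'Block inbound SMB (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile $Profiles | Out-Null
    }
}

# 4. Confirm the security update for the SMB flaw is installed. The KB
#    number differs per Windows version, so it is a PLACEHOLDER here:
#    substitute the one Microsoft lists for this build.
function Test-HotFixInstalled {
    param([string]$KB = 'KBnnnnnnn')   # placeholder KB number
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

if (Test-Smb1Enabled) {
    Write-Host 'SMBv1 is enabled: disabling it.'
    Disable-Smb1
} else {
    Write-Host 'SMBv1 is already disabled.'
}
Block-InboundSmb
if (-not (Test-HotFixInstalled)) {
    Write-Host 'SMB security update not found: run Windows Update before putting this machine back on the network.'
}
```

Disabling SMBv1 is the durable fix, because it removes the protocol version the exploit targets rather than relying on a firewall rule that someone may later relax; the port block is the quick stop-gap for machines that cannot be patched immediately. Neither replaces the offline backup the article recommends, which is the only thing that helps once encryption has already happened.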

But what if you are already attacked?

If, unfortunately, you are already a victim, it is up to you whether you are willing to pay the ransom. Sadly, you cannot decrypt the files on your own, so you have two choices: let all your data go and start over, or consider paying the ransom in the hope of getting your files back. Yes, there is no guarantee of that. Since the people behind it have unethical purposes, you cannot expect them to have a moral conscience.

In my opinion, the best way to decide whether or not to pay is to stop the ransomware before it infects you. Use the most up-to-date systems on your machine, and DO NOT click on e-mail attachments you are not sure about. The greatest weapon of cyber attacks is unawareness, so a little knowledge can save you a lot.