Over the weekend security experts witnessed how the new iteration of the WannaCry ransomware spread to thousands of users and networks worldwide. This virus is neither old nor extremely complex; nevertheless it was able to mount a massive attack on home users, companies and even government institutions.
How Wannacry Ransomware Works
The WannaCry virus is also known as Wana Decrypt0r 2.0 ransomware, WanaCry or the .WNCRY virus. It was initially discovered back in March 2017, when security analysis revealed that it exhibits the typical features of ransomware viruses. Upon infection it encrypts the target user's data based on a predefined, built-in list of file type extensions. The virus is part of a whole family of related threats called Wcry, and depending on the attack campaign the hackers can use various distribution methods and custom configurations. The payloads can be configured not only to encrypt user files but also to deliver other malware, cause dangerous system modifications or carry out other types of sabotage.
All processed files are encrypted and given the .wcry extension. As usual, the criminal operators demand a ransom fee. The core threat is programmed to extort 300 US Dollars, payable in the Bitcoin digital currency. A distinct characteristic of the virus is its ability to generate a customized payment gateway site and ransom note based on the unique victim ID. That ID is generated from data harvested from the compromised machine, which may include both system and user data. The encryption scheme generates a public and private key pair; the private key is sent to the remote C&C server, where it is stored.
It was discovered that the criminals have utilized automated vulnerability testing frameworks to launch automated attacks against whole computer networks. A significant share of the infections has been due to machines running outdated versions of the Microsoft Windows operating system. The targeted vulnerability permits remote attackers to infiltrate the machines. The vulnerability was fixed by Microsoft in a security bulletin the same day it was reported.
There are several important factors that we need to consider when evaluating the potential of WannaCry and its apparent mass infection campaign:
- Upon infection the WannaCry virus creates a persistent environment. It modifies the system so that the virus runs automatically whenever the user starts their computer. In the majority of cases these modifications also prevent the victims from manually removing the ransomware themselves.
- Custom variants and derivatives based on the Wcry ransomware family can be used in incoming attacks.
- Social engineering tricks are used to pressure the victims into paying the ransom fee. The imposed time limit and other strategies have resulted in a high payment ratio.
Another similar threat, known as UIWIX ransomware, has been found to use similar distribution tactics. It is possible that it is operated by the same hacker collective responsible for the WannaCry infections.
WannaCry Virus Protection Tips
Computer users can protect themselves by following the standard security policies recommended for virus protection. They consist of important guidelines that help keep targets from becoming victims of the malware:
- Employ Protection – Quality anti-virus and anti-malware software helps ensure that computer users stay protected. The good ones employ advanced engines that can detect malware based on both behavior patterns and predefined signatures.
- Avoid Social Engineering Tricks – The majority of WannaCry attacks come from spam email campaigns that pose as legitimate messages from well-known companies or government institutions. Computer users should employ common sense and carefully inspect messages before interacting with them in any way – clicking on hyperlinks or downloading file attachments.
- Perform Timely Updates – Computer users can defend themselves from the automated vulnerability testing attacks by updating all installed software, including the Microsoft Windows operating system, to the latest available versions. Microsoft has posted a reminder on their blog for all users who have not yet done so to apply the MS17-010 patch.
The Success Behind The WannaCry Virus
The main reason behind the success of the WannaCry ransomware is its massive spread campaign. The creators of WannaCry have been able to sustain spam email campaigns that employ social engineering tactics. While many of these strategies are common virus distribution techniques, security experts suggest that the WannaCry virus may also be delivered via other malware or payload droppers.
The virus has successfully compromised targets in around 150 countries following a large-scale attack campaign initiated on Friday. The hackers behind it have customized the individual virus binaries to include instructions in 28 languages. It is possible that the detailed instructions provided have contributed to the high payment ratio. Payments to the Bitcoin addresses associated with the WannaCry operators continue to be recorded, showing that victims resort to paying the money even though virus removal and file recovery are possible.
The WannaCry virus has impacted companies and organizations worldwide, including Deutsche Bahn, Telefonica, UK hospitals, FedEx, Nissan and even government institutions. To capitalize on the virus's success, computer hackers have created scam utilities and even "decryptors" that promise the victims a quick fix. Usually they are sold at a lower price and are found on sites that pose as legitimate security companies. The research team at AV-TEST identified 452 WannaCrypt samples soon after the infection had spread.
An Upcoming Wave of WannaCry Virus Attacks Is Expected
Security experts are currently investigating the origins of the WannaCry virus. At the moment the identity of the hacker operators is not known. However, ever since the first large-scale attacks quieted down, the live trackers that monitor new infections suggest that a new virus campaign is likely to be launched soon. There are several likely scenarios being discussed by the analysts:
- New Spread Campaign With The Current Samples – The hackers continue to use the already developed malware samples and infection techniques.
- New Virus Samples – The criminals can create new derivatives based on the core of the WannaCry virus. A significant change in its code can make it undetectable by security software that does not employ behavior checks.
- Combined Approach – The hackers can develop a new virus based on the original or follow-up WannaCry samples and use new approaches, such as other software vulnerabilities, to spread it to their targets.
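The two points above about detection, that good engines combine signatures with behavior patterns (the "Employ Protection" tip) and that a small code change defeats software relying on signatures alone (the "New Virus Samples" scenario), can be shown side by side. The following is an added example written for this article, not code from the original post or from any security product. It runs a plain SHA-256 signature check against a constructed "known bad" sample and a one-byte variant of it, then feeds a constructed stream of file-system events into a sliding-window heuristic that fires when one process renames many distinct files to the .wcry/.WNCRY extension named in the article. The process name `suspicious.exe`, the 10-second window and the threshold of 20 files are assumptions chosen for the demonstration.

```python
import hashlib
from collections import deque
from dataclasses import dataclass

# Extensions the article says WannaCry appends to encrypted files.
RANSOM_EXTENSIONS = (".wcry", ".wncry")
# Assumed tuning values (not from the article): how many distinct files one
# process may rename to a ransom extension inside the window before we alert.
WINDOW_SECONDS = 10.0
RENAME_THRESHOLD = 20


@dataclass(frozen=True)
class FileEvent:
    ts: float            # timestamp in seconds (constructed values in demo())
    process: str         # image name of the process performing the operation
    op: str              # "rename", "write", "delete", ...
    path: str            # path before the operation
    new_path: str = ""   # path after a rename, empty otherwise


def is_ransom_rename(ev: FileEvent) -> bool:
    """True if the event renames a file to one of the known ransom extensions."""
    return ev.op == "rename" and ev.new_path.lower().endswith(RANSOM_EXTENSIONS)


class BehaviourDetector:
    """Per-process sliding-window count of ransom-style renames."""

    def __init__(self, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._recent = {}   # process -> deque of (ts, original path)
        self.alerts = []    # (process, ts, distinct files renamed)

    def feed(self, ev: FileEvent):
        """Consume one event; return an alert tuple when the threshold is hit."""
        if not is_ransom_rename(ev):
            return None
        q = self._recent.setdefault(ev.process, deque())
        q.append((ev.ts, ev.path))
        # Drop entries that fell out of the time window.
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        touched = {p for _, p in q}   # the same file renamed twice counts once
        if len(touched) >= self.threshold:
            alert = (ev.process, ev.ts, len(touched))
            self.alerts.append(alert)
            q.clear()   # one burst yields one alert; keep counting afterwards
            return alert
        return None


def signature_match(sample: bytes, known_hashes) -> bool:
    """Classic signature check: flag only an exact SHA-256 match."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def demo():
    # Constructed 'known bad' sample; a real list would hold vendor-published
    # hashes, which this example deliberately does not include.
    original = b"CONSTRUCTED-SAMPLE-v1"
    known = {hashlib.sha256(original).hexdigest()}
    variant = original + b"\x00"   # a one-byte change breaks the signature
    sig_hits = (signature_match(original, known), signature_match(variant, known))

    det = BehaviourDetector()
    events = [
        # Benign user activity: a save and a rename that keeps a normal extension.
        FileEvent(0.0, "winword.exe", "write", r"C:\Users\a\report.docx"),
        FileEvent(1.0, "winword.exe", "rename", r"C:\Users\a\draft.docx",
                  r"C:\Users\a\final.docx"),
    ]
    # Burst: 25 distinct documents renamed to .WNCRY by one (assumed) process
    # within about 2.5 seconds, the pattern the article describes.
    for i in range(25):
        src = rf"C:\Users\a\Documents\file{i}.docx"
        events.append(FileEvent(2.0 + i * 0.1, "suspicious.exe", "rename",
                                src, src + ".WNCRY"))
    for ev in events:
        det.feed(ev)
    return sig_hits, det.alerts


if __name__ == "__main__":
    hits, alerts = demo()
    print("signature matched original/variant:", hits)   # (True, False)
    print("behaviour alerts:", alerts)                    # one alert, 20 files
```

The signature check catches the original sample and misses the trivially modified variant, while the behaviour heuristic never looks at the binary at all and still fires on the variant's activity. Real endpoint products layer more context on top (process lineage, entropy of written data, canary files), but the shape is the same: count the effect, not the bytes.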
Author Bio: Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion. He mainly contributes to the Best Security Search website.
Martin Beltov is a guest blogger, all opinions are his own.