
What Is WannaCry, Exactly?

sameeratakhtani



"Oops, your important files have been encrypted."


Welcome to WannaCry, where cybercriminals block your files and demand payment for decryption. If this message appeared on your computer, it has been infected with WannaCry or a similar form of ransomware.


As the name suggests, ransomware is malicious software that encrypts files and demands a payment (a ransom) to decrypt them. WannaCry remains one of the most well-known varieties of ransomware still in circulation. Why? There are a few reasons why WannaCry gained notoriety:


  • It can be transmitted as a worm, which means that it can spread between computers and networks automatically (without requiring human interaction).

  • WannaCry exploited a Windows vulnerability that left millions of people exposed.

  • The result was a loss of hundreds of millions (or even billions) of dollars.

  • The variety of ransomware spread quickly and furiously and was stopped just as quickly.

  • Its simple (and well-chosen) name also made it memorable. Wouldn't you also cry if you found all your important files locked?


Cybercriminals charged victims $300 in bitcoin to release their files. Those who did not pay on time had to pay twice as much for the decryption key. Because of its use of cryptocurrency and its worm-like behavior, WannaCry became known as a cryptoworm.


Who were the victims?

Although WannaCry appears to have had no specific targets, it spread quickly to 150 countries, with the majority of incidents occurring in Russia, China, Ukraine, Taiwan, India, and Brazil. Many individuals and organizations were affected, including:


  • Companies: FedEx, Honda, Hitachi, Telefonica, O2, Renault

  • Universities: the Guilin University of Electronic Technology, Guilin University of Aerospace Technology, Dalian Maritime University, Cambrian College, Aristotle University of Thessaloniki, University of Montreal

  • Transport companies: Deutsche Bahn, LATAM Airlines Group, Russian railways

  • Government agencies: Andhra Pradesh Police, Chinese Public Security Agency, National Health Institute (Colombia), NHS - National Health Service (United Kingdom), NHS of Scotland, São Paulo Court of Justice, several state governments in India (Gujarat, Kerala, Maharashtra, West Bengal)


The attack took advantage of organizations that were running old or unpatched software. Why didn't these organizations apply the patch? Organizations like the NHS find it hard to take entire systems down to apply updates, because they need data such as patient records to be available at all times. Even so, failing to apply the updates proved far more damaging in the long run.


How was the attack stopped?

Cybersecurity researcher Marcus Hutchins found that after WannaCry entered a system, it tried to connect to a specific URL. If the URL could not be reached, the ransomware would infect the system and encrypt files. Hutchins registered the domain name, creating a DNS sinkhole that acted as a kill switch and disabled WannaCry. He faced some tense days when cybercriminals attacked his URL with a variant of the Mirai botnet (attempting a DDoS attack to bring down the URL and with it the kill switch).


Hutchins was able to protect the domain by serving a cached version of the site, which could handle far higher levels of traffic, and the kill switch held up. It is still not clear why the kill switch was in the WannaCry code: whether it was added by accident or whether the cybercriminals wanted a way to stop the attack themselves.
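The kill-switch mechanism described above, shown from a defender's side as an added example (this is not code from the original post or from WannaCry itself): a small model of the "connect to a domain, continue only if the lookup fails" check, which makes clear why registering the domain stopped the worm everywhere at once, plus detection logic that scans DNS query logs for hosts looking up the kill-switch name, since on a normal network only an infected host has a reason to do so. The domain name `killswitch-domain.example`, the sinkhole address `192.0.2.10`, and the log lines are all constructed placeholders; the real kill-switch domain is not quoted on the page.

```python
"""
Added example, not part of the original post: a defender's model of the
WannaCry kill switch and a DNS-log check for hosts that trip it.
All names, addresses and log lines below are constructed placeholders.
"""
import re
from collections import Counter

# Placeholder for the real kill-switch domain (hypothetical value).
KILL_SWITCH_DOMAIN = "killswitch-domain.example"


def would_proceed(resolver, domain=KILL_SWITCH_DOMAIN):
    """Model of the check: proceed only when the kill-switch lookup fails.

    `resolver` is any callable mapping a hostname to an address, or to None
    when the name is not registered. Returns True when the malware would
    carry on and encrypt, False when the kill switch stops it.
    """
    return resolver(domain) is None


def make_sinkhole_resolver(registered, sinkhole_ip="192.0.2.10"):
    """Return a resolver that answers only for names in `registered`.

    Registering the domain is exactly what flips the answer from None to an
    address for every infected host at once. 192.0.2.0/24 is a documentation
    range, so the sinkhole IP is a constructed value.
    """
    names = {name.lower() for name in registered}
    return lambda name: sinkhole_ip if name.lower() in names else None


# Constructed BIND-style DNS query log lines (not real traffic).
SAMPLE_DNS_LOG = """\
12-May-2017 09:14:02.113 client 10.1.4.22#51234: query: killswitch-domain.example IN A + (10.1.0.5)
12-May-2017 09:14:02.880 client 10.1.4.22#51240: query: update.example.net IN A + (10.1.0.5)
12-May-2017 09:15:17.004 client 10.1.7.91#40011: query: KILLSWITCH-DOMAIN.example IN A + (10.1.0.5)
12-May-2017 09:15:31.552 client 10.1.4.22#51301: query: killswitch-domain.example IN A + (10.1.0.5)
12-May-2017 09:16:00.007 client 10.1.9.3#33020: query: www.example.org IN AAAA + (10.1.0.5)
"""

# Pulls the client IP, queried name and record type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Count, per client IP, the queries for the kill-switch domain.

    DNS names are case-insensitive and may carry a trailing dot, so both are
    normalised before comparing. Any host listed here is a candidate for
    network isolation and triage.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("name").rstrip(".").lower() == domain:
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    # Before the domain was registered the lookup failed and the worm went on.
    print("proceeds before sinkhole:", would_proceed(make_sinkhole_resolver([])))
    # Once registered, every lookup succeeds and the check stops the worm.
    print("proceeds after sinkhole: ",
          would_proceed(make_sinkhole_resolver([KILL_SWITCH_DOMAIN])))
    for ip, n in find_kill_switch_lookups(SAMPLE_DNS_LOG).items():
        print(f"host {ip} queried the kill-switch domain {n} time(s)")
```

Run as a script it prints `True`, then `False`, then flags hosts 10.1.4.22 (two lookups) and 10.1.7.91 (one). The same regex works on real BIND query logs; for other resolvers the pattern is the only part that needs adapting.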


Can WannaCry be removed?

As with all malware, removing the WannaCry ransomware is possible, but undoing its damage is more complicated. Removing the malicious code does not recover the locked files. For all types of ransomware, security specialists advise against paying the ransom to unlock files. There is no guarantee that you will receive a decryption key in exchange for payment (remember that you are dealing with criminals). Even if the cybercriminals do send the key, paying the ransom validates their tactics, encourages them to keep spreading ransomware, and likely funds other illegal activities.


Some cybersecurity researchers believe that WannaCry was in effect a wiper: that it destroyed files rather than recoverably encrypting them, and that its authors never intended to unlock them. There were also implementation problems in the payment process: the same three bitcoin addresses were given to all victims, so it was almost impossible to track who had paid.


So, what can you do with the locked files? If you're lucky, you can find an online decryption tool. Cybersecurity researchers analyze ransomware and offer decryption tools online for free. However, not every variety of ransomware can be decrypted. In the case of WannaCry, a decryption tool is available, but it may not work on all computer systems.


If you are unable to decrypt your files, you can restore a previous backup of your system that contains your normal files. But you still need to remove the actual malicious code. Consult our guides to remove the ransomware from your PC or Mac.


Find the best free antivirus to prevent WannaCry attacks.

©2020 by Support for Antivirus.