What is WannaCry ransomware?
How to prevent it?
WannaCry’s first victims included the UK’s National Health Service, the Spanish telecommunications firm Telefónica and the logistics firm FedEx. The scale of the campaign caused chaos across hospitals in the United Kingdom: many had to cancel operations at short notice, and staff were forced back to pen and paper while their systems were locked by the ransomware.
Early reports suggested that WannaCry (also known as WannaCrypt or WanaCrypt0r) arrived as an email attachment; what is well established is that once it is on a machine it spreads without any further user interaction. The ransomware encrypts files on the system’s disks and exploits the SMBv1 vulnerability patched in MS17-010 (the EternalBlue exploit) to propagate both to random IP addresses on the Internet over TCP port 445 and to other computers on the same network.
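The propagation pattern above, one host fanning out to many distinct peers on TCP/445 in a short time, is easy to spot in firewall or flow logs. The script below is an added example (not Promisec’s or any other vendor’s code): it parses a constructed, assumed log format of `<epoch> <src> -> <dst>:<port>/tcp <verdict>` and reports sources that reached at least `min_targets` distinct hosts on port 445 within a sliding window. The thresholds and sample lines are assumptions for illustration.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 (WannaCry-style
SMB propagation). Added example, not the page's or any vendor's code.
Assumed log format: "<epoch> <src_ip> -> <dst_ip>:<dst_port>/tcp <verdict>"."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)/tcp (?P<verdict>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "verdict": d["verdict"]}


def find_smb_scanners(lines, window=60, min_targets=10):
    """Return {src: distinct_target_count} for every source that contacted at
    least `min_targets` distinct hosts on port 445 within any `window` seconds.
    A workstation talking to a single file server all day never trips this."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == 445:
            events[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        # sliding window over timestamps; count distinct destinations inside it
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in evs[lo:hi + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits


# Constructed sample log (not real traffic):
#  - 10.0.0.5 sweeps 12 LAN and Internet addresses on 445 within ~25 s (infected)
#  - 10.0.0.7 talks to one file server on 445 repeatedly (benign)
#  - one web connection and one unparseable line
SAMPLE_LOG = [
    f"{1494590000 + i * 2} 10.0.0.5 -> {'203.0.113.' if i % 2 else '10.0.0.'}{20 + i}:445/tcp ALLOW"
    for i in range(12)
] + [
    f"{1494590000 + i * 5} 10.0.0.7 -> 10.0.0.2:445/tcp ALLOW" for i in range(12)
] + [
    "1494590010 10.0.0.9 -> 198.51.100.8:80/tcp ALLOW",
    "garbage line",
]

if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm activity from {src}: {count} distinct 445 targets")
```

Tune `window` and `min_targets` to your environment; vulnerability scanners and backup servers legitimately touch many hosts on 445 and belong on an allow list.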
WannaCry behaves as a Trojan dropper. Before doing anything else it tries to connect to the domain hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com using the Windows API InternetOpenUrlA().
If the connection succeeds, the dropper does not infect the system further or try to spread to other machines; it simply exits. Only when the connection fails does it drop the ransomware payload and register it as a service on the system.
This check is a kill switch, so blocking the domain with a firewall, whether at the ISP or at the enterprise network level, is counterproductive: the connection fails and the ransomware goes on encrypting files and spreading. The same happens on hosts that cannot reach the domain for other reasons, for example on networks where outbound web access is only possible through a proxy. Let the lookup and connection through, and prevent infection by patching MS17-010 and not exposing SMB (TCP port 445) to the Internet.
When executed, WannaCry creates the following registry keys:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
- HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”
It changes the wallpaper to a ransom message by modifying the following registry key:
- HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”
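The three registry artefacts above are useful triage indicators. The script below is an added example (not Promisec’s or any other vendor’s code) that parses the text form of a registry export (the `.reg` format written by `reg export`) and reports the Run-key entry pointing at `tasksche.exe`, the `WanaCrypt0r\wd` value and the `@WanaDecryptor@.bmp` wallpaper. The sample export embedded in it is constructed, including the random directory name; on a real export, read the file with `encoding="utf-16"` before passing it in.

```python
"""Scan a .reg export for the WannaCry registry indicators listed above.
Added example, not the page's or any vendor's code; SAMPLE_EXPORT is constructed."""
import re

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WANA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WanaCrypt0r"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key_path: {value_name: data}}. REG_SZ data is unescaped;
    other types (dword:, hex:) are kept as the raw text after '='."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg


def _values(reg, key):
    """Case-insensitive key lookup; registry paths are not case-sensitive."""
    return next((v for k, v in reg.items() if k.lower() == key.lower()), {})


def _value(values, name):
    return next((d for n, d in values.items() if n.lower() == name.lower()), "")


def wannacry_indicators(reg):
    """Return a list of (indicator, key, value_name, data) for each match."""
    hits = []
    for name, data in _values(reg, RUN_KEY).items():
        # data may be wrapped in literal quotes: "C:\dir\tasksche.exe"
        if data.lower().rstrip('"').endswith(r"\tasksche.exe"):
            hits.append(("run_key_tasksche", RUN_KEY, name, data))
    wana = _values(reg, WANA_KEY)
    if wana:
        hits.append(("wanacrypt0r_wd", WANA_KEY, "wd", _value(wana, "wd")))
    wallpaper = _value(_values(reg, DESKTOP_KEY), "Wallpaper")
    if wallpaper.lower().endswith("@wanadecryptor@.bmp"):
        hits.append(("ransom_wallpaper", DESKTOP_KEY, "Wallpaper", wallpaper))
    return hits


# Constructed sample export; "ghvxqklmstp" stands in for the random directory name.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ghvxqklmstp"="\"C:\\ProgramData\\ghvxqklmstp\\tasksche.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\WanaCrypt0r]
"wd"="C:\\ProgramData\\ghvxqklmstp"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\ProgramData\\ghvxqklmstp\\@WanaDecryptor@.bmp"
"WallpaperStyle"="10"
'''

if __name__ == "__main__":
    for indicator, key, name, data in wannacry_indicators(parse_reg(SAMPLE_EXPORT)):
        print(f"{indicator}: {key}\\{name} = {data}")
```

Because the wallpaper key lives under HKCU, export it from the profile of the user who was logged in when the machine was hit (or load that user’s NTUSER.DAT); an export taken as a different account will miss it.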
The ransom demanded for the decryption key starts at $300 in Bitcoin and doubles to $600 if it is not paid within three days.
Promisec can help you prevent WannaCry:
- Light-touch on-premises installation plus optional cloud scanning capabilities.
- Rapid search-and-detect functionality across thousands of endpoints
- Quick patch deployment and verification
- Get it now for 90 days, no cost!
Contact us today to see how we can help against WannaCry!