WannaCry Decryptor first appeared around February 2017 and works by encrypting files on target computers before demanding that a ransom be paid in the cryptocurrency Bitcoin.
How does Wanna Decryptor work?
The malware is delivered as a Trojan through a booby-trapped hyperlink that a victim may open by accident from an email, an advert on a webpage or a Dropbox link. Once it has been activated, the program spreads through the computer and encrypts all the files, using the same kind of encryption used for instant messages.
Once the files have been encrypted it deletes the originals and delivers a ransom note in the form of a readme file. It also changes the victim’s wallpaper to a message demanding payment to return the files.
How can you remove it?
Not by paying the ransom.
Security experts point out that some antivirus software is capable of catching the Wanna Decryptor virus.
“This particular ransomware is correctly identified and blocked by 30% of the AV vendors using current virus definitions. It is correctly handled by both Kaspersky and BitDefender,” said Phil Richards, the CISO at Ivanti.
“There is no public decryption (crack code) available at present.
“This malware modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect. Both of these actions require administrative privileges.”
The first and foremost thing you should do is not click any link in Gmail or Dropbox. Any link might contain the Trojan, which may affect your system and lock all your files in a sandbox that you would then be unable to open.
In less than 24 hours, the WannaCry ransomware borrowed from leaked NSA exploits to spread across at least 75,000 PCs. But, for now, the ransomware outbreak has been curtailed.
That’s because a U.K.-based researcher going by the name of MalwareTech shut the operation down, albeit by a stroke of good fortune. As he researched the spread of WannaCry, which hit 48 NHS hospitals across Britain particularly hard, the 22-year-old saw that one of the web domains used by the attackers hadn’t been registered. So he registered the site, took control of the domain for $10.69 and started seeing connections from infected victims, hence his ability to track the ransomware’s spread.
But in doing that he also took down the WannaCry operation without meaning to. Whoever was behind the ransomware included a feature designed to detect security tools that would fake internet access for quarantined PCs by using a single IP address to respond to any request the computer made. This is a feature of a “sandbox,” where security tools test code in a contained environment on a PC. When MalwareTech registered his domain to track the botnet, the same IP address was pinged back to all infected PCs, not just sandboxed ones. “So the malware thought it was in a sandbox and killed itself. Lol,” MalwareTech said. “It was meant as an anti-sandbox measure that they didn’t quite think through.”
WannaCry will return — so patch
For those already infected, it’s a little too late for MalwareTech’s efforts to save them. As with multiple NHS organizations, many will have to rely on whatever contingency plans and backups they have in place.
And while MalwareTech confirmed the malware was still out of action Saturday, he warned the attackers will likely alter their code to remove the somewhat bizarre error and restart their ransomware campaign imminently.
“This sample may have been stopped, but I’m 100 per cent sure they will learn from the mistake and try again monday. people need to be prepared,” he added. “They might start a new campaign today.”
The advice, then, is to patch all Windows PCs with the latest update: the update Microsoft released in mid-March closes the flaw that the NSA’s exploits use, so patched machines cannot be attacked that way. Microsoft and anti-virus companies have also added detections for WannaCry, so users should update those products too.
The tech giant has also issued an advisory for concerned users, in which it confirmed it is releasing a patch for the out-of-support Windows XP. It also recommends that businesses disable the SMBv1 protocol, and ensuring that SMB cannot be reached directly from the internet will go some way to preventing this worm from causing havoc again.
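As an added audit script (not from the article, from Microsoft’s advisory or from MalwareTech), the following PowerShell checks a host for the three mitigations above: SMBv1 disabled, the update installed, and inbound SMB not reachable from untrusted networks, and optionally applies them. It assumes a Windows 8.1/10 or Server 2012 R2+ host with the SmbShare and NetSecurity modules, run from an elevated prompt; the KB identifier is a placeholder because the article does not name it.

```powershell
# Audit (and with -Remediate, fix) a host's exposure to the SMBv1 worm.
# Assumptions: elevated PowerShell on Windows 8.1/10 or Server 2012 R2+.
# $RequiredKb is a PLACEHOLDER: substitute the KB number of the March update
# for your Windows version; the article does not state it.
param(
    [string]$RequiredKb = "KB-PLACEHOLDER",
    [switch]$Remediate
)

$findings = @()

# 1. SMBv1 server protocol: this is what the worm spreads over.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. SMB1 optional feature (client Windows). Removing it goes further than
#    disabling it. On Server SKUs use Get-WindowsFeature FS-SMB1 instead.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq "Enabled") {
    $findings += "SMB1Protocol optional feature is installed"
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. The mid-March update that closes the exploited flaw.
if (-not (Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)) {
    $findings += "Update $RequiredKb not found; install the latest cumulative update"
}

# 4. Inbound TCP/445 on public networks. A host firewall rule is one layer;
#    SMB should also be blocked at the perimeter so it is never internet-facing.
$ruleName = "Block inbound SMB (TCP 445) on public networks"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += "No firewall rule blocking inbound TCP/445 on the Public profile"
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

if ($findings.Count -eq 0) { "OK: no WannaCry exposure findings on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it first without -Remediate to see the findings; disabling the SMB1 optional feature takes effect after a reboot.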