Over the weekend security experts witnessed how the new iteration of the WannaCry ransomware spread across thousands of users and networks worldwide. The virus is neither old nor extremely complex, yet it was able to launch a massive attack on home computer users, companies and even government institutions.
The WannaCry virus is also known as Wana Decrypt0r 2.0 ransomware, WanaCry or the .WNCRY virus. It was initially discovered back in March 2017, when security analysis revealed that it exhibits the typical features of ransomware. Upon infection it encrypts the target user's data based on a predefined, built-in list of file type extensions. The virus is part of a whole family of related threats called Wcry, and depending on the attack campaign the hackers can use various distribution methods and custom configurations. The payloads can be configured not only to encrypt user files but also to deliver other malware, cause dangerous system modifications or carry out other types of sabotage.
All processed files are encrypted and given the .wcry extension. As usual, the criminal operators demand a ransom fee. The core threat is programmed to extort 300 US Dollars, payable in the Bitcoin digital currency. A distinct characteristic of the virus is its ability to generate a customized payment gateway site and ransom note based on a unique victim ID. That ID is derived from data harvested from the compromised machine, which may include both system and user data. The encryption scheme generates a public and private key pair; the private key is sent to the remote C&C server, where it is stored.
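The extension change described above is one of the few signals a defender can act on quickly. The following script is an added example, not code from the original article: it scans constructed file-event records (format, host names and process names are assumed, not taken from the article) and flags any host/process pair that touches several .wcry or .WNCRY files within a short window, so a single stray file does not trigger an alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# File extensions the article attributes to WannaCry-processed files.
RANSOM_EXTENSIONS = (".wcry", ".wncry")

# Constructed sample records (not real telemetry). Assumed line format:
# "<ISO time> <host> <process> <action> <path>"
SAMPLE_EVENTS = """\
2017-05-12T10:00:01 ws01 explorer.exe CREATE C:\\Users\\a\\report.docx
2017-05-12T10:00:05 ws01 sample_proc.exe RENAME C:\\Users\\a\\report.docx.WNCRY
2017-05-12T10:00:06 ws01 sample_proc.exe RENAME C:\\Users\\a\\budget.xlsx.WNCRY
2017-05-12T10:00:07 ws01 sample_proc.exe RENAME C:\\Users\\a\\photo.jpg.WNCRY
2017-05-12T10:00:08 ws01 sample_proc.exe RENAME C:\\Users\\a\\notes.txt.WNCRY
2017-05-12T10:00:09 ws01 sample_proc.exe RENAME C:\\Users\\a\\thesis.pdf.WNCRY
2017-05-12T10:30:00 ws02 backup.exe CREATE D:\\archive\\old.wcry
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")

def parse_events(text):
    """Turn raw lines into (timestamp, host, process, action, path) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, host, proc, action, path = m.groups()
        events.append((datetime.fromisoformat(ts), host, proc, action, path))
    return events

def find_burst_encryptors(text, threshold=5, window=timedelta(seconds=60)):
    """Return the set of (host, process) pairs that touch at least `threshold`
    ransom-extension files inside any `window`-long span of time."""
    hits = defaultdict(list)
    for ts, host, proc, _action, path in parse_events(text):
        if path.lower().endswith(RANSOM_EXTENSIONS):
            hits[(host, proc)].append(ts)
    flagged = set()
    for key, times in hits.items():
        times.sort()
        for i in range(len(times)):
            # Sliding window: count events from times[i] up to times[i] + window.
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(key)
                break
    return flagged
```

With the constructed sample, only the ws01 process that renames five files in four seconds is flagged; the lone .wcry file on ws02 stays below the threshold.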
It was discovered that the criminals utilized automated vulnerability testing frameworks to launch automated attacks against whole computer networks. A significant share of the infections has been attributed to machines running outdated versions of the Microsoft Windows operating system. The targeted vulnerability permits remote attackers to infiltrate the machines. The flaw was fixed by Microsoft in a security bulletin the same day it was reported.
There are several important factors that we need to consider when evaluating the potential of WannaCry and its apparent mass infection campaign:
Another similar threat, known as UIWIX ransomware, has been found to use similar distribution tactics. It is possible that it is operated by the same hacker collective responsible for the WannaCry infections.
Computer users can protect themselves by following the standard security policies recommended for virus protection. They consist of important guidelines that help keep targets from becoming victims of the malware:
The main reason behind the success of the WannaCry ransomware is its massive spread campaign. The creators of WannaCry have been able to sustain email spam campaigns that employ social engineering tactics. And while many of the strategies are common virus distribution techniques, security experts suggest that the WannaCry virus may also be delivered via other malware or payload droppers.
The virus has successfully compromised targets in around 150 countries following a large-scale attack campaign initiated on Friday. The hackers behind it customized the individual virus binaries to include instructions in 28 languages. It is possible that these detailed instructions have contributed to the high payment rate. Payments to the Bitcoin addresses associated with the WannaCry operators are recorded constantly, showing that victims resort to paying even though virus removal and file recovery are possible.
The WannaCry virus has impacted companies and organizations worldwide, including Deutsche Bahn, Telefonica, UK hospitals, FedEx, Nissan and even government institutions. To capitalize on the virus's success, other hackers have created scam utilities and even fake decryptors that promise victims a quick fix. They are usually offered at a lower price and are found on sites that pose as legitimate security companies. The research team at AV-TEST identified 452 WannaCrypt samples soon after the outbreak spread.
Security experts are currently investigating the origins of the WannaCry virus. At the moment the identity of the operators is not known. However, since the first large-scale attacks have quieted down, the live trackers that monitor new infections indicate that a new campaign is probably going to be launched soon. There are several likely scenarios being discussed by the analysts: