WannaCry is a worldwide ransomware attack that started on 12 May 2017. It is
also called WannaCryptor or WCry, and it took the world by storm. WannaCry was
designed to exploit computers running Microsoft Windows. The worm uses the
EternalBlue exploit to enter a computer, taking advantage of a vulnerability in
Microsoft's implementation of the Server Message Block (SMB) protocol.
The vulnerability had earlier been discovered by the National Security Agency
(NSA) of the USA, which, instead of reporting it, built the EternalBlue exploit
for its own operations. The exploit was later leaked by the group called
The Shadow Brokers, and since then the worm has been on the loose.
How does the WannaCry virus spread?
WannaCry belongs to the WCry ransomware family. It uses the EternalBlue exploit
against a flaw in the SMBv1 protocol: various versions of Microsoft Windows
accept specially crafted SMBv1 packets from remote attackers that let them run
arbitrary code on the system. As soon as the worm gains access to a computer,
it drops a copy of itself and executes it. Once running on the system, it first
tries to connect to one of a small set of hard-coded domains, which vary
between versions of the worm.
If the worm is able to connect to one of those domains it exits without
encrypting anything or spreading further, so the domains act as a kill switch
for the initialization of the worm. Note that the check is a plain direct
connection: hosts that cannot reach the domain (for example behind a proxy the
worm does not use) get no protection from it. If the lookup fails, WannaCry
encrypts files with the AES-128 cipher, generating a fresh key for each file
and wrapping that key with an RSA-2048 key pair created on the victim machine;
the victim's private key is in turn encrypted with the attackers' public key.
It targets a list of predefined file type extensions which includes the
following:
.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .aes, .ai, .ARC, .asc, .asf,
.asp, .avi, .backup, .bak, .bmp, .brd, .c, .cgm, .class, .cpp, .crt, .cs, .csr,
.csv, .db, .dbf, .dch, .dif, .dip, .doc, .docb, .docm, .docx, .dot, .dotm,
.dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .jar,
.java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb,
.mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .n,
.nef, .odb, .odg, .odp, .ods, .odt, .ost, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas,
.pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,
.ppt, .pptm, .pptx, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sin, .slk,
.sql, .sqlite3, .sqlitedb, .stc, .std, .stw, .suo, .swf, .sxc, .sxd, .sxm, .sxw,
.tar, .tarbz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vdi, .vmdk,
.vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls,
.xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip.
The original WannaCry dropper was disguised as a counterfeit messaging
application and was distributed to victims via emails, infected software and
even malicious ads; once inside a network it spreads on its own over SMB.
Encrypted files are given the ".wcry" extension (the May 2017 variant uses
".WNCRY"). WannaCry also creates a ransom note named @Please_Read_Me@.txt and
an executable that launches the decryptor, named @WanaDecryptor@.exe.
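The artefacts above (encrypted-file suffix, targeted extensions, ransom note and decryptor names) are what an incident responder looks for first on a suspect host. The following triage script is an added example written for this post, not code from the original article or from any WannaCry analysis tool: it classifies a file listing into encrypted files, still-intact at-risk files and the directories the worm touched. The directory listing at the bottom is constructed, and the targeted-extension set is only a subset of the list printed above.

```python
"""Triage a file listing for WannaCry artefacts.

Added example (not code from the post): given paths from a possibly infected
host, find encrypted files, surviving at-risk files and the directories the
worm touched. SAMPLE_LISTING below is constructed for the demonstration.
"""
import os

# Suffixes appended to encrypted files: ".wcry" per the post, ".WNCRY" in the
# May 2017 variant. All matching is case-insensitive.
ENCRYPTED_SUFFIXES = (".wcry", ".wncry")
RANSOM_NOTE = "@please_read_me@.txt"
DECRYPTOR = "@wanadecryptor@.exe"
# A subset of the targeted extension list above; extend with the full list.
TARGET_EXTENSIONS = frozenset({
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".zip",
    ".sql", ".vmdk", ".pst", ".key", ".pem", ".txt",
})


def classify(path):
    """Return one of: ransom_note, decryptor, encrypted, at_risk, other."""
    name = os.path.basename(path).lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name == DECRYPTOR:
        return "decryptor"
    if name.endswith(ENCRYPTED_SUFFIXES):
        return "encrypted"
    if os.path.splitext(name)[1] in TARGET_EXTENSIONS:
        return "at_risk"
    return "other"


def original_name(path):
    """Strip the ransomware suffix: 'report.docx.WNCRY' -> 'report.docx'."""
    lower = path.lower()
    for suffix in ENCRYPTED_SUFFIXES:
        if lower.endswith(suffix):
            return path[:-len(suffix)]
    return path


def triage(paths):
    """Summarise a list of paths; all lists are sorted for stable output."""
    encrypted, at_risk = [], []
    note_dirs, decryptor_dirs, at_risk_dirs = set(), set(), set()
    for path in paths:
        kind = classify(path)
        directory = os.path.dirname(path)
        if kind == "encrypted":
            encrypted.append(original_name(path))
        elif kind == "at_risk":
            at_risk.append(path)
            at_risk_dirs.add(directory)
        elif kind == "ransom_note":
            note_dirs.add(directory)
        elif kind == "decryptor":
            decryptor_dirs.add(directory)
    return {
        "encrypted": sorted(encrypted),
        "at_risk": sorted(at_risk),
        "ransom_note_dirs": sorted(note_dirs),
        "decryptor_dirs": sorted(decryptor_dirs),
        # A ransom note next to still-readable targets means the run was
        # interrupted (e.g. the process was killed); copy those files off first.
        "interrupted_dirs": sorted(note_dirs & at_risk_dirs),
    }


def triage_tree(root):
    """Run the same triage over a real directory tree (walks the filesystem)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed listing: one fully hit folder, one where the worm was stopped
# mid-run, and an untouched database folder with at-risk files.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx.WNCRY",
    "C:/Users/alice/Documents/@Please_Read_Me@.txt",
    "C:/Users/alice/Documents/@WanaDecryptor@.exe",
    "C:/Users/alice/Pictures/holiday.jpg.wcry",
    "C:/Users/alice/Pictures/@Please_Read_Me@.txt",
    "C:/Users/alice/Pictures/beach.jpg",
    "C:/Users/alice/Downloads/setup.exe",
    "C:/Projects/db/backup.sql",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run `triage_tree("C:/")` (or a mounted image of the disk) on a real host; the `interrupted_dirs` entries are the folders where a kill tool such as Rkill stopped the worm before it finished, and their intact files should be copied off before any cleanup.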
How to Remove WannaCry Virus from your computer?
This section provides a brief tutorial on how to remove WannaCry using certain
applications. Although each of these applications can remove the infection on
its own, it is better to have double coverage during the scan.
WannaCry can be removed from the system by using a process-killing utility
together with antivirus and anti-malware applications. Removing the worm does
not decrypt files that are already encrypted (see the recovery section below),
and a cleaned machine that is reconnected to the network without the MS17-010
patch, or with SMBv1 still enabled, will simply be reinfected, so patch before
you reconnect.
It is a simple three-step process. We will be using the following software to
remove the virus:
. Rkill program
. Emsisoft Anti-Malware
. Malwarebytes Anti-Malware
RKILL Program:
We use this program to terminate any running process that may hinder the removal. One can download the Rkill program using the link below.
Save the downloaded file on the desktop; Rkill is offered under alternative
names such as iexplore.exe so that malware does not block it. On running the
file it automatically stops any process associated with WannaCry and other
malware. The process may take some time, and once the program has finished
the processing window closes and a log file is generated. Review the log file
and continue with the next step. "Do not restart your system after the Rkill
task is completed": Rkill only kills processes, it does not remove the files,
so a reboot would let the malware start again.
EMSISOFT Anti-Malware:
Download the EMSISOFT software from the link below and place it on the desktop.
- Once the file has been downloaded, double-click the EmsisoftAntiMalwareSetup_bc.exe icon to start the installer. If Windows SmartScreen issues an alert, allow it to run anyway.
- If possible, run the installer in Safe Mode. Follow the regular installation instructions and choose the trial version. Once installed, the program updates its virus definitions.
- We strongly suggest that you select Enable PUPs Detection to protect your computer from nuisance programs such as toolbars and adware. The program is then installed.
- Go to the scan section and select the Malware scan. When the scan has finished, the program displays the scan results showing which infections were found. Click the Quarantine Selected button, which removes the infections and places them in the program's quarantine.
MalwareBytes Anti-Malware (MBAM):
Download the MBAM program from the following link:
Now double-click the file named mb3-setup-1878.1878-3.0.6.1469.exe to run it.
This starts the installation of MBAM on your computer. After the installation
is complete, make sure the Launch Malwarebytes Anti-Malware box is checked.
"Do not reboot even if asked to".
- MBAM will now start and you will be at the main screen.
- To find the largest amount of malware and unwanted programs possible with Malwarebytes, go to Settings > Protection and enable Scan for rootkits.
- Select Threat Scan from the Scan tab and start scanning. Definition updates are downloaded automatically. Scanning may take some time; the results are shown in the program when it finishes.
- Review and remove the displayed detections (e.g. the worm's .wcry.exe) and "do not yet reboot the system".
How to recover infected files from WannaCry virus?
- WannaCry works on the victim's device by generating an RSA key pair, i.e. a public and a private key. Each file's AES key is encrypted with the public key, so the private key is needed for decryption.
- After studying the behaviour of the worm, Microsoft has provided patches to prevent further damage. The SMBv1 flaw itself was fixed in MS17-010 in March 2017, two months before the outbreak, and after the outbreak Microsoft also released fixes for unsupported versions such as Windows XP. Apply the patch, or disable SMBv1, before a cleaned machine goes back on the network.
- A couple of tools published on GitHub can recover the encrypted data: WannaKey and WanaKiwi. They rely on another Windows flaw: on the affected versions the CryptoAPI does not wipe the RSA prime numbers from memory when the key is released, so the tools search the memory of the wcry.exe process for those primes, rebuild the private key and decrypt the files. The catch is that this only works if the infected computer has not been rebooted since infection and the memory has not been reused, which is the least likely case. Still, the technique can be reused against similar attacks in future.
WannaKey :- https://github.com/aguinet/wannakey
WanaKiwi :- https://github.com/gentilkiwi/wanakiwi/releases
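To make the recovery idea concrete, here is an added, toy-sized illustration of what those tools do; it is not the WannaKey or WanaKiwi source and does not read a real process. The RSA modulus n is known from the victim's public key, so the example generates a small key pair the way the victim-side key is created, builds a constructed "memory dump" with the primes buried among random bytes, scans it for a byte run that divides n, rebuilds the private exponent and unwraps a per-file AES key. The 512-bit primes, textbook RSA (instead of PKCS#1) and little-endian prime layout are assumptions made for the demonstration.

```python
"""WanaKiwi-style RSA private key recovery from process memory.

Added example, not the WannaKey/WanaKiwi source. The public modulus n is
known, so a memory dump can be scanned for a byte run that divides n; the
primes then give the private exponent, which unwraps the per-file AES keys.
Assumptions: 512-bit toy primes, textbook RSA rather than PKCS#1, and a
little-endian prime layout in memory (as in CryptoAPI key blobs).
"""
import math
import random

PRIME_BYTES = 64  # 512-bit toy primes; real WannaCry keys use 1024-bit primes


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random witnesses."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime with the top bit set, so it fills exactly `bits` bits."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_toy_keypair(seed, e=65537):
    """Generate (n, e, p, q) the way the victim-side key pair is created."""
    rng = random.Random(seed)
    p = random_prime(PRIME_BYTES * 8, rng)
    while True:
        q = random_prime(PRIME_BYTES * 8, rng)
        if q != p and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, p, q


def build_fake_dump(p, q, rng):
    """Constructed stand-in for a wcry.exe memory dump: primes amid junk."""
    junk = lambda size: bytes(rng.getrandbits(8) for _ in range(size))
    return (junk(700) + p.to_bytes(PRIME_BYTES, "little")
            + junk(333) + q.to_bytes(PRIME_BYTES, "little") + junk(500))


def find_prime_factor(dump, n, prime_bytes=PRIME_BYTES):
    """Slide a window over the dump; the first odd window dividing n is a prime.

    Returns (prime, offset) or None. This is the core WannaKey/WanaKiwi idea.
    """
    for offset in range(len(dump) - prime_bytes + 1):
        candidate = int.from_bytes(dump[offset:offset + prime_bytes], "little")
        if candidate > 1 and candidate & 1 and candidate != n and n % candidate == 0:
            return candidate, offset
    return None


def rebuild_private_exponent(n, e, p):
    """From one prime factor recover q, phi(n) and the private exponent d."""
    q, remainder = divmod(n, p)
    if remainder:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+


def wrap_file_key(aes_key, n, e):
    """Textbook RSA encryption of a per-file AES key (real code uses PKCS#1)."""
    return pow(int.from_bytes(aes_key, "big"), e, n)


def unwrap_file_key(wrapped, n, d, key_len=16):
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def recover_demo(seed=1337):
    """End to end: key creation, wrapping, memory scan, unwrap."""
    n, e, p, q = make_toy_keypair(seed)
    rng = random.Random(seed + 1)
    file_key = bytes(rng.getrandbits(8) for _ in range(16))  # AES-128 key
    wrapped = wrap_file_key(file_key, n, e)
    dump = build_fake_dump(p, q, rng)
    hit = find_prime_factor(dump, n)
    if hit is None:
        return {"found": False}  # memory reused or host rebooted: no recovery
    prime, offset = hit
    d = rebuild_private_exponent(n, e, prime)
    return {"found": True, "offset": offset, "file_key": file_key,
            "recovered_key": unwrap_file_key(wrapped, n, d)}


if __name__ == "__main__":
    result = recover_demo()
    print("prime found at offset", result.get("offset"))
    print("keys match:", result.get("recovered_key") == result.get("file_key"))
```

The scan only needs n and a divisibility test per window, which is why it is cheap even on a full process dump; the `None` path is the realistic failure mode the post describes, where the process memory holding the primes has been freed and reused or the machine was rebooted.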
Restoring files from Shadow Volume Copies
- Windows can create shadow copies of your files if System Restore is enabled on the system. These snapshots contain copies of your files from the time System Restore was enabled.
- Note: This method is not foolproof. Even where shadow copies survive, they may not hold the latest version of a file, and WannaCry tries to delete them after encrypting (it runs vssadmin delete shadows /all /quiet with elevated privileges), so the chances are small; check with vssadmin list shadows before spending time on it. Shadow Volume Copies are available from Windows XP Service Pack 2 onwards, including Windows Vista, Windows 7 and Windows 8. It is still worth trying.
The link below helps with this too.