WannaCry Ransomware: All you need to need to Know

WannaCry Ransomware has been in NEWS since May 12, 2017 infecting more than 2,00,000 computers in more than 150 countries. WannaCry spread using a flaw in older Microsoft Windows systems and wreaked havoc on organizations including FedEx and Telefónica, as well as the UK’s National Health Service(NHS).

What is Ransomware ?

There are many types of malware that affect a computer, ranging from those that steal your information to those that just delete everything on the device. In simple terms, Ransomware is a type of malicious software, when installed, blocks your access to your computer and demands a certain amount of ransom to be paid to unlock the same. Ransomware usually locks computers, encrypts the data on it and prevents software and apps from running. Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. When the program runs, it manages to somehow lock your system and demands certain amount of ransom to be paid before you can unlock your system again.

What is WannaCry ?

WannaCry or WannaCrypt is a type of ransomware, that has surfaced since May 12, 2017 and has infected more than 2,00,000 computers in more than 150 countries, including India. The WanaCrypt0r 2.0 bug encrypts data on a computer within seconds and displays a message asking the user to pay a ransom of $ 300 in Bitcoins to restore access to the device and the data inside.

Why is WannaCry so dangerous ?

WannaCry has infected Germany’s rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, US logistics giant FedEx and Russia’s interior ministry. Several plants of carmakers Renault and Nissan have stopped production in France and England due to the malware. However, the most critical attack has been Wannacry’s hit on the National Health Service of the United Kingdom making confidential patient information and documents inaccessible and hence, stalling surgeries and other critical patient care activity across the British Isles.

It had been feared that the attack could bring public utilities or transport systems to a halt, forcing the government to pay a huge ransom to normalise services.

How does WannaCry attack systems?

It often reaches victims as mail attachment. Once opened,exploiting the Windows vulnerability, it spreads to other computers in the network as well . It originates from a tool called EternalBlue that was among the NSA-related tools dumped online in April by an anonymous group, Shadow Brokers. It was first spotted active online by security experts in the U.K. on Friday, and within hours it had managed to spread exponentially. Microsoft had earlier made available an update to eliminate the vulnerability. But a whole lot of systems had not been updated.

The ransomware virus then drops a file named ‘!Please Read Me!.txt’ which contains the text explaining what has happened (to the computer) and how to pay the ransom.”

Who was behind the attack ?

It isn’t known yet. However, it is widely accepted that the hackers used the ‘Eternal Blue Hacking Weapon’ created by America’s National Security Agency (NSA) to gain access to Microsoft Windows computers used by terrorist outfits and enemy states. The NSA tool was stolen in April by a group called Shadow Broker and now the malware has surfaced in May.

The accidental Solution

The solution to this critical problem has been accidentally very simple. One of UK’s cyber security researcher found out that WannaCry was connecting out to a specific domain, which was not registered. So he registered the domain. This apparently was the kill switch.

The kill switch was precoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

So when the researcher registered the domain and it became live, the kill switch got activated and it has stopped from spreading.