# Wanna Cry Ransomware Cyber Attack



## Sarvesh (May 14, 2017)

The *Wanna Cry Ransomware* cyber attack has hit more than 104 countries, with Russia & India among the worst affected; the US NSA is being criticized.

News links below:

Wanna Cry ransomware cyber attack: 104 countries hit, India among worst affected, US NSA criticized

Global ransomware cyber attack downs computers in 74 countries, malware used stolen NSA tools

Andhra police computers hit by Wanna Cry cyber attack:

Andhra police computers hit by cyberattack - Times of India

In the wake of the largest ransomware attack in history, which has already infected over 114,000 Windows systems worldwide in the last 24 hours, Microsoft just took an unusual step to protect its customers with out-of-date computers.

Microsoft has just released an emergency security patch update for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.

Patch download Link: Microsoft Update Catalog

Tech Guide/ Info: Customer Guidance for WannaCrypt attacks

God bless Our Earth & its people.

Update: some more info: Protect Against WannaCry: Microsoft Issues Patch for Unsupported Windows (XP, Vista, 8,...)


----------



## bssunilreddy (May 14, 2017)




----------



## Vyom (May 14, 2017)

Quite an apt name, "Wanna Cry". I wonder who named it so.

As far as the ransomware is concerned, well, that's what you get for using un-updated Windows. Either use legit Windows or use Linux.
Good lesson to a lot of people and organizations out there. I feel sad for hospitals and the likes for getting attacked tho.


----------



## quicky008 (May 15, 2017)

Is the patch for this ransomware included by default with Microsoft's Creators Update?


----------



## Zangetsu (May 15, 2017)

Vyom said:


> Quite an apt name, "Wanna Cry". I wonder who named it so.
> 
> As far as the ransomware is concerned, well, that's what you get for using un-updated Windows. Either use legit Windows or use Linux.
> Good lesson to a lot of people and organizations out there. I feel sad for hospitals and the likes for getting attacked tho.


MS should name the patch "Don't Cry".

Linux is a good alternative for staying protected, and so is an updated AV database.


----------



## chimera201 (May 15, 2017)

But what is the infection method? Clicking on links or something?


----------



## Flash (May 15, 2017)

What is the "Wanna Cry" ransomware's possible impact on Linux users?


----------



## Zangetsu (May 15, 2017)

Have AV companies updated the database... I think yes.


----------



## chimera201 (May 15, 2017)

^I got a mail from Bitdefender on May 13 saying it's updated for it.


----------



## Sarvesh (May 15, 2017)

It can only spread if you download an unsolicited file attachment and run it, or if you are connected to a network (LAN) which is already affected. It exploits the security issue only on older MS OSes such as XP, XP x64, Vista, Windows 7, Windows 8, Windows Server 2003 (including Datacenter Edition), Windows Server 2008 & Windows XP Embedded.

Windows has released a security patch (KB4012598) for all these OSes.
Download from here: Microsoft Update Catalog

Simply download and install.
Windows 10, Windows 8.1 & Windows 7 with the latest updates installed are not affected.
Anybody using XP or another OS mentioned above should immediately install the patch. You can download the patch on any secure system (Win 10, Linux, Android etc.) and then apply it to your system before connecting to the internet.
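One way to check the above on the machine itself, as an added example that is not from this thread: it reads the Windows version and looks for the KBs named in the thread (KB4012598 for the older editions, and KB4019264, the May 2017 rollup for Windows 7 mentioned later in the thread). Windows PowerShell run as administrator is assumed.

```powershell
# Added example (not from the thread): report whether the patches named in this
# thread are present on the local machine. Run in an elevated Windows PowerShell
# on the machine itself, before it is reconnected to a network.
function Test-WannaCryPatchStatus {
    $os  = Get-WmiObject -Class Win32_OperatingSystem   # available on PowerShell 2.0 (stock Windows 7)
    $ver = [version]$os.Version

    # Map the reported OS version to the KB the thread points at:
    #   5.x        XP / Server 2003                 -> KB4012598 (emergency out-of-band patch)
    #   6.0 / 6.2  Vista, Server 2008 / Windows 8   -> KB4012598
    #   6.1        Windows 7                        -> KB4019264 (2017-05 Security Monthly Quality Rollup)
    #   6.3 / 10.0 Windows 8.1 / 10                 -> fixed via the regular March 2017 updates; no KB listed in the thread
    $expected = @()
    if ($ver.Major -eq 5 -or ($ver.Major -eq 6 -and ($ver.Minor -eq 0 -or $ver.Minor -eq 2))) {
        $expected = @('KB4012598')
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
        $expected = @('KB4019264')
    }

    # Get-HotFix wraps Win32_QuickFixEngineering, the list of installed updates.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $found     = @($expected | Where-Object { $installed -contains $_ })
    $missing   = @($expected | Where-Object { $installed -notcontains $_ })

    if ($expected.Count -eq 0) {
        $status = 'No thread-listed KB applies; verify via View Update History'
    } elseif ($missing.Count -eq 0) {
        $status = 'Patched (thread-listed KB present)'
    } else {
        $status = 'Install the missing KB before connecting this machine to a network'
    }

    New-Object PSObject -Property @{
        OS        = $os.Caption
        Version   = $os.Version
        Expected  = ($expected -join ', ')
        Installed = ($found -join ', ')
        Missing   = ($missing -join ', ')
        Status    = $status
    }
}

Test-WannaCryPatchStatus | Format-List OS, Version, Expected, Installed, Missing, Status
```

On Windows 7 a later cumulative rollup supersedes KB4019264 and may be listed instead of it, so a "missing" result there means check View Update History as suggested later in the thread, not that the machine is exposed.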


----------



## Hrishi (May 16, 2017)

The ransomware uses a cryptographic injection and residence method to stay on the machine. The actual DLL code is encrypted in a loader with AES encryption. Once the loader is invoked, it uses a 128-bit key to decrypt the actual DLL and associates it with a process, almost immediately starting the encryption process.
It spreads via file shares and SMB to the LAN/WAN segment.
A typical infection vector can be either a file share, or an archive or a PDF or spam email.



----------



## Zangetsu (May 16, 2017)

'Accidental hero' halts ransomware attack and warns: this is not over


----------



## Prime_Coder (May 16, 2017)

chimera201 said:


> But what is the infection method? Clicking on links or something?


The attack spreads by phishing emails, but also uses the backdoor developed by the U.S. (NSA) to spread through a network which has not installed recent security updates, to directly infect any exposed systems. Read here: WannaCry ransomware attack - Wikipedia


----------



## lywyre (May 16, 2017)

Thankfully, I no longer connect with our PC or laptop. I stay online using my mobile and at office we use Ubuntu.

I will wait till this weekend to update our PC and laptop (both Win 7). Hope the dust would be settled by then.

I recommend everybody to take a backup of your documents and personal collections to an external hard disk.


----------



## chimera201 (May 16, 2017)

Most people would have disabled their Windows Update due to forced Win 10 installation. GG MS and NSA.


----------



## Flash (May 16, 2017)

Cyber attacks linked to North Korea, security experts claim


----------



## BhargavJ (May 17, 2017)

I've read that it often stays in the computer for a while before striking. I'm not infected at present. Suppose I am infected but the thing is dormant and so everything appears to be fine, and I make a backup of my important files and copy them to a pendrive, and then my computer files get encrypted, will the files in the pendrive stay safe or is it that the files have already been infected and it is just waiting for some kind of trigger to encrypt the files? Sorry, I don't know much about these things.

Edit: I opened the Microsoft Update Catalog, but it has nothing for Windows 7. So how do I download the update for Win 7?


----------



## chimera201 (May 17, 2017)

BhargavJ said:


> I've read that it often stays in the computer for a while before striking. I'm not infected at present. Suppose I am infected but the thing is dormant and so everything appears to be fine, and I make a backup of my important files and copy them to a pendrive, and then my computer files get encrypted, will the files in the pendrive stay safe or is it that the files have already been infected and it is just waiting for some kind of trigger to encrypt the files? Sorry, I don't know much about these things.
> 
> Edit: I opened the Microsoft Update Catalog, but it has nothing for Windows 7. So how do I download the update for Win 7?



Check View Update History. If you have May 2017 Security Monthly Quality Rollup, you are all good. Else you need to check for updates.
Also have a good Anti-virus installed.


----------



## BhargavJ (May 17, 2017)

chimera201 said:


> Check View Update History. If you have May 2017 Security Monthly Quality Rollup, you are all good. Else you need to check for updates.
> Also have a good Anti-virus installed.



Have the KB4019264 (2017-05 Security Monthly Quality Rollup for Windows 7) installed, so no problem. Also have Kaspersky security suite installed. Thanks.


----------



## Sarvesh (May 17, 2017)

BhargavJ said:


> Have the KB4019264 (2017-05 Security Monthly Quality Rollup for Windows 7) installed, so no problem. Also have Kaspersky security suite installed. Thanks.


Relax! You are safe. Keep your system & Antivirus up to date & do not download any suspicious software or file from any site or email. Kaspersky is one of the best protection around.


----------



## whitestar_999 (May 17, 2017)

Ransomware resides within & encrypts files from the infected system; there is no infected file like in the case of a virus. In the case of ransomware there are only 2 types of files: encrypted & non-encrypted. So if a file backup is taken before encryption of the files then they are the same files as before the ransomware infected the system.


----------



## Sarvesh (May 17, 2017)

Yes, ransomware is basically a malicious tool (software) which upon execution encrypts files & deletes the originals.

Paying ransom did not help anyone.

Instead you can use a data recovery software to recover / undelete some files from the hard disk if stuck in such situation.


----------



## meetdilip (May 17, 2017)

Does System Restore work?


----------



## whitestar_999 (May 17, 2017)

Actually many people did & continue to get their files decrypted after paying the ransom; that is the basic premise of ransom. Only if people get what they want will the ransom threat work. That is why the USA has a no-negotiation policy with terrorists regarding hostage situations, because negotiating would encourage terrorists to take even more hostages in future.

As for backup, if it was taken before the ransomware encrypted files then it is fine, but if a system is still infected with ransomware & you connect your external HDD containing the backup to it then the backup files will also start getting encrypted.


----------



## Sarvesh (May 18, 2017)

whitestar_999 said:


> Actually many people did & continue to get their files decrypted after paying ransom


There is no official confirmation of any success yet.

Read the following:

Paying the WannaCry ransom will probably get you nothing. Here's why.

Should you pay the WannaCry ransom? - BBC News

The Ransomware Hackers Made Some Real Amateur Mistakes

Can files locked by WannaCry be decrypted: A technical analysis


----------



## whitestar_999 (May 18, 2017)

My reply was not meant specifically for WannaCry but for all ransomware in general. As I said, ransomware success depends on giving people what they want, without which it is useless as a ransomware. Maybe WannaCry messed up its payment system, but ransomware in general has a good payment system, which was also mentioned in some links posted above.


----------



## billubakra (May 18, 2017)

This is a good read. Covers everything from Digital India to the greatest tech genius in the world Mr. Fadiaaaaaaaaa
WannaCry cyber-attack: Bad that India is crying, but more scary is govt response


----------



## kg11sgbg (May 18, 2017)

My PC's and laptop's Windows 10 are patched up to the latest updates.
The commercial AV suites which I use are also on their latest updates.


----------



## maheshn (May 18, 2017)

Sarvesh said:


> There is no official confirmation of any success yet.
> 
> Read the following:
> 
> ...



360 Total Security *claims* to have a decryption tool shown on their homepage at 360 Total Security: Free Antivirus Protection | Virus Scan & Removal for Windows, Mac and Android

Seems to be a beginning.....


----------



## Sarvesh (May 18, 2017)

maheshn said:


> 360 Total Security *claims* to have a decryption tool shown on their homepage at 360 Total Security: Free Antivirus Protection | Virus Scan & Removal for Windows, Mac and Android
> 
> Seems to be a beginning.....


*NO* decryption tool yet... it is a recovery tool.

Read their blog at Biggest Ransomware Attack Ever - Tips to stay safe from WannaCry ransomware

It is clearly mentioned - "_There is no decryption tool for the WannaCry ransomware at this moment. If you are unluckily infected, in the worst case you may have to pay the attackers to save your data. We don’t suggest this unsavory approach; instead, you can cut off the Internet connection immediately and turn to security experts or wait for the decryption tool. To prevent this from happening, install the security patches and back up all important files NOW to protect yourself._"

Some of the Ransomware removal tools available:

What is Ransomware? | Free Ransomware Removal Tools | Avast
Kaspersky Anti-Ransomware Tool for Business
Free Ransomware Decryption Tools | Unlock Your Files | AVG
Anti Ransomware Tool


----------



## kg11sgbg (May 19, 2017)

For home users, at worst they have to format their machine's drives if it gets infected.


----------



## billubakra (May 19, 2017)

Sorry if this is a dumb question: the machines are locked by ransomware, fine, but can't we boot, say, via Ubuntu or HBCD to recover files?


----------



## whitestar_999 (May 19, 2017)

Files are there but encrypted; even if you recover them they are of no use because the data inside them is scrambled/gibberish because of encryption. You have to decrypt the files to make them meaningful again, which requires the decryption key for which money was being asked.
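The point above, and whitestar_999's earlier one that a backup drive plugged into an infected machine starts getting encrypted too, comes down to telling encrypted files from intact ones. An added example, not from this thread: a PowerShell triage pass over a backup folder that flags files whose bytes look like ciphertext, using Shannon entropy; the folder path E:\Backup and the 7.9-bit threshold are assumptions.

```powershell
# Added example (not from the thread): flag files in a backup that look like
# ciphertext, i.e. what a "backup" copied after encryption would contain.
# Run it from a clean machine with the backup drive attached, not from the
# possibly infected one. Shannon entropy of the first 64 KB is used: random
# or encrypted bytes score close to 8 bits/byte, documents and source far lower.
function Get-FileEntropy {
    param([string]$Path, [int]$SampleBytes = 65536)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n = $stream.Read($buf, 0, $SampleBytes)
    } finally { $stream.Close() }
    if ($n -eq 0) { return 0.0 }

    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }

    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-SuspectedEncryptedFiles {
    param([string]$BackupRoot, [double]$Threshold = 7.9)
    # Formats that are compressed by design also score high; skip them to
    # avoid the obvious false positives. Anything else near 8 bits is suspect.
    $compressed = '.zip','.rar','.7z','.gz','.jpg','.jpeg','.png','.mp3','.mp4','.mkv','.docx','.xlsx','.pptx','.pdf'
    Get-ChildItem -Path $BackupRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($compressed -contains $_.Extension.ToLower()) { return }   # 'return' skips this item only
        $e = Get-FileEntropy -Path $_.FullName
        if ($e -ge $Threshold) {
            New-Object PSObject -Property @{ File = $_.FullName; Entropy = [math]::Round($e, 3) }
        }
    }
}

# Assumed backup location; a backup taken before infection should yield no hits.
Find-SuspectedEncryptedFiles -BackupRoot 'E:\Backup' | Format-Table -AutoSize
```

A hit is a prompt to open that file on a clean machine and look, not proof of encryption, since some uncompressed formats also carry high-entropy sections.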


----------



## Sarvesh (May 19, 2017)

billubakra said:


> Sorry if this is a dumb question: the machines are locked by ransomware, fine, but can't we boot, say, via Ubuntu or HBCD to recover files?


The files on the Desktop & in My Documents are encrypted and the originals are deleted & thoroughly overwritten, so they cannot be recovered. But the files on the other drives / partitions are encrypted and the originals are simply deleted, so they can be recovered using any undelete or recovery tool in the case of Wanna Cry Ransomware.

Reference for technical details:
Can files locked by WannaCry be decrypted: A technical analysis


----------



## whitestar_999 (May 19, 2017)

It is not so simple: a fundamental principle of file recovery is avoidance of any write operation on the affected disk, & all ransomware create new files on disk, resulting in lots of write operations on the disk. In short, the success rate will vary greatly from system to system depending on what % of free space there was on the disk, the state of fragmentation, etc.


----------



## Sarvesh (May 19, 2017)

whitestar_999 said:


> It is not so simple: a fundamental principle of file recovery is avoidance of any write operation on the affected disk, & all ransomware create new files on disk, resulting in lots of write operations on the disk. In short, the success rate will vary greatly from system to system depending on what % of free space there was on the disk, the state of fragmentation, etc.


Yes, you are right, the success rate will depend on the free space & also on the shadow copies created by Windows.


----------



## whitestar_999 (May 19, 2017)

Many ransomware first delete shadow copies though.


----------



## Sarvesh (May 19, 2017)

Why did Microsoft remain silent till the devastating attack?
Microsoft held back a free WannaCry patch, says report - CNET


----------



## bssunilreddy (May 19, 2017)

Tool can decrypt some files in Wanna Cry ransomware attack


----------



## Sarvesh (May 19, 2017)

Tool for decrypting Wanna Cry Ransomware files.

The WannaKiwi decryption tool works on Windows XP, 2003 and 7 computers that have not been rebooted.

GitHub - gentilkiwi/wanakiwi: Automated wanadecrypt with key recovery if lucky

Readme link
wanakiwi/README.md at master · gentilkiwi/wanakiwi · GitHub


----------



## BhargavJ (May 20, 2017)

I've read that the ransomware had this thing which checked whether or not it was running in a virtual environment, and if it was, it stopped working (infecting). Suppose a person was using a copy of Windows installed in VMWare, would it be possible for the host machine to get infected if the ransomware successfully infected the virtual machine, or would it be possible for the infection to skip the virtual machine entirely and jump directly to the host machine?

My Win 10 key is in the hardware itself, the UEFI BIOS or whatever it is called. Suppose I create a virtual machine and install Win 10 in it, will I need another license for that? If I use the same license, will there be a clash wherein Microsoft would detect two copies of the same license, one in the main host machine and another in the virtual one, and cancel my license?


----------



## whitestar_999 (May 20, 2017)

And what exactly is the practical utility of the above with regard to ransomware? If one is running a VM then it needs to have internet access to get infected by ransomware, but then if a virtual machine can be infected by ransomware over the internet then the real system also has the same risk of getting a ransomware infection because it is also using the same net connection, unless one intentionally wants to infect a VM to observe ransomware behaviour while keeping the main host system secure by deploying various security measures.

All Windows editions will require a new license for running in a VM. Also every VM has its own virtual BIOS/UEFI (depending on software & option), so one cannot use the same genuine embedded Win key in the host system to activate Windows in any VM anyway.

P.S. Keep your Windows & AV updated & don't click/open any attachments (even if they came from known sources) in emails without scanning them with AV first.


----------



## Sarvesh (May 20, 2017)

The systems mainly affected were using older unsupported OSes such as Windows XP, 2003 & Windows 8 etc.

The mainstream Windows such as Windows 10, Windows 8.1 etc. already got the security update in March to fix the security exploit. So any current system with latest updates is already secured against Wanna Cry Ransomware.


----------



## BhargavJ (May 20, 2017)

whitestar_999 said:


> And what exactly is the practical utility of above with regard to ransomware.



The question was simply about whether or not virtualization is effective in stopping ransomware, since if the ransomware detects virtualization and stops doing its work, then virtualization has proved effective.

I'm not trying to test any malware in a virtual environment; I was just thinking of virtualization as a second layer of protection. I keep Windows and the AV updated, and I never click on unsafe links. I also use Sandboxie. If virtualization can add another layer, all the better. But it seems even virtualization is not a 100% foolproof method.


----------



## whitestar_999 (May 20, 2017)

It may or may not be effective depending on how complex your networking setup is, hence the reply. *You seem to have an impression that merely running Windows in a VM is enough to stop ransomware, which is not true.*


----------



## Zangetsu (May 22, 2017)

BhargavJ said:


> I'm not trying to test any malware in a virtual environment; I was just thinking of virtualization as a second layer of protection. I keep Windows and the AV updated, and I never click on unsafe links. *I also use Sandboxie*. If virtualization can add another layer, all the better. But it seems even virtualization is not a 100% foolproof method.


Since u use SB... I have a query:

Does the AV detect viruses/worms which pop up in the SB environment?


----------



## BhargavJ (May 22, 2017)

I very rarely get a virus notification from the AV. Most of the time, Kaspersky blocks suspected pages in the browser itself. The AV does scan inside the Sandboxie folder. I remember a time when I was getting a false positive for a small app from inside the Sandboxie folder, and I had to add the Sandboxie folder to the exclusions list of the AV. So yes, the AV does detect viruses in the Sandboxie folder. I'd recommend you start using it. I've read that viruses can break out of sandboxes, but most of the time, you're probably safe. You get peace of mind knowing that all your internet activity is limited to inside a box, and only stuff you permit leaves the box.


----------



## kg11sgbg (Jun 5, 2017)

Sarvesh said:


> The systems mainly affected were using older unsupported OSes such as Windows XP, 2003 & Windows 8 etc.
> 
> The mainstream Windows such as Windows 10, Windows 8.1 etc. already got the security update in March to fix the security exploit. So any current system with latest updates is already secured against Wanna Cry Ransomware.


Agreed with you... @Sarvesh.
No need to worry for those members who have and are running a genuine Windows OS (7, Vista, 8, 8.1, 10) with the latest security updates + patches.


----------

