WannaCry explained: A perfect ransomware storm


What is WannaCry?

WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC’s hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain’s National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.

How WannaCry works

The WannaCry ransomware executable works in a straightforward manner and is not considered particularly complex or innovative. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself. Those components include: 

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor, used for command-and-control communications with the ransomware gang

Whatever the original WannaCry source code is, it hasn’t been found or made available to researchers, although it’s easy enough for them to examine the binary’s execution. Once launched, WannaCry tries to access a hard-coded URL—this is a kill switch, and we’ll discuss it in more detail in a moment. If the ransomware can connect to that URL, it shuts down; if it can’t, it proceeds to search for and encrypt files in a slew of important formats, ranging from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. It then displays a ransom notice, demanding some Bitcoin—not an outrageous amount, often on the order of $300—to decrypt the files.

How does WannaCry spread?

WannaCry spreads via a flaw in the Microsoft Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps various nodes on a network communicate, and an unpatched version of Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code, an exploit known as EternalBlue.
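The propagation pattern described above, an infected host probing many peers over SMB, is what a defender can look for in network logs. The following detector is an added example, not code from the article or from any WannaCry analysis: it reads constructed firewall-style connection lines and flags any source that reaches an assumed threshold of distinct hosts on TCP/445 within a sliding time window (the log format, window and threshold are assumptions).

```python
"""Flag hosts showing worm-like SMB fan-out in connection logs (added example).

A host spreading WannaCry opens TCP/445 sessions to many distinct peers in a
short time. This detector reports sources that touch >= THRESHOLD distinct
hosts on port 445 inside any WINDOW-long sliding window. Log format, window
and threshold are assumptions for this example, not values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 8

# Constructed sample log: "<ISO timestamp> <src> -> <dst>:<port> <action>".
# 10.0.1.5 fans out to 12 peers on 445 in 12 seconds (worm-like);
# 10.0.2.9 talks to two file servers (normal); 10.0.3.3 uses HTTPS only.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.1.5 -> 10.0.1.{100 + i}:445 allow" for i in range(12)]
    + ["2017-05-12T10:00:05 10.0.2.9 -> 10.0.1.100:445 allow",
       "2017-05-12T10:00:09 10.0.2.9 -> 10.0.1.101:445 allow",
       "2017-05-12T10:00:10 10.0.3.3 -> 203.0.113.10:443 allow"]
)

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def smb_fanout(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak distinct 445 peers} for sources at/above threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            if port == 445:
                by_src[src].append((ts, dst_ip))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until all events fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

On the constructed sample, only 10.0.1.5 is flagged (12 distinct SMB peers); tune the window and threshold to the normal SMB fan-out of your own file servers and scanners before alerting on it.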

The fact that this rather pedestrian executable spread via EternalBlue is ultimately more interesting than the ransomware itself. It is believed that the U.S. National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed the EternalBlue code to exploit it. This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it obfuscated in a seemingly political Medium post on April 8, 2017. Microsoft itself had discovered the vulnerability a month prior and had released a patch, but many systems remained unpatched and vulnerable, and WannaCry, aided by EternalBlue, began spreading rapidly on May 12. In the wake of the outbreak, Microsoft slammed the U.S. government for not having shared its knowledge of the vulnerability sooner.

Copyright © 2022 IDG Communications, Inc.
