Today we’re going to talk about what happened with the ransomware “WannaCry” that affected almost the whole world one week ago.
The “WCry” or “WannaCrypt0r” ransomware spread rapidly across Europe, Asia and beyond, reaching almost 150 countries and disrupting or closing 45 hospitals in the UK, train stations in Germany and other large companies such as Telefonica Movistar in Spain. As the ransomware continued to propagate, I got my hands on a sample and quickly began analyzing the malware. This post walks through my findings and provides a technical overview of the strain of WCry ransomware that caused the massive impact on Friday. Many have done great work analyzing this malware in action and helping contain its spread, and I hope my comprehensive static analysis will provide a good overall picture of this particular ransomware variant on top of that.
Researchers and Europol estimate over 150,000 computers impacted globally thus far, and many people received unwelcome notes on Friday, similar to those below, demanding a fee to decrypt their files. While the notes promise to return the data, there is no guarantee that paying the ransom will bring the data back safe and sound, but if it gets this far and adequate backups are not in place, it may be the only recourse the victim has. No one ever wants to see one of these.
And this is the wallpaper that appears on the desktop.
There has been a lot of discussion about the method of propagation and the overall impact of this ransomware, but what does this ransomware actually do from start to finish? That is the question I’ll answer in this post.
To begin, we obtained the malware sample (SHA256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c / MD5 Db349b97c37d22f5ea1d1841e3c89eb4) from VirusTotal. See the appendix for a summary of the files dropped with the malware. Some tracks were pointing directly to the NSA by methodology, but then, by some miracle, attribution shifted to North Korea.
WannaCry follows a flow similar to that of other ransomware as it damages a machine. It begins with an initial beacon, which other researchers have already reported is basically a kill switch. If it makes it past that step, it attempts to exploit the ETERNALBLUE/MS17-010 vulnerability and propagate to other hosts. WCry then goes to work doing damage to the system: first it lays the foundations for doing the damage and getting paid for recovery, and once that is done WannaCry starts encrypting files on the system. See the diagram below for an overview of how this malware works. I’ll walk through each of these steps in more detail below.
As the graphic illustrates, the malware inflicts damage by executing a series of tasks. I’ll walk through each of these tasks, which are numbered below; each first-level item of the outline corresponds to that step in the execution flow graphic.
So… honestly, I could explain at a technical level how it works (as I understand it after many hours of reading, to share the essence of it with you), but that would take long, so instead I will give you some tips to improve your security levels and avoid it… in the next post.
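The propagation step above (exploiting MS17-010 to reach other hosts over SMB) leaves a distinctive network footprint: a single host opening TCP/445 connections to many neighbours within seconds, where a normal client talks to a handful of file servers. As an added example, not part of the original analysis, the Python below flags that fan-out in firewall-style flow records; the log format, the 60-second window, the threshold of five targets and every address are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/NetFlow-style records: "<date> <time> <src> <dst> <dport>".
# Hosts, addresses and timings are made up for this example.
SAMPLE_FLOWS = """\
2017-05-12 10:00:00 10.0.5.40 10.0.5.10 445
2017-05-12 10:00:01 10.0.5.21 10.0.5.1 53
2017-05-12 10:00:02 10.0.5.21 10.0.5.22 445
2017-05-12 10:00:02 10.0.5.21 10.0.5.23 445
2017-05-12 10:00:03 10.0.5.21 10.0.5.24 445
2017-05-12 10:00:03 10.0.5.40 10.0.5.11 445
2017-05-12 10:00:04 10.0.5.21 10.0.5.25 445
2017-05-12 10:00:05 10.0.5.21 10.0.5.26 445
2017-05-12 10:00:05 10.0.5.21 10.0.5.22 445
2017-05-12 10:00:07 10.0.5.21 10.0.5.27 445
2017-05-12 10:00:09 10.0.5.21 10.0.5.28 445
2017-05-12 10:05:00 10.0.5.40 10.0.5.10 445
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, dport = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)

def smb_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak_distinct_targets} for each source that reached at least
    `threshold` distinct hosts on TCP/445 inside one sliding window. Repeated
    connections to the same host count once, so a busy file-server client is not flagged."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(smb_fanout(parse_flows(SAMPLE_FLOWS)))  # {'10.0.5.21': 7}
```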