

WannaCry, originally named WanaCrypt and also known as Wana Crypt0r and Wana Decrypt0r, is ransomware that runs on Windows XP+ (and can be run on Linux via WINE). It uses two NSA-leaked tools and has wreaked havoc in airports, banks, universities, hospitals and many other facilities. It has spread to some 150 countries worldwide, mainly Russia, Ukraine, the US, and India. It is not decryptable as it uses RSA-2048; thus, the only way to retrieve files is from a backup or by paying directly in Bitcoin equivalent to $300 USD. The required payment increases to the Bitcoin equivalent of $600 USD 72 hours after the initial infection of the PC. 7 days after the victim's infection, the malware will start deleting the computer's files.

Infection[1]

This program can be delivered the same way a trojan is: it is loaded through hyperlinks in emails, Dropbox links, or advertisements. When run, the ransomware quickly encrypts the files on the computer, except those used by the system, using the same encryption method Instant Messaging uses. It can also attack network drives.

From version 2.0 onward, instead of using spam emails, spoofed links or advertisements as its means of transfer, the ransomware behaves like a worm. With the help of remote malicious code, it actively attacks every vulnerable computer on the internet.

It scans computers for TCP and UDP ports 139 and 445 (SMB); if they are found listening and the host is found vulnerable to this attack, it deleting the computer's files.
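One way to spot the worm-like spread described above from the defender's side, as an added example that is not part of the original page: flag any internal source that contacts many distinct hosts on the SMB ports within a short window. The flow-record format, the function name `smb_fanout_alerts`, the 60-second window and the threshold of 5 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 5                    # assumed: distinct peers before alerting

# Constructed flow records in an assumed format: "timestamp src dst dport proto"
SAMPLE_FLOWS = (
    # fast fan-out on 445: the worm-like pattern
    [f"2017-05-12T09:00:0{i} 10.0.0.23 10.0.1.{i} 445 tcp" for i in range(1, 7)]
    # many peers, but one per minute: stays under the threshold
    + [f"2017-05-12T09:0{i}:00 10.0.0.40 10.0.2.{i} 445 tcp" for i in range(1, 7)]
    # a client talking repeatedly to a single file server
    + [f"2017-05-12T09:00:1{i} 10.0.0.8 10.0.0.5 445 tcp" for i in range(3)]
    # fan-out on HTTPS, not SMB
    + [f"2017-05-12T09:00:2{i} 10.0.0.9 10.0.3.{i} 443 tcp" for i in range(1, 7)]
)


def parse(line):
    """Split one flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def smb_fanout_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak distinct SMB peers} for sources at or over threshold."""
    recent = defaultdict(list)   # src -> [(ts, dst)] still inside the window
    alerts = {}
    for ts, src, dst, dport, _proto in sorted(map(parse, lines)):
        if dport not in SMB_PORTS:
            continue
        # Drop contacts that have aged out of the window, then add this one.
        recent[src] = [(t, d) for t, d in recent[src] if ts - t <= window]
        recent[src].append((ts, dst))
        peers = {d for _, d in recent[src]}
        if len(peers) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    print(smb_fanout_alerts(SAMPLE_FLOWS))
```

Window and threshold need tuning against normal traffic; hosts that legitimately reach many SMB servers, such as backup systems, would need an allow-list.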


Exploits

The WannaCry ransomware uses the EternalBlue exploit kit leaked by The Shadow Brokers, which was patched by Microsoft on March 14. However, many companies and organizations have not installed this patch. Due to the damage that the ransomware caused, Microsoft released a patch for Windows XP, Windows Server 2003, and Windows 8, all of which were no longer supported at the time. Many antivirus vendors and computer security companies have also created programs to "immunize" against the NSA hacking tool.

[2] What is WanaCrypt0r 2.0 -WannaCry Ransomware-?

Decryption tool released

Adrien Guinet, a French security researcher from Quarkslab, found that the ransomware did not remove the prime numbers from memory after encrypting the files, meaning that the user can use these numbers to regenerate the public and private key pair.

Before generating a pair of RSA encryption keys, the system needs to choose two prime numbers. After the keys are generated, these numbers should be kept secret to prevent other users (such as hackers) from using them to regenerate the private key.

WanaKiwi tries to find the prime numbers left behind by the ransomware and regenerates the private key, so that the user might not need to pay the ransom to decrypt the files. However, there are some limits; if they are not met, the decryption tool might not be able to help decrypt the files:

  1. The infected machine must never have been rebooted.
  2. Since the memory location for these prime numbers is no longer allocated, they could be erased or overwritten by other processes, so the decryption tool should be started as early as possible in order to find the numbers.
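The recovery described in this section, as an added example (not WanaKiwi's code): a constructed memory dump is searched for a value that divides the public modulus, and the private exponent is rebuilt from it. The small primes, the search strategy in `find_prime_in_dump`, the dump layout and the unpadded RSA are all assumptions of the demo; a second dump with the region overwritten shows the limit in item 2.

```python
# Added demo. Constructed values: two small Mersenne primes stand in for
# the 1024-bit primes behind a real RSA-2048 key; RSA here is unpadded.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q            # public modulus, which the victim still has
PRIME_LEN = 8        # byte length of P in this demo (assumption)

MESSAGE = int.from_bytes(b"file-key-01", "big")   # stand-in for protected data
CIPHERTEXT = pow(MESSAGE, E, N)

# Constructed "memory dumps": one still holds P, one has been overwritten.
LIVE_DUMP = bytes(range(200)) + P.to_bytes(PRIME_LEN, "little") + bytes(64)
STALE_DUMP = bytes(range(200)) + bytes(PRIME_LEN) + bytes(64)


def find_prime_in_dump(dump, n, size):
    """Return a size-byte little-endian value in dump that divides n, else None."""
    for off in range(len(dump) - size + 1):
        cand = int.from_bytes(dump[off:off + size], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_exponent(p, n, e):
    """Recompute d from one recovered prime and the public key (n, e)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)


def recover_and_decrypt(dump, ciphertext):
    """Decrypt ciphertext if a prime factor of N survives in dump, else None."""
    p = find_prime_in_dump(dump, N, PRIME_LEN)
    if p is None:
        return None                         # primes gone: no recovery
    return pow(ciphertext, rebuild_private_exponent(p, N, E), N)


if __name__ == "__main__":
    print(recover_and_decrypt(LIVE_DUMP, CIPHERTEXT) == MESSAGE)
    print(recover_and_decrypt(STALE_DUMP, CIPHERTEXT))
```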

Other languages

WannaCry provides translations for these languages:

  • Bulgarian
  • Chinese (Simplified)
  • Chinese (Traditional)
  • Croatian
  • Czech
  • Danish
  • Dutch
  • English
  • Filipino
  • Finnish
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Latvian
  • Norwegian
  • Polish
  • Portuguese
  • Romanian
  • Russian
  • Slovak
  • Spanish
  • Swedish
  • Turkish
  • Vietnamese

Affected Organizations (according to Wikipedia)[3]

  • São Paulo Court of Justice (Brazil)
  • Aristotle University of Thessaloniki (Greece)
  • Vivo (Telefônica Brasil) (Brazil)
  • Lakeridge Health (Canada)
  • PetroChina (China)
  • Public Security Bureaus (China)
  • Sun Yat-sen University (China)
  • Instituto Nacional de Salud (Colombia)
  • Renault (France)
  • Deutsche Bahn (Germany)
  • Telenor Hungary (Hungary)
  • Andhra Pradesh Police (India)
  • Dharmais Hospital (Indonesia)
  • Harapan Kita Hospital (Indonesia)
  • University of Milano-Bicocca (Italy)
  • Q-Park (Netherlands)
  • Portugal Telecom (Portugal)
  • Automobile Dacia (Romania)
  • Ministry of Foreign Affairs (Romania)
  • MegaFon (Russia)
  • Ministry of Internal Affairs (Russia)
  • Russian Railways (Russia)
  • Banco Bilbao Vizcaya Argentaria (Spain)
  • Telefónica (Spain)
  • Sandvik (Sweden)
  • Garena Blade and Soul (Thailand)
  • National Health Service (United Kingdom)
  • Nissan UK (United Kingdom)
  • FedEx (United States)
  • STC (Saudi Arabia)
  • Boeing (United States)

[4] Timeline of key events relating to the WannaCry ransomware, made by Symantec.

Variants[5]

Including the very first version, there are 4 known versions:


Notes

Malware Wiki made me copy and paste the images. DON'T SUE ME FOR PLAGIARISM, IT WAS MALWARE WIKI'S FAULT.