A new ransomware strain named WannaCry (also known as WannaDecryptor, WannaCryptor, WanaCrypt0r and WCry) has so far infected more than 226,000 computers in more than 100 countries around the world.
According to Avast malware researcher Jakub Kroustek, most of the detections are coming from Russia, Ukraine, India and Taiwan.
Kaspersky Lab forum users report that WannaCry managed to infiltrate the internal computer systems of the Ministry of Internal Affairs of Russia and of the Investigative Committee of Russia.
“It first appeared in February 2017, but now it’s updated and looks different than previous versions”, said one of the Kaspersky Lab forum users.
Spain's national CERT, CCN-CERT, also posted an alert on its site about a wide-scale ransomware attack affecting several Spanish organizations.
The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions.
What is WannaCry ransomware?
WannaCry comes in two parts. The first is a worm component that spreads with EternalBlue, an exploit attributed to the U.S. National Security Agency (NSA) that targets a vulnerability in the Windows SMBv1 server. The second is the encryptor payload, which the worm drops and runs on each machine it compromises.
The attacks begin with a remote code execution vulnerability in the SMBv1 server of Microsoft Windows (CVE-2017-0144). Microsoft patched it on March 14, 2017 in security bulletin MS17-010; the EternalBlue exploit for it became publicly available a month later, in the Shadow Brokers dump of April 14, 2017. Despite that month of lead time, many companies, public organizations and home users still have not installed the patch.
The ransomware encrypts the victim's files, giving them the .WNCRY extension, and drops ransom notes in multiple languages. Each file is encrypted with its own AES key, and those AES keys are in turn encrypted with a 2048-bit RSA public key generated on the infected machine, so the files cannot be recovered without the matching RSA private key. WannaCry demands a payment of $300 worth of Bitcoin to one of the attackers' wallets.
The ransom note shows a countdown timer and warns that the price will be raised (the note says it doubles, to $600) after 3 days, and that the victim will lose the files permanently after 7 days.
The ransomware also replaces the victim's desktop wallpaper with instructions on how to pay the ransom and how to obtain the decryptor tool.
Update, May 22: Transaction statistics for the Bitcoin wallets used by the WannaCry authors show that some victims have paid the ransom. The three wallets have received 296 payments totaling 48.86359565 BTC (about $99,448 USD at the time).
The file extensions targeted by the WannaCry ransomware include:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
How to decrypt files locked by WannaCry ransomware? (Update May 2017)
The WanaKiwi decryption tool described here works only if you have not restarted the infected computer and have not killed the ransomware process (wnry.exe or wcry.exe). So do not restart your system if you want your encrypted files back.
WanaKiwi searches the memory of the running ransomware process for the two prime numbers that make up the RSA private key, the key the malware used to protect the per-file encryption keys. The Windows CryptoAPI functions the malware calls do not wipe those primes from memory before freeing it, so WanaKiwi can reconstruct the private key from them and use it to unlock the per-file keys. The tool therefore depends on the current contents of memory: if you have restarted the infected system, or have done a lot of other work on the PC since the infection, the memory that held the primes may have been reused and the key will not be found.
Click the download button below and extract the downloaded .zip to a folder on your desktop. Note: we recommend downloading the file on another, clean PC and transferring it via USB flash drive, to reduce the risk of overwriting the decryption key in memory.
Next, double-click the wanakiwi.exe file to run it.
WanaKiwi automatically detects the WannaCry process (wnry.exe or wcry.exe) running on the system.
It may take a couple of minutes for the tool to find the key; once it is found, the tool searches your computer for encrypted files and decrypts them automatically.
After decryption completes, you will still see the ransom note as the desktop background, and the unlocked files will sit next to their encrypted copies.
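To make the recovery trick concrete, here is a toy reconstruction of what WanaKiwi does. This is an added example written for this article; it is not WanaKiwi's code and it does not touch a real process. It generates a small RSA key pair (256 bits instead of WannaCry's 2048, for speed), buries one of the primes in a constructed block of random bytes standing in for the process heap, and then scans that block for a prime of the right size that divides the public modulus. Finding one yields the other prime and the private exponent, which is enough to unwrap a per-file key. The little-endian layout of the prime is an assumption taken from the CryptoAPI private key BLOB format.

```python
"""Added example: recovering an RSA private key from leftover primes in memory,
the principle behind WanaKiwi. Not the tool's own code; heap is constructed."""
import random
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, fine for a demo)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit forced on)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits, rng):
    """Toy RSA key generation; returns (n, e, d, p, q)."""
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        if p != q and gcd((p - 1) * (q - 1), e) == 1:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d, p, q


def build_fake_heap(p, prime_bytes, rng):
    """Constructed stand-in for process memory: random junk with the prime p
    stored little-endian (as in a CryptoAPI key BLOB) at a random offset."""
    junk = bytearray(rng.randbytes(4096))
    off = rng.randrange(0, len(junk) - prime_bytes)
    junk[off:off + prime_bytes] = p.to_bytes(prime_bytes, "little")
    return bytes(junk)


def recover_private_key(n, e, heap, prime_bytes):
    """Slide a window over the heap. A window that is a prime of the expected
    size and divides n is one factor of n; that gives the other factor and d.
    Returns (p, q, d), or None if no such prime is present."""
    for off in range(0, len(heap) - prime_bytes + 1):
        cand = int.from_bytes(heap[off:off + prime_bytes], "little")
        if cand.bit_length() != prime_bytes * 8:   # wrong size, skip cheaply
            continue
        if n % cand != 0:                          # not a factor of n
            continue
        if not is_probable_prime(cand):
            continue
        other = n // cand
        d = pow(e, -1, (cand - 1) * (other - 1))
        return cand, other, d
    return None


def demo(seed=1):
    """End to end: generate key, wrap a 128-bit 'file key' with the public key,
    recover the private key from the fake heap and unwrap the file key."""
    rng = random.Random(seed)
    bits = 256                      # shrunk from 2048 to keep the demo fast
    n, e, d, p, q = keygen(bits, rng)
    prime_bytes = bits // 16        # each prime is bits/2 bits = bits/16 bytes
    heap = build_fake_heap(p, prime_bytes, rng)
    file_key = rng.getrandbits(128)
    wrapped = pow(file_key, e, n)   # what the ransomware stores per file
    rec = recover_private_key(n, e, heap, prime_bytes)
    if rec is None:
        return False
    _, _, d_rec = rec
    return d_rec == d and pow(wrapped, d_rec, n) == file_key


if __name__ == "__main__":
    print("private key recovered and file key unwrapped:", demo())
```

The same scan fails as soon as the bytes holding the prime are overwritten, which is exactly why the tool insists on not rebooting and doing as little as possible on the infected machine before running it.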
How to prevent WannaCry infection?
1. Make sure that an endpoint anti-malware solution is enabled on your computer.
Plumbytes Anti-Malware detects and removes most security threats, and can detect and immediately block a suspicious process that mimics the behavior of typical crypto-ransomware, including Ransom:Win32.WannaCrypt.
2. Install the official Windows patch (MS17-010), which closes the SMB server vulnerability used in this attack. Microsoft even released the patch for operating systems that are no longer officially supported, such as Windows XP, Windows Server 2003 and Windows 8.
3. Scan all systems. If a scan detects the attack as MEM:Trojan.Win64.EquationDrug.gen (Kaspersky's name for the exploit stage) or as any other malware, remove it immediately and reboot the system. Then confirm that the MS17-010 patches are installed.
4. You can also disable the SMBv1 protocol, as described in Microsoft's article: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012. Disabling SMBv1 removes the vulnerable code path entirely and protects you against other exploits for it, not only EternalBlue.
5. Back up all important personal and business data to an external hard drive or a cloud storage service, and keep the backup disconnected from the machine, since ransomware also encrypts any drive it can reach.
6. Block TCP port 445 for extra safety. Blocking inbound TCP port 445 (SMB) at the firewall keeps the worm from reaching the vulnerable service on hosts you have not yet patched. It is a stopgap, not a substitute for installing MS17-010.