So the most popular question I got asked by people in the past week was
"what on earth is ransomware?" Let me put it this way: imagine you wake up in
the morning and turn on the data on your phone so you can see the WhatsApp
messages that came in while you were asleep. Instead you are greeted by a
message written across the whole screen saying, "Your phone has been
encrypted. To regain access to it, send 10 BTC to Bitcoin account XYZ". You
are puzzled, because not only have you never seen this message before, you
don't even know what "encrypted" means or what BTC or a Bitcoin is. Assuming
this is a typical "gadget" error, you restart the phone (as you would any PC)
and the same message pops up again. You think of Googling the problem on your
phone, but you can't even open the Google app. Then the realization slowly sets
in that you can no longer access your WhatsApp, your contacts list, your music
or even the Date/Time app itself! That is basically ransomware at work.
By definition, ransomware is software with which a hacker locks all the files
on your computer and promises to give you the key to unlock them only after
you pay said hacker in some form of currency. This payment is commonly demanded
in Bitcoin, primarily because Bitcoin offers anonymity to its users, making
such accounts much more difficult to trace than regular bank accounts. Most of
us may be thinking that ransomware sounds like a first world problem, but the
WannaCry ransomware that is currently running amok on the internet does not
discriminate at all. Lots of media outlets in the UK ran headlines about how
most medical institutions had been brought to a grinding halt by this
ransomware and how it has spread to over a hundred countries to date.
WannaCry typically affects a number of Windows operating systems (Windows XP,
Windows 7 and Windows Server 2012 among others) as long as they have not been
patched against a particular flaw. The flaw, or vulnerability in technical
terms, is in the file sharing functionality built into most Windows operating
systems, known as Server Message Block (SMB). This means that users of Linux
and Mac platforms are quite safe from this particular exploit.
To add more flesh to WannaCry: it is not your typical run-of-the-mill
ransomware as described earlier. It comes fitted with an extra piece of
functionality in that it spreads like a worm. In information security, a worm
works like a virus in that it causes all kinds of havoc on your computer and
network. The definitive difference between the two is that a worm can spread
across a network without the victim or target doing anything to trigger it.
With a virus you usually have to click something or download some application
for it to execute. A worm, however, just scans your network for vulnerable
targets in a predefined sequence and proceeds to spread to and infect as many
of those computers as it can.
What this means is that if any computer on your network is infected with
WannaCry, the infection will spread to every other vulnerable Windows computer
on your network as well. The impact of this ransomware is so severe that
Microsoft even decided to ship patches for operating systems it no longer
supports, such as Windows XP!
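The worm behaviour described above leaves a visible trace: one machine suddenly talking to many neighbours over the SMB port in a short space of time. The following PowerShell snippet is an added example (not code from the original post) of how a CERT might flag that fan-out pattern in firewall or flow logs. It assumes SMB traffic uses its standard port, 445/tcp, and that each log line carries a timestamp, source, destination and destination port in the key=value layout shown; the log lines themselves are constructed for this example.

```powershell
# Added example: detect hosts fanning out over SMB (445/tcp) to many distinct
# peers within a short window, the footprint a scanning worm leaves in logs.
# The log lines below are constructed for illustration; in practice you would
# Get-Content a firewall or NetFlow export instead.

$logLines = @'
2017-05-12T08:01:02Z src=10.0.0.15 dst=10.0.0.21 dport=445 action=allow
2017-05-12T08:01:03Z src=10.0.0.15 dst=10.0.0.22 dport=445 action=allow
2017-05-12T08:01:03Z src=10.0.0.15 dst=10.0.0.23 dport=445 action=deny
2017-05-12T08:01:04Z src=10.0.0.15 dst=10.0.0.24 dport=445 action=allow
2017-05-12T08:01:04Z src=10.0.0.15 dst=10.0.0.25 dport=445 action=allow
2017-05-12T08:01:05Z src=10.0.0.15 dst=10.0.0.26 dport=445 action=allow
2017-05-12T08:01:05Z src=10.0.0.15 dst=10.0.0.27 dport=445 action=allow
2017-05-12T08:01:06Z src=10.0.0.15 dst=10.0.0.28 dport=445 action=allow
2017-05-12T08:01:06Z src=10.0.0.15 dst=10.0.0.29 dport=445 action=allow
2017-05-12T08:01:07Z src=10.0.0.15 dst=10.0.0.30 dport=445 action=allow
2017-05-12T08:01:07Z src=10.0.0.15 dst=10.0.0.31 dport=445 action=allow
2017-05-12T08:01:08Z src=10.0.0.15 dst=10.0.0.32 dport=445 action=allow
2017-05-12T08:02:10Z src=10.0.0.40 dst=10.0.0.5 dport=445 action=allow
2017-05-12T08:15:00Z src=10.0.0.40 dst=10.0.0.6 dport=445 action=allow
2017-05-12T08:20:00Z src=10.0.0.41 dst=10.0.0.5 dport=443 action=allow
'@ -split '\r?\n'

# Tuning knobs: a file server legitimately has many SMB clients, but a client
# workstation rarely opens SMB to ten new hosts inside a minute.
$SmbPort       = 445
$WindowSeconds = 60
$Threshold     = 10

# Parse each line into an object; lines that do not match are skipped.
$events = foreach ($line in $logLines) {
    if ($line -match '^(?<ts>\S+) src=(?<src>\S+) dst=(?<dst>\S+) dport=(?<dport>\d+)') {
        [pscustomobject]@{
            Time  = [datetime]$Matches.ts
            Src   = $Matches.src
            Dst   = $Matches.dst
            Dport = [int]$Matches.dport
        }
    }
}

# For every source, slide a window over its SMB connections and count distinct
# destinations. The first window that crosses the threshold produces an alert.
$alerts = foreach ($group in ($events | Where-Object Dport -eq $SmbPort | Group-Object Src)) {
    $sorted = @($group.Group | Sort-Object Time)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $windowEnd = $sorted[$i].Time.AddSeconds($WindowSeconds)
        $peers = @($sorted[$i..($sorted.Count - 1)] |
                   Where-Object { $_.Time -le $windowEnd } |
                   Select-Object -ExpandProperty Dst -Unique)
        if ($peers.Count -ge $Threshold) {
            [pscustomobject]@{
                Source        = $group.Name
                WindowStart   = $sorted[$i].Time
                DistinctPeers = $peers.Count
            }
            break   # one alert per source is enough to start an investigation
        }
    }
}

if ($alerts) {
    $alerts | Format-Table -AutoSize
} else {
    Write-Output "No SMB fan-out above $Threshold peers in $WindowSeconds seconds."
}
```

With the constructed lines, 10.0.0.15 reaches twelve distinct hosts on port 445 in six seconds and is reported; 10.0.0.40 touches only two and 10.0.0.41 is on a different port, so neither appears. Denied connections are counted on purpose: a worm probing hosts that do not exist or are firewalled still reveals itself through the attempts.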
Now that the severity of such an attack may have sunk in a bit, it is only
appropriate that we share a few incident preparation and response activities
you or your organization's Computer Emergency Response Team (CERT) can
implement. One is to keep your operating systems patched and up to date. If you
don't have a patch management system or framework, then you should probably
look into implementing one. Another is to back up your data frequently. That
way, if your data is encrypted by the ransomware, you still have another copy
of it on hand.
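The two activities above, patching and backups, are easy to state and easy to let slip on individual machines. The following PowerShell script is an added example (not code from the original post) of a per-host readiness check a CERT could run across a fleet: it reports whether the vulnerable SMBv1 server is still enabled, whether a list of required security updates is installed, how long it has been since the host was last patched, and when its most recent backup was written. It assumes PowerShell 3 or later; `$RequiredKbs` and `$BackupRoot` are placeholders you fill in for your own environment.

```powershell
# Added example: a single-host patch and backup readiness check for Windows.
# Placeholders below must be replaced with values for your environment.

$RequiredKbs = @('KB0000000')                    # placeholder: the security update(s) required for this OS
$BackupRoot  = '\\backup-server\backups\HOST'    # placeholder: where this host's backups are written

$report = [ordered]@{}

# 1. Is the SMBv1 server (the component WannaCry attacks) still enabled?
#    Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
#    older hosts expose the same setting in the registry, where an absent
#    SMB1 value means the protocol is enabled.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $report['SMB1Enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $report['SMB1Enabled'] = ($null -eq $value) -or ($value -ne 0)
}

# 2. Are the required security updates present?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKbs | Where-Object { $installed -notcontains $_ }
$report['MissingUpdates'] = if ($missing) { $missing -join ', ' } else { 'none' }

# 3. How stale is the host? A machine with no update in months stands out
#    when the reports from a whole fleet are collected side by side.
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $report['LastUpdateInstalled'] = $latest.InstalledOn.ToShortDateString()
    $report['DaysSinceLastUpdate'] = [int](New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).TotalDays
} else {
    $report['LastUpdateInstalled'] = 'unknown'
    $report['DaysSinceLastUpdate'] = 'unknown'
}

# 4. Backup recency. An encrypted disk is survivable only if a recent copy
#    exists somewhere the ransomware cannot reach.
if (Test-Path $BackupRoot) {
    $newest = Get-ChildItem -Path $BackupRoot -File -Recurse |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $report['NewestBackup'] = if ($newest) { $newest.LastWriteTime } else { 'no backup files found' }
} else {
    $report['NewestBackup'] = 'backup location not reachable'
}

[pscustomobject]$report | Format-List
```

Run with an elevated prompt so the registry and hotfix queries succeed. The useful output is the combination: a host with SMB1Enabled true, a missing update and a backup older than a week is exactly the one to isolate from the network first.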
As a final point, it is never a good idea to pay the ransom, for two main
reasons. One is that the hackers may not send you the key to unlock your files
even after you pay them. Secondly, even if they do send you the key, there
really is nothing stopping them from blocking the security patch from
installing and then encrypting your files all over again. Remember, they are
really just criminals after all.