{"id":16518,"date":"2017-05-13T21:05:41","date_gmt":"2017-05-14T01:05:41","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=16518"},"modified":"2021-03-17T10:29:39","modified_gmt":"2021-03-17T14:29:39","slug":"wannacry-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/wannacry-ransomware\/16518\/","title":{"rendered":"WannaCry: Are you safe?"},"content":{"rendered":"<p><em>(Updated on Tuesday, May 16)<\/em><\/p>\n<p>A few days ago saw the beginning of the Trojan encryptor WannaCry outbreak. It appears to be pandemic \u2014 a global epidemic. We counted more than 45,000 cases of the attack in just one day, but the true number is much higher.<\/p>\n<h2>What happened?<\/h2>\n<p>Several large organizations reported an infection simultaneously. Among them were several British hospitals that had to suspend their operations. According to data released by third parties, WannaCry has infected more than 200,000 computers. The sheer number of infections is a big part of the reason it has drawn so much attention.<\/p>\n<p>The largest number of attacks occurred in Russia, but Ukraine, India, and Taiwan have suffered much damage from WannaCry as well. In just the first day of the attack, we found WannaCry in 74 countries.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/05\/06015724\/wannacry_04.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-16521\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/05\/06015724\/wannacry_04.png\" alt=\"\" width=\"2468\" height=\"1240\"><\/a><\/p>\n<h3>What is WannaCry?<\/h3>\n<p>Generally, WannaCry comes in two parts. First, it\u2019s an <a href=\"https:\/\/www.kaspersky.com\/blog\/exploits-problem-explanation\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">exploit<\/a> whose purposes are infection and propagation. 
The second part is an <a href=\"https:\/\/www.kaspersky.com\/blog\/ransomware-for-dummies\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">encryptor<\/a> that is downloaded to a\u00a0computer after it has been infected.<\/p>\n<p>The first part is the main difference between WannaCry and the majority of encryptors. To infect a computer with a common encryptor, a user has to make a mistake, for example by clicking a suspicious link, allowing Word to run a malicious macro, or downloading a suspicious attachment from an e-mail message. A system can be infected with WannaCry without the user doing anything.<\/p>\n<h3>WannaCry: Exploit and propagation<\/h3>\n<p>The creators of WannaCry have taken advantage of the Windows exploit known as EternalBlue, which relies on\u00a0a vulnerability that Microsoft <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">patched in security update MS17-010<\/a>, dated March 14 of this year. 
By using the exploit, the malefactors could gain remote access to computers and install the encryptor.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How to properly update <a href=\"https:\/\/twitter.com\/hashtag\/Windows?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Windows<\/a> to protect your computer from <a href=\"https:\/\/twitter.com\/hashtag\/WannaCry?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#WannaCry<\/a> <a href=\"https:\/\/t.co\/QevgKiqEz0\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/QevgKiqEz0<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> <a href=\"https:\/\/t.co\/7AKhc2YLFv\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/7AKhc2YLFv<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/864877223769231361?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 17, 2017<\/a><\/p><\/blockquote>\n<p>If you have the update installed, then this vulnerability no longer exists for you, and attempts to hack the computer remotely through the vulnerability will fail. However, researchers from Kaspersky Lab\u2019s GReAT (Global Research &amp; Analysis Team) <a href=\"https:\/\/securelist.com\/blog\/incidents\/78351\/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">would like to emphasize<\/a> that <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/patch\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">patching<\/a> the vulnerability will not deter the encryptor entirely. 
Therefore, if you launch it somehow (see the above on <em>making a mistake<\/em>), then that patch will do you no good.<\/p>\n<p>After hacking a computer successfully, WannaCry attempts to spread itself over the local network onto other computers, in the manner of a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/worm\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">computer worm<\/a>. The encryptor scans other computers for the same vulnerability that can be exploited with the help of EternalBlue, and when WannaCry finds a vulnerable machine, it attacks the machine and encrypts files on it.<\/p>\n<p>Therefore, by infecting one computer, WannaCry can infect an entire local area network and encrypt all of the computers on the network. That\u2019s why large companies suffered the most from the WannaCry attack \u2014 the more computers on the network, the greater the damage.<\/p>\n<h3>WannaCry: Encryptor<\/h3>\n<p>As an encryptor, WannaCry (sometimes called WCrypt or, for no discernible reason, <a href=\"http:\/\/www.mirror.co.uk\/tech\/what-wanna-decryptor-look-ransomware-10410236\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">WannaCry Decryptor<\/a>) behaves like any other encryptor; it encrypts files on a computer and demands ransom to decrypt them. 
It most closely resembles a variation of the infamous <a href=\"https:\/\/www.kaspersky.com\/blog\/cryptxxx-ransomware\/11939\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CryptXXX Trojan<\/a>.<\/p>\n<p>WannaCry encrypts files of various types (the full list is <a href=\"https:\/\/securelist.com\/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world\/78351\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">here<\/a>) including office documents, pictures, videos, archives, and other file formats that potentially contain critical user data. The extensions of the encrypted files are renamed .WCRY, and the files become completely inaccessible.<\/p>\n<p>After this, the Trojan changes the desktop wallpaper to a picture that contains information about the infection and actions that the user supposedly has to perform to recover the files. WannaCry spreads notifications as text files with the same information across folders on the computer to ensure that the user receives the message.<\/p>\n<p>As usual, the actions entail transferring a certain amount of money, in bitcoins, to the wallet of the perpetrators. After that, they say, they will decrypt all of the files. Initially, cybercriminals demanded $300 but then raised the stakes to $600.<\/p>\n<p>In this case, the malefactors also try to intimidate victims\u00a0by stating that the ransom amount will be increased in three days \u2014 and, moreover, that after seven days the files will be impossible to decrypt.<br>\nAs ever, we do not recommend paying the ransom. Perhaps the most compelling reason not to give in is that there\u2019s no guarantee that the criminals will decrypt your files after receiving the ransom. 
As a matter of fact, researchers have shown that other cyberextortionists sometimes <a href=\"https:\/\/www.kaspersky.com\/blog\/ranscam-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">simply delete user data<\/a>.<\/p>\n<h3>How a domain registration suspended infection \u2014 but why it is probably not over yet<\/h3>\n<p>Interestingly enough, a researcher going by the name MalwareTech <a href=\"https:\/\/www.malwaretech.com\/2017\/05\/how-to-accidentally-stop-a-global-cyber-attacks.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">managed to suspend the infection<\/a> by registering a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/domain-name\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">domain<\/a> with a long and nonsensical name.<\/p>\n<p>It turned out that some versions of WannaCry addressed that very domain, and if they did not receive a positive reply, then they would install the encryptor and start their dirty work. If there was a reply (that is, if the domain had been registered), then the malware would stop all of its activities.<\/p>\n<p>After finding the reference to this domain in the Trojan\u2019s code, the researcher registered the domain, thus suspending the attack. In the remainder of the day, the domain was addressed tens of thousands of times, which means that tens of thousands of computers were spared.<\/p>\n<p>There is a theory that this functionality was built into WannaCry \u2014 like a circuit breaker \u2014 in case something went wrong. Another theory, embraced by the researcher himself, is that it is a way to complicate the analysis of the malware\u2019s behavior. 
Testing environments used in research are often designed such that <em>any<\/em> domain returns a positive response; in such cases, the Trojan would do nothing in the testing environment.<\/p>\n<p>Regrettably, for new versions of the Trojan, all the criminals have to do is change the domain name indicated as the \u201ccircuit breaker\u201d and infections will resume. Therefore, it is very likely that the WannaCry outbreak will continue.<\/p>\n<h3>How to defend against WannaCry<\/h3>\n<p>Unfortunately, there is currently no way to decrypt files that have been encrypted by WannaCry (however, our researchers are on it). For now, prevention is the only hope.<\/p>\n<p>Here are several pieces of advice on how to prevent infection and minimize damage.<\/p>\n<ul>\n<li>If you already have a Kaspersky Lab security solution installed on your system, then we recommend doing the following: Manually run a scan for critical areas, and if the solution detects MEM:Trojan.Win64.EquationDrug.gen (that is how our antivirus solutions detect WannaCry), remove it and reboot your system.<\/li>\n<li>If you\u2019re a Kaspersky security user, keep <a href=\"https:\/\/www.kaspersky.com\/blog\/system-watcher-patent\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">System Watcher<\/a> on. It\u2019s essential to fight any new variants of the malware that might emerge.<\/li>\n<li>Install software updates. This case desperately calls for all Windows users to install the\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-windows-update\/16593\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">MS17-010 system security update<\/a>. Microsoft even released it <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-windows-update\/16593\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">for systems that are no longer officially supported<\/a>, such as Windows XP or Windows 2003. 
Seriously, install it right now; it\u2019s very important.<\/li>\n<li>Create file backups on a regular basis and store the copies on storage devices that are not constantly connected to the computer. If you have a recent backup copy, then an encryptor infection is not a catastrophe; you can spend a few hours reinstalling the operating system and apps, then restore your files and move on. If you\u2019re just too busy to handle a backup, take advantage of the backup feature built into <a href=\"https:\/\/www.kaspersky.com\/total-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kts___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security<\/a>, which can automate the process.<\/li>\n<li>Use a reliable antivirus. <a href=\"https:\/\/www.kaspersky.com\/internet-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> can detect WannaCry both locally and during attempts to spread it over a network. Moreover, System Watcher, a built-in module, can roll back any unwanted changes, which means that it will prevent file encryption even for those malware versions that are not yet in antivirus databases.<\/li>\n<\/ul>\n<p>To find out how this applies to your business, <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-for-b2b\/16544\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">follow these tips<\/a>. 
You can learn more about ransomware protection <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/wiki-section\/products\/ransomware-protection\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What makes the self-replicating encryptor WannaCry so dangerous and how to prevent infection.<\/p>\n","protected":false},"author":675,"featured_media":16520,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[1680,1577,2372,420,422,723,2510],"class_list":{"0":"post-16518","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-cryptors","10":"tag-cryptxxx","11":"tag-exploit","12":"tag-ransomware","13":"tag-threats","14":"tag-trojans","15":"tag-wannacry"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/wannacry-ransomware\/16518\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/wannacry-ransomware\/6011\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/wannacry-ransomware\/4194\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/wannacry-ransomware\/11120\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/wannacry-ransomware\/8700\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/wannacry-ransomware\/9148\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/wannacry-ransomware\/10503\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/wannacry-ransomware\/10313\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/wannacry-ransomware\/16147\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/wannacry-ransomware\/3181\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/wannacry-ransomware\/7306\/"},{"hreflang":"pl","url":"https
:\/\/plblog.kaspersky.com\/wannacry-ransomware\/6714\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/wannacry-ransomware\/10170\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/wannacry-ransomware\/15524\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/wannacry-ransomware\/422\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/wannacry-ransomware\/16518\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/wannacry-ransomware\/16518\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=16518"}],"version-history":[{"count":17,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16518\/revisions"}],"predecessor-version":[{"id":39059,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16518\/revisions\/39059"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/16520"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=16518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=16518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=16518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}