Ransom.WannaCrypt

Short bio

Ransom.WannaCrypt is Malwarebytes detection name for a ransomware application that will encrypt files on a victim machine and demand payment to retrieve the information.  Ransom.WannaCrypt has self-propagating capabilities via SMB exploits. Ransom.WannaCrypt appends the extension .WCRY to in encrypted files and demands a payment of $300 – $600 in Bitcoin for decryption.

Ransom.WannaCrypt can communicate via encrypted Tor channels with command-and-control (C&C) servers controlled by the attackers.

Symptoms

Ransom.WannaCrypt may run silently in the background during the encryption phase and not provide any indication of infection to the user. Ransom.WannaCrypt may prevent the execution of Antivirus programs and other Microsoft Windows security features and may prevent system restoration as a means to solicit payment. Ransom.WannaCrypt may display a warning after successful encryption of the victim machine.

Type and source of infection

Ransom.WannaCrypt has a unique propagation methodology and is not distributed via malicious spam email or exploit kit.  Ransom.WannaCrypt is spread by taking advantage of a vulnerability in Microsoft’s Server Message Block (SMB) protocol. The vulnerability has been widely known as EternalBlue and was released as part of the collection tools reportedly stolen by ShadowBrokers.  Once successful exploitation of a vulnerable system occurs, Ransom.WannaCrypt looks for other vulnerable PC’s and attempts to automatically spread itself to any computer found.

Aftermath

Systems affected by ransomware are rendered unusable due to files that are typically used for regular operations being encrypted.

Affected users who choose to pay the threat actors behind ransomware campaigns in exchange for access to data may find that they don’t get their files back. There is also no sure way to know that threat actors will honor their end of the deal after paying the ransom.

Affected users who chose to pay the threat actors may also find themselves likely targets for future ransomware campaigns.

Data held hostage that wasn’t given back to users or deleted after the ransom has been paid can be used by threat actors either to (a) sell on the black market or (b) create a profile of the user they can use for fraud.

Protection

Malwarebytes protects users from Ransom.WannaCrypt by using Anti-Ransomware and Anti-Exploit technology.

Remediation

Malwarebytes can detect and remove Ransom.WannaCrypt without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Take note, however, that removing this ransomware does not decrypt your files.

The third-party decryptor for Ransom.WannaCrypt known as Wanakiwi can be downloaded here.

Cybersecurity info you can’t do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language