Ransom.WannaCrypt

Short bio

Ransom.WannaCrypt is a self-propagating ransomware capable of encrypting files on affected systems. It appends the .WCRY extension to the files it encrypts and demands a $300 or $600 ransom in Bitcoin for decryption.

It can also communicate with its command-and-control (C&C) server via encrypted Tor channels.

Impact

Common infection method

Infection method:

Ransom.WannaCrypt, unlike most ransomware, is not distributed via an email spam campaign. It spreads by taking advantage of a vulnerability in Microsoft’s Server Message Block (SMB) protocol known as EternalBlue.

Avoidance advice:

Remediation

Malwarebytes can remove Ransom.WannaCrypt without further user interaction, but it cannot decrypt the encrypted files.

The third-party decryptor for Ransom.WannaCrypt known as Wanakiwi can be downloaded here.