WannaCry

  • Attack that combined a known, highly publicized exploit with ransomware

  • Ransomware that would encrypt files and demand bitcoin as payment for the encryption keys

How it Works

  • Executes two components:

    • one that attempts to exploit a known SMB vulnerability

    • one that carried the ransomware payload

  • The dropper would attempt to call out to a domain; if the domain it reached out to was valid, it would stop.

  • If the domain was not reached, it would then change registry keys, create services, and encrypt files (changing their extensions to .WNCRY)

  • The registry keys were used to display a message stating the ransom demanded for the key to decrypt the files

  • The service that was created was used to spread via SMB to other vulnerable systems the computer could access

    • It would scan from the infected computer for reachable systems that were still vulnerable to this exploit; when it discovered one, the weaponized exploit would run and gain remote code execution on that machine

Remediation

  • Security researcher Marcus Hutchins discovered:

    • the domain name was hardcoded into the exploit itself

    • the domain was unregistered.

  • He registered the domain and set up a sinkhole server

    • this stopped WannaCry from completing full execution of the ransomware and spreading
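The two behaviours described above (the dropper's lookup of the hardcoded kill-switch domain, and the service fanning out over SMB to neighbouring hosts) are both visible in ordinary DNS and firewall logs. The following is an added detection sketch, not code from the original notes; the log format, the sample lines and the `KILL_SWITCH_DOMAIN` value are constructed placeholders, since the page does not give the real domain.

```python
"""Detection sketch: flag hosts that looked up the kill-switch domain
(the dropper ran there) or that fan out on TCP/445 (worm spread)."""
import re
from collections import defaultdict

# Placeholder: the real hardcoded domain is not given on this page.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"
SMB_SCAN_THRESHOLD = 5   # distinct peers on 445 within the sample window

DNS_RE = re.compile(r"^dns src=(\S+) qname=(\S+)$")
FW_RE = re.compile(r"^fw src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample logs: 10.0.0.5 does the kill-switch lookup and then
# fans out on 445; 10.0.0.12 only shows normal traffic.
SAMPLE_LOGS = """\
dns src=10.0.0.5 qname=killswitch.example.invalid
fw src=10.0.0.5 dst=10.0.0.6 dport=445
fw src=10.0.0.5 dst=10.0.0.7 dport=445
fw src=10.0.0.5 dst=10.0.0.8 dport=445
fw src=10.0.0.5 dst=10.0.0.9 dport=445
fw src=10.0.0.5 dst=10.0.0.10 dport=445
fw src=10.0.0.5 dst=10.0.0.11 dport=445
dns src=10.0.0.12 qname=intranet.example.invalid
fw src=10.0.0.12 dst=10.0.0.20 dport=443
fw src=10.0.0.12 dst=10.0.0.21 dport=445
"""

def analyse(log_text: str) -> dict:
    """Return {host: [reasons]} for hosts showing either behaviour."""
    killswitch_hosts = set()
    smb_peers = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(2).lower() == KILL_SWITCH_DOMAIN:
            killswitch_hosts.add(m.group(1))
            continue
        m = FW_RE.match(line)
        if m and m.group(3) == "445":
            smb_peers[m.group(1)].add(m.group(2))
    alerts = defaultdict(list)
    for host in killswitch_hosts:
        alerts[host].append("kill-switch domain lookup (dropper ran)")
    for host, peers in smb_peers.items():
        if len(peers) >= SMB_SCAN_THRESHOLD:
            alerts[host].append(f"SMB fan-out to {len(peers)} hosts (worm spread)")
    return dict(alerts)

if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```

A successful lookup of the sinkholed domain means the dropper executed on that host even though the ransomware and spreading were halted, so such hosts still need isolation and patching.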
