13 May 2017

WannaCry Ransomware Creating Havoc Worldwide by Exploiting Patched Windows Exploit!

Written by Rajib Singha
Ransomware
Estimated reading time: 3 minutes

Ransomware has been causing major disruptions in recent years.

The recently leaked NSA EternalBlue exploit is being used by cybercriminals to spread the WannaCry ransomware worldwide. The dump covering the MS17-010 Windows vulnerability was made public by the notorious Shadow Brokers group on 14th April, 2017. This vulnerability affects most desktop and server editions of Microsoft Windows, and Microsoft released a patch for it in March, 2017. However, systems that have not applied this patch are affected by WannaCry, which uses worm-like behavior to spread to vulnerable systems on the network.

WannaCry Creating Havoc Worldwide

This ransomware has already affected high-profile organizations in Spain, the UK, China and other countries, including India. These organizations include clinics and hospitals in the UK, and telecom, gas, electricity and other utility providers. Many universities in China have also been targeted.

At Quick Heal Security Labs, 3000+ WannaCry ransomware attacks have been detected so far, of which around 2450 are from India. Quick Heal and Seqrite have successfully defended these attacks from compromising systems and encrypting data.

How does WannaCry Ransomware work?

The attack is carried out against systems that expose SMB services on the network. These services are exploited with the “EternalBlue” exploit, which plants the WannaCry ransomware; once it executes, it encrypts files and appends the “.WNCRY” extension to every encrypted file.

Image 1: WannaCry Ransomware Encrypted files

After successful exploitation, it adds the following files to the system:

  • C:\ProgramData\<random_alphanumeric>\@WanaDecryptor@.exe
  • C:\ProgramData\<random_alphanumeric>\tasksche.exe
  • C:\ProgramData\<random_alphanumeric>\taskdl.exe
  • C:\ProgramData\<random_alphanumeric>\taskse.exe

WannaCry adds the following malicious registry entry to persist on the system, so that the infection is launched again after every reboot:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "xwjfzbtm432"="\"C:\\ProgramData\\<random_alphanumeric>\\tasksche.exe\""
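As an added example (not Seqrite's or Quick Heal's own tooling), the following Python script turns the host artifacts listed above, the dropped binaries under C:\ProgramData\<random_alphanumeric>\, the Run-key persistence entry and the .WNCRY extension, into a triage check that can be run over a file inventory and Run-key values collected from a machine. The directory name qhxk7m2p, the sample file list and the OneDrive Run entry are constructed; the small .reg-line parser is included so the persistence line quoted above can be fed in as exported.

```python
"""Triage a host inventory for the WannaCry artifacts described in the post.
Added example on constructed data; not Seqrite's or Quick Heal's tooling."""
import re
from typing import Iterable, Optional, Tuple

# Dropped-file names listed in the post. The <random_alphanumeric> directory
# under C:\ProgramData is matched as a wildcard of letters and digits.
DROPPED_FILES = {"@wanadecryptor@.exe", "tasksche.exe", "taskdl.exe", "taskse.exe"}
DROP_DIR_RE = re.compile(r"^c:\\programdata\\[a-z0-9]+\\([^\\]+)$", re.IGNORECASE)
ENCRYPTED_EXT = ".wncry"
# One '"name"="data"' line of a .reg export; both sides may contain \" and \\ escapes.
REG_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def is_encrypted_name(path: str) -> bool:
    """True if the file carries the .WNCRY extension WannaCry appends."""
    return path.lower().endswith(ENCRYPTED_EXT)


def is_dropped_artifact(path: str) -> bool:
    """True if path is one of the four binaries dropped under C:\\ProgramData\\<random>\\."""
    m = DROP_DIR_RE.match(path)
    return bool(m) and m.group(1).lower() in DROPPED_FILES


def parse_reg_run_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse a .reg value line into (name, data) with .reg escaping removed."""
    m = REG_LINE_RE.match(line.strip())
    if not m:
        return None
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # \" -> " and \\ -> \
    return unescape(m.group(1)), unescape(m.group(2))


def suspicious_run_values(run_values: dict) -> list:
    """Return Run-key value names whose command launches tasksche.exe from a
    ProgramData subdirectory, as the persistence entry in the post does."""
    hits = []
    for name, command in run_values.items():
        exe = command.strip().strip('"')  # registry data is usually a quoted path
        if is_dropped_artifact(exe) and exe.lower().endswith("tasksche.exe"):
            hits.append(name)
    return hits


def triage(files: Iterable[str], run_values: dict) -> dict:
    """Summarise the indicators found on one host."""
    files = list(files)
    return {
        "encrypted_files": [f for f in files if is_encrypted_name(f)],
        "dropped_files": [f for f in files if is_dropped_artifact(f)],
        "persistence": suspicious_run_values(run_values),
    }


# Constructed sample inventory; the random directory name qhxk7m2p is made up.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.WNCRY",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\ProgramData\qhxk7m2p\tasksche.exe",
    r"C:\ProgramData\qhxk7m2p\@WanaDecryptor@.exe",
    r"C:\Windows\System32\taskhost.exe",
]
# Run-key values as they would be read from the live registry (already unescaped).
SAMPLE_RUN = {
    "xwjfzbtm432": r'"C:\ProgramData\qhxk7m2p\tasksche.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_RUN).items():
        print(f"{key}: {value}")
```

The file-name and path checks are deliberately case-insensitive, since Windows paths are, and the Run-key check keys on the combination of the ProgramData drop directory and tasksche.exe rather than on the value name, which is random per infection.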

After encryption completes, it shows the warning message below, containing instructions for recovering the files. A countdown timer is shown to create panic and push the victim into paying the demanded ransom; otherwise it threatens that all encrypted data will be deleted. WannaCry displays the warning message in the language of the current region.

Image 2: WannaCry Ransomware Warning Message

How does Seqrite Endpoint Security protect against WannaCry Ransomware?

Seqrite Virus Protection successfully detects and cleans the malicious file responsible for file encryption as “TrojanRansom.Wanna”:

Image 3: Seqrite Virus Protection Warning Message

Seqrite's Advanced Behavior Detection System proactively detects this ransomware's activity based on its behavior. In this situation the user needs to click the BLOCK button to stop the encryption activity.

Image 4: Seqrite Advanced Behavior Based Detection Prompt

Seqrite's Anti-ransomware technology also successfully detects the file encryption activity of WannaCry Ransomware:

Image 5: Seqrite Anti-ransomware detects encryption activity

Recommendations to reduce ransomware attacks:

Quick Heal Security Labs highly recommends taking the following measures to reduce the risk of infection by WannaCry Ransomware:

  • Apply Microsoft's patch (MS17-010) for the vulnerability used by this ransomware.
  • Take regular backups of your important data and periodically test the backup restoration process to make sure files are properly restored.
  • Ensure that security solutions are switched on across all nodes of the network.
  • Always keep installed security software up to date with the latest signature updates.
  • Perform a full system scan using the installed security software.
  • Avoid clicking on links and opening attachments in emails from unknown and suspicious sources.
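The backup recommendation above is the one most easily verified mechanically, and a backup that has never been restored is not known to work. As an added example that is not part of the original post, this Python script runs a backup, restore and verify cycle on constructed sample files in a temporary directory, recording a SHA-256 manifest at backup time and reporting files that are missing, altered or unexpected after the restore. The file names and contents are made up.

```python
"""Backup restore drill: prove the restored copy matches what was backed up.
Added example on constructed sample data; not Seqrite's or Quick Heal's tooling."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest: Path) -> dict:
    """Copy src into dest and return the manifest taken at backup time.
    The manifest is what later restores are checked against, so keep it
    with the backup, not on the machine being protected."""
    shutil.copytree(src, dest, dirs_exist_ok=True)
    return build_manifest(src)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest and report problems:
    files missing from the restore, files whose content differs, and extras
    that were never backed up (for example encrypted copies that leaked in)."""
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def restore_drill() -> dict:
    """Run backup -> restore -> verify on constructed data, then damage the
    restored copy to show the check catching a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = Path(tmp, "data"), Path(tmp, "backup"), Path(tmp, "restore")
        src.mkdir()
        (src / "report.docx").write_bytes(b"quarterly numbers")   # constructed content
        (src / "notes.txt").write_bytes(b"call supplier")         # constructed content
        manifest = backup(src, bak)
        shutil.copytree(bak, rst)            # the restore step under test
        clean = verify_restore(manifest, rst)
        # Simulate a corrupt and incomplete restore.
        (rst / "report.docx").write_bytes(b"garbage")
        (rst / "notes.txt").unlink()
        damaged = verify_restore(manifest, rst)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(restore_drill())
```

The check compares content hashes rather than file sizes or timestamps, so a restore that produced files of the right names but wrong contents is reported as "changed"; a real drill would point `backup` at the production data and `verify_restore` at a restore performed on a separate machine.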

Acknowledgement:
Subject matter experts –
Prashil Moon and Dipali Zure
Quick Heal Security Labs
