dubad.blogg.se - Crypto locker worm

The fact that this rather pedestrian executable spread via EternalBlue is ultimately more interesting than the ransomware itself.

The SMB protocol helps various nodes on a network communicate, and an unpatched version of Microsoft's implementation could be tricked by specially crafted packets into executing arbitrary code, an exploit known as EternalBlue. WannaCry spreads via a flaw in the Microsoft Windows implementation of the Server Message Block (SMB) protocol. It then displays a ransom notice, demanding some Bitcoin-not an outrageous amount, often on the order of $300-to decrypt the files. If the ransomware can connect to that URL, it shuts down if it can't, it proceeds to search for and encrypt files in a slew of important formats, ranging from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. Once launched, WannaCry tries to access a hard-coded URL-this is a kill switch, and we'll discuss it in more detail in a moment. Whatever the original WannaCry source code is, it hasn't been found or made available to researchers, although it's easy enough for them to examine the binary's execution.

A copy of Tor, used for command-and-control communications with the ransomware gang.

An application that encrypts and decrypts data.

It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself.

The WannaCry ransomware executable works in a straightforward manner and is not considered particularly complex or innovative. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.Ī number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain's National Health Service it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government. WannaCry is a ransomware worm that spread rapidly through across a number of computer networks in May of 2017.