Our cloud-based tool can help your organization immediately detect the WannaCry vulnerability.
What is WannaCry ransomware?
WannaCry’s initial hits included the UK’s National Health Service, the Spanish telecommunications firm Telefónica, and the logistics firm FedEx. The scale of the ransomware campaign caused chaos across hospitals in the United Kingdom: many had to shut down, cancelling operations at short notice, while staff were forced to work with pen and paper because their systems had been locked by the ransomware.
How does WannaCry ransomware get into your computer?
As is evident from its worldwide attacks, WannaCrypt first gains access to a computer via an email attachment and thereafter spreads rapidly across the LAN. The ransomware encrypts the system’s hard disk and attempts to exploit the SMB vulnerability to spread both to random computers on the Internet via a TCP port and between computers on the same network.
Is WannaCry a Trojan dropper?
WannaCry exhibits the properties of a Trojan dropper and tries to connect to the domain hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com using the API InternetOpenUrlA().
However, if the connection is successful, the threat does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. Only when the connection fails does the dropper proceed to drop the ransomware and create a service on the system.
Hence, blocking the domain with a firewall, whether at the ISP or the enterprise network level, will cause the ransomware to continue spreading and encrypting files.
When executed, WannaCry creates the following registry keys:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
- HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”
It changes the wallpaper to a ransom message by modifying the following registry key:
- HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”
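A defender-side check for the registry artifacts just listed, as an added example that is not Promisec’s product or code; the key paths and value names come from this page, the function name and output layout are assumptions of this example.

```powershell
# Added example (not Promisec's code): looks for the WannaCry registry
# artifacts described above and returns each hit as an object, so the output
# can be exported or fed to a SIEM. Run elevated so the HKLM hive is readable.
function Test-WannaCryRegistryArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"
    $wanaKey = 'HKLM:\SOFTWARE\WanaCrypt0r'
    if (Test-Path -LiteralPath $wanaKey) {
        $wd = (Get-ItemProperty -LiteralPath $wanaKey -ErrorAction SilentlyContinue).wd
        $findings += [pscustomobject]@{
            Indicator = 'WanaCrypt0r key present'
            Location  = "$wanaKey\wd"
            Value     = $wd
        }
    }

    # 2. HKLM\...\Run\<random string> = "<working dir>\tasksche.exe"
    #    The value name is random, so match on the value data instead.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '(?i)\\tasksche\.exe"?\s*$') {
                $findings += [pscustomobject]@{
                    Indicator = 'Run entry launching tasksche.exe'
                    Location  = "$runKey\$($p.Name)"
                    Value     = $p.Value
                }
            }
        }
    }

    # 3. HKCU\Control Panel\Desktop\Wallpaper = "<working dir>\@WanaDecryptor@.bmp"
    #    Covers the current user only; enumerate HKU:\ for other loaded profiles.
    $deskKey = 'HKCU:\Control Panel\Desktop'
    $wall = (Get-ItemProperty -LiteralPath $deskKey -ErrorAction SilentlyContinue).Wallpaper
    if ($wall -and $wall -match '(?i)@WanaDecryptor@\.bmp$') {
        $findings += [pscustomobject]@{
            Indicator = 'Ransom-note wallpaper set'
            Location  = "$deskKey\Wallpaper"
            Value     = $wall
        }
    }

    return $findings
}

Test-WannaCryRegistryArtifacts | Format-Table -AutoSize
```

An empty result means none of the three artifacts were found on this host; it is not proof the machine is clean, since the page’s indicators describe the post-execution state only.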
The ransom demanded for the decryption key starts at $300 in Bitcoin and increases every few hours.
Promisec can help you prevent it
- Light-touch on-premise installation plus optional cloud scanning capabilities.
- Rapid search-and-detect functionality across thousands of endpoints
- Quick patch deployment and verification
- Get it now for 90 days, no cost!
Contact us today to see how we can help against WannaCry!