More than 70 countries have recently come into the grip of powerful ransomware, and the infected victims include hospitals, universities and businesses.
Known as the WannaCrypt ransomware worm, aka WanaCrypt or Wcry, it is installed on Windows computers and gradually spreads across networks by infecting Microsoft’s SMB file-sharing services.
The worm abuses a bug designated MS17-010, which was patched in March this year for the newest versions of Windows. The NSA had once exploited it to hijack and spy on its targets, under the codename Eternalblue.
Last month the NSA revealed that Eternalblue had been stolen and leaked online. Immediately, thousands of machines on the internet were reported hacked.
The worm, however, has its own variant and is designed to encrypt countless files after landing on a computer. The hijackers then charge the owners of the documents a ransom of between $300 and $600 in Bitcoin for restoration.
Payload Security said the worm drops several programs on the machine, such as Tor, and adds itself to the Windows Registry. This is why it persists across reboots, and it is now under reverse-engineering.
The malware encrypts several documents on the machine and is also capable of snatching keys for remote desktop access. It disables system repair tools and deletes volume snapshots. It changes the desktop backdrop to get the victim's attention and then demands a ransom to correct the lingo.
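For defenders, the behaviours listed above (Registry persistence, disabled repair tools, deleted volume snapshots) can be hunted for in process-creation logs. The sketch below is an added example, not code from Payload Security or Kaspersky; the command-line patterns and the sample events are assumptions built around common Windows tooling, not indicators extracted from the worm.

```python
import re
from collections import defaultdict

# Behaviours named in the article, mapped to command-line patterns.
# Assumption: these are the usual Windows utilities for each action;
# they are not indicators taken from the article or from a sample.
RULES = {
    "snapshot_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "repair_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+(\S+\s+)?recoveryenabled\s+no\b", re.I),
    "registry_persistence": re.compile(
        r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run(Once)?\b", re.I),
}

# Constructed (host, command line) process-creation events; not real telemetry.
EVENTS = [
    ("WS-014", r"cmd.exe /c vssadmin delete shadows /all /quiet & "
               r"bcdedit /set {default} recoveryenabled no"),
    ("WS-014", r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
               r"/v demo /t REG_SZ /d C:\Users\Public\demo.exe /f"),
    ("SRV-BACKUP", r"vssadmin list shadows"),
    # Routine admin clean-up: one behaviour alone should not raise an alert.
    ("SRV-BACKUP", r"vssadmin delete shadows /for=D: /oldest"),
    ("WS-022", r"bcdedit /enum"),
]

def detect(events):
    """Return {host: set of behaviour names seen in its command lines}."""
    seen = defaultdict(set)
    for host, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                seen[host].add(name)
    return dict(seen)

def triage(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours, sorted."""
    return sorted(h for h, b in detect(events).items() if len(b) >= threshold)

if __name__ == "__main__":
    alerts = triage(EVENTS)
    for host, behaviours in sorted(detect(EVENTS).items()):
        flag = "ALERT" if host in alerts else "info"
        print(f"{flag:5} {host}: {', '.join(sorted(behaviours))}")
```

Requiring two distinct behaviours on the same host keeps routine snapshot maintenance on a backup server from alerting by itself.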
Saying its visibility could be limited, Kaspersky’s research team adds, “We have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia.”