What is the 'WCry' or 'WanaCrypt0r' ransomware?

NHS and systems worldwide taken down by WanaCrypt0r 2.0. But what is it, who's behind it and where does it come from?

Ransomware has boomed in the last 18 months as the most profitable form of malware
  • Graeme Burton
  • @graemeburton
  • 12 May 2017

When first reports began to emerge on Friday 12 May that IT systems at the East and North Hertfordshire NHS had gone down in a suspected ransomware attack, it didn't come as too much of a surprise: the NHS is a regular target for ransomware, it seems, not least because of the number of Windows XP PCs that are still run by lackadaisical and, frankly, negligently run NHS Trusts.

As reports emerged from hospitals and GP surgeries across the UK - mostly from insiders rather than official admissions from the organisations themselves - it became clear that this was no ordinary ransomware attack.

And it wasn't just the NHS under attack, but organisations across the world, with the ransomware propagated not by phishing, but by the exploitation of a Microsoft Windows security flaw exposed by the Shadow Brokers in February. Microsoft patched the flaw a month later.

So what is WCry, also known as WanaCrypt0r, the ransomware believed to be behind the global attacks?

The original WCry 1.0 ransomware never did make a big splash - Sophos's database indicates a low prevalence of the malware that it dubs "Troj/Ransom-EKL" which it also lists as Hydracrypt.

This ransomware could encrypt more than 160 different file types and, after encrypting the victim's files, the malware would display a ransom note demanding that the victim make a payment in bitcoin to recover the affected files. It was typically circulated via file attachments sent in phishing emails.

"[From] what we have seen so far this ransomware appears to be less sophisticated than Cryptolocker, CTB-Locker or Cryptowall, but it's certainly not less dangerous," according to security firm ReaQta in an advisory written when the ransomware first emerged last year.

Hydracrypt also threatens to sell encrypted documents on the so-called 'dark web', although this is likely an empty threat. "What's interesting, other than the fact that the malware appears to be written in MFC, is that a big section of it is clearly obfuscated with what appears to be something similar to MoVfuscator," adds ReaQta in its analysis.

In February 2016, Emsisoft released a decryptor for Hydracrypt, enabling users to largely recover from an outbreak. It may also be possible to remove it by rebooting in safe mode, shutting down processes related to the ransomware in Windows Task Manager, then running System Restore to roll back the operating system.

And WanaCrypt0r 2.0 might not be a tougher nut to crack, despite the hysteria surrounding its sudden spread. 

Reports suggest that it was initially spread via phishing, but took off as a result of a worm component that took advantage of the security flaw in Microsoft's SMB networking protocol.

This security flaw - as far as we can ascertain - had been used for years by the US National Security Agency (NSA), but was released earlier this year when the Shadow Brokers group released their entire trove of NSA-linked hacking tools that, they claimed, they scraped from a server being used by the NSA as part of its covert online operations.
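As an added example (not from the article, nor from Microsoft or ReaQta), the check an administrator would run on a Windows host to see whether it is still exposed to the SMB flaw the worm component abuses: the legacy SMBv1 protocol enabled on the server side, port 445 listening, and the fix absent. It assumes Windows 10 or Server 2016 or later with the SmbShare and NetTCPIP modules in an elevated session; the KB number is a placeholder to be replaced with the MS17-010 update for the host's own OS build.

```powershell
# Added example (not from the article): report this host's exposure to the SMB flaw
# the worm component abuses. Assumes Windows 10 / Server 2016+ (SmbShare, NetTCPIP
# and DISM modules present) and an elevated PowerShell session.
function Get-SmbExposureReport {
    param(
        # Placeholder: replace with the MS17-010 KB number that applies to this OS build.
        [string]$PatchKb = 'KB0000000'
    )

    $report = [ordered]@{}

    # Is the SMB server still willing to speak SMBv1?
    $srv = Get-SmbServerConfiguration
    $report['Smb1ServerEnabled'] = [bool]$srv.EnableSMB1Protocol

    # Is the legacy SMB1 component installed at all? (Windows 10 optional feature name.)
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report['Smb1FeatureState'] = if ($feat) { $feat.State.ToString() } else { 'NotPresent' }

    # Is TCP/445 reachable from the network at all?
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $report['Port445Listening'] = [bool]$listen

    # Has the Microsoft fix been applied?
    $fix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
    $report['PatchInstalled'] = [bool]$fix

    # Worst case: SMBv1 enabled, listening on the network, and unpatched.
    $report['AtRisk'] = $report['Smb1ServerEnabled'] -and
                        $report['Port445Listening'] -and
                        (-not $report['PatchInstalled'])

    [pscustomobject]$report
}

Get-SmbExposureReport | Format-List
```

A host that reports `AtRisk : True` should have SMBv1 disabled (`Set-SmbServerConfiguration -EnableSMB1Protocol $false`) and the update installed before it is returned to a network segment where port 445 is reachable.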

WanaCrypt0r 2.0 demands a ransom of around $300 - in bitcoin, obviously - and like WanaCrypt0r 1.0 uses AES 128-bit encryption. The malware gives victims three days to pay up before raising the ransom, and seven days before, it claims, files will be rendered unrecoverable.

WanaCrypt0r 1.0 and its variants did not spread far and wide, and it was not, as a result, widely analysed. The same is true of WanaCrypt0r 2.0, which is one of a number of variants of the WanaCrypt0r ransomware. 

However, none of the variants so far seen have been much more sophisticated than the original, according to ReaQta CEO Alberto Pelliccione. It is therefore possible that it may be equally easy to recover from a WanaCrypt0r 2.0 outbreak as it was from the original.

"We are currently investigating. WanaCrypt0r is not new and there were variants around before today, but this one is the first that appears to have been weaponised," Pelliccione told Computing.

"Except for the exploit, so far we haven't found anything particularly new or exciting about the binary apart from, of course, the weaponisation that has given it an added kick, enabling it to be widely spread very fast.

"However, we have performed a comparative analysis on our malware samples yet."

He added, though, that there may be some complications. 

"While stopping it is easy and doesn't require rebooting in safe mode, the recovery archives will most likely be compromised, especially if the user clicked 'Yes' on the UAC dialog.

"During the encryption process, the user is asked for permission to modify the system. That box, in particular, is the one used to delete the shadow copies. If the user clicked 'no' then there's a chance that recovery is possible using a system restoration point," said Pelliccione. 

Hence, it "might be possible" to recover from a WanaCrypt0r 2.0 outbreak if "the user declined the permissions request during the infection process". 
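As an added example (not from the article or from ReaQta), the check an incident responder would run on an affected host to find out whether the recovery artifacts Pelliccione refers to, Volume Shadow Copies and System Restore points, survived the infection. It assumes Windows PowerShell 5.1 in an elevated session; Get-ComputerRestorePoint is not available in PowerShell 7.

```powershell
# Added example (not from the article): report whether Volume Shadow Copies and
# System Restore points still exist on this host, i.e. whether the roll-back route
# described in the article is still open. Windows PowerShell 5.1, elevated session.
function Get-RecoveryArtifactReport {
    # Win32_ShadowCopy reports volumes as \\?\Volume{GUID}\ paths; map them back
    # to drive letters so the report is readable.
    $letters = @{}
    Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object {
        $letters[$_.DeviceID] = $_.DriveLetter
    }

    $shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $perVolume = $shadows | Group-Object VolumeName | ForEach-Object {
        [pscustomobject]@{
            Volume       = if ($letters.ContainsKey($_.Name)) { $letters[$_.Name] } else { $_.Name }
            ShadowCopies = $_.Count
            Newest       = ($_.Group | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
        }
    }

    $restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    $vss = Get-Service -Name VSS -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VssServiceStatus      = if ($vss) { $vss.Status.ToString() } else { 'Missing' }
        ShadowCopyTotal       = $shadows.Count
        ShadowCopiesPerVolume = $perVolume
        RestorePoints         = $restorePoints.Count
        # No shadow copies and no restore points: the roll-back route is gone.
        RollbackPossible      = ($shadows.Count -gt 0) -or ($restorePoints.Count -gt 0)
    }
}

Get-RecoveryArtifactReport | Format-List
```

Run it from a clean boot (safe mode is fine) before any cleanup tool touches the disk, and treat `RollbackPossible : False` as the signal to move straight to offline backups rather than System Restore.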

He continued: "A more accurate answer will come after it's clear how the encryption is handled, because that's normally where you understand if the ransomware has been 'well' implemented or not."

Security software firm Kaspersky, meanwhile, is working on a decryption tool that may help victims recover their system and files. 

Computing will update the story as soon as we have more information about WanaCrypt0r 2.0. 

