Ransomware "Wannacry" a cyber attack
WannaCry or WannaCrypt or WannaCrypt0r or WCRY
A cyber attack that started on Friday 12 May 2017 in major cities, infecting more than 230,000 computers in 150 countries. It also happened to destroy most of the computers in India.
What's ransomware?
Ransomware is a kind of malicious software that, as its name implies, takes a computer hostage and holds it for ransom. In this case, the attackers are asking for at least $300 in bitcoins for each computer affected by the attack.
With ransomware attacks, the malware locks down a target machine, encrypting its data and preventing the owner from accessing it until he or she agrees to pay up.
How can I protect myself?
Bottom line: Make sure your device's software is up to date. Software updates often contain lots of patches that fix bugs and close security loopholes; regularly using Windows Update or the Software Update feature on a Mac will help insulate you from problems. But you can also set your devices to install those updates automatically so you don't even have to think about it. Hackers prey on complacency.
This ransomware cyber attack targets only the Microsoft Windows operating system.
AFFECTED ORGANISATIONS:
- Andhra Pradesh Police Station
- Automobile Dacia
- Chinese Public Security Bureau
- Cambrian College
- Dharmais Hospital
- FedEx
- Government of Kerala
- Government of West Bengal
- Harapan Kita Hospital
- Hitachi
- LATAM Airlines Group
- Ministry of Internal Affairs of the Russian Federation
- Ministry of Foreign Affairs - Romania
- National Health Service - England
- NHS Scotland
- Nissan Motor Manufacturing
- Portugal Telecom
- Q-Park
- Renault
- Russian Airways
- Saudi Telecom Company
- VIVO
Most of the ransomware infections occurred through phishing emails.
The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, believed to be part of the United States National Security Agency.
EternalBlue exploits vulnerability MS17-010 in Microsoft's implementation of the Server Message Block (SMB) protocol. This Windows vulnerability is not a zero-day flaw, but one for which Microsoft had released a "Critical" advisory, along with a security patch to fix the vulnerability, two months before, on 14 March 2017. The patch was to the Server Message Block (SMB) protocol used by Windows, and fixed several client versions of the Microsoft Windows operating system, including Windows Vista onwards (with the exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older Windows XP, according to Microsoft. According to Dona Sarkar, head of the Windows Insider Program at Microsoft, Windows 10 was not affected; however, IT writer Woody Leonhard questioned whether this is the case with all Windows 10 systems, or just builds 14393.953 and later.
Starting from 21 April 2017, security researchers started reporting that computers with the DoublePulsar backdoor installed were in the tens of thousands. By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day. Apparently DoublePulsar was used alongside EternalBlue in the attack.
Screenshot of Wana Decrypt0r 2.0 (a screenshot of the note left on one of the affected computers)
On 12 May 2017, WannaCry began affecting computers worldwide. The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. When executed, the malware first checks the "kill switch" domain name. If it is not found, then the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and "laterally" to computers on the same network. As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days or $600 within seven days.
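In flow logs, the spreading behaviour described above shows up as one source reaching many distinct hosts on TCP port 445 (SMB) in a short time, both on its own network and on the Internet. The detector below is an added example, not part of the original post; the 60-second window, the threshold of 5, the internal address ranges and every sample address are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SMB_PORT = 445
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed

# Constructed flow records: (epoch seconds, source, destination, dest port).
SAMPLE_FLOWS = [
    # Workstation using one file server: normal SMB traffic.
    (1000, "10.0.0.5", "10.0.0.10", 445), (1004, "10.0.0.5", "10.0.0.10", 445),
    (1009, "10.0.0.5", "192.0.2.80", 443),
    # Host trying many neighbours and Internet addresses on 445 within seconds.
    (1000, "10.0.0.23", "10.0.0.24", 445), (1001, "10.0.0.23", "10.0.0.25", 445),
    (1002, "10.0.0.23", "203.0.113.7", 445), (1003, "10.0.0.23", "10.0.0.26", 445),
    (1004, "10.0.0.23", "198.51.100.44", 445), (1005, "10.0.0.23", "192.0.2.91", 445),
    # Backup host: five SMB peers, but spread over ten minutes.
    (1000, "10.0.0.40", "10.0.0.41", 445), (1150, "10.0.0.40", "10.0.0.42", 445),
    (1300, "10.0.0.40", "10.0.0.43", 445), (1450, "10.0.0.40", "10.0.0.44", 445),
    (1600, "10.0.0.40", "10.0.0.45", 445),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def smb_fanout_alerts(flows, window=60, threshold=5):
    """Flag sources that reach >= threshold distinct hosts on TCP 445 inside
    any `window`-second span, counting internal and external peers."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window's left edge forward
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            internal = sum(is_internal(p) for p in best)
            alerts[src] = {"internal": internal, "external": len(best) - internal}
    return alerts

if __name__ == "__main__":
    print(smb_fanout_alerts(SAMPLE_FLOWS))
```

A non-zero "external" count is the stronger signal, since ordinary workstations rarely open SMB sessions to Internet addresses at all.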
Organizations that had not installed Microsoft's security update were affected by the attack. Those still running the older Windows XP were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014). However, the day after the outbreak Microsoft released an emergency security patch for Windows XP.
According to Wired, affected systems will also have had the DoublePulsar backdoor installed; this will also need to be removed when systems are decrypted.
Ken Collins of Quartz wrote on 12 May that three or more hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown. To track the ransom payments in real time, a Twitterbot that watches each of the three wallets has been set up. As of 16 May 2017 at 12:00 UTC, a total of 238 payments totaling $65,970.35 had been transferred.
British Prime Minister Theresa May's take:
"This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected."