Computer Security | 12 Min Read
Posted on: Wednesday May 17, 2017
Ransomware has been causing major disruptions in recent years.
The recently leaked NSA EternalBlue exploit is being used by cyber criminals to spread the WannaCry ransomware worldwide. The dump covering the MS17-010 Windows vulnerability was made public by the notorious Shadow Brokers group on 14th April 2017. This vulnerability affects most desktop and server editions of Microsoft Windows; Microsoft had released a patch for it in March 2017. However, systems that have not applied this patch are affected by the WannaCry ransomware, which uses worm-like behaviour to spread to vulnerable systems on the network.
WannaCry Creating Havoc Worldwide
This ransomware has already affected high-profile organizations in Spain, the UK, China and other countries, including India. These include clinics and hospitals in the UK, as well as telecom, gas, electricity and other utility providers. Many universities in China have also been hit.
How does WannaCry Ransomware work?
The attack targets systems that expose SMB services on a network. These services are exploited with the “EternalBlue” exploit, which plants the WannaCry ransomware; after successful execution it encrypts the victim's files. It appends the “.WNCRY” extension to every file it encrypts.
Image 1: WannaCry Ransomware Encrypted files
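The “.WNCRY” suffix described above is the one file-level indicator a responder can check for without any vendor tooling. The script below is an added example written for this article, not code from the original post: it walks a directory tree, collects every file carrying that suffix (matched case-insensitively, since Windows file names are case-insensitive), and summarises the spread per directory together with the original file names recovered by stripping the appended suffix. The sample tree built by `build_sample_tree()` is constructed here for demonstration and is not real WannaCry output.

```python
"""Scan a directory tree for files bearing the ".WNCRY" extension that
WannaCry appends to every file it encrypts, and summarise the findings
per directory so a responder can see how far the encryption spread.

Added example for the article; not code from the original post.
The only indicator used is the ".WNCRY" suffix named in the article;
the sample tree built by build_sample_tree() is constructed for the
demonstration and is not real WannaCry output.
"""
import os
import tempfile
from collections import Counter

WNCRY_SUFFIX = ".WNCRY"


def is_wncry(name: str) -> bool:
    """True if the file name carries the WannaCry extension (case-insensitive)."""
    return name.upper().endswith(WNCRY_SUFFIX)


def scan_for_wncry(root: str) -> list:
    """Walk `root` and return the sorted paths of every .WNCRY file found."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if is_wncry(fname):
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def summarise(root: str, hits: list) -> dict:
    """Group hits by directory (relative to root) and recover the original
    file names by stripping the suffix WannaCry appended."""
    per_dir = Counter(os.path.relpath(os.path.dirname(h), root) for h in hits)
    originals = [os.path.basename(h)[: -len(WNCRY_SUFFIX)] for h in hits]
    return {
        "total": len(hits),
        "directories": dict(per_dir),
        "original_names": sorted(originals),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample: two encrypted documents, one lower-case suffix
    variant, and two untouched files that must not be reported."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Pictures"))
    for rel in ("Documents/report.docx.WNCRY",
                "Documents/budget.xlsx.WNCRY",
                "Pictures/holiday.jpg.wncry",
                "Pictures/readme.txt",
                "notes.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample content\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return
    the summary (3 hits: 2 under Documents, 1 under Pictures)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarise(tmp, scan_for_wncry(tmp))


if __name__ == "__main__":
    result = demo()
    print(f"{result['total']} encrypted files found")
    for directory, count in sorted(result["directories"].items()):
        print(f"  {directory}: {count}")
    print("original names:", ", ".join(result["original_names"]))
```

Run it against a real volume by calling `scan_for_wncry("C:\\Users")` (or any mount point) instead of `demo()`; the per-directory counts show which shares and profiles were reached, which is the first thing to know before deciding what to restore from backup.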
After successful exploitation, it adds the below files to the system:
WannaCry adds the malicious registry entries below to persist on the system, so that the infection is launched again after each reboot:
After encryption completes, it shows the warning message below with instructions for recovering the files. A countdown timer is displayed to create panic and push the victim into paying the demanded ransom; otherwise, it threatens that all encrypted data will be deleted. WannaCry displays the ransom message in the language of the current region.
Pro Web Unisys – Dubai: Tips to safeguard you from this attack (in case you are a victim)
As for removing WannaCry, you need to enter Safe Mode to do this; here's how.
The following information is based on our research; however, we cannot guarantee that WannaCry will be removed from your Windows PC.
However, there have been reports that the SpyHunter software does manage the threat effectively, although it will require you to purchase it; the free version will only inform you whether you are infected.
As for the following tutorial, we advise that you either bookmark this page or read it on another device, because during the guide you may need to exit your browser.
Windows XP and 7: Before Windows starts, hit the F8 key. Once the Boot Menu appears, look for and select Safe Mode with Networking, then press Enter.
Windows 8 and 8.1: Go to the Start Menu >> Control Panel, followed by Administrative Tools >> System Configuration. Next, find and tick Safe Boot, then select Networking, followed by Restart. Your computer should now boot into Safe Mode.
Windows 10: Go to Start Menu >> Settings >> Update and Security >> Recovery. Next, under Advanced Startup, click Restart Now and allow your computer to restart.
When the Choose an Option screen appears, go to Troubleshoot >> Advanced Options >> Startup Settings. Then enable the Safe Mode with Networking option and press Enter to boot into Safe Mode.
Note: Depending on your computer, there's always the chance that some key other than F8 is the boot key. If that is so, look for advice in the manufacturer's literature or online.
As with all tutorials, please read each step individually, and only act upon it when understood.
Usually, a malicious process will consume large amounts of resources such as CPU and RAM. If you discover something that looks out of the ordinary, right-click it and open the file. Next, delete everything. Only do this if you are sure that the process is WannaCry related.
If you are a Windows 10 user, its startup programs can be seen in Task Manager. On all versions of Windows, if any entry has an unknown developer or just looks wrong, uncheck it and click OK.
When the registry editor launches, press Ctrl+F and type the name of the virus, Ransom.CryptXXX or WannaCry. Now select Find Next and remove whatever is returned that relates to that name. Repeat this for all the search results.
When each opens, sort its contents by date and delete the most recent folders and files. Furthermore, when you access the Temp folder, remove everything from it.
In this article, we've shown you how to protect yourself from this severe ransomware cyberattack. As for removing WannaCry, the above is not 100% guaranteed to do so, though it may eliminate some of the problems it causes. However, we prefer not to promise anything; instead, update your computer, antivirus and firewall, and complete the tutorial now.