WannaCry Ransomware is still there! Kill-Switch failed to stop #WannaCry

If you are a Windows user, you have probably been reading a lot about the #WannaCry Ransomware, which is spreading like fire. According to the earlier news, the situation was settled by a security researcher via a ‘Kill Switch’ that stopped WannaCry Ransomware.

But Wait! It’s not over yet, because WannaCry 2.0 is out and has started infecting Windows machines again.

For first-time readers, here’s a little background on WannaCry Ransomware. WannaCry is ransomware that attacks Windows machines through an SMB exploit; it hits machines running old versions of Windows, or Windows machines that have not installed the security patch.

Once your Windows machine is infected by WannaCry, the infection is not confined to your system: it will scan for all the other systems reachable over the LAN or the wider Internet.

The major thing about this WannaCry attack is that you don’t have to click on anything or perform any activity at all: the attacker just needs to know your IP address, and you are vulnerable to WannaCry because Windows by default opens the port for SMB.

Kill Switch is not able to stop WannaCry

Kill Switch fails in the following scenarios:

  • If, instead of the SMB protocol, you inadvertently welcome WannaCry via an email, a malicious torrent, or other vectors.
  • If by chance your ISP, antivirus or firewall blocks access to the sinkhole domain.
  • If the targeted system requires a proxy to access the Internet, which is common practice in the majority of corporate networks.

MalwareTech, however, put a brake on the WannaCry fire by registering a domain name hidden in the malware.

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The above-mentioned domain was found to control the spread of WannaCry. The logic inside the WannaCry Ransomware is that if the above domain returns HTTP status code 200, it will not start encrypting files on the infected system; if any other status code is returned, it starts encrypting and locking the files. Fortunately, this domain had not been bought by anybody, so MalwareTech bought it, set up a quick piece of logic to return HTTP status code 200, and stopped WannaCry, as described in the following blog post

Ready, Get Set, and Go for Patching WannaCry

Upgrade, Patch OS & Disable SMBv1

Microsoft took the unusual step of protecting customers on unsupported versions of Windows (including Windows XP, Vista, Windows 8, Server 2003 and 2008) by releasing security patches that fix the SMB flaw currently being exploited by the WannaCry ransomware.

Please do not think that disabling SMB is a permanent solution; it is only a temporary one.

Everyone is recommended to upgrade their Windows systems if they are on unsupported versions, or to install the security patch for their current Windows systems.
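A host check for the advice above (patch status, SMBv1 state, inbound SMB port), added here as an example and not part of the original post. It assumes PowerShell run as Administrator on Windows 8 / Server 2012 or later; the KB number is a placeholder that you replace with the MS17-010 KB for your build:

```powershell
# Added example (not from the original post): audit a Windows host for the
# WannaCry exposure described above and, with -Remediate, disable SMBv1.
# Assumptions: run as Administrator on Windows 8 / Server 2012 or later
# (Get-SmbServerConfiguration). $Ms17010Kb is a placeholder; take the KB for
# your OS build from the MS17-010 bulletin.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$Ms17010Kb = 'KBNNNNNNN'   # placeholder, replace with the MS17-010 KB for this OS
)

# 1. Is the MS17-010 fix installed? Disabling SMBv1 is only a stopgap; the patch is the fix.
$patch = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if ($patch) {
    Write-Host "OK      $Ms17010Kb installed on $($patch.InstalledOn)"
} else {
    Write-Warning "MISSING $Ms17010Kb not installed - host stays exposed over SMBv1 until patched"
}

# 2. Is the SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server protocol disabled (takes effect immediately)"
    }
} else {
    Write-Host "OK      SMBv1 server protocol disabled"
}

# 3. Is the SMB1 optional feature (client and server binaries) still installed?
#    On Server SKUs use Get-WindowsFeature FS-SMB1 instead of the optional feature cmdlets.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol Windows feature is installed"
    if ($Remediate) {
        # Removal only completes after a reboot
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "SMB1Protocol feature removal scheduled; reboot to complete"
    }
} else {
    Write-Host "OK      SMB1Protocol feature not installed"
}

# 4. Which enabled inbound firewall rules allow TCP 445 (the SMB port) at all?
$open445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
if ($open445) { Write-Warning "Inbound allow rules for port 445: $($open445.DisplayName -join ', ')" }
```

Run it without `-Remediate` first to see the findings; step 2 takes effect immediately, step 3 needs a reboot, and neither replaces installing the patch.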


Originally published at www.techpillar.com.