How to protect your PC from WannaCry

Nowadays you may be hearing that you should update your Windows PC or laptop, and you may be hearing about the WannaCry ransomware too. Don’t worry; here are some tips from experts on how to protect yourself from this ransomware. First of all, we must know that WannaCry is a form of ransomware.


Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer’s Master File Table (MFT) or the entire hard drive. Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.

The above paragraph is from Wikipedia; you can learn more about ransomware there.


WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale.

The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain’s National Health Service (NHS), FedEx, Deutsche Bahn and LATAM Airlines. Other targets in at least 99 countries were also reported to have been attacked around the same time.

Like previous ransomware, the attack spreads by phishing emails but also can infect directly across a network any exposed systems which have not installed recent security updates by using the EternalBlue exploit developed by the U.S. National Security Agency (NSA). Although a “critical” patch to remove the underlying vulnerability for supported systems had been issued by Microsoft on 14 March 2017, many organizations had not yet applied this.

Those still running exposed older, unsupported operating systems, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft has now taken the unusual step of releasing updates for these.

Shortly after the attack began, a researcher found an effective kill switch, which slowed the spread of infection, but new versions that lack the kill switch have now been detected.

Basically, ransomware generally installs itself through any media and then spreads itself across a network. WannaCry has spread across the world like nothing before. If you use Linux you may be safe, because it targets only Windows systems. If you use Windows XP, Vista, Server 2003 or a similar system whose support has been ended by Microsoft, you can still get patches, as Microsoft has released patches for these systems as well.

Click the link below and install the latest updates from the official Microsoft website.

This ransomware spreads by using a vulnerability in implementations of Server Message Block (SMB) in Windows systems. The exploit is named ETERNALBLUE.

Source: Symantec

It also drops a file named !Please Read Me!.txt, which contains text explaining what has happened and how to pay the ransom.

Source: Symantec

Be aware that it encrypts files with the following extensions. The file extensions the malware targets fall into certain clusters of formats, including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

How to find out if your system has been compromised

The ransomware writes itself into a folder with a random name inside the ‘ProgramData’ folder, using the file name “tasksche.exe”, or into the ‘C:\Windows\’ folder with the file names “mssecsvc.exe” and “tasksche.exe”.

The ransomware grants full access to all files by running the command:

icacls . /grant Everyone:F /T /C /Q

It uses a batch script for its operations:

Hashes for the WannaCry ransomware:

Use endpoint protection/anti-virus solutions to detect these files and remove them.
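As an added example (not part of the original post or of any vendor's tooling), the Python scanner below walks a drive root and reports the host indicators listed above: tasksche.exe in a random-named folder under ProgramData, mssecsvc.exe or tasksche.exe in the Windows folder, the ransom note, and the ransom-note strings from the page's YARA rule matched the way YARA's "wide ascii nocase" does. It builds its own constructed, inert sample tree in a temp directory; the folder name xkqtrhbz and the user folder alice are made-up values.

```python
import os
import re
import tempfile

# Host indicators from the text above: drop locations, file names and the ransom
# note. The content strings are the ones in the page's YARA rule wannacry_1.
DROP_FILES = {"tasksche.exe", "mssecsvc.exe"}
RANSOM_NOTE = "!please read me!.txt"
RANSOM_STRINGS = [b"Ooops, your files have been encrypted!",
                  b"icacls . /grant Everyone:F /T /C /Q"]
# Emulate YARA's 'wide ascii nocase': match ASCII and UTF-16LE forms, ignoring case.
PATTERNS = [re.compile(re.escape(p), re.IGNORECASE) for s in RANSOM_STRINGS
            for p in (s, s.decode("ascii").encode("utf-16-le"))]


def scan_tree(root: str) -> list:
    """Walk a drive root and return (reason, path) for every indicator hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        grandparent = os.path.basename(os.path.dirname(dirpath)).lower()
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            if low == "tasksche.exe" and grandparent == "programdata":
                findings.append(("dropper in ProgramData", path))  # random-named subfolder
            elif low in DROP_FILES and parent == "windows":
                findings.append(("dropper in Windows folder", path))
            elif low == RANSOM_NOTE:
                findings.append(("ransom note", path))
            with open(path, "rb") as fh:  # content check, independent of the file name
                data = fh.read()
            if any(rx.search(data) for rx in PATTERNS):
                findings.append(("ransom strings in content", path))
    return findings


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo_tree() -> str:
    """Constructed sample layout (inert stub files, no malware) to exercise the scanner."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "ProgramData", "xkqtrhbz", "tasksche.exe"), b"MZ stub")
    _write(os.path.join(root, "Windows", "mssecsvc.exe"), b"MZ stub")
    note = "Ooops, YOUR FILES have been encrypted!".encode("utf-16-le")
    _write(os.path.join(root, "Users", "alice", "!Please Read Me!.txt"), note)
    _write(os.path.join(root, "Users", "alice", "notes.txt"), b"nothing to see")
    return root
```

On a real host, point scan_tree at the system drive root; it reads every file, so expect it to take a while on large volumes.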

Network Connections
The malware uses Tor hidden services for command and control. The list of .onion domains inside it is as follows:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion

Note: For updates on the latest indicators of compromise, please see the security vendor references given in the references section.

What to do next

Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infections/attacks:

In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.

Microsoft patch for unsupported versions such as Windows XP, Vista, Server 2003, Server 2008, etc.

To prevent data loss, users and organisations are advised to take backups of critical data.

Block SMB ports on enterprise edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or disable SMBv1.

Apply the following signatures/rules at the IDS/IPS:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
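The rules above only alert when an echo response follows an echo request in the same flow: the request rule sets the flowbit silently (flowbits:set plus flowbits:noalert) and the response rule fires only if that bit is set (flowbits:isset). As an added example, not from the original post or from the rule authors, this Python matcher implements the rules' content, depth and distance:0 semantics together with that flowbit, over constructed sample packets; the packets are just the 16-byte header pattern, padding and the marker bytes quoted in the rules, not real SMB traffic.

```python
# The IDS rules quoted above, reduced to what a matcher needs: the content patterns
# (with Snort's depth / distance modifiers) and the flowbits directive. Rules 1 and 3
# of the page carry the same response logic, so one entry covers both.
ECHO_HDR_REQ = "|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"
ECHO_HDR_RESP = "|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"
ECHO_TAIL = "|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"
RULES = [  # (name, flow direction, [(content, depth)], flowbits action)
    ("Echo Request (set)", "to_server", [(ECHO_HDR_REQ, 16), (ECHO_TAIL, None)], "set"),
    ("Echo Response", "from_server", [(ECHO_HDR_RESP, 16), (ECHO_TAIL, None)], "isset"),
]


def snort_content(spec: str) -> bytes:
    """Turn a Snort content string ('|hex|literal|hex|') into raw bytes."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def contents_match(payload: bytes, contents) -> bool:
    """Apply content/depth/distance:0 semantics: each pattern must follow the previous."""
    pos = 0
    for spec, depth in contents:
        pat = snort_content(spec)
        window = payload[pos:pos + depth] if depth else payload[pos:]
        idx = window.find(pat)
        if idx < 0:
            return False
        pos += idx + len(pat)  # distance:0 => next search starts right after this match
    return True


def process_flow(packets) -> list:
    """Run the rules over one TCP flow; return the alert names raised, in order."""
    flowbit, alerts = False, []
    for direction, payload in packets:
        for name, rule_dir, contents, action in RULES:
            if rule_dir != direction or not contents_match(payload, contents):
                continue
            if action == "set":
                flowbit = True        # flowbits:set + noalert: remember, stay silent
            elif action == "isset" and flowbit:
                alerts.append(name)   # alert only if the request was seen earlier
    return alerts


# Constructed sample packets: the header pattern, padding, then the marker bytes.
REQ = snort_content(ECHO_HDR_REQ) + b"\x00" * 20 + snort_content(ECHO_TAIL)
RESP = snort_content(ECHO_HDR_RESP) + b"\x00" * 20 + snort_content(ECHO_TAIL)
```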


YARA rules:

rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"
    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100
    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"
    condition:
        any of ($string*)
}

Best practices to prevent ransomware attacks:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain. Together these form an email validation system designed to prevent spam by detecting email spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of genuine URLs, close the e-mail and go to the organization’s website directly through the browser.
  • Restrict execution of PowerShell/WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Use application whitelisting and strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware samples generally drop to and execute from these locations. Enforce application whitelisting on all endpoint workstations.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources and addresses, and block these before messages are received and downloaded. Scan all emails, attachments and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Disable macros in Microsoft Office products. Some Office products allow macros that originate from outside the organization to be disabled, which provides a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Configure access controls, including file, directory and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories or shares.
  • Maintain updated antivirus software on all systems.
  • Consider installing the Enhanced Mitigation Experience Toolkit (EMET) or similar host-level anti-exploitation tools.
  • Block email attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Regularly check the contents of database backup files for any unauthorized encrypted data records or external elements (backdoors/malicious scripts).
  • Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
  • Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls.
  • Use network segmentation and segregation into security zones to help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
  • Disable Remote Desktop connections and employ least-privileged accounts.
  • Ensure the integrity of the code/scripts used in database, authentication and sensitive systems, and check regularly for the integrity of the information stored in the databases.
  • Restrict users’ abilities (permissions) to install and run unwanted software applications.
  • Enable personal firewalls on workstations.
  • Implement a strict external device (USB drive) usage policy.
  • Employ data-at-rest and data-in-transit encryption.
  • Carry out Vulnerability Assessment and Penetration Testing (VAPT) and information security audits of critical networks/systems, especially database servers, using CERT-In empanelled auditors. Repeat audits at regular intervals.
  • Individuals and organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report such instances of fraud to CERT-In and law enforcement agencies.

Generic Prevention Tools:


Content Credits: CERT IN
