
WannaCry 2.0: visual confirmation that you definitely need the right solution for reliable backups

As we have already said, last week, on Friday, May 12, more than 75,000 Windows computers around the world were hit by a ransomware worm known as WannaCry, WCry, or WanaCrypt0r 2.0. The attack was fairly well planned by the cybercriminals and launched on a Friday, just before the weekend, against major telecommunications and transportation companies, government and law enforcement agencies, hospitals, and educational institutions.


The WannaCry ransomware epidemic affected more than 100 countries last week and became the largest in history. There have been no reports of mass problems among home users, apparently because most of them run Windows 7 or Windows 10 with automatic installation of security updates and received the fix for this vulnerability from Microsoft back in March.

Although a large number of companies and private users suffered from the cyber attack, there is good news. In the new version of Acronis True Image 2017 New Generation we have implemented Active Protection, a technology for proactively detecting and neutralizing ransomware. All users who had enabled Acronis Active Protection on their computers were protected in this critical situation. Businesses also have this way of fighting ransomware: for now it is available in the preliminary Acronis Backup 12 Advanced Beta, and in the near future it will be available to all users.

Since WannaCry also attacks backups, we have provided reliable protection for our own files with Active Protection technology, which does not allow malicious software to corrupt the backup agent or the created copies of the files, including those in the cloud.

Briefly: what you need to know about WannaCry


WannaCry was one of the first ransomware worms. This malware not only works as ransomware but also tries to infect as many systems as possible by scanning the network it lands on and infecting neighboring computers. The attack is very difficult to detect with traditional security systems because it silently exploits a recently discovered vulnerability in Microsoft operating systems. Once inside a system, WannaCry encrypts all local drives and network folders. It is the worm functionality that makes this attack so dangerous for companies and private users, because it spreads in two ways: through an infected email attachment and by propagating like a computer worm.

As we predicted earlier, there is now a new generation of ransomware that attacks local backup copies of files and deletes the shadow copies created by the Volume Shadow Copy Service built into Microsoft Windows.

WannaCry uses a strong encryption algorithm, so the files cannot be decrypted easily or quickly.

At the moment the attack affects only computers running Windows, but similar vulnerabilities, and programs that exploit them, are possible for other operating systems. We expect that an attack of the same scale on other operating systems and devices is only a matter of time.

The victims from various industries are no coincidence


The cybercriminals deliberately chose their victims among organizations that cannot afford to stand idle and would most likely prefer to pay the ransom quickly: telecommunications, logistics and energy companies, public transport, hospitals, schools and universities. The attackers were not even afraid to attack units of the Russian Ministry of Internal Affairs! A short list of organizations hit by the ransomware worm:


The constantly updated list of victims is here.



How does the WannaCry ransomware spread?


The WannaCry ransomware worm enters private and corporate networks through spam emails with malicious attachments, which in turn contain a macro or a link to the malicious program that starts the initial infection. Although there are currently no samples of such emails, all analysts, including Microsoft experts, agree that this is how the first stage of the infection occurred.

WannaCry's further activity relies on two leaked components: the DOUBLEPULSAR backdoor and the ETERNALBLUE exploit.

ETERNALBLUE is used to plant DOUBLEPULSAR on the system; DOUBLEPULSAR exploits a vulnerability in the SRV.SYS kernel-mode driver (the SMB file server), which allows a malicious DLL to be injected and executed in any process on the compromised system.

Once installed, the malware starts acting like a worm: it scans the network, connects to other computers on port 445 to detect the DOUBLEPULSAR backdoor, and transfers the infected files that start the process on the new computer, spreading the infection like a forest fire. If the attacked system does not have the DOUBLEPULSAR backdoor, the worm first installs it via the ETERNALBLUE exploit, and the process continues.

Features of the worm propagation mechanism


Before starting its activity, WannaCry checks whether a special “kill switch” domain exists, and if it finds it, the program stops. The first version of the worm was stopped precisely by activating such a “kill switch” domain. If the “switch” does not exist, the worm loads its modules, registers a service, scans random IP addresses on port 445, checks for the DOUBLEPULSAR backdoor, and prepares the package for deployment.

Preparing the package for deployment is implemented as a function, which we call initNetworkInjectingExecutables in the pseudo-code below. initNetworkInjectingExecutables reads the loader out of the worm, creates the deployment package, appends the worm to it and sends it to the port on the compromised system. On that system the loader gains control through the DOUBLEPULSAR backdoor and starts the worm. The process then repeats on the newly infected machine, fanning the forest fire further.

    // Decompiler output from the worm sample (variable names are the decompiler's).
    HGLOBAL initNetworkInjectingExecutables() {
        //...
        // Copy the two embedded executable bodies into their staging buffers.
        do
        {
            v2 = g_exeBody0;
            if ( v1 )
                v2 = g_exeBody1;
            v3 = *(&g_exeBuffer0 + v1);
            *(&exeBuffer + v1) = (int)v3;
            qmemcpy(v3, v2, v1 != 0 ? 51364 : 16480);
            *(&exeBuffer + v1) += v1 != 0 ? 51364 : 16480;
            ++v1;
        }
        while ( v1 < 2 );
        // Open the worm's own module file and append it to the buffer,
        // preceded by a DWORD holding its size: this is the package for the next host.
        v4 = CreateFileA(g_moduleFileName, 0x80000000, 1u, 0, 3u, 4u, 0);
        v6 = GetFileSize(v4, 0);
        v7 = (const void *)exeBuffer;
        v9 = (void *)(exeBuffer + 4);
        *(_DWORD *)exeBuffer = v6;
        ReadFile(v4, v9, v6, &NumberOfBytesRead, 0);
        CloseHandle(v4);
        result = (HGLOBAL)1;
        //
        return result;
    }

New worm variants

Since the first attack, two new worm variants have appeared.

Interestingly, the “kill switch” domain was removed by a binary patch that zeroes the URL string. The attackers therefore most likely did not have access to the source code, which suggests that other attackers are trying to reuse the malware to cash in easily on its success. It is also possible that the ransomware was simply commissioned from the developer, and the distributor is not strong at programming or has no source code and tried to solve the problem this way without contacting the malware developer again.

The malicious part of this sample, tasksche.exe, has been slightly modified:

Comparing files MSSECSVC.EXE_3 and MSSECSVC.EXE_2

    0032BBF3: AA 27
    0032BBF4: 19 68
    …
    00359FFE: C2 4E
    00359FFF: 03 47

This rendered the encryptor inoperable. Whether this was done by mistake or for some other purpose is not entirely clear.

If you do not have a modern backup system, your files will be lost.


On the infected system the malware deletes all VSS shadow copies using every available method:

    vssadmin delete shadows /all /quiet
    wmic shadowcopy delete
    wbadmin delete catalog -quiet

The recovery console on the compromised system is also disabled:

    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    bcdedit /set {default} recoveryenabled no
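As an added example (not part of the original article), here is a small detector that runs over constructed Sysmon-style process-creation records and flags exactly the shadow-copy deletion and recovery-disabling commands listed above; the host names, paths and the flattened log format are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of process-creation events (Sysmon Event ID 1 style),
# flattened to "host|parent_image|image|command_line". Not real telemetry.
SAMPLE_EVENTS = """\
ws01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\a\\notes.txt
ws01|C:\\ProgramData\\tasksche.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
srv02|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
srv02|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet
"""

# One rule per command from the article; case-insensitive, whitespace-tolerant,
# and accepting an optional ".exe" on the tool name.
RULES = [
    ("vss_delete",      re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit_ignore",  re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit_norecov", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]

def match_rules(command_line: str) -> List[str]:
    """Names of all rules whose pattern occurs in the command line."""
    return [name for name, pat in RULES if pat.search(command_line)]

def analyze(log_text: str) -> Dict[str, Dict[str, object]]:
    """Per host: distinct techniques seen, the parents that launched them, a score
    (one point per technique) and an alert at score >= 2, so a lone backup-job
    'wbadmin delete catalog' stays at 'info' level."""
    per_host: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, parent, _image, cmd = line.split("|", 3)
        hits = match_rules(cmd)
        if not hits:
            continue
        entry = per_host.setdefault(host, {"techniques": set(), "parents": set()})
        entry["techniques"].update(hits)
        entry["parents"].add(parent)
    for entry in per_host.values():
        entry["score"] = len(entry["techniques"])
        entry["alert"] = entry["score"] >= 2
    return per_host

if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS).items():
        state = "ALERT" if info["alert"] else "info"
        print(host, state, sorted(info["techniques"]), sorted(info["parents"]))
```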

How WannaCry encrypts files


The malicious part of the worm runs the tasksche.exe program, which it extracts from the loader package. The encryptor scans all drives and network folders on the system, looks for files with extensions from its internal table and encrypts them using the RSA algorithm with a 2048-bit key. In a new folder called Tor/ it creates tor.exe and related files. Two more files are copied there: taskdl.exe and taskse.exe. The latter removes traces of the worm's work and then launches @wanadecryptor@.exe. This program displays a ransom demand screen and communicates over the Tor network.

The encryptor targets files with more than 160 different extensions:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

If the system is not protected, the user will see an unpleasant message:



One can only hope that the files will be decrypted after the ransom is paid, or accept the loss of the data if there is no secure backup.

How to protect your systems from WannaCry and other ransomware attacks


First of all, all users who have updated their Windows computers since March of this year are protected from this vulnerability.



Acronis True Image 2017 New Generation, installed on the user's computer with the Acronis Active Protection feature enabled, detects the activity of WannaCry and other ransomware.



All damaged files are restored by Acronis Active Protection almost instantly, without paying any ransom to the cybercriminals.

If you do not believe us, here is a detailed video on a popular YouTube channel:



→ To download a trial version or buy a license for Acronis True Image 2017 New Generation, click here.

→ This article can also be read in English on our blog.

Source: https://habr.com/ru/post/328796/

