Types header

Name: WannaCry ransomware
Type: Crypto-Ransomware
Short Description: This ransomware belongs to the crypto variant family. The specific instigators have not yet been identified. More than 150 countries were affected by this variant. It is also known as WCRY, WANACRYPT0R and WNCRY.
Distribution Method: This ransomware is spread through phishing mails; once a machine is infected, it uses the SMB vulnerability to propagate within the network.

More Details

This ransomware infected machines in around 150 countries globally, and more than 126,000 companies were affected. Once a machine is infected, it demands $300; if the victim fails to pay within the demanded time frame, the ransom doubles to $600. WannaCry was so successful because it targets Windows users through the Windows exploit known as EternalBlue. This exploit was derived from an NSA exploit leaked by the Shadow Brokers group in April 2017. The attack started spreading at a massive rate on 12 May 2017.

This ransomware is spread through phishing mail. Once the victim clicks and runs the executable file, the infection begins, but before proceeding to the infection stage the ransomware checks for a pre-registered domain. If the domain is registered, the infection does not happen and the sample exits; if it is not registered, the infection starts. In the next stage it searches for files with specific extensions and starts to encrypt them. Once encryption is complete, the ransomware drops a note, a wallpaper and an application file that instructs the victim on how to make the payment and how to decrypt the files. This application also shows a countdown clock demanding that the ransom be paid before it reaches zero. If the victim fails to pay the $300 ransom within the given time, the clock stops and the attackers double the price for decrypting the files. The ransomware also runs a command in the command prompt that deletes the shadow copy files (backup files) on the victim's device, which makes recovery even harder.
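The shadow-copy deletion step described above is the behaviour a defender can most readily detect in process-creation telemetry. The following is an added example, not code from the original page: it scans constructed log lines (a hypothetical `timestamp host=… parent=… cmd="…"` format) for the standard Windows tools that delete Volume Shadow Copies or disable recovery, and escalates hosts where several such rules fire close together. The page itself names no specific command, so the tool names below are assumed from standard Windows administration.

```python
"""Flag process-creation events that delete Volume Shadow Copies or disable
Windows recovery (the backup-destruction step described above), then
escalate hosts where several such rules fire together. Added example over
constructed log lines, not code from the original page."""
import re
from datetime import datetime

# Standard Windows tools for destroying shadow copies / recovery options.
# "vssadmin list shadows" is a benign admin query and must not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Hypothetical log format: ISO timestamp, host, parent image, quoted command line.
EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) parent=\S+ cmd="(?P<cmd>.*)"$')

# Constructed sample events: one benign, one chained deletion, one bcdedit,
# one benign vssadmin query and one malformed line.
SAMPLE_EVENTS = [
    '2017-05-12T10:01:03 host=PC-07 parent=explorer.exe cmd="notepad.exe notes.txt"',
    '2017-05-12T10:02:15 host=PC-07 parent=dropper.exe cmd="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"',
    '2017-05-12T10:02:16 host=PC-07 parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled no"',
    '2017-05-12T10:30:00 host=PC-09 parent=mmc.exe cmd="vssadmin list shadows"',
    'truncated line with no fields',
]

def scan(lines):
    """Return (timestamp, host, rule, cmd) tuples; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        for name, pat in RULES:
            if pat.search(m.group("cmd")):
                alerts.append((ts, m.group("host"), name, m.group("cmd")))
    return alerts

def escalate(alerts, window_s=60):
    """Hosts on which two or more distinct rules fire within window_s seconds:
    one deletion may be admin cleanup, a chain looks like ransomware."""
    hosts = []
    for ts, host, _, _ in alerts:
        rules = {r for t, h, r, _ in alerts
                 if h == host and abs((t - ts).total_seconds()) <= window_s}
        if len(rules) >= 2 and host not in hosts:
            hosts.append(host)
    return hosts
```

Running `scan(SAMPLE_EVENTS)` yields three alerts, all on PC-07, and `escalate` returns that host alone; the benign query on PC-09 and the malformed line produce nothing.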

The list of targeted extensions is given below.

[Image: list of targeted file extensions]

One notable behaviour of this ransomware is that it only targets specific file locations. For more details about this process, refer to: http://vinransomware.com/blog/wannacry-ransomware-initial-analysis
The payment process is carried out over Tor, which makes it hard to trace. Three families of this ransomware are currently known. The kill switch was found for the first two families. Currently there are no decryptors available for this ransomware, but some mitigation processes are available.
For more technical details and mitigation processes, refer to the links below:
http://vinransomware.com/blog/wannacry-ransomware-technical-analysis
http://vinransomware.com/blog/wannacry-ransomware-initial-analysis
http://vinransomware.com/blog/how-to-disable-smb-on-windows-machines-to-prevent-wannacry-ransomware