Wednesday, 18/10/2017 | 3:49 UTC+5
Mehta Websolution's Blog

What is Ransomware? What is WannaCry Ransomware? How does it spread? What can you do to prevent infection?

What is Ransomware?

Ransomware is malicious software that encrypts files and locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it. In May 2017 a ransomware worm named 'WannaCry' hit computers worldwide in the biggest ransomware outbreak seen so far. Computers in India were affected too.

What is WannaCry Ransomware?

WannaCry attacks Windows machines. It also goes by the names WannaCrypt, WanaCrypt0r, WCrypt and WCRY. It uses an SMBv1 exploit called EternalBlue to get onto a machine and inject the malware. Any Windows version that has not received the MS17-010 security update (March 2017) is vulnerable; the update covers every supported version, Windows 10 included, and after the outbreak Microsoft also published it for the unsupported Windows XP, Windows 8 and Windows Server 2003. In practice the worm mostly infected Windows 7 and Windows Server 2008 machines. Once on a system it encrypts the user's files (giving them the .WNCRY extension), drops a ransom note and shows a window with a countdown and instructions to pay US$300 in bitcoin to get the files back. After 3 days the demand doubles to US$600, and after 7 days it says the files will be unrecoverable. The exploit also installs the DOUBLEPULSAR kernel backdoor, which is what loads the ransomware payload into the victim.

How does it spread?

It propagates with EternalBlue (MS17-010). Like any malware it can arrive through a malicious link or attachment, but what turned WannaCry into an outbreak is its worm component: once running, it scans the local subnet and random internet addresses for TCP port 445, checks whether the remote host is still vulnerable to MS17-010, exploits it, plants DOUBLEPULSAR and uses that to load a copy of itself on the new machine, all without anyone clicking anything. One infected laptop carried into an unpatched office network can therefore infect every reachable machine within minutes. Before any of this the malware makes an HTTP request to a hard-coded domain (the first entry under Domains below) and exits if the request succeeds; this kill switch is why that domain must not be blocked.
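The scanning behaviour just described leaves a clear trace in host or perimeter firewall logs: one source opening TCP/445 to many distinct hosts in seconds. The script below is an added example, not code from the original post, that finds that pattern in Windows Firewall log lines (pfirewall.log layout). The sample lines are constructed, and the threshold (10 distinct targets) and window (60 seconds) are assumptions to tune for your network.

```powershell
# Added example, not from the original post: spot WannaCry-style SMB fan-out
# (one source opening TCP/445 to many distinct hosts in a short window) in
# Windows Firewall log lines. Threshold and window are assumptions.

function Find-SmbScanners {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # pfirewall.log lines
        [int]$MinTargets    = 10,                 # distinct destinations before a source is flagged (assumed)
        [int]$WindowSeconds = 60                  # sliding window (assumed)
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Keep only outbound TCP connections to port 445. pfirewall.log fields:
    # date time action protocol src-ip dst-ip src-port dst-port ... path
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }                     # header or blank
        $f = $line -split '\s+'
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[7] -ne '445' -or $f[16] -ne 'SEND') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start   = $sorted[$i].Time
            $end     = $start.AddSeconds($WindowSeconds)
            $targets = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                         Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $MinTargets) {
                [pscustomobject]@{ Source = $group.Name; DistinctTargets = $targets.Count; WindowStart = $start }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample: 10.0.0.5 sweeps 25 hosts on 445 within 25 seconds (worm
# behaviour) while 10.0.0.9 talks repeatedly to a single file server (normal).
$t0 = [datetime]'2017-05-12T10:01:00'
$sample = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$sample += @(1..25 | ForEach-Object {
    '{0:yyyy-MM-dd HH:mm:ss} ALLOW TCP 10.0.0.5 10.0.0.{1} {2} 445 0 - 0 0 0 - - - SEND' -f $t0.AddSeconds($_), (100 + $_), (49000 + $_)
})
$sample += @(1..25 | ForEach-Object {
    '{0:yyyy-MM-dd HH:mm:ss} ALLOW TCP 10.0.0.9 10.0.0.50 {1} 445 0 - 0 0 0 - - - SEND' -f $t0.AddSeconds($_), (50000 + $_)
})

Find-SmbScanners -Lines $sample | Format-Table -AutoSize
```

To run this against real data, feed it `Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log`; note that Windows Firewall only writes allowed connections when "Log successful connections" is switched on in the profile settings, so on a default install you will see drops but not the outbound SYNs.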

What can you do to prevent infection?

  • Apply the Microsoft security update MS17-010 (March 2017) immediately. Microsoft also released the fix for the unsupported Windows XP, Windows 8 and Windows Server 2003 (KB4012598); install it there if those systems cannot be removed yet.
  • Remove Windows NT4, Windows 2000, Windows XP and Windows Server 2003 from production environments.
  • Block TCP ports 139 and 445 at the perimeter firewall and between network segments. WannaCry spreads over SMB only, but port 3389 (RDP) should not be reachable from the internet either.
  • Avoid clicking links or opening attachments in emails from people you don't know or companies you don't do business with.
  • SMBv1 is enabled by default on older Windows versions and is the protocol EternalBlue abuses. Disable it: on Windows 8.1/10 remove "SMB 1.0/CIFS File Sharing Support" under Control Panel > Programs > Turn Windows features on or off, or run Set-SmbServerConfiguration -EnableSMB1Protocol $false in an elevated PowerShell; on Windows 7/Server 2008 R2 create the DWORD value SMB1 = 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (Microsoft KB2696547) and reboot. SMBv2 and SMBv3 can stay on.
  • Keep all software up to date.
  • Run a pop-up blocker in your web browser.
  • Back up your files regularly, and keep at least one copy offline or on storage the machine cannot write to, because ransomware also encrypts mapped drives and network shares.
  • Install a reputable antivirus and anti-ransomware product.
  • The indicators at the end of this post (IPs, domains and file names) can be loaded into your firewall and antivirus, with one exception: the first domain listed is WannaCry's kill switch and must stay reachable, not blocked.
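Putting the patch, SMBv1 and firewall steps together for one host: the following PowerShell is an added example, not from the original post or from any Microsoft tool. It audits the machine (MS17-010 update present, SMBv1 state, port 445 listening) and then applies the SMBv1 and host-firewall hardening. Run it in an elevated PowerShell. The KB numbers are the March 2017 MS17-010 updates; later monthly rollups supersede them, so "none found" is a prompt to check Windows Update rather than proof the host is unpatched. The firewall rule name is an assumption.

```powershell
# Added example, not from the original post: audit and harden one Windows host
# against the WannaCry propagation path. Run elevated.

# March 2017 MS17-010 updates (security-only and monthly rollup per OS). Later
# rollups supersede these, so absence is not proof of exposure.
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-WannaCryExposure {
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
    $found     = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    $kbReport  = if ($found.Count) { $found -join ', ' } else { 'none (check Windows Update)' }

    # SMB1 server state via the KB2696547 registry value (Windows 7 and later);
    # when the value is absent, SMB1 is on.
    $smb1 = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
    # Windows 8 / Server 2012 and later expose the same switch through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Anything listening on 445 is reachable by the worm unless the firewall blocks it.
    $listening445 = [bool](netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING')

    [pscustomobject]@{
        Ms17010UpdatesFound = $kbReport
        Smb1Enabled         = $smb1Enabled
        Listening445        = $listening445
    }
}

function Protect-HostFromWannaCry {
    # Server side: turn SMB1 off (KB2696547 method, works on Windows 7 and later).
    Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    # Client side: stop the SMB1 redirector (mrxsmb10) from loading.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Host firewall: drop inbound NetBIOS/SMB from everywhere. Narrow the rule to
    # your file-server subnets if this machine genuinely has to serve shares.
    netsh advfirewall firewall add rule name="Block inbound SMB (MS17-010)" `
        dir=in action=block protocol=TCP localport=139,445 | Out-Null
    'SMB1 disabled and inbound TCP 139/445 blocked; reboot to finish.'
}

Get-WannaCryExposure | Format-List
# Uncomment once you have read the report and are sure the host needs no SMB1 clients:
# Protect-HostFromWannaCry
```

The audit is deliberately separate from the hardening: disabling SMBv1 breaks access to very old NAS boxes and multifunction printers, so look at the report, confirm nothing depends on SMBv1, and only then run the second function.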

IPs (as circulated by the source; port 9001 is Tor's default relay port, and relays change over time, so treat those entries as a snapshot rather than a permanent block list):

116.0.5.10:135
16.0.5.10:49
10.132.0.38:80
1.127.169.36:445
1.34.170.174:445
74.192.131.209:445
72.251.38.86:445
154.52.114.185:445
52.119.18.119:445
203.232.172.210:445
95.133.114.179:445
111.21.235.164:445
199.168.188.178:445
102.51.52.149:445
183.221.171.193:445
92.131.160.60:445
139.200.111.109:445
158.7.250.29:445
81.189.128.43:445
143.71.213.16:445
71.191.195.91:445
34.132.112.54:445
189.191.100.197:445
117.85.163.204:445
165.137.211.151:445
3.193.1.89:445
173.41.236.121:445
217.62.147.116:445
16.124.247.16:445
187.248.193.14:445
42.51.104.34:445
76.222.191.53:445
197.231.221.221:9001
128.31.0.39:9191
149.202.160.69:9001
46.101.166.19:9090
91.121.65.179:9001
2.3.69.209:9001
146.0.32.144:9001
50.7.161.218:9001
217.79.179.177:9001
213.61.66.116:9003
212.47.232.237:9001
81.30.158.223:9001
79.172.193.32:443
38.229.72.16:443
Domains:

• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (kill switch: the malware exits without encrypting anything if an HTTP request to this domain succeeds. It was registered and sinkholed by a researcher on the day of the outbreak, so it must NOT be blocked. Machines that can only reach the internet through a proxy fail this check and are encrypted anyway, because the malware makes the request directly and ignores proxy settings.)
• rphjmrpwmfv6v2e[.]onion
• gx7ekbenv2riucmf[.]onion
• 57g7spgrzlojinas[.]onion
• xxlvbrloxvriy2c5[.]onion
• 76jdd2ir2embyv47[.]onion
• cwwnhwhlz52maqm7[.]onion

The .onion names are Tor hidden services the malware contacts for payment handling. They never appear in ordinary DNS, so you will not catch them with a domain block list; block or alert on Tor traffic itself (the malware drops its own Tor client) and on the relay IPs above.

File Names:

• @Please_Read_Me@.txt
• @WanaDecryptor@.exe
• @WanaDecryptor@.exe.lnk
• Please Read Me!.txt (older variant)
• C:\WINDOWS\tasksche.exe
• C:\WINDOWS\qeriuwjhrf
• 131181494299235.bat
• 176641494574290.bat
• 217201494590800.bat
• [0-9]{15}.bat (regex; the .bat droppers above are instances of it)
• !WannaDecryptor!.exe.lnk
• 00000000.pky
• 00000000.eky
• 00000000.res
• C:\WINDOWS\system32\taskdl.exe
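To turn the file-name list into a check you can actually run on a suspect host, here is an added example, not code from the original post or the source. It tests the fixed paths, then walks the given folders for the listed names, the 15-digit .bat regex and the .WNCRY extension that WannaCry gives to encrypted files. The default folders to sweep are an assumption; the demonstration at the end creates two indicator names and one harmless file in a scratch folder so the script runs on a clean machine.

```powershell
# Added example, not from the original post: sweep a host for the file-name
# indicators above. Folders to sweep are an assumption (default: the Windows
# directory and the current user's profile).

$IocNames = @('@Please_Read_Me@.txt', '@WanaDecryptor@.exe', '@WanaDecryptor@.exe.lnk',
              'Please Read Me!.txt', '!WannaDecryptor!.exe.lnk',
              '00000000.pky', '00000000.eky', '00000000.res')
$IocPaths = @("$env:SystemRoot\tasksche.exe", "$env:SystemRoot\qeriuwjhrf",
              "$env:SystemRoot\system32\taskdl.exe")
$BatPattern = '^\d{15}\.bat$'    # the [0-9]{15}.bat entry as an anchored regex

function Find-WannaCryArtifacts {
    param([string[]]$Roots = @($env:SystemRoot, $env:USERPROFILE))
    # Fixed-location droppers first: a plain existence check is enough.
    foreach ($p in $IocPaths) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Match = 'known path'; Path = $p }
        }
    }
    # Then the names the ransomware writes next to the files it encrypts.
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($IocNames -contains $_.Name)    { $kind = 'known name' }
            elseif ($_.Name -match $BatPattern) { $kind = '15-digit .bat' }
            elseif ($_.Extension -eq '.WNCRY')  { $kind = 'encrypted file' }
            else { return }                       # not an indicator, next file
            [pscustomobject]@{ Match = $kind; Path = $_.FullName }
        }
}

# Constructed demonstration in a scratch folder: two indicator names and one
# harmless file, removed again afterwards.
$demo = Join-Path $env:TEMP ('wannacry-ioc-demo-' + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $demo
foreach ($name in '@Please_Read_Me@.txt', '131181494299235.bat', 'notes.txt') {
    $null = New-Item -ItemType File -Path (Join-Path $demo $name)
}
Find-WannaCryArtifacts -Roots $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real host drop the demonstration lines and call `Find-WannaCryArtifacts -Roots 'C:\'` from an elevated prompt; a hit on tasksche.exe or the 15-digit .bat means the machine ran the dropper and should be isolated from the network before anything else.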

Source: Kerala Police Cyberdome


About

Mehta Websolution is a web development company based in Jamnagar, Gujarat, India, providing a full range of web services including web design, web development, web promotion, search engine optimization, web hosting and domain registration, and all Internet services at an accessible cost since it was established in 2007. Contact us for web design, web development, web promotion, search engine optimization, web hosting and domain registration at an affordable cost. If you are looking for an IT solutions provider who can turn your ideas into exhaustive web applications, innovative software and creative designs, or for fastidious solutions and persistent service, you are at the right place. We provide software development and web solutions all across the globe. Our strategic location and proven experience enable us to provide you with the best services and outsourcing for your software development, web development, e-commerce, multimedia presentations and web-based applications at the corporate level.


Mehta Websolution Since 2007

Company is Government & Defence (Indian Navy, Army & Air Force) Approval I.T. Contractor, An ISO 9001:2008 Certified I.T. Company and Google Enterprise for Work Partner.