Howdy! You must login or signup first!

Wanadecrypt0r

Submission   38,102

Part of a series on Ransomware. [View Related Entries]


Overview

The Wannacry Ransomware Attack was a global Microsoft Windows cyber-attack infecting upwards of 230,000 computers, which demanded victims pay ransoms in bitcoin to have access to their machines.

Background

In mid-April 2017, the hacker group Shadow Brokers released a collection of NSA hacking tools online, including a tool named EternalBlue exploiting a weakness in Microsoft Windows' Server Message Block protocol. On April 21st, Ars Technica[1] reported that upwards of 107,000 computers were infected with the DoublePulsar[2] backdoor exploit tool. On May 12th, computers around the world were infected with the WannaCry ransomware program, which may have been executed through a spear phishing attack according to some researchers. When executed, the program initially checks a domain name as a "kill switch" before encrypting the user's data and demanding a ransom of approximately $300 USD in bitcoin within 72 hours or $600 within one week.

Wana DecryptOr 2.0 Ooops, your files have been encrypted! English What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recoveryour files, but do not waste your time. Nobody can recover your files without our decryption service. Payment will be raised on Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some ofyour files for free. Try now by clicking <Decrypt>. But ifyou want to decrypt all your files, you need to pay You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever We will have free events for users who are so poor that they couldn't pay in 6 months. 5/16/2017 00:47:55 Time Left Your files will be lost on 5/20/2017 00:47:55 Time Left 15:23:57: 37 How Do I Pay? Payment is accepted in Bitcoin only. For more information, click <About bitcoin> Please check the current price of Bitcoin and buy some bitcoins. For more information, click<How to buy bitcoins>. And send the correct amount to the address specified in this window After your payment, click <Check Payments. Best time to check: 9:00am 11:00am Send $300 worth of bitcoin to this address: R bitcoin TED HERE 12t9YDPgwueZ9NyMgw519p7AA8isjr6 SMw Copy Contact Us Check Payment Decrypt

Developments

According to the European Union Agency for Law Enforcement Cooperation (Europol), WannaCry was unprecedented in scale compared other cyber attacks in history. In England and Scotland, the attack infected computers and medical devices at National Health Service hospitals, leading NHS to turn away all non-critical emergencies. According to the Russian multinational cybersecurity company Kaspersky Lab,[6] the largest number of the attacks occurred in Russia, Ukraine, India and Taiwan.

BETA ZOOM MODE

Online Reaction

On May 12th, Twitter published a Moments page titled "Cyber attack cripples UK hospitals, spreads to other countries."[7] In the coming days, several posts about the ransomware reached the front page of various subreddits, including /r/worldnews,[8] /r/YouShouldKnow[9] and /r/pcmasterrace.[10] Meanwhile, posts on 4chan referred to the attacks as "The Hackening."[11][12]

Kill Switch Discovery

According to an interview with The Guardian, Twitter user @MalwareTech[3] claimed to have discovered that the WannaCry malware was attempting to connect to a specific domain after hearing news reports about the cyber attack. He then registered the domain for $10.69, which immediately engaged the program's "kill switch," halting its spread.

Malware Tech @Malware TechBlog May 12 Replying to @Malware TechBlog So l can only add'accidentally stopped an international cyber attack" to my Résumé. A わ178 2.3K 5.7K Malware Tech @MalwareTechBlog May 12 I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental. わ336 £73.5K 7.7K

On May 13th, MalwareTech published a blog post titled "How to Accidentally Stop a Global Cyber Attacks," explaining how engaging the kill switch was initially accidental.[4] Additionally, a video showing the spread of the program was uploaded to the MalwareTech YouTube channel (shown below).

On May 13th, The Hacker News[5] reported that variations of the ransomware had been discovered with different kill switch domains and some that did not contain a kill switch at all.

Park Jin-hyok

On September 6th, 2018, The United States Department of the Treasury announced that they had charged North Korean man Park Jin-hyok (shown below), an alleged North Korean operative, with involvement in the 2014 Sony Pictures Hack and the WannaCry ransomware attack.[13] In a statement, First Assistant United States Attorney Tracy Wilkison said:[14]

“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe. The scope of this scheme was exposed through the diligent efforts of FBI agents and federal prosecutors who were able to unmask these sophisticated crimes through sophisticated means. They traced the attacks back to the source and mapped their commonalities, including similarities among the various programs used to infect networks across the globe.”

According to FastCompany,[14] Park worked with the hacking group "sometimes referred to as the Lazerous Group," who would allegedly wage ""phising":/memes/phishing campaigns against victims by "impersonating potential job applicants, and posted links to malware on Facebook and Twitter."

Search Interest

External References



Share Pin

Related Entries 3 total

Cover3
2021 U.S. East Coast Gas Shor...
Maxresdefault
2017 Peyta Ransomware Attack
Cryptolocker_program
CryptoLocker Ransomware Attack

Recent Images 6 total


Recent Videos 1 total




Load 57 Comments
WannaCry Ransomware Attack

WannaCry Ransomware Attack

Part of a series on Ransomware. [View Related Entries]

Updated Sep 07, 2018 at 11:33AM EDT by Matt.

Added May 15, 2017 at 12:22PM EDT by Don.

PROTIP: Press 'i' to view the image gallery, 'v' to view the video gallery, or 'r' to view a random entry.

This submission is currently being researched & evaluated!

You can help confirm this entry by contributing facts, media, and other evidence of notability and mutation.

Overview

The Wannacry Ransomware Attack was a global Microsoft Windows cyber-attack infecting upwards of 230,000 computers, which demanded victims pay ransoms in bitcoin to have access to their machines.

Background

In mid-April 2017, the hacker group Shadow Brokers released a collection of NSA hacking tools online, including a tool named EternalBlue exploiting a weakness in Microsoft Windows' Server Message Block protocol. On April 21st, Ars Technica[1] reported that upwards of 107,000 computers were infected with the DoublePulsar[2] backdoor exploit tool. On May 12th, computers around the world were infected with the WannaCry ransomware program, which may have been executed through a spear phishing attack according to some researchers. When executed, the program initially checks a domain name as a "kill switch" before encrypting the user's data and demanding a ransom of approximately $300 USD in bitcoin within 72 hours or $600 within one week.


Wana DecryptOr 2.0 Ooops, your files have been encrypted! English What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recoveryour files, but do not waste your time. Nobody can recover your files without our decryption service. Payment will be raised on Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some ofyour files for free. Try now by clicking <Decrypt>. But ifyou want to decrypt all your files, you need to pay You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever We will have free events for users who are so poor that they couldn't pay in 6 months. 5/16/2017 00:47:55 Time Left Your files will be lost on 5/20/2017 00:47:55 Time Left 15:23:57: 37 How Do I Pay? Payment is accepted in Bitcoin only. For more information, click <About bitcoin> Please check the current price of Bitcoin and buy some bitcoins. For more information, click<How to buy bitcoins>. And send the correct amount to the address specified in this window After your payment, click <Check Payments. Best time to check: 9:00am 11:00am Send $300 worth of bitcoin to this address: R bitcoin TED HERE 12t9YDPgwueZ9NyMgw519p7AA8isjr6 SMw Copy Contact Us Check Payment Decrypt

Developments

According to the European Union Agency for Law Enforcement Cooperation (Europol), WannaCry was unprecedented in scale compared other cyber attacks in history. In England and Scotland, the attack infected computers and medical devices at National Health Service hospitals, leading NHS to turn away all non-critical emergencies. According to the Russian multinational cybersecurity company Kaspersky Lab,[6] the largest number of the attacks occurred in Russia, Ukraine, India and Taiwan.


BETA ZOOM MODE

Online Reaction

On May 12th, Twitter published a Moments page titled "Cyber attack cripples UK hospitals, spreads to other countries."[7] In the coming days, several posts about the ransomware reached the front page of various subreddits, including /r/worldnews,[8] /r/YouShouldKnow[9] and /r/pcmasterrace.[10] Meanwhile, posts on 4chan referred to the attacks as "The Hackening."[11][12]

Kill Switch Discovery

According to an interview with The Guardian, Twitter user @MalwareTech[3] claimed to have discovered that the WannaCry malware was attempting to connect to a specific domain after hearing news reports about the cyber attack. He then registered the domain for $10.69, which immediately engaged the program's "kill switch," halting its spread.


Malware Tech @Malware TechBlog May 12 Replying to @Malware TechBlog So l can only add'accidentally stopped an international cyber attack" to my Résumé. A わ178 2.3K 5.7K Malware Tech @MalwareTechBlog May 12 I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental. わ336 £73.5K 7.7K

On May 13th, MalwareTech published a blog post titled "How to Accidentally Stop a Global Cyber Attacks," explaining how engaging the kill switch was initially accidental.[4] Additionally, a video showing the spread of the program was uploaded to the MalwareTech YouTube channel (shown below).



On May 13th, The Hacker News[5] reported that variations of the ransomware had been discovered with different kill switch domains and some that did not contain a kill switch at all.

Park Jin-hyok

On September 6th, 2018, The United States Department of the Treasury announced that they had charged North Korean man Park Jin-hyok (shown below), an alleged North Korean operative, with involvement in the 2014 Sony Pictures Hack and the WannaCry ransomware attack.[13] In a statement, First Assistant United States Attorney Tracy Wilkison said:[14]

“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe. The scope of this scheme was exposed through the diligent efforts of FBI agents and federal prosecutors who were able to unmask these sophisticated crimes through sophisticated means. They traced the attacks back to the source and mapped their commonalities, including similarities among the various programs used to infect networks across the globe.”



According to FastCompany,[14] Park worked with the hacking group "sometimes referred to as the Lazerous Group," who would allegedly wage ""phising":/memes/phishing campaigns against victims by "impersonating potential job applicants, and posted links to malware on Facebook and Twitter."

Search Interest

External References

Recent Videos 1 total

Recent Images 6 total


Top Comments


+ Add a Comment

Comments (57)


Display Comments

Add a Comment