Tuesday, 16 May 2017

WANNACRY? What it is and how to deal with it

On 12th May 2017 a global cyber attack happened: WANNA CRY.
Basically WannaCry is ransomware that encrypts the data of the infected system and demands payment in order to decrypt it.
Currently it has hit England's NHS and over 90 other countries, including India.

Below are the points which I came to know about from this incident.

HOW does it spread through a system?

Mainly it contains two components:
1. a worm, which propagates through the network
2. the ransomware package
It can spread internally inside a LAN with the help of Server Message Block (SMB). The SMB exploit it uses is ETERNAL BLUE.

[Image: the display screen shown after the ransomware hits your system]

If your antivirus somehow tries to block it, another wallpaper is displayed telling you that your files have been encrypted; this message is meant to scare the user.

It also drops a text file, !pleasereadme.txt!, which gives the victim instructions for regaining access to their own files, so PLEASE DON'T RUN this file if you are in any doubt about whether your system is infected.

It will encrypt almost all files with extensions such as .mp4, .mkv, .docx, .backup, etc., and append the .WNCRY extension to them.
The Indian government issued a webcast in order to warn users about this threat: link
The ransomware hides itself in \ProgramData under the name tasksche.exe, or inside C:\Windows under the names mssecsvc.exe and tasksche.exe. It grants itself full access to all files with the command

icacls . /grant Everyone:F /T /C /Q

and drops a batch script.

Preventive measures:

  • Understand that once your system is encrypted it is very hard to decrypt; that's why you have to take preventive measures.
  • Microsoft has provided security patches for the different Windows versions here: Microsoft Security Bulletin MS17-010
  • Visit CYBER SWACHHTA KENDRA
  • Back up your data offline.
  • If you're unable to install these patches, it is advisable to disconnect the system from the network, install them offline, and only then reconnect to the network.
  • Segment your network by restricting TCP port 445 and disabling SMB protocols on the LAN.
  • Deploy a good antivirus and disable macros in Microsoft Office products.
  • Free tools are provided on the Indian government site: here

What to do if your system is affected:

  • Immediately disconnect from the network.
  • Never pay the ransom, as this will only encourage the criminals.
  • DO NOT delete the encrypted data; just store it somewhere else, because decryption tools may become available in future.
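A defender-side PowerShell script that puts the points above into practice on one Windows host, as an added example that is not from the original post: it looks for the file names and the .WNCRY extension described above, checks whether the MS17-010 update is installed, and, if not, turns off SMBv1 and blocks inbound TCP 445 until the patch is on. It assumes Windows 8.1 / Server 2012 R2 or later (for the Smb* and NetFirewall cmdlets) and an elevated session; the two KB IDs are the Windows 8.1 / Server 2012 R2 entries from the MS17-010 bulletin and must be swapped for the IDs of your own OS.

```powershell
# Added example, not part of the original post: check one Windows host for the
# WannaCry artifacts described above and harden SMB exposure while unpatched.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.

# File locations and names the post describes (constructed list, not exhaustive)
$KnownDropPaths = @(
    "$env:ProgramData\tasksche.exe",
    "$env:SystemRoot\tasksche.exe",
    "$env:SystemRoot\mssecsvc.exe"
)

function Find-WannaCryArtifacts {
    param([string[]]$Roots = @("$env:SystemDrive\"))
    $hits = @(foreach ($p in $KnownDropPaths) { if (Test-Path -LiteralPath $p) { $p } })
    # Encrypted output (.WNCRY) and the ransom note; the note name is matched with a
    # wildcard because the post only gives it approximately
    foreach ($root in $Roots) {
        $hits += @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue `
            -Include '*.WNCRY', '*please*read*me*.txt' |
            Select-Object -ExpandProperty FullName)
    }
    return $hits
}

function Test-Ms17010Installed {
    # KB IDs differ per Windows version; these two are the Windows 8.1 / Server 2012 R2
    # updates listed in MS17-010. Substitute the IDs for your OS from the bulletin.
    param([string[]]$KbIds = @('KB4012213', 'KB4012216'))
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return [bool]($KbIds | Where-Object { $installed -contains $_ })
}

function Invoke-SmbHardening {
    # Turn off the SMBv1 protocol that the worm component exploits
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Block inbound TCP 445 until the host is patched (rule is named so it can be removed later)
    New-NetFirewallRule -DisplayName 'WannaCry mitigation: block inbound TCP 445' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

$artifacts = Find-WannaCryArtifacts
if ($artifacts.Count -gt 0) {
    Write-Warning 'Possible WannaCry artifacts found; isolate this host from the network now:'
    $artifacts | ForEach-Object { Write-Warning "  $_" }
}
if (-not (Test-Ms17010Installed)) {
    Write-Warning 'MS17-010 not detected; applying SMB hardening until the patch is installed.'
    Invoke-SmbHardening
}
```

The firewall rule is a stop-gap for the "disconnect, patch offline, reconnect" advice above; remove it once the MS17-010 update is confirmed installed.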
I personally recommend you read the story of how the hero without a cape saved the globe here (MalwareTech).
There is also a full cover story by VICE on this issue on YouTube.