Will Wana Decrypt0r Ransomware Attack Again?
It is almost impossible to ignore the infamous Wana Decrypt0r Ransomware even if you do not follow cyber security news, because this malicious infection has transcended security-related news sites. The infection was covered by all forms of media, including news channels, newspapers, and, of course, the Internet. That is because the infamous WannaCry is no ordinary threat. While malicious hijackers, Trojans, and ransomware infections emerge every day, not many of them are as aggressive as this one. In the first few days that it was active, Wana Decrypt0r managed to infect hundreds of thousands of operating systems, some of which belonged to the NHS, universities, national governments, big car manufacturers, etc. According to the latest data provided by @actual_ransom on Twitter, the developers of the malicious ransomware have already collected over 51 Bitcoins. The number does not seem big, but if you convert it into, for example, US Dollars, you can see that it is nearly 140,000 USD. Although the attacks of the malicious ransomware – which, by the way, was spread by a worm – were believed to be halted, there is new information suggesting that the infection could be revived.
A UK-based security researcher discovered and activated a kill-switch function mere days after the infection started spreading. Although the infection had already spread across the world by that point, this prevented further attacks. The kill-switch was activated when a domain name that was found in the ransomware code was registered. Because of this, whenever the infection reached a new system, it would stop before encrypting files if the connection to that domain succeeded. If the connection failed, the infection would go on to execute. Soon after the kill-switch was discovered, attacks targeted at the domain were recorded. It is believed that hackers could target the domain using DDoS (distributed denial of service) attacks, in which heavy traffic is used to bring the domain down and, at the same time, disable the kill-switch so that the ransomware could execute successfully. According to research, botnets similar to the infamous Mirai botnet were used to attack the domain, and armies of “zombies” (systems and devices that are compromised to perform malicious tasks) were used to flood the domain with heavy traffic. So, who is responsible for these attacks? Although it would seem that these attacks are performed by the developers of the WannaCry ransomware, it appears that unrelated parties might be involved. Their motive is not clear, considering that they are unlikely to profit from doing so.
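The inverted kill-switch logic described above has a direct defensive use: any host that looks up the kill-switch domain has already run the worm's dropper, and the answer it received tells you whether it quit or went on to encrypt. The following is an added example, not code from the original article; it assumes a constructed resolver log format (`timestamp client query qname rcode`) and uses a placeholder in place of the real domain.

```python
"""Scan constructed DNS resolver logs for hosts that looked up the WannaCry
kill-switch domain. A lookup means the dropper ran on that host; the answer it
received decides whether it exited (domain resolved) or, under the inverted
logic described in the article, carried on to encrypt (lookup failed)."""
import re

# Placeholder only: the real kill-switch domain is deliberately not reproduced.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Assumed log layout: "<timestamp> <client-ip> query <qname> <rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qname>[\w.-]+)\s+(?P<rcode>[A-Z]+)$"
)

def killswitch_outcome(lookup_succeeded: bool) -> str:
    """Model the ransomware's own decision: reachable domain -> it quits;
    unreachable (DNS failure, egress blocked, domain knocked offline) -> it runs."""
    return "aborted" if lookup_succeeded else "would-encrypt"

def scan_dns_log(lines):
    """Return {client_ip: outcome} for every host that queried the domain.
    Hosts absent from the result are not necessarily clean; they simply did
    not appear in this log (e.g. they resolved through another server)."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["qname"].lower() != KILL_SWITCH_DOMAIN:
            continue
        outcome = killswitch_outcome(m["rcode"] == "NOERROR")
        # A host that queried more than once keeps its worst outcome: one
        # failed lookup is enough for the payload to have run.
        if seen.get(m["client"]) != "would-encrypt":
            seen[m["client"]] = outcome
    return seen

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2017-05-12T10:01:03Z 10.0.0.5 query killswitch-placeholder.example NOERROR",
    "2017-05-12T10:01:09Z 10.0.0.7 query www.example.com NOERROR",
    "2017-05-12T10:02:41Z 10.0.0.9 query killswitch-placeholder.example SERVFAIL",
    "2017-05-12T10:03:00Z 10.0.0.11 query killswitch-placeholder.example NOERROR",
    "2017-05-12T10:03:30Z 10.0.0.11 query killswitch-placeholder.example NXDOMAIN",
]

if __name__ == "__main__":
    for host, outcome in sorted(scan_dns_log(SAMPLE_LOG).items()):
        print(f"{host}: queried kill-switch domain, {outcome}")
```

Either outcome is an incident: an "aborted" host still has the worm on it and should be isolated and patched, and a "would-encrypt" host needs immediate containment.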
Due to continuous DDoS attacks, the kill-switch domain got an upgrade, and since it can now deal with heavy traffic loads, it is far less likely to be brought down. That, however, does not mean that the infection is dead. The developers of the malicious ransomware already know how to successfully launch file-encrypting malware, and they can learn from their own mistakes to make the next version of the threat much more powerful and harder to stop. In the meantime, there is another issue that Windows users are facing: Wana Decrypt0r Ransomware lookalikes. Darkodercrypt0r Ransomware is one example, and the notification that this infection displays via its own window is identical to the notification you see in the “Wana Decryptor 2.0” window that the devious WannaCry ransomware displays. Obviously, the copycats are not as aggressive, and they are not spread by worms, but they can confuse more gullible and less experienced users who might already have heard about the malicious WannaCry infection. Similar graphics have also been used by Android ransomware known by the name “WannaLocker”, which is also capable of encrypting files and demanding a ransom.
It seems like ransomware is everywhere. It can be executed by silent worms or Trojans, or you can execute it yourself by interacting with malicious installers or opening corrupted spam email attachments. While some users can evade ransomware by being more cautious, that is not always enough. Employing reliable anti-malware software and installing all Windows updates as soon as they become available is also crucial. The malicious Wana Decryptor successfully infected thousands of systems worldwide because of a Windows security vulnerability that had been patched several months before the first attacks in May 2017. What that means is that users are still careless, and they do not learn from their own mistakes. This particular infection was mostly found on Windows 7 operating systems – possibly because this version is still the most popular – but all versions of the Windows OS can be vulnerable. Nonetheless, if you patch security vulnerabilities in time and employ reliable security software to help you guard your operating system, you have a much better chance of keeping your operating system malware-free.