
The Fact of Ransomware

This article gives a brief explanation of ransomware-type malware, common prevention suggestions, and some possible effective solutions.

Ransomware is a special type of malware. The majority of ransomware relies on some kind of social engineering, such as luring the user of the system into performing some action. It could be anything from visiting a web page to executing a program that arrives as a deceptive attachment in an email. The strategy is to convince the target that paying the demanded fee is the solution.

Crypto ransomware is the variety of ransomware that, after infection, encrypts as many files as possible with a strong encryption algorithm.

The AIDS Trojan is the first documented ransomware sample, appearing in 1989. It was created by the biologist Joseph Popp, who handed out 20,000 infected floppy disks to attendees of the World Health Organization’s AIDS conference.

The screen you meet after inserting the infected disk:


There are many families of ransomware, such as Reveton, CryptoLocker, CryptoLocker.F, TorrentLocker, CryptoWall, CryptoTear, Fusob and WannaCry. Ransomware of this kind has attacked many hospitals, companies, universities and government organizations across at least 150 universities, with more than 200,000 victims. It locked all the computers and demanded a ransom.

WannaCry (Ransom:Win32/WannaCrypt) showed up in May 2017. Hundreds of thousands of computers worldwide were hit, across more than 150 countries.


The “EternalBlue” exploit is the reason WannaCry spread so rapidly. It allows remote code execution over Server Message Block (SMB) on Windows machines by sending crafted messages. The malware scans heavily over TCP port 445 (SMB), spreading like a worm, compromising hosts, encrypting the files stored on them and then demanding a ransom payment in Bitcoin.

The flow of the WannaCry ransomware:

  1. After infection, WanaDecrypt0r (the installer) extracts an embedded file into its folder.
  2. WanaCrypt0r then downloads a TOR client.
  3. The TOR client is used to communicate with the Command and Control server.
  4. WanaCrypt0r executes the command “icacls . /grant Everyone:F /T /C /Q” to give Everyone full access to every file located in the folder.
  5. It terminates database servers and email servers so that it can encrypt as many files as possible.
  6. Encrypting a file adds the string WANACRY! to the beginning of the encrypted file.
  7. It appends the .WNCRY extension to the encrypted file.
  8. Then WanaCrypt0r issues commands that clear the Shadow Volume Copies, disable Windows startup recovery and clear the Windows Server Backup history:

     “C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet”

  9. In the final step, the installer executes the “@WanaDecryptor@.exe” program so that the Wana Decryptor 2.0 lock screen is displayed.


Common and effective recommendations for Prevention:

1-    Update, update, update. In particular, apply all Microsoft patches for the MS17-010 SMB vulnerability.

2-    Install anti-virus and anti-malware solutions and set them to run regular scans automatically.

3-    Use least-privileged user accounts.

4-    Disable macro scripts in Microsoft Office files received by email.

5-    Test your backups to make sure they work when you need them.


Concept Preventions for Ransomware:

The first concept prevention technique is basically renaming “vssadmin.exe”. This affects step 8 of the program flow above and prevents the malware from executing the command it needs to delete the recovery files. Even if all files are encrypted, they can still be recovered.
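The recovery-destruction chain in step 8 of the flow (and the permission change in step 4) is also something a defender can alert on from process-creation logs before the lock screen ever appears. The following Python script is an added example, not code from the original post; its log format and sample lines are constructed, loosely modelled on Sysmon Event ID 1 fields, and the technique labels are my own.

```python
import re

# Constructed sample process-creation log lines, loosely modelled on Sysmon
# Event ID 1 fields. They are made up for this example, not captured data.
SAMPLE_LOGS = [
    "Image: C:\\Windows\\SysWOW64\\cmd.exe CommandLine: cmd.exe /c vssadmin delete shadows /all /quiet "
    "& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures "
    "& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin list shadows",
    "Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c icacls . /grant Everyone:F /T /C /Q",
    "Image: C:\\Windows\\System32\\notepad.exe CommandLine: notepad.exe C:\\Users\\alice\\notes.txt",
]

# Technique label (assumed names) and the pattern matched against the lower-cased,
# whitespace-normalized command line. The first five are the recovery-destruction
# chain from step 8; the last one is the permission change from step 4.
RECOVERY_TAMPERING = [
    ("vss-delete", r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    ("wmic-shadowcopy-delete", r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("bcdedit-recovery-off", r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("bcdedit-ignore-failures", r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("wbadmin-catalog-delete", r"wbadmin(?:\.exe)?\s+delete\s+catalog"),
    ("icacls-everyone-full", r"icacls\s+\S+\s+/grant\s+everyone:f\b"),
]

def normalize(cmdline):
    """Collapse whitespace and lower-case so spacing or casing tricks do not hide a match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()

def analyze_line(line):
    """Return the technique labels found in one log line (empty list if none)."""
    match = re.search(r"CommandLine:\s*(.*)$", line)
    if not match:
        return []
    cmd = normalize(match.group(1))
    return [label for label, pattern in RECOVERY_TAMPERING if re.search(pattern, cmd)]

def detect(lines):
    """Return (index, labels, severity) per matching line; 2+ techniques is the chained form, rated high."""
    findings = []
    for index, line in enumerate(lines):
        labels = analyze_line(line)
        if labels:
            severity = "high" if len(labels) >= 2 else "medium"
            findings.append((index, labels, severity))
    return findings

if __name__ == "__main__":
    for index, labels, severity in detect(SAMPLE_LOGS):
        print(f"line {index}: {severity} - {', '.join(labels)}")
```

Each command in the chain is labelled separately because the chain also runs “wmic shadowcopy delete”; renaming vssadmin.exe alone does not stop that second path, so the detection should not depend on vssadmin.exe either.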

The second one is more complicated than the first. The basic idea is to change the extension of every file that is imperilled by crypto ransomware: a predefined string is added to the file extension after the file is created, and when the file is requested for use, the script restores the original extension. (Maybe I’ll implement that idea with some analysis in future posts.)
