WannaCry 2.0: a clear confirmation that you definitely need the right solution for a reliable backup

. There have not yet been any reports of massive problems with home users, apparently due to the fact that most home users use versions of Windows 7 and Windows 10 with automatic installation of security updates and received a fix for this problem from Microsoft back in March.
Despite the fact that a large number of companies and private users have suffered as a result of the cyber attack, there is good news. In the new version of Acronis True Image 2017 New Generation, we introduced the technology of proactive detection and neutralization of ransomware - Active Protection. All users who enabled Acronis Active Protection on their computers were protected in this critical situation. By the way, for business, such an opportunity to deal with ransomware programs already exists, while in the preliminary version of Acronis Backup 12 Advanced Beta and in the near future it will be available to all users.
Since backups are also attacked by WannaCry, we previously provided for reliable protection of our own files using Active Protection technology, which prevents malicious software from ruining the backup agent or created copies of files, including cloud ones.
What You Need to Know About WannaCry
WannaCry was one of the first ransomware worms. This malicious software not only works as a ransomware, but also tries to infect as many systems on the network as possible by scanning the network where it ended up and infecting neighboring computers. This attack is very difficult to detect with traditional security systems, because it covertly exploits a recently discovered vulnerability in Microsoft operating systems. After entering the system, WannaCry encrypts all local drives and network folders. It is the functionality of a computer worm that makes this attack so dangerous for companies and private users, because it spreads through two sources - an infected email attachment and distribution like a computer worm.
As we predicted earlier, today there is a new generation of ransomware that attacks both local file backups and deletes created shadow copies of the Volume Shadow Copy Service built into Microsoft Windows.
WannaCry uses a strong encryption algorithm that cannot be easily and quickly decrypted.
At the moment, the attack occurs only on computers running Windows, but similar vulnerabilities and programs for their implementation are possible for other operating systems. We expect that the appearance of an attack of the same scale on other OS and devices is a matter of time.
Victims from various industries are no coincidence
Cybercriminals specifically selected victims for the attack from companies that could not afford downtime and, most likely, would prefer to pay a ransom quickly: telecommunications, logistics and energy companies, public transport, hospitals, schools and universities. Attackers were not afraid to attack even the units of the Ministry of Internal Affairs of Russia! Short list of companies that are victims of the ransomware worm attack:
- NHS NHS reschedules patient admissions as cannot diagnose patients. ( List of affected hospitals )
- Nissan factory in the UK
- Telecommunications company Telefonica in Spain
- Energy companies Iberdrola and Gas Natural (Spain)
- Logistic company FedEx (USA)
- University of Waterloo ( USA )
- Ministry of Internal Affairs and Megaphone in Russia
- VTB (one of the largest Russian banks)
- Russian Railways (Russian Railways)
- Portuguese Telecommunications Company Portugal Telecom
- Sberbank Russia (the largest bank in Russia)
- Indian airline Shaheen Airlines
- German railway Deutche Bahn ( @farbenstau )
- Schools and universities in China (source)
- Library of Oman ( @ 99arwan1 )
- Public Security Bureau of Jaanshui Province of China
- Renault carmaker in France
- Schools in France
- University of Milano Bicocca (Italy)
- Shopping Center in Singapore
- ATMs in China
- Telecommunications company of Saudi Arabia and several other countries STC telecom ( Source )
The list of victims, which is constantly updated, is here .

How is the WannaCry ransomware distributed?
The WannaCry ransomware worm infiltrates private and corporate networks via spam emails, which contain malicious attachments, which, in turn, contain a macro or a link to a malicious program that initiates the initial infection. And although there are currently no examples of such letters, all analysts, including Microsoft experts, agree that this is how the infection occurred in the first stage.
Further activity of WannaCry depends on two leaked cryptoelement elements: the DOUBLEPULSAR backdoor and the ETERNALBLUE exploit.
When ETERNALBLUE is used, DOUBLEPULSAR is introduced into the system and DOUBLEPULSAR uses the kernel mode driver SRV.SYS (SMB file server) vulnerability, which allows you to embed and execute dangerous DLL code in any process on a compromised system.
After installing the malicious program, it starts acting like a worm program, scanning the network and connecting via port 445 to other computers to detect working DOUBLEPULSAR backdoors, transfers infected files that start the process on a new computer, spreading the infection like a fire in a forest. If the attacked system does not contain a DOUBLEPULSAR backdoor, then the worm first installs it through the ETERNALBLUE exploit, and the process continues.
Features of the worm propagation mechanism
Before starting its activity, WannaCry checks the existence of a special “switch” domain and if it finds it, the program stops its work. The first version of the worm was stopped precisely by activating such a “switch” domain. If the “switch” does not exist, then the worm starts loading its modules, registers the service, scans random IP addresses on port 445, checks for the presence of the DOUBLEPULSAR backdoor and prepares the package for implementation.
The process of preparing the package for implementation is implemented as a function, which we call initNetworkInjectingExecutables in the pseudocode below. initNetworkInjectingExecutables reads the DLL loader from the worm, creates a package for implementation, adds the worm to it, and forwards it to the compromised system port. On this system, the bootloader gains control through the DOUBLEPULSAR backdoor and launches the worm. This process is repeated again on the infected machine, fanning the forest fire further.
HGLOBAL initNetworkInjectingExecutables()
{
//...
do
{
v2 = g_exeBody0;
if ( v1 )
v2 = g_exeBody1;
v3 = *(&g_exeBuffer0 + v1);
*(&exeBuffer + v1) = (int)v3;
qmemcpy(v3, v2, v1 != 0 ? 51364 : 16480);
*(&exeBuffer + v1) += v1 != 0 ? 51364 : 16480;
++v1;
}
while ( v1 < 2 );
v4 = CreateFileA(g_moduleFileName, 0x80000000, 1u, 0, 3u, 4u, 0);
v6 = GetFileSize(v4, 0);
v7 = (const void *)exeBuffer;
v9 = (void *)(exeBuffer + 4);
*(_DWORD *)exeBuffer = v6;
ReadFile(v4, v9, v6, &NumberOfBytesRead, 0);
CloseHandle(v4);
result = (HGLOBAL)1;
//
return result;
}New worm options.
Since the first attack, two new versions of the worm have already appeared.
The first one (SHA256: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf) uses a different name for the “breaker” domain, and the other version (SHA256: 07c44729e2c570bc5a5c5a5a5aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Interestingly, the “switch” domain was replaced in the form of a patch by zeroing the URL string, therefore, the attackers most likely did not have access to the source code, which suggests that other attackers are trying to reuse the malware to easily profit from its success. It is also possible that the extortion was simply ordered by the developer, and the distributor is not good at programming or does not have source codes, and is trying to solve the problem in a similar way, without contacting the malware developer once again.
The malicious part in this sample from tasksche.exe has been slightly modified:
Comparison of the MSSECSVC.EXE_3 and MSSECSVC.EXE_2 files
0032BBF3: AA 27
0032BBF4: 19 68
…
00359FFE: C2 4E
00359FFF: 03 47This led to the inoperability of the cryptor. Whether this was done by mistake or for some other purpose is not yet completely clear.
If you do not have a modern backup system, your files will be lost.
Malicious software on the infected system deletes all shadow copies of VSS in all available ways:
Vssadmin delete shadows /all /quiet
Wmic shadowcopy delete
Wbadmin delete catalog –quietThe recovery console on a compromised system is also disabled:
Bcdedit /set {default} bootstatuspolicy ignoreallfailures
Bcdedit /set {default} recoveryenabled noHow WannaCry Encrypts Files
The malicious part of the worm starts the tasksche.exe ransomware program on schedule , which it unpacks from the boot package. The ransomware scans all disks and network folders on the system, searches for files with extensions from the internal table and encrypts them with the RSA algorithm with a 2048-bit key. In a new folder called Tor / it creates tor.exe and related files. Two files are copied there: taskdl.exe and taskse.exe. The last program removes traces of the worm and then runs @ wanadecryptor @ .exe . This program displays a screensaver with a ransom demand and communicates via the Tor network .
The encryptor encrypts files of more than 160 different extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt,. xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .arc, .paq, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg,. djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf,. ibd, .myi, .myd, .frm, .odb, .dbf,.db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem .p12, .csr, .crt, .key, .pfx, .der
If the system is not protected, the user will see an unpleasant message:
One can only hope that the files can be decrypted after the payment of the ransom, or put up with the loss of data if there is no secure backup.
How to protect your systems from WannaCry and other ransomware attacks
First of all, all users who have updated their Windows computers since March of this year protected from this vulnerability.
- Turn on the automatic installation of Windows updates. If you have not updated the OS for a long time or are using an old version of the OS, check for the Microsoft patch program as soon as possible. Corrections are available even for discontinued versions of Windows XP and Windows Server 2003. All home and office computers that do not have the latest updates can be infected.
- Install a modern anti-malware system on computers. This can significantly reduce the risk of infection and potentially stop ransomware.
- We recommend using Acronis products for backup and data protection using Active Protection technology. Using heuristic algorithms and an instant recovery system from the backup of damaged files will protect user data. The screenshots show how Active Protection technology successfully prevented WannaCry from working. Acronis Active Protection works similarly in business solutions.
Acronis True Image 2017 New Generation installed on Acronis Active Image's user computer with the Acronis Active Protection feature activated detects the work of WannaCry and other ransomware.
- Make it a rule not to open any suspicious attachments or links from email. Do not click on suspicious links in a web browser, do not go to websites that you do not know. Always hover over a link to view a real link and don't fall for phishing.
- Pay attention only to emails that are sent to you and your address is in the “To” and “Copy” fields, otherwise do not open such an email and certainly do not open attachments and links from it!
- Make sure the sender’s email address is familiar to you, even if the name seems similar to you. Sometimes, attackers use spoofing mechanisms to spoof addresses.
- Back up your system and all important files regularly. As you know, WannaCry requires a ransom for data recovery of $ 300, which is much more expensive than a backup solution such as Acronis True Image 2017 New Generation or Acronis Backup, which can protect your data. The screenshot below shows how Active Protection technology automatically repairs damaged files.
All damaged files are restored almost instantly by Acronis Active Protection without paying a ransom to cybercriminals.
If you do not believe us, then here is a detailed video on the popular youtube channel:
→ You can download the trial version or buy the Acronis True Image 2017 New Generation license here .
→ This article can be read in English on our blog .