Nearly 100 countries, including India, have been hit by a massive cyber-attack, which, according to experts, was carried out with the help of "cyber weapons" stolen from the US' National Security Agency. The cyber attack was first reported from Sweden, Britain and France, US media outlets reported. Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.
It has been reported that a new ransomware, "Wannacry", is spreading widely. Wannacry encrypts the files on infected Windows systems. This ransomware spreads by using a vulnerability in implementations of Server Message Block (SMB) in Windows systems. This exploit is named ETERNALBLUE.
The ransomware WannaCrypt or WannaCry encrypts the computer's hard disk drive and then spreads laterally among computers on the same LAN. The ransomware also spreads through malicious attachments to emails.
An increase in activity of the malware was noticed on Friday, security software company Avast reported, adding that it "quickly escalated into a massive spreading".
Within hours, over 75,000 attacks have been detected worldwide, the company said. Meanwhile, the MalwareTech tracker detected over 100,000 infected systems over the past 24 hours.
According to cyberswachhtakendra, the file extensions that malware 'Wannacry' is targeting contain certain clusters of formats like: Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
Less common and nation-specific office formats (.sxw, .odt, .hwp).
Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
Emails and email databases (.eml, .msg, .ost, .pst, .edb).
Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
Developers' sourcecode and project files (.php, .java, .cpp, .pas, .asm).
Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
Virtual machine files (.vmx, .vmdk, .vdi).
After infecting, this Wannacry ransomware displays following screen on infected system: Ransomware is writing itself into a random character folder in the 'ProgramData' folder with the file name of "tasksche.exe" or in Windows folder with the file-name "mssecsvc.exe" and "tasksche.exe".
Ransomware is granting full access to all files by using the command:
Icacls . /grant Everyone:F /T /C /Q
Using a batch script for operations:
176641494574290.bat
It also drops a file named !Please Read Me!.txt which contains the text explaining what has happened and how to pay the ransom.