The appearance of the .wcry file extension can make you cry. Why?

WannaCry attack marks the biggest ransomware attack in 2017

The massive WannaCry ransomware attack shook the cyber community on Friday, 12 May 2016. Over the weekend, more than 200,000 computer users in 150 countries lost access to their files and were asked to pay $300-$600 in Bitcoins to get them back.

The virus attacked home computer users, hospitals, universities, various companies and governmental organizations, such as FedEx, Telefónica, State Governments of India, etc.[1] Despite the high infiltration rate, the cyber criminals managed to receive only $80,000.[2]

The file-encrypting virus has been updated several times. It is known under the names WCrypt, WannaCryptor, Wanna Decryptor, and others. However, they all behave similarly. After the infiltration, the malware encrypts files using strong cryptography and appends either the .wcry, .wncryt or .wncry file extension.

After the attack, the ransomware also downloads a ransom note named either Please Read Me!.txt or @Please_Read_Me@.txt, in which the cyber criminals ask victims to transfer the demanded sum of money within seven days. Otherwise, the size of the ransom doubles.
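For triage, the extensions and ransom note names listed above can be used to measure how far the encryption spread on a disk or file share. The following sketch is an added example, not code from the original article; the function names `scan_tree` and `worst_hit` are hypothetical, and the only indicators it uses are the ones named in the text.

```python
import os
import sys

# Indicators as given in the article: appended extensions and ransom note names.
ENCRYPTED_EXTENSIONS = (".wcry", ".wncryt", ".wncry")
RANSOM_NOTE_NAMES = {"please read me!.txt", "@please_read_me@.txt"}


def scan_tree(root):
    """Walk root and collect files matching the article's indicators.

    Returns a dict with:
      encrypted  - {directory: [file names with a ransomware extension]}
      notes      - full paths of files named like the ransom note
      unreadable - directories that could not be listed (scan incomplete there)
    """
    report = {"encrypted": {}, "notes": [], "unreadable": []}

    def on_error(err):
        # Keep scanning, but record where the result is incomplete.
        report["unreadable"].append(err.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in sorted(files):
            lowered = name.lower()  # match regardless of letter case
            if lowered.endswith(ENCRYPTED_EXTENSIONS):
                report["encrypted"].setdefault(dirpath, []).append(name)
            elif lowered in RANSOM_NOTE_NAMES:
                report["notes"].append(os.path.join(dirpath, name))
    report["notes"].sort()
    return report


def worst_hit(report, top=5):
    """Directories ranked by number of encrypted files, highest first."""
    counts = [(len(names), d) for d, names in report["encrypted"].items()]
    ranked = sorted(counts, key=lambda c: (-c[0], c[1]))
    return [(d, n) for n, d in ranked][:top]


if __name__ == "__main__":
    result = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, count in worst_hit(result):
        print(f"{count:6d} encrypted file(s) in {directory}")
    for note in result["notes"]:
        print(f"ransom note: {note}")
    for directory in result["unreadable"]:
        print(f"could not read: {directory}")
```

Run it against a mounted copy or a read-only share rather than on the live infected system, so the scan itself changes nothing on the affected disk.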

Sophisticated infiltration method made ransomware successful

The success of the ransomware is based on its distribution and infiltration. The authors of the ransomware use the EternalBlue exploit kit, which was stolen from the US National Security Agency and posted online in April 2017.

This exploit uses the Windows vulnerability CVE-2017-0145 in the SMB protocol.[3] Thus, all outdated Windows operating systems are in danger. Only Windows 10 users might feel safe: WannaCry does not attack the latest version of Windows OS.

The massive distribution campaign was slowed down by a 22-year-old malware researcher who managed to find a kill switch.[4] While the online community felt relieved that the dangerous cyber threat had been stopped, the cyber criminals were looking for new ways to continue the cyber attack.

Thus, they released the WannaCry 2.0 virus, which continues encrypting files and causing problems for computer users all over the world. Currently, the cyber criminals are expected to launch a DDoS attack.[5]

Data recovery might be possible without paying the ransom

Undoubtedly, data backups are extremely useful after a WannaCry attack. Unfortunately, computer users rarely back up their files, so a ransomware attack becomes a disaster. The virus is designed to delete Shadow Volume Copies, which are crucial for data recovery.

However, malware researchers are working on a safe decryptor that would help victims of the ransomware restore their files without paying the ransom to the cyber criminals. Currently, there are two tools that might help to restore encrypted files: Wannakey and Wanakiwi.

However, if you do not have backups and these tools fail to retrieve your files, please do not act out of desperation and do not pay the cyber criminals to decrypt your files. There are no guarantees that they will keep their promise after they receive your money.

Ugnius Kiguolis