Ransomware attack called WannaCry

  Posted in Cyber Security on

  by Suman Tiwari

Ransomware attack called WannaCry

Quick walk-through of Ransomware attack called WannaCry


Ransomware is a malicious software/malware that encrypts the files/folders and locks device (computers, Laptops, smartphones and then demands a ransom money to unlock it. Ransomware named ‘Wannacry’ has affectted numerous computers worldwide and had created the biggest ransomware attack the world has ever seen till date.


Note that Linux machines are not affected by WannaCry. WannaCry ransomware attack is applicable only to Windows based machines.
WannaCry is also known as WannaCrypt, WannaCry, WCrypt, WanaCrypt0r and WCRY.


This ransomware exploits Window’s network file sharing protocol called SMB(Server Message Block). Its also described as “EternalBlue” attack which injects the malware. All versions of windows before Windows 10 are vulneable to this attack if not patched for MS-17-010 (EternalBlue MS17-010).


After a system is affected, it encrypts the files and a pop up message appears with a countdown and instructions on how to pay the 300$ in bitcoins to decrypt and get back the original files. If the ransom amount is not paid within 3 days, the amount doubles to 600$ and it threatens the user to wipe off all the data. Meanwhile, It also installs DOUBLEPULSAR backdoor in the machine.

This is what Kerala Police Cyberdome, India recommends to prevent infection:


  1. Microsoft has released a Windows security patch MS17-010 for Winodws machines. This needs to be applied immediately and urgently.Remove Windows NT4, Windows 2000 and Windows XP-2003 from production environments.
  2. Block ports 139, 445 and 3389 in firewall.
  3. Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.
  4. SMB is enabled by default on Windows. Disable smb service on the machine by going to Settings > uncheck the settings > OK
  5. Make sure your software is up-to-date.
  6. Have a pop-up blocker running on your web browser.
  7. Regularly backup your files.
  8. Install a good antivirus and a good anti-ransomware product for better security

Below is a consolidated list that we need to block on your firewall/antivirus




• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

• Rphjmrpwmfv6v2e[dot]onion

• Gx7ekbenv2riucmf[dot]onion

• 57g7spgrzlojinas[dot]onion

• xxlvbrloxvriy2c5[dot]onion

• 76jdd2ir2embyv47[dot]onion

• cwwnhwhlz52maqm7[dot]onion



File Names:

• @Please_Read_Me@.txt

• @WanaDecryptor@.exe

• @WanaDecryptor@.exe.lnk

• Please Read Me!.txt (Older variant)

• C:\WINDOWS\tasksche.exe

• C:\WINDOWS\qeriuwjhrf

• 131181494299235.bat

• 176641494574290.bat

• 217201494590800.bat

• [0-9]{15}.bat #regex

• !WannaDecryptor!.exe.lnk

• 00000000.pky

• 00000000.eky

• 00000000.res

• C:\WINDOWS\system32\taskdl.exe



Leave a Reply

Your email address will not be published. Required fields are marked *