TTO - WannaCry (WannaCrypt or Wcry) is causing a massive earthquake in the last few days (75,000 cases in 99 countries).
Map showing countries with computers infected with WanaCry, up to 03:00pm on May 15
To understand what ransomware is, we first learn a little about Malware in general. Accordingly, there are two important stages in the life cycle of Malware: spreading and executing malicious behavior.
Spreading is the way malicious code enters a victim's computer, such as spreading email messages with attached file that contain malicious files, downloading malicious files; Wanna.Cry uses both exploits of Windows security holes and send malicious email attachments.
Executing malicious behavior is very diversed, such as file deletion, denial of service attacks, identity theft and victim extortion.
As defined by TrendMicro, ransomware is a type of malware that restricts computer users from accessing their systems. It can lock the computer screen, or lock the files on the user's computer until the ransom is received.
Information screen on Wanna.Cry ransomware
According to Symantec statistics, the amount of malware is discovered as well as the amount of extorted money hacker’s requests increased constantly. Since malware information has only been spreaded on the mass media in recent times, it is easy to mistakenly believe that this is a new type of malware.
However, as mentioned above, extortion malware is different from the other malware is the way of malicious method. This largely depends on the attacker's intent and less technical barriers.
Indeed, the first malware AIDS Trojan appeared very early in 1989. To decrypt data the victim must send $ 189 to a mailbox in Panama. Even in 1996, two researchers at Columbia University published technical details that could be used to encrypt and blackmail users.
The main idea is that malicious code generates a symmetric key at random, and then uses this key to encrypt the user's data.
Next, the malware attempts to encrypt the key with the asymmetric key with the information contained in the malware. Wanna.Cry use RSA-2048.
With the characteristics of the asymmetric encryption algorithm, only the corresponding secret key holder (here is the bad guy) can decrypt.
With current calculating power, attacking algorithms such as RSA using a large key length (eg 2048 bits) is completely impossible (taking many years).
To be deciphered, the victim must pay the ransom demanded by the bad guys. The danger here is that the bad guys can choose to pay by anonymous means (the payer does not know who he pays for and who is not).
Statistics on Malware - Source: Symantec
As explained above, if the bad guys properly use the encryption algorithms, the effort to decrypt the data is almost impossible.
However, we can apply the following recommendations to minimize the possibility of this ransomware infection:
- Updated the latest patches of the operating system Windows is using from the Microsoft website.
- Check the operating system firewall to ensure that it is in "on" mode.
- Update the latest data for virus browser.
- Back up important data to external storage.
- Be cautious in opening attachments
- Look carefully before clicking on the paths of unknown origin, strange structure or shortened paths.
- Spreading to the community how to use computers responsibly.
How to run the Command Prompt with Administrator privileges
Run the command: dism /online /norestart /disable-feature /featurename:SMB1Protocol
How to turn off SMB with dism
In addition, users should also check the existing shared folders on their computer. This helps limit the possibility of copying malicious files from other computers on the network to your computer.
Check out the shared folders on your computer
Dr. PHẠM VĂN HẬU (Director of CNSC Information Security Center - University of Information Technology - VNU)