Trend Micro explains the features of and countermeasures for "WannaCry", the ransomware that holds PCs to ransom
On May 15th, Trend Micro held a seminar for the press on the ransomware "WannaCry", which has become a threat in Japan as well. Katsuyuki Okamoto, the company's security evangelist, summarized the findings of the company's research.
Damage concentrated in Europe; Trend Micro confirms 9 infection reports
Mr. Katsuyuki Okamoto, Security Evangelist, Trend Micro Corporation
The session opened with the state of the damage caused by WannaCry (also known as WannaCrypt, WannaCryptor, Wcry, etc.). WannaCry has hit the United Kingdom hardest and has spread across Europe, Russia, the United States and elsewhere. In Japan, terminals at Hitachi and JR East have been affected.
Ransomware is a portmanteau of "ransom" and "software". Also called a ransom-demanding malicious program, it breaks in by some route, encrypts the data or locks the PC itself so that it cannot be used, and demands a ransom in exchange for decrypting or unlocking it.
Trend Micro's Smart Protection Network has detected WannaCry in the UK, Taiwan, Chile, Japan, the US and India.
Ransomware itself has been causing damage since 2015
The defining feature of WannaCry is that it breaks in and spreads over the network like a worm. Trend Micro first detected WannaCry in February of this year; in April it spread by abusing the cloud storage service "Dropbox". This time, infections have been reported that exploit a vulnerability in the legacy SMBv1 file-sharing protocol, using a tool leaked from the US National Security Agency.
On Windows Vista and later, this vulnerability is closed by applying the patch MS17-010, distributed on March 15. From May 15th, equivalent patches were also distributed for Windows XP SP3 and Windows Server 2003.
Mr. Okamoto also drew attention to the languages WannaCry supports and the amount it demands. A victim is told to pay $300 in Bitcoin in return for recovering the data. The ransom screen supports 28 languages, including Japanese. In the April case that abused Dropbox the demand was $400, so the price has been lowered, which suggests the attackers are aiming at more people, regions and groups.
Features of WannaCry. From May 12th to 16:00 on May 15th, the company received 175 inquiries about WannaCry from corporations and individuals, and 9 of them were actual reported infections.
Demo: the WannaCry "trial" decryption also works in the test environment
At the venue, the actual behavior of WannaCry was demonstrated in a test environment, following the phases from infection to the ransom demand.
Immediately after infection, WannaCry registers itself as a service named "Microsoft Security Center (2.0)" so as to pass for a legitimate Microsoft component, downloads the encryption component from a malicious server, and executes it. Once encryption is complete, the wallpaper is replaced with a black-background warning, and a ransom window titled "Wana Decrypt0r 2.0" appears.
The left side of the Wana Decrypt0r 2.0 window shows two countdowns, "until the ransom doubles" and "until the files are deleted". The right side shows the message in the selected language and the Bitcoin address to pay to.
At the bottom of the screen are "Check Payment" and "Decrypt" buttons, and pressing Decrypt restores a few files as a so-called "trial". The point is to convince the victim that "the data can be restored if you pay the ransom" and push them into paying.
According to Mr. Okamoto, "there is no code that sends data outside in the WannaCry samples currently circulating", so for now the encrypted data does not appear to be sent to the criminals.
The operation flow of the WannaCry currently circulating
Demonstration in a test environment. The WannaCry encryption component is launched on the desktop.
Sample photos and other files become unreadable one after another. The executable "@WanaDecryptor@.exe" displays the ransom note and starts automatically once encryption is complete.
The ransom-note application is displayed. The criminals' Bitcoin address is shown in the blurred area.
Even if the message window is closed, it reappears after a certain time. The wallpaper is not multilingual, but it tells the user to read the message.
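The behavior shown in the demo gives a short list of host-level indicators: the borrowed service name, the "@WanaDecryptor@.exe" executable and the "Wana Decrypt0r 2.0" window. The triage script below is an added example by the editor, not part of the seminar or of Trend Micro's tooling; it assumes those names exactly as the article reports them. A hit is a reason to isolate and image the host, not proof by itself, and absence proves nothing for variants that rename their components.

```powershell
# Added example (editor's code, not from the seminar). Read-only triage of a
# Windows host for the WannaCry artefacts shown in the demo. Run elevated so
# the file-system walk and process paths are complete.
function Find-WannaCryArtefacts {
    param(
        # Roots to search for the ransom-note executable; system drive by default
        [string[]]$Roots = @("$env:SystemDrive\")
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Service registered under the name the malware borrows (as reported in the article)
    Get-Service | Where-Object { $_.DisplayName -like 'Microsoft Security Center (2.0)*' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'Service'; Name = $_.Name; Detail = $_.DisplayName; Extra = $_.Status
            })
        }

    # 2. The ransom-note process: by image name or by its window title
    Get-Process | Where-Object {
        $_.ProcessName -like '*WanaDecryptor*' -or $_.MainWindowTitle -like 'Wana Decrypt0r*'
    } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = 'Process'; Name = $_.ProcessName; Detail = $_.Path; Extra = "PID $($_.Id)"
        })
    }

    # 3. The executable on disk, wherever it was dropped
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -File -Filter '@WanaDecryptor@.exe' `
            -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'File'; Name = $_.Name; Detail = $_.FullName; Extra = $_.LastWriteTime
            })
        }
    }

    return $findings
}

$result = Find-WannaCryArtefacts
if ($result.Count -eq 0) {
    'No WannaCry artefacts found on this host'
} else {
    $result | Format-Table -AutoSize
}
```

Pipe the output of `Find-WannaCryArtefacts` to `Export-Csv` when sweeping many hosts through remoting, so the first responder has the service name, file path and timestamp in one record per host.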
The effective countermeasures are to keep systems up to date and to prepare for infection
Finally, Mr. Okamoto explained the countermeasures. As noted above, the vulnerability exploited this time has already been patched for Windows versions within their support period and, as an exception, for Windows XP SP3. At the same time, on the assumption that future attacks will enter by other routes, he lists:
"Keep the OS within its support period and up to date"
"Review the settings of PCs and networks exposed to the Internet"
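The two measures above, turned into an audit and remediation script, as an added example by the editor (not code from Trend Micro or the seminar). Save it as a .ps1 and run it in an elevated PowerShell on Windows 8 / Server 2012 or later, where the SMB and firewall cmdlets exist; the Windows 7 registry step is included for completeness. The KB numbers are the MS17-010 update IDs from the editor's own notes, not from the article, and must be verified against the bulletin for the builds in your environment.

```powershell
# Added example (editor's code, not from Trend Micro). Audits a host for the
# two countermeasures in the article and, with -Remediate, applies them.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# 1. Patch check. KB IDs are the MS17-010 update IDs as the editor recalls them
#    (assumption: verify against the bulletin). On Windows 10 later cumulative
#    updates supersede these IDs, so "none found" there means "check Windows
#    Update history", not "unpatched".
$ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($found) {
    "MS17-010 update present: $($found.HotFixID -join ', ')"
} else {
    'No MS17-010 KB in the hotfix list; confirm via Windows Update history'
}

# 2. SMBv1 server state (the protocol the worm component abuses)
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMBv1 server enabled: $smb1Enabled"

# 3. Enabled inbound allow rules for TCP/445: what "exposed" means in practice
$open445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')
    }
if ($open445) {
    "Inbound TCP/445 allowed by: $($open445.DisplayName -join '; ')"
} else {
    'No enabled inbound allow rule for TCP/445'
}

if (-not $Remediate) { return }

# Turn SMBv1 off on the server side (effective immediately on 8 / 2012 and later)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove the optional feature entirely where the cmdlet exists (Windows 8.1 / 10)
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Windows 7 / Server 2008 R2 equivalent: registry value, takes effect after a reboot
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -Type DWord -Value 0 -Force

# Block unsolicited SMB from untrusted networks; widen the profile if policy allows
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null

'Remediation applied; re-run without -Remediate to verify'
```

The firewall rule only covers the Public profile so that domain file sharing keeps working; if a machine must never serve SMB, the rule should apply to all profiles. Disabling SMBv1 breaks old multifunction printers and NAS boxes that only speak that dialect, so check the audit output on a representative host before pushing the remediation fleet-wide.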
He also introduced the company's security products, such as "Virus Buster", as recommended countermeasures: against the current WannaCry, the company's products can detect and block it at the point of intrusion or when encryption is executed.
For those choosing a product from now on, given that WannaCry variants and further evolved new families will appear, a "behavior detection" function that judges threats from how a program acts will be important. Some free or low-cost antivirus products lack this function, so it is one criterion for selection.
The more worrying question is what to do if you are infected with WannaCry. An individual would want to know whether paying the $300 (about 34,000 yen) in Bitcoin restores the PC, but Trend Micro's policy is "do not give money to cyber criminals", and it has not actually been confirmed that the data is decrypted after payment.
Since paying the ransom serves only the criminals' interests, he said users "should refrain" from it, and recommends reinstalling the OS if infected. That in turn means important files need to be backed up regularly to external devices and cloud services.
In this case, the number of victims in Japan appears to be smaller than in other countries because firewalls and network routers with security functions are widely deployed.
However, in the future it is possible that another, as yet unknown vulnerability will be exploited, or that users will be compromised by more deceptive means. To protect yourself from ransomware other than WannaCry and from other threats, apply the measures above thoroughly.