The Internet of Tears or “WannaCry”

From the point of view of IT security, May 2017 is a very intense month. The ransom or malware “WannaCry” paralyzed many systems within a very short time on Friday, May 12th. Ransomware or encryption trojans are malicious programs with the help of which an intruder encrypts data on the foreign computer and thus prevents access to it in order to demand a ransom for decryption or unlocking. In the meantime, both fee-based and free modular systems, so-called crimeware kits, have appeared in underground forums that can be used to create ransomware. WannaCry (WanaCrypt, WanaCryptor or WCry) is also based on guidelines spread across the Internet.
The version from May 12, 2017 is actually the 2nd version of this malware. The first version appeared a few months ago and was distributed via phishing emails. As a result, the user had to read the email and open the insert to infect the computer. The new version from May 12th spread much faster than the original one. They also used ETERNALBLUE for distribution, a software exploit (a method to bypass the security mechanisms of software) that was developed a few years ago by the NSA (U.S. National Security Agency). In April of this year a group called “ShadowBrokers” published the source code of this software and some other tools of the NSA on the Internet, accessible to all.

To this day we do not know exactly how WannaCry initially spread on the Internet, only when it has settled somewhere, then via Microsoft’s SMB file sharing protocol. Microsoft knew about this weakness and released a patch on March 14, 2017 that prevents this weakness. But obviously there were still many older or not yet updated Windows systems that were defenseless against the malware. Microsoft even went a step further and has released patches for systems that are no longer supported, such as Windows XP.

If you see this picture it is too late…. . Your data has already been encrypted and the original files have been deleted. It is very questionable whether you will ever get it back. You may be able to restore some files using a tool called “Shadow Explorer”. This can restore “shadow” files (backups that are carried out by normal Windows processes) or some undelete software packages can restore the deleted files. An in-depth analysis by Symantec has shown, however, that the files in the Desktop and MyDocuments system folders have definitely been deleted and overwritten.

Welcome to the age of connectivity, welcome to the age of the internet of things and tears.