WannaCry Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed last updated Fri, 06 Oct 2023 05:32:35 +0000.

WannaCry 3.0 Ransomware Aims At Enlisted Russian-speaking Players
https://gridinsoft.com/blogs/russian-speaking-enlisted-players/
Published Fri, 16 Jun 2023 10:48:50 +0000
A previously unknown ransomware payload that calls itself WannaCry 3.0 targets Russian-speaking players of the Enlisted game. The attackers reportedly use a modified game installer and a spoofed official site to deceive unsuspecting users.

You might also be interested in the article One Year of Russian-Ukrainian War in Cybersecurity, or in this one: Stabbed in the back: Chinese Mustang Panda Cyberspies Attack Russian Officials.

Information security specialists have also noted that, due to the sanctions, Russian hackers are looking for new ways to launder money.

How hackers mimic the Enlisted game

Trojanized versions of the game are distributed through fake sites, where the game installer comes bundled with ransomware that pretends to be the third version of the notorious WannaCry malware (it even changes the extension of the affected files to .wncry).

Image: Fake site that mimics the official page of the game

Enlisted was released by Gaijin Entertainment in 2021 and has between 500,000 and a million active players every month. Since the game is free-to-play, the attackers were able to easily download the installer from the publisher’s website and modify it to distribute the malware to players.

WannaCry 3.0 Payload analysis

According to the Cyble analysts who examined the threat, this supposedly new variant of WannaCry is actually based on Crypter, an open-source Python locker created for educational purposes. The game installer downloaded from the fake site is named “enlisted_beta-v1.0.3.115.exe”, and when run it drops two executables onto the user’s disk: ENLIST~1 (the actual game) and enlisted (the malware’s Python launcher).

Image: Game setup launched window

Upon initialization, the ransomware creates a mutex to avoid running multiple instances on the infected machine. It then parses its JSON config file to determine which file types to target, which directories to skip, which ransom note to generate, and which wallet address to include for receiving the ransom.

Image: JSON configuration file used by the malware

Next, the ransomware scans its working directory for a key.txt file to use in the encryption step (if it does not exist, the file is created). The AES-256 algorithm is used for encryption, and, as mentioned above, all locked files receive the .wncry extension.

Image: Ransom note of WannaCry 3.0, which tries to resemble the original WannaCry’s notes

Interestingly, the malware does not attempt to terminate processes or services, which is standard practice in modern lockers, but it does follow the usual ransomware playbook of deleting shadow copies to prevent data recovery.

Once file encryption is complete, the ransomware displays the ransom note in a dedicated GUI application that gives the victim three days to make a decision. In case the victim’s antivirus blocks the ransom note window, the ransomware also changes the desktop wallpaper.


What then?

The researchers note that the hackers do not use a Tor site; instead they ask victims to contact them through a Telegram bot. According to experts, many popular online shooters may now be unavailable to Russian users, so Enlisted has become an alternative for them. Now that the attackers have noticed this, they may well create fake sites for other games with Russian localization.

Well, what can I say? Being Russian-speaking these days is not only unfashionable but also dangerous. Nevertheless, cybercriminals must be caught and punished, regardless of any extenuating circumstances.

The post WannaCry 3.0 Ransomware Aims At Enlisted Russian-speaking Players appeared first on Gridinsoft Blog.

Microsoft recommends Exchange administrators to disable SMBv1
https://gridinsoft.com/blogs/microsoft-recommends-exchange-administrators-to-disable-smbv1/
Published Thu, 13 Feb 2020 16:45:01 +0000
Microsoft strongly recommends administrators disable the SMBv1 protocol on Exchange servers to protect against threats that exploit its vulnerabilities.

Let me remind you that Microsoft has been systematically phasing out the outdated SMBv1 for a long time. Since 2016, the company has advised administrators to stop supporting SMBv1, because this version of the protocol is almost 30 years old and lacks the security improvements that were added in later versions.

These security enhancements include encryption, pre-authentication integrity checks to prevent man-in-the-middle (MiTM) attacks, blocking of insecure guest authentication, and more.

“To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server. There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions”, Microsoft recommends.

Now the Exchange Team has once again reminded administrators that using SMBv1 is insecure, because various malware families still actively abuse it. SMB vulnerabilities are exploited by EternalBlue and EternalRomance, as well as by TrickBot, Emotet, WannaCry, Retefe, NotPetya, Olympic Destroyer, and others. In addition, known SMB problems can be used to spread an infection to other machines, perform destructive operations, and steal credentials.

In this regard, Microsoft experts strongly recommend disabling the obsolete version of SMB on Exchange 2013/2016/2019 servers.

“Before disabling SMBv1, you should make sure you use a correctly configured and supported DAG witness server which supports at least SMBv2. You should make sure that the witness server is running a supported version of Windows Server, which is Windows Server 2012/2012R2/2016 or 2019”, Microsoft recommends.

The company says it has not tested whether Exchange 2010 works correctly with SMBv1 disabled, and advises those administrators to migrate from Exchange 2010 to Office 365 or a newer version of Exchange Server.
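The audit-then-disable sequence the post describes (check which clients still speak SMB1, confirm the DAG witness runs Windows Server 2012 or later, then turn SMB1 off), as an added PowerShell example that is not from the Gridinsoft post or from Microsoft. It assumes an elevated Exchange Management Shell on an Exchange 2013/2016/2019 server (Get-DatabaseAvailabilityGroup needs it) and that CIM remoting to the witness server is permitted.

```powershell
# Added example, not from the Gridinsoft post or from Microsoft: audit SMBv1 on an
# Exchange 2013/2016/2019 server and disable it after the DAG witness check.
# Assumptions: runs elevated inside the Exchange Management Shell on the Exchange
# server; CIM/WinRM access to the DAG witness server is allowed.

# 1. Is the SMBv1 server component still installed and switched on?
$cfg = Get-SmbServerConfiguration
"SMB1 protocol enabled: $($cfg.EnableSMB1Protocol)"
Get-WindowsFeature -Name FS-SMB1 | Select-Object Name, InstallState

# 2. Which clients still negotiate SMB1 with this server? Dialects below 2.0 are SMB1.
#    Anything listed here will break once SMB1 is off, so fix those clients first.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 3. DAG witness check: the witness must run a supported Windows Server
#    (2012 = NT 6.2 or later), which speaks at least SMBv2.
foreach ($dag in Get-DatabaseAvailabilityGroup) {
    $witness = "$($dag.WitnessServer)"
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $witness
    "DAG $($dag.Name): witness $witness runs $($os.Caption) (version $($os.Version))"
    if ([version]$os.Version -lt [version]'6.2') {
        Write-Warning "Witness $witness predates Windows Server 2012; fix it before disabling SMB1"
    }
}

# 4. Once the checks above are clean, turn SMB1 off at the server and remove its binaries.
#    Remove -WhatIf to apply the feature removal; it requires a reboot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature -Name FS-SMB1 -WhatIf
```

Run steps 1 to 3 on every DAG member before applying step 4 anywhere, since a single witness or legacy client that still needs SMB1 affects the whole group.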

This week, as part of Patch Tuesday, Microsoft fixed 99 bugs in its products, including the much-discussed 0-day in Internet Explorer, but at the same time the discontinuation of support for old products is drawing a very mixed reaction from users.

The post Microsoft recommends Exchange administrators to disable SMBv1 appeared first on Gridinsoft Blog.

How to protect your PC from a virus, that has infected systems all around the world? Be careful, WannaCry may come for you!
https://gridinsoft.com/blogs/protect-pc-virus-infected-systems-around-world-careful-wannacry-may-come/
Published Sat, 13 May 2017 10:25:08 +0000
I think you’ve already heard about this virus. In the past few days it has spread to computers in 74 countries! The biggest impact can be seen in China, Russia, Peru, France, and Canada. In a single day it infected German rail stations, Chinese universities, the Russian Interior Ministry, British hospitals, and other government institutions. Impressive, isn’t it?

Image: German train station

How is WannaCry (or Wanna Decrypt0r 2.0) spreading, and what is it capable of?

A PC can get infected by downloading pirated programs, clicking on suspicious pop-ups with fake “update” links, and via emails. Be careful before opening attachments or running programs from an unknown source.

Image: WannaCry in a university

When it infects your PC, it scans all files and encrypts them, appending the .WNCRY extension. Access to images, documents, music, and system files is blocked. After that, you will see the message “Oops, your files have been encrypted” on the screen, together with a demand to pay $300 in Bitcoin to decrypt your files. However, no one guarantees that the files will be decrypted after the ransom is paid.

Image: WannaCry ransom demand

To make sure this epidemic bypasses you, immediately install the MS17-010 patch from Microsoft and restart the computer afterwards. Then scan your PC; if malicious activity is detected (Trojan.Win64.EquationDrug.gen), reboot the system again and verify that the MS17-010 patch is installed.

If you are already infected, follow the steps below to eliminate the virus.

  1. Boot into Safe Mode with Networking (safe mode with the network drivers loaded).
  2. Scan the system with a strong antivirus program and remove all detected files.

The final step is to restore the encrypted files, which you should only attempt after WannaCry has been removed; otherwise, system files and the registry can be damaged. For this you can try various decryption programs, but none of them guarantees that the files will be restored.

So, as we can see, viruses don’t sleep and are evolving every day. WannaCry will be on our next list of the top 10 viruses.

The post How to protect your PC from a virus, that has infected systems all around the world? Be careful, WannaCry may come for you! appeared first on Gridinsoft Blog.
