Eliminate Wannacry Ransomware: Effective Microsoft Solutions

As many of you are now aware, a major ransomware outbreak has impacted countless computers across the globe, affecting organisations and individuals alike.

If you ever receive an email that looks suspicious or you’re uncertain about it, please avoid opening any attachments. Forward such emails straight away to your IT administrator so they can be reviewed safely.

How to Spot a Suspicious Email:

  1. The email arrives unexpectedly or from an unknown sender
  2. Marked as ‘High Importance’ without a clear reason
  3. The sender’s address doesn’t look official or legitimate
  4. Links may direct you to fraudulent websites
  5. The message requests sensitive or personal details
  6. The text urges you to act immediately or respond quickly
  7. Check the sender’s signature for inconsistencies
  8. Use other techniques to confirm the website or email legitimacy

Microsoft has released the MS17-010 security updates that close the vulnerability WannaCry exploits. Please install the update for your Windows version from the links below as soon as possible and inform your colleagues.

Windows XP SP3: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

Windows Vista x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu

Windows Vista x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu

Windows 7 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 7 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu

Windows 8: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu

Windows 8.1: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

Windows 10: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu

Windows 2003 x86: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe

Windows 2003 x64: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe

Windows 2008: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu

Windows 2008R2: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 2012: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu

Windows 2012R2: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

Windows 2016: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu
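To check a host against the list above, here is an added example (not part of the original article) that looks for one of the listed KB numbers with Get-HotFix and reports whether the SMBv1 server is still enabled. The KB numbers are taken from the download links above; the function name, output layout and the registry fallback for older systems are this example's own.

```powershell
# Added example (not from the original article): a quick local check of the two
# conditions the article ties to WannaCry exposure: is one of the MS17-010
# updates listed above installed, and is the SMBv1 server still enabled?
# KB numbers come from the download links above; everything else is this
# example's own scaffolding.

$ms17010Kbs = @(
    'KB4012598',   # Windows XP SP3 / Vista / Server 2003 / Server 2008 / Windows 8 (per the list above)
    'KB4012212',   # Windows 7 / Server 2008 R2
    'KB4012213',   # Windows 8.1 / Server 2012 R2
    'KB4012214',   # Windows Server 2012
    'KB4012606',   # Windows 10 (March 2017 cumulative update)
    'KB4013429'    # Windows Server 2016 (March 2017 cumulative update)
)

function Get-Ms17010Status {
    # Installed hotfixes whose ID is one of the MS17-010 KBs.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems the SMB1 switch lives in the LanmanServer registry key
    # (Microsoft KB2696547). A missing value means the default: SMBv1 enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)
    }

    $kbText = if ($found) { $found -join ', ' } else { 'none of the listed KBs' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010KbFound = $kbText
        Smb1Enabled    = $smb1
    }
}

Get-Ms17010Status | Format-List
```

Run it in an elevated PowerShell session. A result of "none of the listed KBs" on a machine patched after May 2017 is not proof of exposure: later cumulative updates supersede these KBs and carry different IDs, which is why Microsoft's MS17-010 verification guidance compares the version of %SystemRoot%\System32\drivers\srv.sys rather than looking for a KB. Smb1Enabled = True is the finding to act on either way.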


Understanding Ransomware

Ransomware is a type of cyber threat designed to block access to your files and devices in return for a payment. This often affects computers, tablets, and smartphones. The recent ‘WannaCry’ ransomware attack has become one of the largest ever, with systems around the world being hit – including several in India.

What is WannaCry?

WannaCry is ransomware that targets Windows systems. Also known as WannaCrypt, WanaCrypt0r, WCrypt or WCRY, it exploits a Windows SMB vulnerability using the ‘EternalBlue’ exploit; any Windows system without the MS17-010 update is at risk. Once it has infected a machine it encrypts the files and displays instructions to pay $300 in Bitcoin for recovery. If the ransom is not paid within 3 days the demand rises to $600, with a threat to destroy the files. It also installs the DOUBLEPULSAR backdoor, which is a further risk in its own right.

How does WannaCry Spread?

The ransomware spreads with the EternalBlue exploit for the SMBv1 vulnerability fixed by MS17-010, which lets it infect reachable Windows machines over the SMB port (445) without any user interaction. Infection can also start from malicious email links and attachments. Once one computer on a network is infected, WannaCry scans for other vulnerable machines and self-propagates, moving rapidly across connected systems.

How to Stop WannaCry Ransomware Infection: Troubleshooting & Prevention Guide

  1. Install Security Updates: Apply the latest Microsoft security patches, particularly MS17-010, to all Windows devices.
  2. Decommission Unsupported Systems: Immediately remove Windows NT4, Windows 2000, and older XP or 2003 systems from your network or production environments.
  3. Block Vulnerable Ports: In your firewall settings, block ports 139, 445, and 3389 to prevent exploit attempts.
  4. Verify Emails Carefully: Never click suspicious links or open attachments from unknown senders.
  5. Disable SMBv1 if Unnecessary: In Windows Features, turn off ‘SMB 1.0/CIFS File Sharing Support’ if nothing on your network still needs it; EternalBlue targets SMBv1 only.
  6. Keep All Software Up-to-Date: Regularly update operating systems and installed applications to patch new vulnerabilities.
  7. Enable Pop-Up Blockers: Use browser pop-up blockers to prevent drive-by downloads.
  8. Back Up Data Regularly: Frequently save copies of your important files to an external drive or secure cloud service.
  9. Install Reliable Antivirus: Ensure you are running up-to-date antivirus and anti-ransomware protection.
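Steps 3 and 5 above as an added PowerShell example (not part of the original article): it turns off the SMBv1 server and adds inbound block rules for ports 139, 445 and 3389. It assumes an elevated session on Windows 7 / Server 2008 R2 or later; the firewall rule names are this example's own choice.

```powershell
# Added example (not from the original article): steps 3 and 5 of the list
# above as PowerShell, for an elevated session on Windows 7 / Server 2008 R2
# and later. The firewall rule names are this example's own choice.

# --- Step 5: disable the SMBv1 server protocol (the component EternalBlue targets).
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2: the documented registry switch (Microsoft KB2696547);
    # takes effect after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
}

# On Windows 8.1 / 10 the SMBv1 components can also be removed as an optional
# feature, which covers the client side too (reboot required).
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# --- Step 3: block inbound NetBIOS session (139), SMB (445) and RDP (3389).
# These rules cut off file sharing and remote desktop on the host, so apply
# them to workstations that do not serve those roles; on file servers scope
# access to the subnets that need it instead of blocking outright.
foreach ($port in 139, 445, 3389) {
    $name = "WannaCry hardening: block inbound TCP $port"
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later; skip if the rule already exists.
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 / Server 2008 R2: same rule through netsh.
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=$port | Out-Null
    }
}
```

Verify afterwards with Get-SmbServerConfiguration (EnableSMB1Protocol should read False) and Get-NetFirewallRule -DisplayName 'WannaCry hardening*'; on Windows 7 use netsh advfirewall firewall show rule name=all and a reboot for the registry change to apply.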

How to Fix Common Issues After a Ransomware Attack

  • Disconnect Immediately: Unplug the device from the network to stop the infection spreading.
  • Run Full Security Scans: Use security software to scan and attempt to remove malicious files.
  • Restore Backups: If you have clean backups, erase the infected system and reinstall your data.
  • Seek Professional IT Support: For persistent infections, professional recovery services may be required.

Below are IP addresses and ports associated with the outbreak that you can block in your firewall or hunt for in your security software. Treat them as indicators to check against your own environment rather than a blanket blocklist: 10.132.0.38 is an RFC 1918 private address and cannot be an external indicator, and the entries on ports 9001, 9003, 9090 and 9191 are Tor relay ports (9001 is the Tor default), consistent with the Tor client WannaCry uses to reach the .onion addresses listed further down.

Block These IPs:

  • 16.0.5.10:135
  • 16.0.5.10:49
  • 10.132.0.38:80
  • 1.127.169.36:445
  • 1.34.170.174:445
  • 74.192.131.209:445
  • 72.251.38.86:445
  • 154.52.114.185:445
  • 52.119.18.119:445
  • 203.232.172.210:445
  • 95.133.114.179:445
  • 111.21.235.164:445
  • 199.168.188.178:445
  • 102.51.52.149:445
  • 183.221.171.193:445
  • 92.131.160.60:445
  • 139.200.111.109:445
  • 158.7.250.29:445
  • 81.189.128.43:445
  • 143.71.213.16:445
  • 71.191.195.91:445
  • 34.132.112.54:445
  • 189.191.100.197:445
  • 117.85.163.204:445
  • 165.137.211.151:445
  • 3.193.1.89:445
  • 173.41.236.121:445
  • 217.62.147.116:445
  • 16.124.247.16:445
  • 187.248.193.14:445
  • 42.51.104.34:445
  • 76.222.191.53:445
  • 197.231.221.221:9001
  • 128.31.0.39:9191
  • 149.202.160.69:9001
  • 46.101.166.19:9090
  • 91.121.65.179:9001
  • 2.3.69.209:9001
  • 146.0.32.144:9001
  • 50.7.161.218:9001
  • 217.79.179.177:9001
  • 213.61.66.116:9003
  • 212.47.232.237:9001
  • 81.30.158.223:9001
  • 79.172.193.32:443
  • 38.229.72.16:443

Domains:

The first entry is the kill-switch domain discussed in the WannaCry 3.0 section below: a DNS lookup of it from a host is a strong sign that the WannaCry dropper has run there. Alert on lookups, but do not make the domain unreachable, because the sample only proceeds to encrypt when it cannot connect to it. The .onion entries are Tor hidden services, so they show up as Tor connections rather than DNS lookups.

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • Rphjmrpwmfv6v2e[dot]onion
  • Gx7ekbenv2riucmf[dot]onion
  • 57g7spgrzlojinas[dot]onion
  • xxlvbrloxvriy2c5[dot]onion
  • 76jdd2ir2embyv47[dot]onion
  • cwwnhwhlz52maqm7[dot]onion

File Names:

  • @[email protected]
  • @[email protected]
  • @[email protected]
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • 131181494299235.bat
  • 176641494574290.bat
  • 217201494590800.bat
  • [0-9]{15}\.bat (regex for the .bat names above)
  • !WannaDecryptor!.exe.lnk
  • 00000000.pky
  • 00000000.eky
  • 00000000.res
  • C:\WINDOWS\system32\taskdl.exe


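The IP, domain and file-name indicators above are most useful when run over exported logs. The following is an added example (not part of the original article) that matches a subset of those indicators against plain-text log lines with anchored regular expressions, so that a defanged domain or a 15-digit .bat name is recognised without partial-IP false positives. The indicator values are copied from the lists above; the sample log lines are constructed for illustration and are not real telemetry.

```powershell
# Added example (not from the original article): matches the indicators listed
# above against text log lines, e.g. exported firewall, DNS or endpoint logs.
# Indicator values are copied from this article's lists (a subset, to keep the
# example short); the log lines at the bottom are constructed, not real telemetry.

# Network indicators. The article defangs domains with [dot]; re-fang for matching.
$ipPortIndicators = @(
    '1.127.169.36:445', '74.192.131.209:445', '52.119.18.119:445',
    '197.231.221.221:9001', '128.31.0.39:9191', '79.172.193.32:443'
)
$domainIndicators = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com',
    'Rphjmrpwmfv6v2e[dot]onion',
    '57g7spgrzlojinas[dot]onion'
) | ForEach-Object { $_ -replace '\[dot\]', '.' }

# Host indicators: literal file names plus the 15-digit .bat name pattern.
$fileIndicators = @(
    'tasksche.exe', 'taskdl.exe', 'qeriuwjhrf', '!WannaDecryptor!.exe.lnk',
    '00000000.pky', '00000000.eky', '00000000.res'
)
$batNamePattern = '(?<![0-9])[0-9]{15}\.bat\b'

# Escaped and anchored patterns, so 1.127.169.36 does not match 21.127.169.36
# and a domain does not match as the tail of a longer name.
$ipPatterns     = $ipPortIndicators | ForEach-Object { '(?<![0-9])' + [regex]::Escape($_) + '(?![0-9])' }
$domainPatterns = $domainIndicators | ForEach-Object { '(?<![\w.-])' + [regex]::Escape($_) + '(?![\w-])' }
$filePatterns   = $fileIndicators   | ForEach-Object { '(?<![\w!])'  + [regex]::Escape($_) + '(?!\w)' }

function Find-WannaCryIndicators {
    # Returns one object per log line that contains at least one indicator.
    # -match is case-insensitive, which also covers the mixed-case .onion names.
    param([Parameter(Mandatory)][string[]]$Lines)

    foreach ($line in $Lines) {
        $hits = @()
        foreach ($p in $ipPatterns)     { if ($line -match $p) { $hits += "ip:$($Matches[0])" } }
        foreach ($p in $domainPatterns) { if ($line -match $p) { $hits += "domain:$($Matches[0])" } }
        foreach ($p in $filePatterns)   { if ($line -match $p) { $hits += "file:$($Matches[0])" } }
        if ($line -match $batNamePattern) { $hits += "file:$($Matches[0])" }

        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Indicators = ($hits -join '; '); Line = $line }
        }
    }
}

# Constructed sample lines (not real telemetry); the last one is benign and
# should produce no output. Use Get-Content <exported log> in place of $sampleLog.
$sampleLog = @(
    '2017-05-12 10:01:03 FW ALLOW TCP 192.168.10.21:49711 -> 74.192.131.209:445',
    '2017-05-12 10:01:09 DNS query from 192.168.10.21: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A',
    '2017-05-12 10:01:12 PROCESS_CREATE image=C:\WINDOWS\tasksche.exe',
    '2017-05-12 10:01:15 FILE_CREATE C:\Users\alice\131181494299235.bat',
    '2017-05-12 10:02:00 FW ALLOW TCP 192.168.10.30:50012 -> 203.0.113.5:443'
)
Find-WannaCryIndicators -Lines $sampleLog | Format-Table -AutoSize -Wrap
```

A hit on the kill-switch domain line or on a 445 connection from an internal host is worth treating as a possible infection of the source address, not just of the destination: the worm scans outward from whatever it has already compromised.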
WannaCry 3.0 Ransomware: Latest Information & Troubleshooting Guide

WannaCry 3.0 ransomware is actively infecting computers across the globe. Experts have traced this malware to the notorious Lazarus Group, with many sources attributing its origins to North Korea. The ransomware shares technical similarities with malware created by this group—the same group behind the Sony Pictures attack and the major cyber heist involving the Bangladesh Bank in 2014.

Cybersecurity researcher Marcus Hutchins played a pivotal role in slowing down the initial spread by locating and using WannaCry’s “kill switch” domain to temporarily halt infections. However, even this significant intervention hasn’t entirely stopped new variants from appearing. WannaCry 3.0 signals a further evolution, suggesting that version 2.0 was just a precursor for even more advanced attacks.

Recently, Matthieu Suiche, founder of Comae, discovered a new WannaCry variant that escaped detection by several major cybersecurity firms. This updated edition also utilises a kill switch, making it more challenging for security experts to track and mitigate ongoing infections.

How to Identify WannaCry 3.0 Infections
Watch out for the following:

  • Unusual files such as @[email protected] or @[email protected] appearing on your desktop.
  • Your files suddenly become inaccessible or have new extensions.
  • Popup messages demanding payment in Bitcoin or other cryptocurrencies.

How to Remove WannaCry 3.0 and Restore Your Files

  1. Immediately disconnect your computer from the internet to halt further file encryption or spreading to other devices on your network.
  2. Run a full antivirus and anti-malware scan in safe mode. Use up-to-date security tools such as Windows Defender, Malwarebytes or ESET.
  3. Restore your files from a backup, if possible. Never pay the ransom; it does not guarantee file recovery and encourages future attacks.
  4. If you are not able to remove it yourself, consult cyber security professionals who specialise in ransomware recovery.

How to Protect Your Computer from WannaCry Ransomware

  • Install the latest security updates for your Operating System, particularly the MS17-010 patch for Windows.
  • Regularly back up important documents to an external hard drive or cloud storage that is not connected to your main computer.
  • Do not open email attachments or click on suspicious links from unknown sources.
  • Enable your firewall and keep all software up to date.

Resources for Further Help and Live Ransomware Tracking:

How to Fix Issues with Port 445 and Ransomware Risks

  1. Block port 445 on your firewall to minimise exposure to network-borne threats.
  2. Disable SMBv1 protocol in Windows features to prevent exploitation of older vulnerabilities.
  3. Use network segmentation to limit the potential spread of infections within your organisation.
  4. Regularly review your system and network logs for signs of suspicious connections or access attempts.

Staying informed and following basic cyber hygiene practices is the best defence against ransomware like WannaCry.