Over the past couple of months, WannaCry has struck the entire world as a massive ransomware attack with hundreds of thousands of victims, including hospitals, government agencies, and telecom operators. Many questions about the attack remain unanswered, but it is above all the apparent amateurism of the attackers that has left security experts puzzled.
Initially, everyone assumed it was an advanced attack. But because of the code used, the bitcoin addresses, and the manual process for checking payments and handing out decryption keys, the cybersecurity world is starting to see the attack in a new light. Victims who paid have, by and large, not recovered their files. That is strange even for cyber criminals, because it is bad marketing: a ransomware operation depends on victims believing that paying works.
Ransomware developers sometimes make programming errors, and those errors can let victims regain access to their original files after an infection, without paying. According to several cybersecurity experts, the development of what is almost certainly the most famous ransomware to date contained a number of such errors. Let's go through them and see what researchers have learned.
Errors in File Erase Logic
When WannaCry encrypts a victim's files, it creates an encrypted copy of each original and then disposes of the original. Each file with the extension .WNCRY corresponds to one original file. How the original is disposed of, and therefore whether it can be recovered, depends on where the file is located on the computer and on its attributes. In the best case the original is merely hidden and can be recovered simply by restoring its normal attributes.
Files That Are Located on the System Drive:
If the file is in a "key" folder (from the malware developers' point of view, for example Desktop and Documents), the original is overwritten with random data before deletion. In that case there is no way to restore its contents.
If the file is stored outside the "key" folders, the original is moved to %TEMP%\%d.WNCRYT (where %d is a number). These files hold the original data and are not overwritten, only deleted from disk, so there is a good chance they can be recovered with data recovery software.
Files That Are Located on Other (Non-System) Drives:
The ransomware creates a folder named $RECYCLE and sets the 'hidden' and 'system' attributes on it, which makes the folder invisible in Windows File Explorer with default settings. After encryption, the malware moves the original files into this directory. However, because of synchronization errors in the code, the originals sometimes remain in their own directory and are never moved to $RECYCLE. In either case the originals are deleted in an unsafe way (not overwritten), so they can be restored with data recovery software.
Read-Only File Processing Error
Analysis of WannaCry also revealed an error in its handling of read-only files. If such files exist on the infected machine, the ransomware does not encrypt them in place: it creates an encrypted copy of each original and merely sets the 'hidden' attribute on the original, leaving its data intact. When this happens, the originals are easy to find and can be recovered by restoring their normal attributes.
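The attribute-based recovery described in the sections above (hidden-only originals, the hidden $RECYCLE staging folder, and the %TEMP%\%d.WNCRYT copies) can be triaged with a short PowerShell script. The script below is an added example written for this page; it is not code from the original article or from any vendor's analysis. It assumes the naming the text describes (an encrypted copy named <original>.WNCRY beside a hidden original, a folder literally named $RECYCLE carrying the hidden and system attributes, and *.WNCRYT files under %TEMP%); the scan roots are placeholders to adjust. Run it against an offline copy or mounted image of the disk where possible, and with -WhatIf first.

```powershell
# Added triage script for WannaCry attribute-based recovery (example code, not the
# article's or any vendor's). Assumptions: encrypted copies are named <original>.WNCRY,
# the staging folder is literally "$RECYCLE" with Hidden+System set, and plaintext
# copies on the system drive go to %TEMP%\<n>.WNCRYT. Scan roots are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Roots = @($env:USERPROFILE, 'D:\'),   # assumed; point at the mounted image
    [string]$Temp = $env:TEMP
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

function Find-HiddenOriginal {
    # A hidden file that is not itself .WNCRY and has a "<name>.WNCRY" twin next to it
    # is an untouched original (read-only case, or a file the malware failed to move).
    Get-ChildItem -Path $Roots -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag($hidden) -and
            $_.Extension -ne '.WNCRY' -and
            (Test-Path -LiteralPath ($_.FullName + '.WNCRY'))
        }
}

function Find-StagingFolder {
    # The malware's own "$RECYCLE" directory, hidden from Explorer by Hidden+System.
    # Single quotes keep PowerShell from expanding $RECYCLE as a variable.
    Get-ChildItem -Path $Roots -Recurse -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -eq '$RECYCLE' -and
            $_.Attributes.HasFlag($hidden) -and
            $_.Attributes.HasFlag($system)
        }
}

# 1. Unhide originals that were only hidden. Clears Hidden and System but keeps
#    ReadOnly and the other attribute bits. Nothing here touches the .WNCRY copies.
foreach ($file in Find-HiddenOriginal) {
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Clear Hidden/System attributes')) {
        $file.Attributes = [IO.FileAttributes]($file.Attributes -band -bnot ($hidden -bor $system))
        Write-Output "Restored: $($file.FullName)"
    }
}

# 2. List what is still sitting in any $RECYCLE staging folder. Those files are the
#    originals; anything already deleted from here is a file-carving candidate.
foreach ($dir in Find-StagingFolder) {
    Write-Output "Staging folder: $($dir.FullName)"
    Get-ChildItem -LiteralPath $dir.FullName -Force -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# 3. Plaintext copies moved to %TEMP%\<n>.WNCRYT that have not been deleted yet.
Get-ChildItem -LiteralPath $Temp -Filter '*.WNCRYT' -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

The script only clears attributes on files that provably have an encrypted twin, so a stray hidden file without a .WNCRY counterpart is left alone. It deliberately does not delete, move, or rename anything: .WNCRYT and $RECYCLE entries that the malware has already deleted are not visible to Get-ChildItem, and recovering them is a job for a file-carving tool run against the raw disk, not for a script that writes to the same volume.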
The Bottom Line
Researchers have shown that WannaCry was less sophisticated than originally thought. That so many computers were infected anyway indicates that many organizations do not have proper security and patching policies in place. It will not be long before a WannaCry variant appears that cannot be stopped by a simple 'kill-switch'. Attackers learn from their mistakes, and they will come up with something that haunts us, the security agencies and organizations, for a while before we work out how to deal with it. Organizations with a mature security posture have far less to fear: keep operating systems and software patched and up to date.