:::: MENU ::::
Monthly Archives: May 2017

Some information about Ransomware & WannaCry Ransomware


What is Ransomware?


Ransomware is a malicious software that encrypts the files and locks device, such a

a computer, tablet or smartphone and then demands a ransom to unlock it. Recently, a

dangerous ransomware named ‘Wannacry’ has been affecting the computers worldwide

creating the biggest ransomware attack the world has ever seen.


What is WannaCry Ransomware?


WannaCry ransomware attacks windows based machines. It also goes by the name

WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY.It leverages SMB exploit in

Windows machines called EternalBlue to attack and inject the malware. All versions of

windows before Windows 10 are vulnerable to this attack if not patched for MS-17-010.

After a system is affected, it encrypts the files and shows a pop up with a countdown and

instructions on how to pay the 300$ in bitcoins to decrypt and get back the original files. If

the ransom is not paid in 3 days, the ransom amount increases to 600$ and threatens the

user to wipe off all the data. It also installs DOUBLEPULSAR backdoor in the machine.

What can you do to prevent infection?


 Microsoft has released a Windows security patch MS17-010 for Winodws machines.

This needs to be applied immediately and urgently.

 Remove Windows NT4, Windows 2000 and Windows XP-2003 from production


 Block ports 139, 445 and 3389 in firewall.

 Avoid clicking on links or opening attachments or emails from people you don’t

know or companies you don’t do business with.

 SMB is enabled by default on Windows. Disable smb service on the machine by

going to Settings > uncheck the settings > OK

 Make sure your software is up-to-date.

 Have a pop-up blocker running on your web browser.

 Regularly backup your files.

 Install a good antivirus and a good antiransomware product for better security.

File Names:

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @WanaDecryptor@.exe.lnk
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • 131181494299235.bat
  • 176641494574290.bat
  • 217201494590800.bat
  • [0-9]{15}.bat #regex
  • !WannaDecryptor!.exe.lnk
  • 00000000.pky
  • 00000000.eky
  • 00000000.res
  • C:\WINDOWS\system32\taskdl.exe


If you encounter an error during the imaging process, please note the error code generated by the Tssk Sequence Wizard. Please reboot the system and boot into the task sequence wizard using an available boot media or PXE function.

Once within the Task Sequence Wizard, select F8 to initiate the command prompt. Within the command prompt, please run the following commands depending on the error listed below:


For Microsoft Surfaces ONLY

  1. Enter the command “ipconfig /all” to verify that the machine has a network connection.
  2. Enter the command “time” to verify that the machine has the proper time set.
  3. Enter the command “date”, to verify that the machine has the proper date set. After verifying this information continue to the diskpart steps.

For Everything Else:

If you are not imaging a Surface Pro and receive a 0x8004005or 0x80070570 error, please use the Diskpart Steps that arebolded and listed below:

  1. Enter the command “diskpart”.
  2. Enter the command “list disk”, this will show a selection similar to the one listed below:

Disk ###  Status         Size         Free     DynGpt

——–  ————-      ——-       ——-    —      —

Disk 0    Online          238 GB     0 B        *(select the OS disk)

Disk 1    Online           28 GB      0 B


  1. Select the OS disk (Disk 0) with the following command: “select disk 0”.
  2. Once selected, enter the command “clean”.
  3. Once cleaned, enter the command “create partition primary”.
  4. Once the partition is created, select the partition with the command “Select partition 1”.
  5. Once selected, enter the command “active” to activate the partition.
  6. After selection, format the OS disk with the following command “format quick fs=ntfs”.
  7. After format, enter the command “assign” to assign a drive letter or mount point.
  8. After assigning the disk a mount point, enter the command “exit” to complete the processfollowed by a full reboot of the machine.

For an “0x8007005 or 0x80070070 error or an image where the primary drive isn’t imaged as C:”, please run the following diskpart steps:

  1. Enter the command “diskpart”.
  2. Enter the command “list disk”.
  3. Select the OS disk (Disk 0) with the following command: “select disk 0”.
  4. Once selected, enter the command “clean”.
  5. After cleaning the disk, enter the command “exit” to complete the process followed by a full reboot of the machine.