Has the Crying Stopped Yet? The WannaCry Attack Aftermath

WannaCryTwo weeks have passed since the global incident of WannaCry. The media coverage of WannaCry ransomware has been dwindling as emergency patches have been pushed out by Microsoft, antivirus and anti-malware software vendors, and even firmware for hardware such as firewalls. These patches, while arriving a little too late for older versions of Windows, have helped to prevent others from getting infected.

But what about the folks whose data might still be held at ransom?

Recently released tools have been made available for decrypting our files that we were locked out of. The first set of such tools were WannaKiwi and WannaKey. These were hand crafted solely for the WannaCry malware. The major caveat for both tools: once the infected systems have been rebooted, powered off or the malware processes killed, they will not work. Another caveat: WannaKiwi is shown to only work on older operating systems, which are Windows XP, Server 2003, Vista, Server 2008, Server 2008 R2 and Windows 7. Any newer operating systems are not supported. WannaKey is not so user friendly and is only confirmed to work on Windows XP and Windows 7.

Trend Micro, a major player in IT security and whose products we specialize in, has released a Ransomware File Decryptor Tool that, in addition to remediating a WannaCry infection, will assist in the decryption of data affected by other variants of ransomware. In addition to detailed steps and even a video how-to, the interface is user friendly and nicely thought out, and it supports all operating systems up to Windows Server 2012 R2.

So, all should be good now that we have a way to combat WannaCry, right? Nope!

While our guards are down and minds at ease about being protected against WannaCry, other ransomwares are still flying under the radar and infecting systems. While they do not get the fame and media coverage that WannaCry did with its signature move — slipping between systems like the slimy worm it is — some of these ransomware infections do not have a cure yet as of this writing.

Jaff Decryptor

For an example, I will use a ransomware I had the pleasure of looking at recently. While it does not swarm across networks like WannaCry did, this nasty piece of malware known as Jaff Decryptor uses AES 256-bit encryption. Just how hard is it to crack that encryption? Even with a significant amount of supercomputers on the case, it would take decades to crack that hash.

While WannaCry creators asked for $300 worth of Bitcoin in ransom, the Jaff creators are asking for roughly 1.82 Bitcoin. As of writing, the price of 1 Bitcoin equals $2,537.

JAFF comes to us by spam emails that contain malicious attachments. Jaff then targets all of the common and not-so-common file extensions, heavily encrypts them, and adds a .jaff (old version) or a .wlu (most recent version) extension. For example, your Excel spreadsheet named ‘report.xlsx’ will come out as ‘report.xlsx.jaff’ or, in the case of the newest strand, ‘report.xlsx.wlu’.

The older version surfaced around the same time as WannaCry, while the updated Jaff surfaced on May 23. The main difference, besides the extensions, is that while the old Jaff created both a readme text document and an unsightly bitmap image that looked like a rushed Microsoft Paint document that was justified to the right of the screen making it difficult to read, the latest version shows the ransom note in rich HTML.

Researching Jaff for countless hours has proven unfruitful in finding a fix. Every article states it cannot be cracked (I even tried with Trend Micro’s tool). Every article states the only permutant riddance is restoring from backup

Therefore, I cannot stress this enough: do your backups, folks! Always heed the best practices on web surfing, emails, social engineering and more. When in doubt, ask someone. Ask us! And, always ask yourself this: how much is your data worth to you? What aspect of your personal life or business would suffer with any amount of critical data loss?

Resources:

Contact us today if you need help putting the right cybersecurity safeguards in place, including a backup system. You can call us at 502-240-0404 or email us!