WannaCry was a global phenomenon: it reached more than 200 thousand computers in 150 countries and caused financial losses by halting factory production, suspending store operations and even impairing the operation of hospitals. But the real impact of this threat in Latin America and Brazil was smaller than in Europe, where the threat first spread. According to ESET, which held the Foro de Seguridad Informática in San Jose, Costa Rica, WannaCryptor had greater reach in other territories. That does not leave Latin Americans free from dangerous ransomware.
Miguel Mendoza details ransomware for Latin America – Photo: Melissa Cruz Cossetti / TechTudo
«The real impact of WannaCry was small in the region,» said Miguel Mendoza, a security analyst at the company in Mexico. According to the survey, other names make up the list of the most dangerous ransomware in Latin America.
«WannaCry reached 6% of detections [among ESET antivirus customers] and is only in seventh position in all of Latin America», added Mendoza.
Also according to Mendoza, no operating system is free of ransomware. There are families of viruses of this type not only for Windows and Android, but also for Linux distributions and even Apple's macOS. The list of the most popular ransomware detections on the platform of ESET – maker of NOD32 – for the region, which included Brazil, features TeslaCrypt, CryptoWall and other names.
Most popular ransomware detections in Latin America in 2017
ESET survey reveals the most common data-locking malware in the region
In 2016, without WannaCry, the list consisted of TeslaCrypt, CryptoWall, Locky, Cerber, CryptProjectXXX, Crysis and CTBLocker, each with a larger share.
TeslaCrypt is malware aimed at gamers. Instead of locking ordinary files on the computer, it encrypts data so that machine owners cannot play their favorite titles unless they pay a ransom. On infected machines, it looks especially for saved games. A key to unlock the encrypted files was offered if victims paid at least $500 in bitcoins. The malware targets 40 games, including Call of Duty, World of Warcraft, Minecraft and World of Tanks. In a surprising move in the history of malware, the cybercriminals behind the attack ended their operations and released a master key to unlock all victims' files.
Although the same families recur and vary little from year to year, what stands out is the creation of new viruses that lock data in a wide variety of ways. From 2009 to 2017, there was a jump of over 1,140 thousand variants in the world.
Variants of ransomware in the world over the years
Survey shows increase in malware families from 2009 to 2017
WannaCry brings worm to ransom
WannaCry, however, made the news in every country because of its unique characteristics. It was dubbed a ransomworm because it combined the power of well-built ransomware with the ability to spread across the network, in a frighteningly fast and unprecedented way.
«The method of infection added to a greater spread represents greater risk», explains Mendoza. In other words, it was something new and unexpected, which combined experience from other types of worm attacks with a special ingredient: Microsoft flaws stolen years earlier from the NSA (United States).
Matías Porolli, a malware analyst at the antivirus company, performed a live demonstration of WannaCry infection on a virtual machine with three computers connected to the network. The first (patient zero) was infected by an attachment containing the malware. The other two did not have to do anything for the virus to start encrypting the disk within minutes. As with most victims, the PCs had no antivirus and Microsoft's patches were out of date, even though the company had released an update before the attack.
«The ransomware does not hide. It wants to show itself so that they can pay the ransom. The malware shows on the screen that it is encrypting all the files that it considers interesting», he explained. «The other victims, even without doing anything, will be infected,» he adds. WannaCry searches the network for information about other connected computers that hold frequently used files to lock.
Matías Porolli shows WannaCry infection step by step – Photo: Melissa Cruz Cossetti / TechTudo
As for the fact that WannaCry did not receive «many payments» – the amount in the bitcoin wallet associated with the attack is around $300,000 – Porolli points to its global reach as a factor that diluted its success. «It was a very low percentage of people who paid, in view of the number of people infected in the world,» he said. The amount charged in bitcoins to recover an infected computer was around $300. Bitcoin, however, continues to rise in price.
Features of WannaCry
In addition to the now-traditional countdown, a multilingual warning that files have been locked (and given other extensions) and a tutorial explaining how to buy bitcoins, WannaCry also provided a fake decrypt function for just three files – supposedly to prove that the criminals have the encryption key and will deliver it upon payment. After decrypting the three files, it demanded the ransom again. There is still no key for WannaCry.
Porolli also recalled that WannaCry is capable of destroying Windows shadow copies (the Volume Shadow Copy Service, VSS) and kills all backups.
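The following is an added example, not part of the original article or of ESET's demonstration: a small Python detector for the shadow-copy and backup deletion described above, run over constructed process-creation records. The log format, host names, parent process names and the choice of four built-in Windows utilities to watch are assumptions made for illustration.

```python
import re

# Utility name plus destructive verb; extra switches and argument order are ignored.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Constructed process-creation records: timestamp|host|parent image|command line
SAMPLE_EVENTS = """\
2017-05-12T08:14:03Z|WS-014|explorer.exe|vssadmin list shadows
2017-05-12T08:15:41Z|WS-014|unknown.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
2017-05-12T08:15:42Z|WS-014|cmd.exe|bcdedit /set {default} recoveryenabled no
2017-05-12T08:16:10Z|WS-022|unknown.exe|cmd.exe /c WBADMIN DELETE CATALOG -quiet
2017-05-12T08:17:00Z|SRV-BKP|taskeng.exe|wbadmin start backup -backupTarget:E: -quiet
"""

def match_rules(command_line):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def scan(log_text):
    """Return one alert dict per record that tampers with shadow copies or backups."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)   # the command line may itself contain '|'
        if len(parts) != 4:
            continue                 # skip malformed records
        ts, host, parent, cmd = parts
        hits = match_rules(cmd)
        if hits:                     # read-only use such as "list shadows" yields no hit
            alerts.append({"ts": ts, "host": host, "parent": parent, "rules": hits})
    return alerts

def hosts_by_alert_count(alerts):
    """Count triggered rules per host so responders see where recovery points are being removed."""
    counts = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + len(a["rules"])
    return counts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Because shadow copies on the infected host are removed, recovery depends on backups kept offline or otherwise out of reach of that host.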
With an eye on the «small fish»
Attacks that swept the world in 2017, like WannaCry and Petya, can wreak havoc, just as a breach like Equifax's can expose data of great importance. But these are not the only threats that security professionals, Web users and business owners must focus on to prevent further damage.
Gartner has warned companies and institutions with large fleets of machines to focus on the biggest threats, not the most popular ones. «It’s like worrying more about great white sharks than about a single mosquito. Mosquitoes kill millions of people each year, while sharks cause the same number of deaths as lightning,» said Craig Lawson, Vice President of Research at Gartner. According to Lawson, «99% of the vulnerabilities exploited until the end of 2020 will continue to be known by security and IT professionals only at the time of the incident.» Therefore, it is important to monitor the «small fish» and, above all, fix flaws.
* The journalist traveled at the invitation of ESET