RE: How to Prevent WannaCry Ransomware ? [All Possible Methods] 12-12-2017, 11:20 AM
#3
I've reverse-engineered the WannaCry ransomware myself and there are a couple of "unofficial" ways to stop it from encrypting your files.
1. Relocate all your files into directories such as the Windows or Program Files directory. WannaCry skips these directories when iterating through the file system probably for optimisation?
2. Hook the mutex creation of the value(s) that it uses. WannaCry will check the existence of a mutex to test whether it should start the actual ransomware executable for encryption. This is probably something an anti-virus could/would do. Of course this could change and is more of a vaccine for existing strains.
It might be interesting to note these methods because it could be common behaviour that spans across generic ransomware. Unfortunately, ones like Petya still target the boot loader so no matter what you do, you'll still lose access to your files. Perhaps it's also a viable option to run the entire computer under a sandbox so that any changes made to the computer will be reset each reboot, something that would be used in a school environment. One that I've encountered is called "Deep Freeze", but it should be noted that there exist methods which could persist files to survive resets, such as special directories and, of course, exploits (probably very unlikely for generic "shotgun"-approach malware; more for a targeted attack scenario).
(This post was last modified: 12-12-2017, 11:22 AM by reGEN.)
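The "vaccine" idea from point 2 of the post above, as an added example (not reGEN's code and not taken from any WannaCry sample): a PowerShell script that pre-creates and holds named mutexes so that a strain which checks for them before launching its encryptor concludes it is already running. The post does not give the actual mutex value(s), so the names below are hypothetical placeholders to be replaced with the name(s) from your own analysis of the strain you are vaccinating against.

```powershell
# Added example: a "mutex vaccine" of the kind described in the post above.
# It creates and holds named mutexes for as long as this process lives, so a
# sample that tests for them (to decide whether to start its encryption
# component) sees them present and does nothing.
#
# The names below are PLACEHOLDERS (the post does not give the real values);
# substitute the mutex name(s) the strain actually checks. Use the "Global\"
# namespace (run elevated) so the object is visible from every session on
# the machine, not just the one this script runs in.
#Requires -Version 5.1

[CmdletBinding()]
param(
    # Hypothetical names; replace with the mutex name(s) the strain checks.
    [string[]]$MutexNames = @(
        'Global\ExampleRansomwareMutexA',
        'Global\ExampleRansomwareMutexB'
    )
)

$held = @()
foreach ($name in $MutexNames) {
    $createdNew = $false
    try {
        # initiallyOwned = $true: we take ownership and keep it, so the kernel
        # object exists until this process exits or releases it.
        $m = New-Object System.Threading.Mutex($true, $name, [ref]$createdNew)
    } catch [System.UnauthorizedAccessException] {
        Write-Warning "No access to '$name': it exists under another account's ACL, or 'Global\' needs elevation."
        continue
    }

    if ($createdNew) {
        Write-Host "Holding vaccine mutex: $name"
        $held += $m
    } else {
        # Something else created it first: either an earlier copy of this
        # script, or the thing we are vaccinating against is already running.
        # Treat the host as suspect rather than assuming it is protected.
        Write-Warning "Mutex '$name' already existed; investigate this host before trusting it."
        $m.Dispose()
    }
}

if ($held.Count -eq 0) {
    Write-Error 'No mutex could be created; the vaccine is not in effect.'
    exit 1
}

# Stay resident. Closing this process releases the handles, after which a
# later sample would find no mutex and proceed as normal, so in practice this
# would be run as a service or scheduled task at logon, not interactively.
Write-Host "Vaccine active for $($held.Count) mutex(es). Press Ctrl+C to release."
try {
    while ($true) { Start-Sleep -Seconds 60 }
} finally {
    foreach ($m in $held) { $m.ReleaseMutex(); $m.Dispose() }
}
```

The caveat reGEN raises applies directly: this only covers strains that check those exact names, and a variant that changes the name, checks for the mutex differently, or drops the check altogether walks straight past it. The "already existed" branch is also the only part that doubles as detection, which is why it warns instead of silently reusing the mutex.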