WannaCry ransomware protector tool (Beta version)

WannaCry ransomware protector tool (Beta version) description


WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0 or Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system.

Here is a detailed article about the ransomware: How to protect yourself from WannaCry Ransomware

EthioCert has developed a WannaCry ransomware protection tool. The tool is explicitly meant to be run on a clean (not infected) system because, in this beta version, it simply creates decoy artifacts of the ransomware so that the malware believes it has already infected the machine.

Here are the artifact types our tool installs on systems:


1. Mutexes (MsWinZonesCacheCounterMutexA, MsWinZonesCacheCounterMutexW, MsWinZonesCacheCounterMutexA0, MsWinZonesCacheCounterMutexW0)

2. Windows services named "mssecsvc2.0" and a randomly generated string (like "tmldvhrekhwa375").

3. The file named "tasksche.exe" in the "windows" directory and in another directory whose name is similar to the service name (like "tmldvhrekhwa375").


Download the tool from here: WannaCry ransomware protector tool (Beta version) 

Instructions

1. Download the WannaCry_Ransomware_Protector.zip file and extract it.

2. Then double-click the WannaCry_Ransomware_Protector.exe file. After it finishes, click "minimize to tray".


Tool features

  • creates the above-mentioned mutexes in the Global namespace of Windows
  • checks whether the above services are installed and, if they are, queries their target path. If the target path is not the string "Ethiocert" (which indicates a probable infection), it deletes them and recreates the services with a target path of "Ethiocert"
  • checks whether the above file exists in the directories, deletes it if it does, and then creates it again with the "write protected" and "read-only" attributes in order to prevent the malware from overwriting it
  • registers itself in the Windows Task Scheduler in order to start automatically when the operating system reboots
  • stays in RAM to keep the created mutexes alive, because if the application is closed the mutexes die, which allows the malware to run partially. Even if the decoy services and files fail to be implanted, the mutexes alone guarantee protection against this malware variant, so users are advised not to exit the program but to minimize it to the tray using the button


Update

  • the tool will be updated as new variants of the ransomware appear
  • it will include the features mentioned in the drawbacks section


N.B.

If the tool displays a "mutex creation failed" notice, contact Ethiocert (ethiocert@insa.gov.et). If the tool cannot create the mutex, the malware can still infect the system, or the system may already be infected.
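The following PowerShell script is an added example, not EthioCert's tool: it shows how the decoy mutexes from the "Tool features" list are created in the Global namespace, how an already-existing mutex (the "mutex creation failed" case from the N.B.) is reported, and how the fixed-name decoy service and file are verified. It assumes an elevated session; the randomly named service and directory differ per machine and are not checked here.

```powershell
# Added example (not EthioCert's code). Needs an elevated session: Global\ mutexes
# and writes under C:\Windows require administrator rights.
$MutexNames = 'MsWinZonesCacheCounterMutexA', 'MsWinZonesCacheCounterMutexW',
              'MsWinZonesCacheCounterMutexA0', 'MsWinZonesCacheCounterMutexW0'
$script:HeldMutexes = @()   # handles must stay referenced, or the mutexes disappear

function Test-DecoyMutexes {
    foreach ($name in $MutexNames) {
        $createdNew = $false
        try {
            $m = New-Object System.Threading.Mutex($false, "Global\$name", [ref]$createdNew)
        } catch {
            # Typically access denied: the name is held by another account. Investigate.
            Write-Output "EXISTS (no access) Global\$name - $($_.Exception.Message)"
            continue
        }
        if ($createdNew) {
            $script:HeldMutexes += $m      # keep alive for the life of this session
            Write-Output "CREATED            Global\$name"
        } else {
            $m.Dispose()                   # already present: protector running, or possible infection
            Write-Output "EXISTS             Global\$name - tool already running, or possible infection"
        }
    }
}

function Test-DecoyService {
    param([string]$Name = 'mssecsvc2.0', [string]$ExpectedPath = 'Ethiocert')
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { Write-Output "MISSING service $Name"; return }
    if ($svc.PathName -like "*$ExpectedPath*") {
        Write-Output "OK      service $Name -> $($svc.PathName)"
    } else {
        # A binary path other than the decoy marker is the page's "probable infection" case.
        Write-Output "SUSPECT service $Name -> $($svc.PathName)"
    }
}

function Test-DecoyFile {
    param([string]$Path = (Join-Path $env:SystemRoot 'tasksche.exe'))
    if (-not (Test-Path -LiteralPath $Path)) { Write-Output "MISSING $Path"; return }
    $item = Get-Item -LiteralPath $Path -Force
    $readOnly = ($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0
    if ($readOnly) { Write-Output "OK      $Path (read-only decoy, $($item.Length) bytes)" }
    else { Write-Output "SUSPECT $Path is not read-only ($($item.Length) bytes) - compare with the decoy" }
}

Test-DecoyMutexes; Test-DecoyService; Test-DecoyFile
```

Like the tool itself, the session must stay open for the created mutexes to keep protecting the machine; closing it releases them.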