A growing list of countries around the world, including in Afrika, have been hit by the WannaCry ransomware worm. The ransomware attacks Microsoft Windows operating system based systems and encrypts their data and gives instructions of several Bitcoin wallets where those affected can pay $600 (at the time of publishing, ransom amount started at $300) in Bitcoins to have their files decrypted.

The list of Afrikan countries affected by the WannaCry ransomware includes, but is not limited to, South Africa, Angola, Mozambique, Tanzania, Nigeria and many more as the attack continues to spread globally.

WannaCry Geographical target distribution according to Kasperky Labs telemetry

Geographical target distribution according to Kasperky Labs telemetry for the first few hours of the attack.

More importantly, WannaCry also affects any systems running Windows server software. This would include banks, government organisations and many others as has already been witnessed thus far in many countries.

Once a Windows based system has been attacked, the computer's files are encrypted and given the extension β€œ.WCRY”.

![WannaCry message](/content/images/2017/05/wannacry_05-1024x774.png)
A message that appears after a system has been attacked.

Thus far, as per Kasperky Labs analysis, the WannaCry ransomware attacks and encrypts the following file types:

  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).

  • Less common and nation-specific office formats (.sxw, .odt, .hwp).

  • Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)

  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).

  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).

  • Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).

  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).

  • Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).

  • Virtual machine files (.vmx, .vmdk, .vdi).

It is also interesting to note that the ransomware was published on the Internet on 14 April 2017 by a group called Shadow Brokers who said it, WannaCry, was part of a cache of cyber weapons it stole from the USA's National Security Agency (NSA).

Whoever is responsible for WannaCry has put some thought into it as demonstrated by the fact that the ransom messages can be displayed in various languages. Also, the ransom payment is raised after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Typically, according to Kaspersky Labs, not all ransomware provides this timer countdown.

Furthermore, to ensure that those affected don't miss the warning, the tool changes the affected Windows system's wallpaper with instructions on how to find the decryptor tool dropped by the malware along with other payment instructions.

There is however a solution to the WannaCry ransomware, however it needs to be applied before your system is affected. The solution to prevent against the WannaCey ransomware was released as a patch by Microsoft exactly a month before Shadow Brokers published the ransomware on 14 March 2017. This in turn indicates that the Windows systems being attacked are ones that do not have all the latest Microsoft Windows patches installed.

Share this via: