When installed, the worm names itself Wanna Cry in an attempt to evade security experts.
You will probably have to reboot at this point. You can choose to reboot; usually I just log off ;) (as I'm sure most IT pros do). Finally, just re-enter the update credentials into the Sophos program and re-check for updates.
"Wanna Cry" ransom program (tasksche.exe) analysis: The sample itself contains an encrypted original RSA public key, and the attacker retains the RSA private key used for decryption.
Before encrypting the files, the sample calls the Windows Crypto API to generate a new RSA key pair, known as the sub-public key and the sub-private key.
Main program (mssecsvc.exe) file analysis: The sample main program is the main spreading program of this event. It is responsible for spreading itself and releasing the "Wanna Cry" ransom program, and then "Wanna Cry" encrypts user files and executes malicious behavior.
The sample then encrypts the sub-private key with the original RSA public key and saves it as "00000000.eky"; the sub-public key is saved as "00000000.pky".
The sample generates an AES key for encrypting the file; the contents of the encrypted file are M2, and the AES key is encrypted with the sub-public key "00000000.pky".
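For triage, the file names given in the analysis above can be turned into a simple on-disk check. This is an added example, not code from the original analysis; the function names and the stage labels are assumptions made for illustration, and the sample directory tree is constructed.

```python
import os
import tempfile

# Artifact names come from the analysis above; the role text paraphrases it.
ARTIFACTS = {
    "mssecsvc.exe": "main spreading program",
    "tasksche.exe": '"Wanna Cry" ransom program',
    "00000000.pky": "sub-public key",
    "00000000.eky": "sub-private key, encrypted with the original RSA public key",
}

def scan(root):
    """Return {artifact_name: [paths]} for known artifacts found under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()  # Windows file names are case-insensitive
            if key in ARTIFACTS:
                hits.setdefault(key, []).append(os.path.join(dirpath, name))
    return hits

def assess(hits):
    """Map found artifacts to a stage label (labels are assumptions, not vendor terms)."""
    if "00000000.eky" in hits or "00000000.pky" in hits:
        # Key files exist: the sub-private key is on disk only in encrypted form.
        return "keys-generated"
    if "tasksche.exe" in hits:
        return "ransom-dropped"
    if "mssecsvc.exe" in hits:
        return "spreader-only"
    return "clean"

def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "ProgramData", "sample")
        os.makedirs(sub)
        for name in ("TASKSCHE.EXE", "00000000.pky", "00000000.eky", "notes.txt"):
            open(os.path.join(sub, name), "wb").close()
        hits = scan(root)
        return sorted(hits), assess(hits)

if __name__ == "__main__":
    names, stage = demo()
    for n in names:
        print(f"{n}: {ARTIFACTS[n]}")
    print("stage:", stage)
```

A name match alone is a lead rather than proof, so confirm any hit against file hashes from a trusted source before acting on it.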