Why the ONION & WNCRY Ransomware Hit 70 Countries – Protection Tips

Ransomware Attack Overview

Since May 12, a ransomware wave spread globally, first striking the United Kingdom where more than 25 hospitals were compromised, demanding 300 BTC per hospital and threatening to double the ransom after three days and delete data after a week.

The infection quickly expanded to mainland China, affecting many universities; files on students' and staff computers were encrypted, and only payment could restore them. Even prestigious institutions such as Shandong University were hit.

The active ransomware families are ONION and WNCRY. Infected machines have their files renamed with new extensions, rendering images, documents, videos and archives unreadable. Ransom demands are 5 BTC (≈ ¥50,000) for ONION and $300 (≈ ¥2,000) for WNCRY.

Origin of the Attack

The outbreak traces back to a conflict between two elite hacker groups: the NSA‑affiliated Equation Group and the Shadow Brokers, a market for stolen cyber‑weapons.

In August 2016, Shadow Brokers claimed to have stolen a large cache of Equation Group tools and released some publicly. Subsequent leaks included dozens of exploits such as EternalBlue, which later became the core payload for the ransomware.

Ransomware Mechanism

The ransomware propagates via the NSA‑leaked EternalBlue exploit, which targets the Windows SMB port 445. Systems lacking the March‑year Microsoft patch can be compromised without any user interaction; the exploit can execute arbitrary code, install the ransomware, and encrypt files.

Why Victims Are Mainly Universities and Hospitals

Many Chinese ISPs have blocked port 445 for residential users, but educational networks often leave the port open, making universities and research labs prime targets for the attack.

How to Remove Infection

Currently there is no reliable decryption method; paying the ransom does not guarantee recovery.

How to Prevent Ransomware

1. Backup important files. Regular backups allow recovery without paying the attackers.

2. Apply patches. Install the latest Microsoft updates, which include fixes for EternalBlue, even for legacy systems such as Windows XP.

3. Close network ports (emergency). Verify that port 445 is not listening and disable it if necessary.

net stop rdr net stop srv net stop netbt

4. Block the malicious domain. The ransomware attempts to contact www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com before encrypting files. Adding this domain to a local hosts file pointing to a safe address can halt the attack, though the method may be short‑lived.

Who Is Not Affected

To date, no non‑Windows systems have been reported as victims; Linux users are largely unaffected.

Lessons Learned

1. Information security is an ever‑evolving field; defenses must keep pace with new exploits.

2. Prompt ISP action to block vulnerable ports can limit the spread.

3. Migrating critical workloads to alternative operating systems can reduce risk.

4. Security education and regular patch management are essential components of any IT strategy.