17 May Everything about the WannaCry ransomware cyber attack
What is a ransomware attack? What are the causes of the attack? What is WannaCry’s exploit?
What is WannaCry?
It is a Trojan-type piece of malware of the kind known as “ransomware”. Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. Payment is demanded in the form of Bitcoins (because bitcoin transactions cannot be traced). The WannaCry ransomware specifically asks for $300 in bitcoins.
Ransomware is a malicious piece of software that often gets downloaded to your system when you download files from unauthorized links or open unknown mails that may be present in your inbox.
Once downloaded, the ransomware gets full authority over your system and blocks your access to the system.
Once your access is blocked, a message is displayed on your desktop asking for a ransom, and you are required to pay the sum of money to get your access back.
It’s high time that we all start taking our cyber-security issues seriously. The recent ransomware attack, which started spreading on Friday May 12th, has hit a lot of hospitals, schools, shops, factories, organizations and government agencies, affecting tens of hundreds of systems across the globe. This attack uses a malicious software called “WanaCrypt0r 2.0” or WannaCry, which exploits a vulnerability in Windows. Although Microsoft had already released the patch in March, not everyone has updated their computers, leaving them vulnerable to this attack.
So let’s start with the basic knowledge of this malware and then look at how you can protect yourself.
If you look into the ransomware, there never was something like this before with such power to replicate itself and spread like a “worm”.
More than 99 countries have been hit and many organizations are suffering, including hospitals, police departments, IT firms and more.
Windows XP is the most vulnerable OS, and many institutions still use it although Microsoft has said it will not give any more support.
The WannaCry attack could burst the bitcoin bubble. Governments around the world could respond to the recent ransomware attack by attempting to shut down bitcoin.
Bitcoin not only makes a large-scale ransomware computer attack relatively easy and secure, but it makes other kinds of ransom much easier to perpetrate. Kidnap a family member of a wealthy person and demand payment in bitcoin. People have warned about this use of bitcoin from the beginning, and indeed I have been told that many previous ransoms have succeeded by demanding bitcoin payment. It makes it far more difficult to catch the kidnapper.
Probably most (99%?) of the people who received the ransomware attack had no idea how to obtain a bitcoin. My guess is that most of those attacked immediately decided to pay, and planned that once their system was restored, to upgrade it or put in the protection. But how to pay in bitcoin? To do this they had to contact a broker, someone who advertises bitcoin conversion for a fee.
I’m predicting that many governments around the world will try to make bitcoin exchanges illegal in order to make it very difficult to change dollars into bitcoins. There will always be back-doors (exchange in Nigeria or some other location that will keep them legal) but the governments can make convenient exchanges much more difficult.
And the following image is set as default wallpaper background:
Microsoft president blasts NSA for its role in ‘WannaCry’ computer ransom attack.
The fast-moving virus, which first hit Friday, exploits a vulnerability in the Windows operating system that had been discovered by the U.S. National Security Agency. That information was stolen by hackers and published online.
The fact that the NSA can have top secret information like that stolen from them is a problem.
A Microsoft executive sharply criticized a U.S. spy agency Sunday for its role in weaponizing a weakness in Windows and allowing it to be stolen by hackers and used to launch history’s largest ransomware attack.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Brad Smith, president and chief legal officer at Microsoft, wrote in the wake of the “WannaCry” computer virus attack, which crippled computers worldwide.
He compared it to the U.S. military having some of its Tomahawk missiles stolen. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,” he added.
Britain’s National Health Service suffered one of the worst attacks because, in part, many of its systems were running Windows XP, an older version of the operating system that Microsoft had stopped supporting long ago. Over the weekend, the company took the extraordinary step of releasing security updates for XP and other versions it no longer supported.
But Smith saved his harshest words for the NSA and called on international governments and policymakers to rethink their approaches to cybersecurity and cyberspying. In doing so, he joined a chorus of critics who had been pointing fingers all weekend at the NSA.
The attack began on Friday, 12 May 2017, and has so far hit 150+ countries, affecting 230,000+ computer systems.
India, Russia, Taiwan and Ukraine are the countries badly affected by the WannaCry ransomware, and the popular services affected include LATAM Airlines, FedEx and Britain’s National Health Service.
The spread of the ransomware was reduced when an internet security researcher who blogs under the name “MalwareTech” unknowingly pulled a kill switch against the WannaCry ransomware, reducing its effectiveness. The kill switch worked when MalwareTech registered a domain name that was found in the ransomware code.
However, MalwareTech had warned that the attackers could bypass the kill switch, and this was confirmed when the latest detected version of WannaCry was found to lack the kill switch.
WANNACRY RANSOMWARE AND ATMS – ARE ATMS VULNERABLE?
ATMs in India mostly run on Windows XP, so there was a real chance of these systems getting infected. But the banking officials were quick to react and have updated the ATMs with the ransomware patch. So your money is safe and you need not worry.
How does it work?
Windows had a security problem that allowed this kind of attack to happen. Microsoft has since released an update to plug this security hole; however, not all computers are patched. The WannaCry ransomware writes itself into a randomly named folder under “ProgramData” with the file name “tasksche.exe”, or into “C:\Windows\” with the file names “mssecsvc.exe” and “tasksche.exe”. It grants itself full access to all files using a batch script. Finally it encrypts all your local data and changes the extension to “.WCRY”.
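The file names and extension above are the on-disk traces a defender can look for. The following PowerShell function is an added example, not code from the original post: it takes a list of file paths, flags the two binary names the article gives and any file carrying the “.WCRY” extension, and reports whether a binary sits in one of the two locations the article names. The sample listing is constructed; the function, parameter and rule names are my own.

```powershell
# Added example (not from the original post): look through a list of file paths
# for the on-disk traces the article describes and summarise them. It runs
# offline against constructed sample paths; on a live host, feed it the
# FullName values from Get-ChildItem instead.
function Test-WannaCryIndicators {
    param(
        [Parameter(Mandatory)]
        [string[]]$Paths
    )

    # Names the article gives for the dropped binaries, and the extension it
    # says is appended to encrypted files.
    $dropperNames = @('tasksche.exe', 'mssecsvc.exe')
    $encryptedExt = '.WCRY'

    $binaries  = New-Object 'System.Collections.Generic.List[string]'
    $encrypted = New-Object 'System.Collections.Generic.List[string]'

    foreach ($p in $Paths) {
        $leaf = [System.IO.Path]::GetFileName($p)
        # -contains is case-insensitive in PowerShell, so TASKSCHE.EXE also matches.
        if ($dropperNames -contains $leaf) {
            # Record where it sits: ProgramData\<random> and C:\Windows are the
            # locations the article names; anything else is still worth a look.
            $dir = [System.IO.Path]::GetDirectoryName($p)
            $expected = ($dir -match '^[A-Za-z]:\\ProgramData\\[^\\]+$') -or ($dir -match '^[A-Za-z]:\\Windows$')
            $binaries.Add("$p (expected location: $expected)")
        }
        if ([System.IO.Path]::GetExtension($p) -ieq $encryptedExt) {
            $encrypted.Add($p)
        }
    }

    [pscustomobject]@{
        SuspiciousBinaries = $binaries
        EncryptedFiles     = $encrypted
        EncryptedCount     = $encrypted.Count
        Infected           = ($binaries.Count -gt 0) -or ($encrypted.Count -gt 0)
    }
}

# Constructed sample listing: two droppers where the article says they land,
# one same-named file elsewhere, two encrypted user files and one benign file.
$sample = @(
    'C:\ProgramData\qwzrtxqy\tasksche.exe',
    'C:\Windows\mssecsvc.exe',
    'C:\Users\alice\Downloads\tasksche.exe',
    'C:\Users\alice\Documents\budget.xlsx.WCRY',
    'C:\Users\alice\Pictures\holiday.jpg.WCRY',
    'C:\Users\alice\Documents\notes.txt'
)
Test-WannaCryIndicators -Paths $sample | Format-List
```

On a real machine, replace `$sample` with `Get-ChildItem -Path 'C:\ProgramData','C:\Windows','C:\Users' -Recurse -File -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName`. File names and extensions are cheap for malware authors to change between variants, so a hit should trigger the isolation and reporting steps later in this post, while a clean result is a hint rather than proof that the host is unaffected.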
The country’s cyber security agency Computer Emergency Response Team of India (CERT-In) has issued a red-coloured ‘critical alert’ in connection with the WannaCry attack, and warned users to not pay the ransom.
“Individuals or organisations are not encouraged to pay the ransom as this does not guarantee files will be released. Report such instances of fraud to CERT-In and law enforcement agencies,” CERT-In said.
The massive cyber attack was slowed down on Sunday when a researcher accidentally triggered the kill switch for the virus, but the hacker group responsible soon updated the virus and had it spreading again.
Once a victim is infected with the WannaCry virus, the following screen is displayed on infected PC:
HOW TO PROTECT WINDOWS SYSTEMS FROM WANNACRY RANSOMWARE ATTACK?
If you own a Windows-powered system and are in any of the affected countries, it is wise to safeguard your Windows system from the WannaCry ransomware attack. If you are looking for ways to protect your PC from WannaCry, below are some of the easiest and most effective ones:
- The first and foremost way to protect your system from the WannaCry cyber attack is to update your Windows to the latest patched version. As soon as the WannaCry ransomware started spreading, Microsoft came up with a security patch for Windows 10 to safeguard your system from the attack. If you haven’t updated your Windows system yet, do it as soon as possible.
- Be sure not to download anything from unauthorized websites. Unauthorized downloads are the main way ransomware spreads. Also check the things you download from your email inbox, and make sure that what you download was sent by people you know.
- Keep a regular backup of all the data stored on your Windows PC. This way, if your Windows system is infected by WannaCry, you will be able to perform a complete data wipe to start your PC clean and then restore the last backup of all your content.
How to Protect Myself?
- The first basic step you should take right now is to apply patches to your Windows system.
If you are on the latest supported version then visit the link below to apply the patch.
- If you are on an unsupported version such as Windows XP, Vista or Server 2003/2008, then visit this link:
- Take a backup of your critical data and store it offline on some portable disk.
- Update your antivirus to the latest version.
- Disable macros in all Microsoft Office products.
- Don’t open any attachments sent to you by mail, even if they are from your closest friend. Also don’t click on any URLs in the mail.
- Make sure you don’t connect to WiFi networks that you don’t know or trust.
How can we stop cyber attacks like the (May 2017) WannaCry?
- Keep systems patched and up to date, at least for security patches.
- Segment networks and harden critical resources; don’t just rely on a perimeter firewall. Someone’s office desktop should not be able to talk to a process control computer, let alone have write access to it.
- Isolate unpatchable machines. You need XP to control an old milling machine or MRI scanner? Fine. Put them both inside a firewall and let only sanitized packets in or out, JPEGs for instance.
Hospitals have a problem, because patches can be unstable and can break systems. If critical systems break, patients’ lives can be at risk. Most of the time, that’s more likely than a cyberattack. Sometimes, people refuse to install even security patches because they believe that will void the certification. In the US, that’s not true – a patch will not void FDA approval, which is required only for new equipment. Conversely, the FDA has no mandate to enforce security patching or ensure devices are still compliant. Interestingly enough, we got burned by just this mentality with the worm in 2003 – we had bought a turnkey door access control system which included an MS SQL server, and the vendor had disabled the normal automated patching in case it “broke their software”. The resulting infection knocked our entire campus off the internet for a few hours.
What to do if You are already infected by WannaCry Ransomware?
- Immediately isolate your system from the network; this prevents the malware from spreading to other systems.
- Preserve your data; even though it is encrypted, don’t delete it.
- Report the incident to CERT-In and your local law enforcement agency.
Install the latest security patch (MS17-010)
MS17-010 is available for:
Windows Server 2008 R2 and the other Windows versions still supported by Microsoft.
For Windows 2003 and XP, since there is no official security update, we recommend upgrading to Windows 10 or another version for which the MS17-010 patch is available.
Close ports 445, 135, 137, 138 and 139
WannaCry spreads from machine to machine through Windows network ports such as 445, 135, 137, 138 and 139, which are used for file and network sharing and carry a high risk. Therefore, to avoid the WannaCry virus, we recommend closing ports 445, 135, 137, 138 and 139 with the Windows Firewall.
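Closing those ports at the host firewall, and the segmentation advice from the earlier section (an office desktop should not be able to reach a process control machine), can both be expressed as Windows Firewall rules. The following PowerShell is an added example, not code from the original post: it creates inbound block rules for the five ports, optionally scoped to untrusted source ranges so a trusted management subnet can still reach the machine, and then reads the rules back for verification. The rule names, the function names and the sample subnet are assumptions; the cmdlets are the NetSecurity module shipped with Windows 8 / Server 2012 and later and need an elevated session.

```powershell
# Added example (not from the original post): create Windows Firewall rules that
# block inbound traffic on the ports the article lists, with the option of
# limiting the block to untrusted source ranges so that a trusted management
# subnet can still reach the machine (the segmentation idea from the earlier
# section). Requires an elevated PowerShell on Windows 8 / Server 2012 or later
# (NetSecurity module). Rule names and the sample subnet are assumptions.
function Block-WannaCryPorts {
    param(
        # Source addresses to block. 'Any' (the default) closes the ports to
        # everyone; pass CIDR ranges instead to block only untrusted segments.
        [string[]]$BlockFrom = 'Any',
        [string]$RulePrefix = 'WannaCry-Block'
    )

    # Transport per port: 135 (RPC endpoint mapper), 139 (NetBIOS session) and
    # 445 (SMB) run over TCP; 137 (NetBIOS name) and 138 (NetBIOS datagram) over UDP.
    $portSets = @(
        @{ Protocol = 'TCP'; Ports = @(135, 139, 445) },
        @{ Protocol = 'UDP'; Ports = @(137, 138) }
    )

    foreach ($set in $portSets) {
        $name = "$RulePrefix-$($set.Protocol)"
        # Drop any earlier copy so the function can be re-run safely.
        Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -Name $name -DisplayName "$name (inbound)" `
            -Direction Inbound -Action Block -Protocol $set.Protocol `
            -LocalPort $set.Ports -RemoteAddress $BlockFrom -Profile Any -Enabled True | Out-Null
    }
}

function Get-WannaCryPortRules {
    # Read the rules back with their port filters so the result can be audited
    # or compared across hosts.
    param([string]$RulePrefix = 'WannaCry-Block')
    Get-NetFirewallRule -Name "$RulePrefix-*" -ErrorAction SilentlyContinue | ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.Name
            Enabled   = $_.Enabled
            Action    = $_.Action
            Protocol  = $filter.Protocol
            LocalPort = ($filter.LocalPort -join ',')
        }
    }
}

# Block the ports from everywhere (the article's advice):
Block-WannaCryPorts
# Or, for a machine that a management subnet must still reach over SMB, block
# only the user LAN (assumed sample range):
# Block-WannaCryPorts -BlockFrom '192.168.10.0/24'
Get-WannaCryPortRules | Format-Table -AutoSize
```

Two points worth knowing when adapting this. Windows Firewall evaluates explicit block rules before allow rules, so an exception for a trusted host is made by narrowing the block rule’s source addresses (the `-BlockFrom` parameter), not by adding an allow rule on top of a blanket block. And the firewall only limits exposure: the machine remains vulnerable to any source still permitted to reach port 445 until the MS17-010 update is installed. Systems without the NetSecurity module (Vista, Server 2008) can get equivalent rules from `netsh advfirewall firewall add rule`. Since MS17-010 fixes flaws in the SMBv1 server, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` (Windows 8.1 / Server 2012 R2 and later) is a further hardening step beyond what the post describes.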
Install the latest Windows Defender antivirus
Microsoft released a Windows Defender update that detects WannaCry as Ransom:Win32/WannaCrypt, so install the latest version of this antivirus, enable it and run it to detect this ransomware.
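The detection only helps if Defender is running and its signatures are newer than the update the article mentions. The following PowerShell is an added example, not code from the original post: it reports real-time protection state and signature age, and refreshes signatures and runs a quick scan when they are stale. The functions and the one-day threshold are assumptions; the cmdlets come from the Defender module on Windows 8.1 / Server 2016 and later and need an elevated session.

```powershell
# Added example (not from the original post): check that Defender is active
# with fresh signatures; if not, pull new definitions and run a quick scan.
# Requires the Defender PowerShell module (Windows 8.1 / Server 2016 and later)
# and an elevated session. Function names and the age threshold are assumptions.
function Test-DefenderReady {
    param([int]$MaxSignatureAgeDays = 1)   # assumed threshold; tune to your policy

    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = [math]::Round($sigAge.TotalDays, 2)
        SignaturesCurrent  = $sigAge.TotalDays -le $MaxSignatureAgeDays
    }
}

function Update-DefenderAndScan {
    # Fetch the latest definitions, run a quick scan, then list anything found.
    # Detections also land in the Windows Defender operational event log.
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
    Get-MpThreatDetection
}

$ready = Test-DefenderReady
$ready | Format-List
if (-not $ready.RealTimeProtection) {
    # Turn real-time monitoring back on if it was switched off.
    Set-MpPreference -DisableRealtimeMonitoring $false
}
if (-not $ready.SignaturesCurrent) {
    Update-DefenderAndScan
}
```

Run it on each host after patching; a signature age of more than a day in the middle of an outbreak usually means the update channel is blocked or the machine has been offline, which is worth investigating on its own.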
Do not open email attachments or click on links from unknown sources
Avoid opening emails with suspicious attachments that appear to alert you to legal fees, claims or similar. Do not open messages or attachments from unknown senders.