WannaCry Ransomware Attack: A Lesson to Learn 

The recent ransomware attack has been one of the worst cyberattacks in history. It reached almost 150 countries very quickly and alarmed the whole world. In simple words, WannaCry ransomware made the whole world cry by locking up important data and demanding a ransom for its return. The attackers demanded payments of $300 to $600 in bitcoin from organizations and individuals alike.

The unprecedented outbreak of the Trojan ransomware WannaCry has created a worldwide plague affecting home users and businesses. We have already posted some basics about WannaCry; in this post we provide further advice, particularly for businesses. It is urgent and critical to know what WannaCry is, how it spreads, what threat it poses, and how to prevent it.

About WannaCry

Most Indian IT systems are running on legacy operating systems, with Windows XP and Windows 2003 among the favored ones. According to Mr. Sachin Raste, Sr. Research Analyst, eScan, “Microsoft had stopped providing support for these two operating systems and had issued an End Of Life for these products. However, due to the recent WannaCry attack which specifically exploited a vulnerability related to SMB (File Sharing) protocol, and the worldwide outrage which has been caused by this Ransomware, Microsoft issued an urgent patch to address the vulnerability related to Windows XP and Windows 2003. India could be the most affected country, and more so in case of individual users due to pirated software usage. As per the reports, RBI has also issued an advisory as a precaution, to patch ATMs which incidentally are running on Windows XP and almost 70% of them are affected by this vulnerability.”

Mr. Nick FitzGerald of ESET says, “In terms of absolute numbers of detections, India is seventh in our detection statistics, but that may under-estimate WannaCryptor’s impact in India depending on the relative market share and penetration for our products in India compared to the countries higher in that list.”

“Ransomware WannaCry — which exploded across the globe on Friday — seems to combine the worst of the dangers implied by both warnings. The ransomware is distributed via spam and then spreads within an organization like a worm. The exploit is known as MS17-010 and was previously patched by Microsoft. However, Windows XP machines no longer receive updates, so are at particular risk. Machines using current Windows operating systems which have not been patched with March 15 updates are also at risk. This promotes the message that users should always update their software,” said Mr. Amit Nath, Head of Asia Pacific-Corporate Business, F-Secure Corporation.

Mr. Amit Nath also said that “It’s spreading fast because the MS17-010 vulnerability allows the exploit to act as a ‘worm’. And worms spread fast by nature. WannaCry has worm functionality and is able to scan and locate other hosts and replicate itself to other exposed machines via the EternalBlue vulnerability. This doesn’t require any user interaction. Claims that it was initially distributed via spam have not yet been verified.”

Commenting on the attack, Mr. Zakir Hussain Rangwala, Director of BD Software, Country Partner for Bitdefender in India, says, “There are no confirmed reports coming in and what are coming are not sure if they are really infected. There are more of opinions and imagination rather than actual attacks. We will have to wait before the figures come out. Everyone seems to have become an expert in ransomware and are giving advice to everyone. We wish to inform that all our Bitdefender GravityZone users are already protected from this ransomware family. Those with poor IT maintenance or not having proper security suites are going to be affected badly and sadly we have many SMBs and institutions where they still do not take the need for a proper security software seriously.”

According to Mr. Aleks Gostev, Chief Security Expert, Kaspersky Lab, “India is one of the most affected countries, in number of victims. Also, we have Russia and China at top of this list.”

Whereas Mr. Sunil Sharma, Vice President – Sales at Sophos, India & SAARC says, “Sophos Labs analyzed the “WannaCry” attack on Friday and immediately issued a detection update for customers. We believe this to be the first example of a commercial malware attack using ransomware techniques that took advantage of an exploit allegedly leaked from the US National Security Agency (NSA) and uses a variant of the ShadowBrokers APT EternalBlue exploit. The ransomware spreads rapidly, like a worm, by exploiting a Windows vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. It uses strong encryption on files such as documents, images, and videos. Microsoft addressed the issue in its MS17-010 bulletin.”

Major Targets

WannaCry does not differentiate between business segments or organizations; however, every organization that has failed to apply the Windows patch Microsoft issued on 14th March 2017 is at huge risk. Adding to that, Mr. Sachin says, “We have to also consider the fact that this worldwide outage was due to the sheer fact that Security Administrators failed to patch up their systems after 14th March 2017 advisory by MS.”

“Despite much of the early news coverage focussing on its impact on some NHS properties in the UK, with some reports even suggesting that the health sector was being targeted, that was not the case. WannaCryptor does not specifically target any sector,” says Mr. Nick. “It spreads through purely opportunistic mechanisms that involve randomly scanning internet IP addresses and checking those that respond for the presence of Microsoft networking protocols on port 445. A properly secured network would normally block that port (and others associated with these protocols) from being directly accessed over the internet. This makes such networks immune to infiltration in the manner WannaCryptor uses, even if many machines inside the network are unpatched and thus vulnerable to the exploit WannaCryptor uses.”

“WannaCryptor was also originally distributed through the more typical ransomware mechanism of a malicious attachment to email spam. If just one of these gets through your border defences and the attachment is opened by one of your users, all unpatched machines within your network will rapidly be infected and have their content encrypted. Thus, patching is still very important, even if your LAN is properly firewalled from the internet,” added Mr. Nick.

“WannaCry exploits a flaw in the Server Message Block (SMB) in Microsoft Windows which can allow for remote code execution. Microsoft patched the vulnerability in March already (MS17-010), however many IT environments are still behind on patches and/or may run legacy operating systems such as XP which are no longer supported nor updated with security patches. There are also a large number of machines running pirated copies of Windows (especially in China and Russia) which, by their nature, do not receive official updates and so put the machines at risk. Due to the size of the outbreak, Microsoft provided a patch yesterday for XP and Server 2003,” reveals Mr. Amit Nath.

“Government, banks, hospitals, educational institutions as per the latest reports coming in. We believe that the virus will spread further and more business will be affected,” commented Mr. Zakir Hussain.

“There is no direct target. WannaCry is a worm and spreading by sending malicious code to randomly selected IP addresses,” confirms Mr. Aleks Gostev.

According to Mr. Sunil Sharma, “The ransomware has used sophisticated techniques from the NSA data dump to drive an “outbreak,” meaning only one infection is required for it to spread across an entire network. The outbreak element explains why large organizations such as utilities and healthcare providers have been impacted most, despite it not being specifically targeted at a particular industry. No one is immune to ransomware / malware attacks. For this particular attack, businesses across all industry verticals have suffered with National Health Service being the primary victim.”
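The spreading behaviour the experts describe above, port 445 exposed to the internet and one infected host scanning many peers, can be spotted in ordinary network flow logs. The script below is an added example, not from the article or any vendor: the internal address ranges and the flow records are constructed for the demo.

```python
# Added example, not from the article: flag TCP/445 reachable from outside
# the LAN and internal hosts opening SMB to many peers (the worm's
# scan-and-replicate pattern). Flow records below are constructed, not real.
import ipaddress
from collections import defaultdict

SMB_PORT = 445
FANOUT_THRESHOLD = 5   # distinct 445 peers per host; tune for your environment
# Assumed internal ranges; an organisation would list its own address space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
203.0.113.7 51234 10.0.0.15 445 tcp
10.0.0.15 49152 10.0.0.16 445 tcp
10.0.0.15 49153 10.0.0.17 445 tcp
10.0.0.15 49154 10.0.0.18 445 tcp
10.0.0.15 49155 10.0.0.19 445 tcp
10.0.0.15 49156 10.0.0.20 445 tcp
10.0.0.15 49157 198.51.100.9 445 tcp
10.0.0.30 49200 10.0.0.5 445 tcp
10.0.0.30 49201 10.0.0.5 80 tcp
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def parse_flow(line):
    src, sport, dst, dport, proto = line.split()
    return (ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), proto.lower())

def analyse(text, threshold=FANOUT_THRESHOLD):
    """Return (exposures, spreaders): (src, dst) pairs where an external
    address reached TCP/445 on an internal host, and {host: peer_count} for
    internal hosts that opened TCP/445 to at least `threshold` destinations."""
    exposures, peers = [], defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        src, _, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport != SMB_PORT:
            continue          # only SMB traffic matters here
        if not is_internal(src) and is_internal(dst):
            exposures.append((str(src), str(dst)))
        elif is_internal(src):
            peers[str(src)].add(str(dst))
    spreaders = {h: len(d) for h, d in peers.items() if len(d) >= threshold}
    return exposures, spreaders
```

An exposure hit means the border is not blocking 445 as Mr. Nick describes; a spreader hit is a host to isolate and restore from backup, as the protection advice later in this article recommends.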

How to Protect

Mr. Sachin Raste explains how we can protect our PCs and stay secure. “First of all you should download and implement the MS17-010 patch, from the link https://technet.microsoft.com/en-us/library/security/ms17-010.aspx . Make sure that administrators block all executable files from being transmitted via emails and that administrators isolate the affected system in the network. Administrators can restore the encrypted files from the backup or from a system restore point (if enabled) for affected systems. It is very important that users shouldn’t enable macros in documents. As far as organizations are concerned, an organization should deploy and maintain a backup solution. And the most important thing, organizations should implement a Mail Security Product at the Gateway Level for mail servers, to contain the spread of suspicious attachments.”

Mr. Nick says, “First, if your Windows PCs are not fully updated with the latest security patches, install those updates.

“Second, there is some good news if you still have PCs running Windows XP, Windows 8.0 or Windows Server 2003, which are now out of standard support and thus do not receive standard, regular updates. If you really cannot upgrade the OS to a more recent version, or replace the machine, Microsoft has made patches available for those OSes that fix the so-called EternalBlue vulnerability that WannaCryptor exploits for its network worm functionality. Obtain and install these updates. Third, fourth, fifth et seq. – be very cautious about email messages with attachments, or embedded links that you are urged to click. Email is easily forged, or faked, to look like it is from people or organisations you might normally trust, so if you have doubts about any claims in an email, check them ‘out of band’ – phone the apparent sender to double-check, or use a different device if possible and manually type the URL of the site’s homepage or click a bookmark that you have previously recorded, rather than clicking a link in the email. And finally, although when it comes to planning all this, this should be the highest priority, ensure that you have good backup procedures in place and that you have tested that you can restore all your data from the system. This does nothing to prevent an attack, but it means you will not have to pay any ransom, and your files will be safe from various other kinds of disaster too,” added Mr. Nick.

Mr. Amit Nath reveals the best way to defend against WannaCry ransomware. He says, “Make sure you’re running a robust security solution that covers all your devices (PCs, Macs, smartphones, and tablets) and provides protection. As new ransomware variants keep popping up lately, this is important. If you don’t want to lose your important data, take regular backups of your data. Store the backups offline, so that they can’t get infected. And test restoring them from time to time to make sure that they really work. With good backups, if you do get hit, you can get back on your feet faster without having to fork over cash to the criminals. Keep the software on all your devices up to date to prevent exploits. If you are uncertain how to keep everything up-to-date, you may consider utilizing a tool that identifies old software versions and suggests updates. You should be extra careful with email attachments, especially with ZIP files and Office documents (Word, Excel, and PowerPoint). Don’t open email attachments that are sent by someone you don’t know. Also disable macro scripts from any Office files you receive via email and limit the use of browser plugins. Disable commonly exploited ones, such as Flash Player and Silverlight, when you’re not using them. You can do this through your web browser under the plugin settings.”
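Mr. Raste’s and Mr. Nath’s advice on attachments translates into a few concrete gateway checks: stop executables outright, look inside ZIP archives, and treat macro-enabled Office documents with suspicion. The script below is an added example, not code from the article or from any of the vendors quoted; the attachment samples are constructed in memory and contain no real malware.

```python
# Added example, not from the article: a minimal mail-gateway attachment
# check. Executables (by extension or by the "MZ" header) are blocked, ZIP
# archives are opened to look for executables inside, and Office documents
# carrying a VBA macro project are quarantined. Samples are constructed.
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def _ext(name):
    return name[name.rfind("."):].lower() if "." in name else ""

def _is_pe(data):
    # Windows executables start with the "MZ" DOS header whatever the extension
    return data[:2] == b"MZ"

def classify(filename, data):
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    if _ext(filename) in EXEC_EXTENSIONS or _is_pe(data):
        return "block"
    if data[:2] == b"PK":  # ZIP container: archives and OOXML Office files alike
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # Macro-enabled Office documents carry a vbaProject.bin part
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return "quarantine"
                for n in names:  # archives hiding executables, a common lure
                    if _ext(n) in EXEC_EXTENSIONS or _is_pe(zf.read(n)):
                        return "block"
        except zipfile.BadZipFile:
            return "quarantine"  # malformed container: do not trust it
    return "allow"

def _zip_bytes(entries):
    """Build an in-memory ZIP from {name: bytes}; only used to make samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: an executable renamed to look like a PDF, a ZIP with an
# .exe inside, a macro-enabled Word file and a clean Word file.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "scan.zip": _zip_bytes({"scan.exe": b"MZ\x90\x00"}),
    "report.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                               "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "notes.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>"}),
}

def scan_all(samples=SAMPLES):
    return {name: classify(name, data) for name, data in samples.items()}
```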

Mr. Aleks Gostev recommends the following measures to reduce the risk of infection: “Install the official patch from Microsoft that closes the vulnerability used in the attack. Ensure that security solutions are switched on on all nodes of the network. If Kaspersky Lab’s solution is used, ensure that it includes the System Watcher, a behavioral proactive detection component, and that it is switched on. Also run the Critical Area Scan task in Kaspersky Lab’s solution to detect possible infection as soon as possible (otherwise it will be detected automatically, if not switched off, within 24 hours). Then reboot the system after detecting MEM: Trojan.Win64.EquationDrug.gen and use Customer-Specific Threat Intelligence Reporting services.”

Mr. Sunil Sharma says, “There were three key factors that caused this attack to spread so quickly and, here is how it could have been avoided. The inclusion of code that caused the threat to spread across networks as a worm quickly without needing further user action after the initial infection had taken place. It exploited a vulnerability that many organizations had not patched against. Patching operating systems is the first line of a security strategy, yet many still struggle to achieve regular updates across their environments. Organizations are still running Windows XP. Microsoft had discontinued support for Windows XP and not issued a patch for this system, but subsequently issued a patch for Windows XP in light of this attack. Microsoft does support legacy versions of Windows, but at extra cost.”

“It is imperative that businesses everywhere update their operating systems, their security software and educate their users against phishing attacks. This is a best practice to reduce the risk from any attack. For home users (i.e., consumers), Sophos advises they ensure their Windows operating system has been updated with the latest Microsoft updates and that their security software is also up to date,” Mr. Sunil Sharma added.

Commenting on the techniques to avoid such attacks, Mr. Zakir Hussain says, “The best practice is to always make sure that the OS and the antivirus are always updated on time. This itself will make sure that you are safe from most of the threats. Use a reputed security suite having worldwide presence, since such products detect and fight more threats and are able to provide better prevention and cure.”

DIGITAL TERMINAL
digitalterminal.in