All You Need to Know about the WannaCry Ransomware!

HumanFirewall has released a document detailing everything about the ransomware attack of last week. First, a few updates:

Updates

* Variants reported as "WannaCrypt0r 2.0" have appeared. The original kill-switch does not stop these strains.

* A security researcher in the UK accidentally activated a kill-switch by registering the domain name that the ransomware checks before it encrypts. That slowed the attack down tremendously.

* A security researcher put an SMB honeypot on the Internet and it was infected by WannaCry within 3 minutes, which shows how aggressively the worm scans for exposed SMB hosts. (https://twitter.com/benkow_/status/863458632175898624)

* Russia and India were reported as the two worst-hit countries, attributed at the time to extensive use of Windows XP.

* The price of Bitcoin has soared from $1499 on May 7th to $1809 on May 14th! That is a massive rise of 20 percent in 7 days! (https://www.investing.com/currencies/btc-usd)

* The worm component uses EternalBlue, an exploit attributed to the NSA and published by the Shadow Brokers group in April 2017; that leak is what made this outbreak possible.

The first line of protection is Backup, Backup, Backup! Then install the MS17-010 security update and disable SMBv1 on your Windows machines. Even if the ransomware does reach you, an offline backup protects your data: keep the backup copies disconnected from the network and the Internet altogether, so the ransomware cannot encrypt them too.

“This is the largest ransomware attack seen to date, and it is growing exponentially. India will be among the top 3 worst hit countries, because of high Windows XP penetration and worse yet, pirated windows OS usage.”

“Phishing is at the heart of this ransomware attack. Humans are the weakest link in cyber security, and this ransomware attack proves that yet again,” says Ankush Johar, director at HumanFirewall.io, a phishing protection company.

Q. What is the name of the ransomware? Where did it originate from? How did it spread so fast?

A: “WanaCrypt0r” or WannaCry appears to have hit computers in Russia first, and had affected Windows computers across 150+ countries at last count.

Initial reports attributed the first infections to the age-old trick of spam and phishing: an email carrying a malicious attachment which, when opened, triggers the infection. This initial vector has not been confirmed; what is confirmed is the worm described next, which needs no user interaction at all.

The second and more evident reason for the spread was a worm component (malware that jumps from system to system across a network) that exploits a critical vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144, fixed by MS17-010). Every unpatched Windows version is affected, not only those prior to Windows 10; Windows 10 is at risk too if the March 2017 update has not been installed.

The worm scans for hosts reachable on TCP port 445, both on the local network and on random Internet addresses, infects each unpatched host it finds, encrypts its files and uses it as a new launch point. That is what produced such a massive spread in such a short time.
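The two behaviours just described are what a defender can look for in network logs: a single host opening SMB connections to many distinct addresses in a short window (the worm scanning on TCP/445), and a host resolving the kill-switch domain (the dropper has executed there). The following is an added example, not code from the original article; the connection-log and DNS-log formats, the sample lines and the fan-out thresholds are constructed for illustration and should be adapted to your own log sources.

```python
"""Flag WannaCry-style worm activity in connection and DNS logs.

Added example, not code from the original article. The log formats, the
sample log lines and the thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Kill-switch domain of the original May 2017 sample, as named in the article.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumed thresholds: an ordinary workstation rarely opens SMB sessions to this
# many distinct hosts within one minute; tune them to your environment.
FANOUT_THRESHOLD = 10
WINDOW_SECONDS = 60

# Assumed (constructed) connection-log format:
#   "<ISO time> <src ip> -> <dst ip>:<port>/tcp <action>"
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)/tcp"
)
# Assumed (constructed) DNS-log format:
#   "<ISO time> dns <src ip> query <name>"
DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\d+\.\d+\.\d+\.\d+) query (?P<name>\S+)$")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def smb_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: max distinct TCP/445 targets seen within one window} for
    every source that reached the threshold. Port 445 fan-out is the worm's
    signature: it probes many hosts, not a couple of file servers."""
    by_src = defaultdict(list)
    for line in lines:
        m = CONN_RE.match(line)
        if m and m.group("port") == "445":
            by_src[m.group("src")].append((_parse_ts(m.group("ts")), m.group("dst")))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window forward until it spans at most `window` seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def kill_switch_lookups(lines):
    """Return the hosts that resolved the kill-switch domain. The dropper looks
    the name up before it decides whether to encrypt, so a lookup means the
    malware ran on that host, whether or not the check stopped it."""
    hosts = set()
    for line in lines:
        m = DNS_RE.match(line)
        if m and m.group("name").rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            hosts.add(m.group("src"))
    return hosts


def build_sample_log():
    """Constructed sample traffic: one scanning host, one benign file-share
    user, one busy web client and a few DNS queries."""
    lines = []
    for i in range(12):  # 10.0.0.5 probes 12 distinct hosts on 445 in 12 seconds
        lines.append(f"2017-05-12T14:30:{i:02d} 10.0.0.5 -> 10.0.0.{100 + i}:445/tcp allow")
    lines.append("2017-05-12T14:30:05 10.0.0.20 -> 10.0.0.50:445/tcp allow")  # benign
    lines.append("2017-05-12T14:30:40 10.0.0.20 -> 10.0.0.51:445/tcp allow")  # benign
    for i in range(15):  # high fan-out on 443 is not SMB scanning and must be ignored
        lines.append(f"2017-05-12T14:30:{i:02d} 10.0.0.21 -> 203.0.113.{i}:443/tcp allow")
    lines.append(f"2017-05-12T14:29:58 dns 10.0.0.5 query {KILL_SWITCH_DOMAIN}.")
    lines.append(f"2017-05-12T14:31:10 dns 10.0.0.7 query {KILL_SWITCH_DOMAIN}")
    lines.append("2017-05-12T14:31:11 dns 10.0.0.20 query www.example.com")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("SMB fan-out alerts:", smb_scanners(SAMPLE_LOG))
    print("Kill-switch lookups:", sorted(kill_switch_lookups(SAMPLE_LOG)))
```

On the constructed sample the fan-out rule flags only 10.0.0.5 (12 distinct SMB targets in 12 seconds) and ignores both the benign two-server user and the web client with high fan-out on port 443; the DNS rule returns 10.0.0.5 and 10.0.0.7. Note that 10.0.0.7 appears only in the DNS rule: it has run the dropper but has not started scanning yet, which is exactly the host you want to isolate before it does.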

Q. How many countries have been affected so far?

A. 150+ at last count! Including India

Q. Which type of systems have been infected so far? Which OS's from Microsoft are vulnerable most to this ransomware?

A. WannaCry is built for Windows only. Linux, macOS and other Unix-based systems are not affected. Windows computers that have not installed MS17-010 are at risk of being encrypted.

In a rare step, Microsoft also issued a patch for out-of-support versions, namely Windows XP, Windows Server 2003 and Windows 8.

The worst hit were likely to be Windows XP users, since India still has a lot of those. Worse still is the huge population of pirated Windows installations in India, which typically never receive updates.

Q. Does this affect Microsoft Windows 10 also?

A: Windows 10 users can be affected as well if their systems are not patched and updated; the March 2017 cumulative update for Windows 10 includes the MS17-010 fix.

Q. Explain what kind of impact you have seen so far in India? Will ATMs, banks, IT companies be affected or are already affected by this?

A: India is among the worst affected! Monday 15th is likely to be like doomsday in a lot of workplaces and homes, because the attack gained traction after working hours on Friday May 12.

Banks, financial institutions, large enterprises and small enterprises will all be hit, and there is no doubt about it. When institutions like the UK’s National Health Service (NHS), the Russian Interior Ministry, Spain’s Telefonica, Iberdrola and Gas Natural, and FedEx in the US are hit despite having ‘decent’ security postures, you can well imagine what will happen in India.

Given the high number of Windows XP systems still being used in some government and even banking organisations, this could become very critical.

ATMs, on the other hand, commonly run Windows XP Embedded and usually sit on segregated networks, and the vulnerable SMB service is mainly used for file sharing, so they may be relatively safer as long as TCP port 445 is not reachable on the ATM network; but we’ve seen that installations are not always pristine!

The biggest issue is the rampant use of pirated Windows software, the extensive use of Windows XP, and poor patch maintenance, which will cause havoc for India!

As the attack started on Friday evening IST, most offices were already closed and systems powered down. The true picture will surface on Monday when major offices open.

Q. Are the government systems under attack because of this?

A: In India, any government body that has not patched its systems yet will be affected. Already, the Andhra Pradesh police has reported that their systems have been affected.

On the international front, multiple organisations have been hit by WannaCry, including the largest impacted organisation, Britain's National Health Service (NHS), the Russian Interior Ministry, Spain’s Telefonica, Iberdrola and Gas Natural, and FedEx in the US.

Q. Explain how to defend against this attack? 

A: Ensure that any computer that has not installed the 14 March 2017 security update (MS17-010) is kept off the network until it has been patched.

* FIRST THINGS FIRST, Patch all your computers using the MS17-010 security update. (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)

* BACKUP, BACKUP, BACKUP! Backup your computers and store backup away from the network or the Internet, to ensure that the backup itself does not get infected.

* Disable SMBv1 on all Windows systems. Microsoft issued guidance back in 2016 to stop using SMBv1: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

* How to disable SMBv1?: https://support.microsoft.com/en-us/help/2696547/how-to-enableand-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

* There is a kill-switch domain which should not be blocked, because the original strain exits without encrypting if it can reach it. The domain is iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. The malware resolves the name and fetches it over plain HTTP directly, without honouring proxy settings, so hosts that can only reach the Internet through a proxy fail the check and get encrypted anyway; let the name resolve and allow direct outbound HTTP to it, or sinkhole it internally so that the request succeeds.

(This is a temporary whitelisting measure; later variants use other domains or no kill-switch at all, so more robust security needs to be in place.)
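To confirm that the kill-switch condition actually holds on a given network segment, run the same check the original sample performs: a direct DNS lookup of the domain followed by a direct HTTP GET that bypasses any configured proxy. The script below is an added example, not code from the original article. The `unresolvable` resolver and the `StaticOpener` class are stand-ins constructed so the decision logic can be exercised offline; everything else uses the Python standard library.

```python
"""Check whether the WannaCry kill-switch domain is reachable from this host
the way the original sample checks it: a direct DNS lookup followed by a
direct HTTP GET that ignores the system proxy.

Added example, not code from the original article. The stand-in resolver and
opener at the bottom exist only so the decision logic can be exercised offline.
"""
import socket
import urllib.error
import urllib.request

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def direct_opener():
    """An empty ProxyHandler disables proxy use entirely, mirroring the sample,
    which connects directly and never reads the system proxy settings."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def kill_switch_reachable(domain=KILL_SWITCH_DOMAIN, timeout=5.0,
                          resolve=socket.gethostbyname, opener=None):
    """Return (reachable, detail). Both steps must succeed without a proxy; a
    host that can only reach the Internet via a proxy fails here, which is
    exactly the case in which the original sample went on to encrypt."""
    try:
        ip = resolve(domain)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"DNS lookup failed: {exc}"
    opener = opener or direct_opener()
    try:
        with opener.open(f"http://{domain}/", timeout=timeout) as resp:
            return True, f"HTTP {resp.getcode()} from {ip}"
    except urllib.error.HTTPError as exc:
        # Any HTTP response counts: the sample only checks that the request
        # completed, not the status code. HTTPError must be caught before
        # URLError because it is a subclass of it.
        return True, f"HTTP {exc.code} from {ip}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"direct HTTP to {ip} failed: {exc}"


# --- offline stand-ins (constructed for this example) -----------------------

def unresolvable(domain):
    """Resolver stand-in for a host with no working external DNS."""
    raise socket.gaierror(-2, f"{domain}: Name or service not known")


class _Response:
    def __init__(self, status):
        self._status = status

    def getcode(self):
        return self._status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class StaticOpener:
    """Opener stand-in: returns a fixed HTTP status or raises `error`."""
    def __init__(self, status=200, error=None):
        self.status, self.error = status, error

    def open(self, url, timeout=None):
        if self.error is not None:
            raise self.error
        return _Response(self.status)


if __name__ == "__main__":
    # Live check from this host (prints False with the reason when offline).
    print(kill_switch_reachable())
    # Proxy-only network: DNS works but direct TCP/80 to the Internet is blocked.
    print(kill_switch_reachable(resolve=lambda d: "203.0.113.10",
                                opener=StaticOpener(error=urllib.error.URLError("timed out"))))
```

Run it from a representative workstation on each segment (not from a server with its own egress rules): a result of False with a DNS reason means the name is blocked or sinkholed to nothing, and False with an HTTP reason means the host has DNS but no direct outbound port 80, the typical proxy-only corporate layout in which the kill-switch did not save anyone. Either way, fix the path to the domain or sinkhole it to an internal web server that answers, and still patch and disable SMBv1, since the check protects only the original strain.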

General Hygiene for Protection

Defending against this kind of attack is rather simple. Following are some key points.

FOR CONSUMERS
* Use the latest operating system.
* Make sure automatic updates are enabled and installed regularly.
* Ensure the firewall is enabled and blocks inbound connections from the Internet, in particular TCP port 445.
* Disable SMBv1; if you do not need file sharing at all, disable the SMB service completely.
* Never click or download anything in emails from untrusted sources. Download an attachment only when you are sure the mail is from a trusted party.
* Use a proper, regularly updated antivirus.

FOR ORGANISATIONS
* Latest patches must be deployed across the company immediately.
* All pirated / unpatched / outdated devices are to be removed (read: unplugged) from the network immediately.
* Employees are to be trained to detect and protect against phishing and other such scams.
* Ensure antivirus is in place and updated on every host.

Q. Microsoft patched this Windows exploit, then why did this ransomware still show the kind of impact?

A: Microsoft issued the patches in March 2017, and after the attack surfaced released a rare patch for out-of-support versions as well. Despite all this, any computer that is still unpatched can be affected, and the worm needs only one such machine reachable on port 445 to get a foothold.

Case in point: a security researcher put an SMB honeypot on the Internet and it was infected by WannaCry within 3 minutes, which shows how aggressively the worm scans for exposed hosts. (https://twitter.com/benkow_/status/863458632175898624)

Q. Is this the biggest ransomware attack ever in recorded history?

A: It is the largest ransomware outbreak to date. As a self-propagating worm, its nearest comparison is Conficker in 2008, which was not ransomware.
