WannaCry Ransomware: UPDATE
Update Published: Thursday, May 18, 2017
Update Published: Tuesday, May 16, 2017 5:04PM IST
How it all started
During the first week of February 2017, a security researcher publicly disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft had failed to patch it in the preceding three months.
- Microsoft Security Bulletin MS17-010 – Critical
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0143
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0144
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0145
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0146
- Windows SMB Remote Code Execution Vulnerability – CVE-2017-0148
The zero-day memory corruption flaw resides in the implementation of the SMB (Server Message Block) network file-sharing protocol. It could allow a remote, unauthenticated attacker to crash systems in a denial-of-service attack, which would then leave them open to further attacks.
According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but at the time of writing this had not been confirmed by Microsoft.
“By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”
Current Day Scenario
WannaCry Ransomware: 22-year-old ‘accidentally’ stops attacks, warns against more to come. WannaCry ransomware has affected more than 200,000 victims in 150 countries, which also includes India.
Very recently, a 22-year-old turned out to be an unexpected saviour when he accidentally halted a vast number of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29 (approximately Rs 700). WannaCry ransomware essentially locks a user out of their computer and demands a ransom paid in Bitcoin to return control. The young analyst, whose identity is still concealed, tweets under the name MalwareTech and works for a security firm called Kryptos Logic. He admitted that he had not realised that buying the domain name would have this fortunate effect.
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental. — MalwareTech (@MalwareTechBlog) May 13, 2017
How he basically disabled the ransomware attack
A particular domain name, which he purchased, is believed to have been written into the software by the hackers to act as a kill switch. Each time the program tried to infect a computer, it would first try to contact that web page; if the request failed, WannaCry would carry on with the attack, but if it succeeded, it would stop.
In an interview with the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in gwea.com, in the code. He saw that the domain wasn’t registered and decided to purchase it. After buying the domain name, he pointed it to a ‘sinkhole’ server, which is used as a safe place to collect malicious web traffic, hoping simply to get more information about WannaCry.
“Immediately we saw five or six thousand connections a second.” He said that appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident.” However, he warned that despite this accidental save, people need to remain cautious because the hackers could simply alter the program to carry on making attacks again. “If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.
The WannaCry ransomware spreads by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March. But computers and networks that didn’t update their systems remained at risk. Russia and Britain were among the countries worst hit by the attack. The programme takes control of a user’s system and brings up a message telling users they can recover their files only if they send $300 (now believed to have risen to $600) in bitcoins to a specific address.
So far, the criminals behind the WannaCry ransomware have received nearly 100 payments from victims, totalling 15 Bitcoins, equal to about US$26,090.
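The kill-switch behaviour described above means that a host which looks up the kill-switch domain is almost certainly running the worm, whether the lookup fails (the attack proceeds) or resolves to the sinkhole (the attack halts). The following is an added example, not code from the article or from MalwareTech, that walks a constructed DNS resolver log and ranks hosts for isolation; the domain name and the log format are placeholders, since the article does not reproduce the real domain.

```python
import re

# Placeholder only: the real kill-switch domain is not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log (hypothetical format:
# timestamp, client IP, queried name, DNS response code).
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.5.17 update.microsoft.com NOERROR
2017-05-12T10:01:04Z 10.0.5.17 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:01:04Z 10.0.5.23 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:01:06Z 10.0.5.17 killswitch-placeholder.example NOERROR
2017-05-12T10:01:07Z 10.0.5.40 mail.example.org NOERROR
2017-05-12T10:01:08Z 10.0.5.23 killswitch-placeholder.example NOERROR
2017-05-12T10:01:09Z 10.0.5.40 killswitch-placeholder.example NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Split one log line into its four fields; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode}

def find_killswitch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map client IP -> counts of failed (NXDOMAIN) and resolved lookups
    of the kill-switch name. NXDOMAIN means the check failed, so the
    worm would have gone on to encrypt; a resolved answer means it
    reached the sinkhole and halted."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != domain:
            continue
        entry = hits.setdefault(rec["client"], {"nxdomain": 0, "resolved": 0})
        key = "nxdomain" if rec["rcode"] == "NXDOMAIN" else "resolved"
        entry[key] += 1
    return hits

def hosts_to_isolate(hits):
    """Hosts whose lookup ever failed: encryption likely ran, so these
    are the ones to disconnect from the network first."""
    return sorted(h for h, c in hits.items() if c["nxdomain"] > 0)

if __name__ == "__main__":
    found = find_killswitch_lookups(SAMPLE_DNS_LOG)
    for host, counts in sorted(found.items()):
        print(host, counts)
    print("isolate first:", hosts_to_isolate(found))
```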
Reported incidents from India
- So far, the global cyber-attack has affected more than 200,000 victims in 150 countries, which also includes India
- Four computers of two village panchayats in Kerala were hit, at the Thariyode panchayat office in the hilly district of Wayanad
- Some computers of Andhra Pradesh’s police departments were affected too
- Computers in 18 police units in Chittoor, Krishna, Guntur, Visakhapatnam and Srikakulam districts were affected
What should you do to be safe?
- Keeping a backup is the safest and most effective way to deal with the threat
- India’s Computer Emergency Response Team (CERT-In) has advised users to back up all their essential files offline, on a hard disk or pen drive
- Individual users as well as organisations have been asked to apply the patches for their Windows system(s) listed in Microsoft Bulletin MS17-010, which is marked critical
- Don’t open e-mails, or links in e-mails, even from people in your contact list. E-mail has proven to be an effective carrier in the case of the ‘WannaCry’ ransomware
- Avoid downloading from websites that are not trustworthy, and do not open attachments from unsolicited e-mails
- Update the antivirus on all your systems and download Microsoft’s latest software patches. For unsupported Windows versions such as XP, Vista etc., the user can download the necessary patch from this link: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
- While browsing, steer clear of unsafe websites and employ essential filters in your browser.
- Use the security tools on the IT ministry website for higher safety
What can be done if you are a victim of a ransomware cyber attack?
- Though there is no way out, there are a few measures one could take to either minimise the damage or stop it from spreading. According to CERT-In, the user should immediately disconnect the affected system to stop it from spreading.
- Since the encryption does not happen instantly, the user should try to back up the essential files as soon as possible. This will help minimise the damage.
- According to CERT-In, victims of the ransomware are advised not to pay the ransom, as there is no guarantee that the files will be returned. Instead, report any such case to CERT-In at Incident@cert.org.in and to other law enforcement agencies.