Sunday, May 14, 2017

WannaCry Ransomware

Ransomware:
Ransomware is a type of malicious software designed to encrypt all your files; the attacker will not decrypt them until a sum of money is paid.

Check out my other post relating to Ransomware Risk Mitigation


WannaCry Ransomware:
This ransomware spreads via a known vulnerability, which was recently patched by Microsoft in security bulletin MS17-010. Once a system is infected, its files are encrypted and a countdown appears. The popup demands a payment of $300, to be made via Bitcoin.





Which files are encrypted?
Almost all common extensions.

What to do if you have been attacked by WannaCry?

For now, do not pay the ransom. Restore the files from your backup.
Most previous ransomware attacks have had a way to decrypt the files without paying the ransom. However, for WannaCry, at this moment there is no way.

Has the infection been contained?

Yes, the spread of the infection has been halted for now, thanks to the good intentions of a researcher called MalwareTech, but everyone seems sure that another such attack is imminent.


Precautions to be taken:
  

Windows Update MS17-010
The virus uses the ETERNALBLUE exploit, which is closed by Microsoft security update MS17-010, released in March. I recommend that you check Windows Update for the presence of this update (by its KB code) on your computer (for example, the code for Windows 7 will be KB4012212 or KB4012215).
If the updates are not installed, you can download them from the official Microsoft website:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


Close ports 135 and 445
According to reports from antivirus companies, wcrypt penetrates computers through SMB (Server Message Block) ports. To prevent penetration, we block ports 135 and 445, through which the virus spreads (in most cases they are not used by ordinary users).
To do this, open a console with administrator rights (cmd.exe -> Run as administrator) and execute the following two commands in turn (after each command the status should be OK):
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"

netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"


Disabling SMBv1 support
The vulnerability can also be closed by disabling SMBv1 support completely. Run this command in cmd (Run as administrator):
dism /online /norestart /disable-feature /featurename:SMB1Protocol
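As an added example (not code from the original post), here is a PowerShell script that audits the three precautions above on the local machine and, with -Remediate, applies the firewall and SMBv1 steps. It assumes Windows 8 / Server 2012 or later for the Get-NetFirewallRule and Get-WindowsOptionalFeature cmdlets, and uses the Windows 7 KB numbers named above as the default hotfix IDs (substitute the MS17-010 KB for your own OS build); the firewall rule names match the netsh commands. Note that blocking inbound TCP 445 also stops inbound file and printer sharing to that host, so apply it to workstations rather than file servers.

```powershell
# Added example, not from the original post: audit (and optionally fix) the
# MS17-010 / port-block / SMBv1 precautions on the local Windows machine.
# Assumes Windows 8 / Server 2012 or later for the NetSecurity and Dism
# cmdlets; on Windows 7 only the hotfix check applies.
# Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    # Apply the firewall rules and disable SMBv1 instead of only reporting.
    [switch]$Remediate,
    # Hotfix IDs to look for; these defaults are the Windows 7 codes from the post.
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')
)

$findings = @()

# 1. Is an MS17-010 hotfix installed? Get-HotFix errors on a missing ID, so
#    suppress that and treat "nothing returned" as not installed.
$installed = foreach ($kb in $Ms17010Kbs) {
    Get-HotFix -Id $kb -ErrorAction SilentlyContinue
}
if ($installed) {
    $findings += "OK      MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    $findings += "WARN    No MS17-010 hotfix found ($($Ms17010Kbs -join ', ')); install it from Windows Update"
}

# 2. Inbound block rules for TCP 135 and 445, using the same rule names as the
#    netsh commands above. Caveat: blocking 445 also blocks inbound file sharing.
foreach ($port in 135, 445) {
    $name = "Block_TCP-$port"
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block') {
        $findings += "OK      Firewall rule '$name' is active"
    } elseif ($Remediate) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $port | Out-Null
        $findings += "FIXED   Created inbound block rule '$name'"
    } else {
        $findings += "WARN    No inbound block rule for TCP $port (run with -Remediate to add '$name')"
    }
}

# 3. SMBv1 optional-feature state; the PowerShell equivalent of the dism command above.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($null -eq $smb1) {
    $findings += "INFO    SMB1Protocol feature not reported by DISM on this OS; use the SMBv1 method for your OS version"
} elseif ($smb1.State -eq 'Disabled') {
    $findings += "OK      SMBv1 is disabled"
} elseif ($Remediate) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    $findings += "FIXED   SMBv1 disabled (reboot required to take effect)"
} else {
    $findings += "WARN    SMBv1 is $($smb1.State); run with -Remediate or the dism command above to disable it"
}

# One line per check: OK / WARN / FIXED / INFO.
$findings
```

Save it under a name of your choosing (for example Check-WannaCryPrecautions.ps1, a hypothetical filename) and run it from an elevated PowerShell prompt without arguments to audit, or with -Remediate to add the two firewall rules and disable SMBv1; the SMBv1 change needs a reboot to take effect.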
 
 




To protect yourself from future ransomware attacks:


Back up necessary data regularly.

Update your OS to the latest version. (The recently leaked NSA exploits affecting older OSes like XP will trigger more ransomware with different flavors.)

Updating your antivirus, or even having the best one, does not by itself provide the necessary protection against such attacks.

Do not open any emails from unknown senders.

Close the ports which you do not use.

Check out my other post relating to Ransomware Risk Mitigation
 


References:
For a detailed view on the attack:
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

