What is Ransomware?
Ransomware is a malicious software that encrypts the files and locks device, such as a computer, tablet or smartphone and then demands a ransom to unlock it. Recently, a dangerous ransomware named 'Wannacry' has been affecting the computers worldwide creating the biggest ransomware attack the world has ever seen, including India.
Ransomware is a malicious software that encrypts the files and locks device, such as a computer, tablet or smartphone and then demands a ransom to unlock it. Recently, a dangerous ransomware named 'Wannacry' has been affecting the computers worldwide creating the biggest ransomware attack the world has ever seen, including India.
What is WannaCry Ransomware?
WannaCry ransomware, also goes by the nameWannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY. WannaCry ransomware attacks windows based machines.
It leverages SMB exploit inWindows machines called EternalBlue to attack and inject the malware. All versions ofwindows before Windows 10 are vulneable to this attack if not patched for MS-17-010.After a system is affected, it encrypts the files and shows a pop up with a countdown andinstructions on how to pay the 300$ in bitcoins to decrypt and get back the original files. Ifthe ransom is not paid in 3 days, the ransom amount increases to 600$ and threatens theuser to wipe off all the data. It also installs DOUBLEPULSAR backdoor in the machine.
How WannaCry Ransomware spreads?
WannaCry Ransomware uses EternalBlue MS17-010 to propagate. The ransomware spreads by clicking onlinks and downloading malicious files over internet and email. It is also capable ofautomatically spreading in a network by means of a vulnerability in Windows SMB. Itscans the network for specific ports, searches for the vulnerability and then exploits it toinject the malware in the new machine and thus it spreads widely across the network.
Things to do to protect from WannaCry Ransomware Threat
Though as per reports, WannaCry Ransomware mostly affected old version of Windows such as Windows XP, Windows 2000 etc, do not take it for granted. The following actions may be taken to protect from WannaCry Ransomware threat:
- Microsoft has released a Windows security patch MS17-010 for Windows[1] machines. Update immediately.
- Also check - Microsoft has provided patches for various Windows Operating systems at "Microsoft Security Bulletin MS17-010 -Critical " at https://technet.microsoft. com/en-us/library/security/ ms17-010.aspx[2]
- Remove old version of Windows such as Windows NT4, Windows 2000 and Windows XP-2003 from production environments.
- Block SMB ports 139, 445 and 3389 in firewall.
- SMB is enabled by default on Windows. Disable smb service on the machine(see steps below)
- Have a pop-up blocker running on your web browser.
- Regularly backup your files.
- Install a good antivirus and a good anti-ransomware product for better security
- Avoid clicking on links or opening attachments or emails from people you don't
know or companies you don't do business with.
Security Update for Microsoft Windows SMB Server (4013389)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.
Steps to Disable SMBv1:
- For those running Windows Vista and later, See Microsoft Knowledge Base Article 2696547[4] (How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server ).
- Alternative method for customers running Windows 8.1 or Windows Server 2012 R2 and later
- Open Control Panel, click Programs, and then click Turn Windows features on or off.
- In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
- Restart the system.
- Open Server Manager and then click the Manage menu and select Remove Roles and Features.
- In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
- Restart the system.
- Check out the Affected Software and Vulnerability Severity Ratings on Microsoft TechNet[5]
- MS17-010: Security update for Windows SMB Server: March 14, 2017[6]
Sponsored Links
References
- ^ MS17-010 for Windows (support.microsoft.com)
- ^ https://technet.microsoft. com/en-us/library/security/ ms17-010.aspx (technet.microsoft.com)
- ^ Microsoft Security Bulletin MS17-010 - Critical (technet.microsoft.com)
- ^ Knowledge Base Article 2696547 (support.microsoft.com)
- ^ Check out the Affected Software and Vulnerability Severity Ratings on Microsoft TechNet (technet.microsoft.com)
- ^ MS17-010: Security update for Windows SMB Server: March 14, 2017 (support.microsoft.com)