How to protect your computer from WannaCry ransomware attacks


What is WannaCry Ransomware?

It is the name of a prolific ransomware outbreak, known as WannaCry, that holds your computer hostage until you pay a ransom.

The attack hit organisations around the globe, bringing down computer systems from Russia and China to the UK and the US. It locks the entire system and demands a ransom, under threat of losing everything.

According to reports by CNET, 200,000 computers in 150 countries had been affected by this new malware at the time of writing. The victims include hospitals, banks, telecommunications companies and warehouses.

How does it work?

When WannaCry lands on a computer it first tries to reach a hard-coded "kill switch" domain and exits if it can; otherwise it installs itself as a service and starts its encryption component. It does not need to contact a server to obtain keys: it generates an RSA key pair on the victim machine, encrypts each file with a fresh AES key, and protects those keys with the attackers' public key embedded in the binary, so encryption proceeds even on a machine with no Internet access. Once the files are encrypted, it displays a message asking for payment to decrypt them and threatens that the files will be lost if it is not paid, with an on-screen countdown (the price doubles after a few days and the files are declared unrecoverable after a week) to ramp up the pressure.


How does it spread?

Most ransomware arrives hidden inside Word documents, PDFs and other files sent by email, or as a secondary infection on computers already compromised by malware that offers a back door for further attacks. WannaCry is different: it carries a worm component that spreads on its own over SMB (TCP port 445), exploiting the MS17-010 vulnerability (ETERNALBLUE) on unpatched hosts and using the DoublePulsar backdoor where an earlier compromise has already installed it. A single infected machine on a network can therefore infect every other unpatched machine without anyone opening an attachment.

What are the affected products?

Every Windows version that has not received the MS17-010 update (released in March 2017) is vulnerable; the update covers Windows Vista through Windows 10 and Windows Server 2008 through Server 2016. Windows XP, Windows 8 and Windows Server 2003 had already left support and did not receive that update, so they were fully exposed; as a special case, Microsoft issued an out-of-band patch for them once the outbreak started. In practice the vast majority of infections were unpatched Windows 7 systems. Refer to the CVEs listed in IOCs – WANNACRY RANSOMWARE.xlsx.

How does it impact you?

Once the initial worm module is introduced to a system it creates two kinds of thread: one scans hosts on the local network, and another, started 128 times, scans hosts on the wider Internet. The LAN-based scanning targets TCP port 445 and attempts to exploit every discovered system using MS17-010/ETERNALBLUE (or, where the DoublePulsar backdoor is already present, uses it directly to load the payload).

The Internet-scanning threads generate random IP addresses. If a connection to port 445 on a random address succeeds, the whole /24 range around it is scanned, and exploit attempts are made against every host found with port 445 open. So if a target network exposes port 445 and has not applied the patch, there is a high chance it will be infected.
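As an added example (not code from the original advisory), the PowerShell script below turns the behaviour described above into a detection. It reads Windows Firewall log lines in pfirewall.log format and flags any internal host that sweeps many distinct SMB targets within a short window, or that attempts TCP/445 connections to public addresses, which is exactly what the LAN thread and the 128 Internet threads produce. The log lines are constructed for the example, and the thresholds are assumptions to tune for your own network.

```powershell
# Added example, not code from the original advisory: flag hosts whose TCP/445
# traffic matches the two WannaCry scanning threads (LAN sweep and connection
# attempts to random Internet addresses). Input is Windows Firewall log format
# (%systemroot%\system32\LogFiles\Firewall\pfirewall.log); the lines below are
# constructed for the example, and the thresholds are assumptions.

$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 14:03:01 ALLOW TCP 10.0.0.9 10.0.0.2 50122 445 0 - 0 0 0 - - - SEND
2017-05-12 14:03:10 DROP TCP 10.0.0.5 10.0.0.1 49812 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:10 DROP TCP 10.0.0.5 10.0.0.2 49813 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:10 DROP TCP 10.0.0.5 10.0.0.3 49814 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:11 DROP TCP 10.0.0.5 10.0.0.4 49815 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:11 DROP TCP 10.0.0.5 10.0.0.6 49816 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:11 DROP TCP 10.0.0.5 10.0.0.7 49817 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:12 DROP TCP 10.0.0.5 10.0.0.8 49818 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:12 DROP TCP 10.0.0.5 10.0.0.9 49819 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:12 DROP TCP 10.0.0.5 10.0.0.10 49820 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:13 DROP TCP 10.0.0.5 10.0.0.11 49821 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:20 DROP TCP 10.0.0.5 203.0.113.7 49901 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:20 DROP TCP 10.0.0.5 198.51.100.23 49902 445 52 S 1 0 8192 - - - SEND
2017-05-12 14:03:25 ALLOW TCP 10.0.0.9 10.0.0.2 50130 445 0 - 0 0 0 - - - SEND
'@

# Parse only the columns we need; lines beginning with '#' are log headers.
$events = foreach ($line in ($sampleLog -split "`r?`n")) {
    if (-not $line -or $line.StartsWith('#')) { continue }
    $p = $line -split '\s+'
    [pscustomobject]@{
        Time  = [datetime]"$($p[0]) $($p[1])"
        Proto = $p[3]
        Src   = $p[4]
        Dst   = $p[5]
        Dport = [int]$p[7]
    }
}

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 ranges; anything else counts as "Internet" for the worm's second thread.
    $o = $ip -split '\.' | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-SmbScanSuspects {
    param(
        [object[]]$Events,
        [int]$MinDistinctTargets = 8,   # assumed threshold: distinct hosts hit on 445
        [int]$WindowSeconds      = 120  # assumed window in which that count is suspicious
    )
    $Events |
        Where-Object { $_.Proto -eq 'TCP' -and $_.Dport -eq 445 } |
        Group-Object Src |
        ForEach-Object {
            $targets = @($_.Group.Dst | Sort-Object -Unique)
            $public  = @($targets | Where-Object { -not (Test-PrivateIPv4 $_) })
            $times   = @($_.Group.Time | Sort-Object)
            $seconds = ($times[-1] - $times[0]).TotalSeconds
            # The /24 that receives most attempts: the LAN thread and the
            # follow-up /24 sweep of the Internet thread both produce one.
            $top24 = $targets |
                ForEach-Object { (($_ -split '\.')[0..2] -join '.') + '.0/24' } |
                Group-Object | Sort-Object Count -Descending | Select-Object -First 1
            $reasons = @()
            if ($targets.Count -ge $MinDistinctTargets -and $seconds -le $WindowSeconds) {
                $reasons += "$($targets.Count) distinct SMB targets in $seconds s (sweep of $($top24.Name))"
            }
            if ($public.Count -gt 0) {
                $reasons += "SMB attempts to public addresses: $($public -join ', ')"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Source = $_.Name; Reasons = $reasons }
            }
        }
}

Get-SmbScanSuspects -Events $events | ForEach-Object {
    Write-Output "[!] $($_.Source): $($_.Reasons -join '; ')"
}
```

On the constructed input only 10.0.0.5 is reported, for both reasons (a sweep of 10.0.0.0/24 and connection attempts to 203.0.113.7 and 198.51.100.23); the ordinary client 10.0.0.9 talking to one file server is not. Replace `$sampleLog` with `Get-Content` of the real log to run it against a host, or feed the same logic the firewall or NetFlow export at the perimeter.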

How much are they asking for?

WannaCry asks for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computer, doubling to $600 if the first deadline passes.

Will paying the ransom really unlock the files?

Sometimes paying the ransom works, and sometimes it does not. For the CryptoLocker ransomware that hit a few years ago, some users reported that they really did get their data back after paying the ransom, which was typically around £300. But there is no guarantee that paying will work, because cyber criminals are not exactly the most trustworthy group of people.

There is also a collection of malware that goes out of its way to look like ransomware such as CryptoLocker, but which will not hand back the data if victims pay. Plus, there is the ethical issue: paying the ransom funds more crime.

How can this be prevented?

Although the vulnerability was patched in March 2017 and the exploit was published a month before the outbreak, a great many systems are still unpatched. To protect against this ongoing mass exploitation and propagation, do the following:

1. Install all available OS updates, in particular MS17-010, to prevent the host from being exploited.

2. Manually disable SMBv1 by editing the Windows Registry as follows:

a. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

b. Look for the value: SMB1

c. Set (or create) it as REG_DWORD with data 0 (0 = disabled), then reboot for the change to take effect.

3. Restrict inbound traffic to the SMB ports (TCP 139 and 445) wherever they are publicly accessible from the Internet.

4. Block the IPs, domains and hash values involved in spreading this malware. Please refer to the attachment IOCs – WANNACRY RANSOMWARE.xlsx for details.

5. Implement endpoint security solutions. The 'AV Signature Name' section of IOCs – WANNACRY RANSOMWARE.xlsx can be referred to.

6. Keep an offline backup of critical data on desktops and servers.

7. Organizations should block connections to Tor nodes and Tor traffic on the network (see IOCs – WANNACRY RANSOMWARE.xlsx).
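The host-side steps above (patch check, SMBv1 off, SMB ports blocked) can be applied in one go. The following PowerShell script is an added example and not code from the original advisory; run it from an elevated prompt. It assumes the KB numbers listed in the comments are the MS17-010 packages for your Windows version (later cumulative rollups supersede them, so check your build against the bulletin), and the firewall rule name is our own choice.

```powershell
# Added example (not code from the original advisory): audit and harden one
# Windows host against MS17-010 / WannaCry, following the advisory's steps.
# Run from an elevated PowerShell prompt.
# Assumptions: the KB numbers are the MS17-010 packages for Windows 7 /
# Server 2008 R2 (KB4012212, KB4012215), Windows 8.1 / Server 2012 R2
# (KB4012213, KB4012216) and the out-of-band XP / 2003 / Windows 8 package
# (KB4012598); later cumulative rollups supersede them, so check your build
# against the bulletin. The firewall rule name is our own choice.

$ErrorActionPreference = 'Stop'

# 1. Patch check. An absent KB on a host that receives monthly rollups is not
#    proof of exposure, but a hit here confirms the fix is present.
$ms17010 = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    Write-Output "MS17-010 package installed: $($found.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 package found; verify the patch level before trusting this host'
}

# 2. SMBv1 server off. This is the registry change the advisory describes
#    (value SMB1 = 0 under LanmanServer\Parameters); it applies after a reboot.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force

#    Windows 8 / Server 2012 and later can also turn it off immediately.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. SMBv1 client off as well, so this host never negotiates SMBv1 outbound
#    (the dependency edit is Microsoft's documented KB2696547 procedure).
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 4. Block inbound SMB. A blanket block is right for a workstation; on a file
#    server narrow it with -RemoteAddress to the ranges that must never reach
#    SMB, or enforce the restriction at the perimeter firewall instead.
$ruleName = 'Block inbound SMB (MS17-010 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139, 445 -Action Block | Out-Null
}

# 5. Show what is still listening on the SMB ports after the changes.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The registry value alone needs a reboot; `Set-SmbServerConfiguration` takes effect immediately where the SmbShare module exists (Windows 8 / Server 2012 and later). Disabling the SMBv1 client as well matters because the worm's LAN thread needs SMBv1 on the target, and a host that still speaks SMBv1 outbound can be lured to a rogue server.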

What action should the Bank/User/Customer take?

Install all critical patches.

Review any traffic towards ports 139, 445. Block if not required.

It is highly recommended that the provided list of threat indicators (IOCs – WANNACRY RANSOMWARE.xlsx) be blocked immediately at perimeter devices such as firewalls and proxies and at the email security gateway.

You should act upon this advisory/IOC list at your own discretion after conducting a risk analysis for your specific environment.

The advisory/IOC list is time sensitive in nature and may be overridden by subsequent updates from our side as new information on the threats is received.

What should be done if a node is infected?

1. Disconnect the infected system(s) from the production network.

2. Perform a full antimalware scan on the system(s) using one of the following:

F-SECURE-http://www.f-secure.com/en/web/home_global/online-scanner

MCAFEE-http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx

MICROSOFT-http://www.microsoft.com/security/scanner/en-us/default.aspx

SOPHOS-http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

TREND MICRO-http://housecall.trendmicro.com/

You can refer to IOCs – WANNACRY RANSOMWARE.xlsx for identifying additional antimalware tools with successful detection, for further scanning and disinfection.

3. Block the supplied indicators (IPs, domains and hash values) at the gateway devices.

4. Try to decrypt any encrypted files using decryption tools such as the Trend Micro Ransomware File Decryptor or those listed at nomoreransom.org/decryption-tools.html.

5. Detection and removal script for the DoublePulsar implant (if found): github.com/countercept/doublepulsar-detection-script

6. Restore data from the most recent clean backup.

Article references: https://www.cnet.com/ and https://www.theguardian.com/international

Hi, I am Muthukrishnan. My profession is technical writing, and I blog as a passion. I love to explore new trends in technology and write articles about recent technologies.
