WannaCry, via Wikimedia Commons
On Friday, some hospitals in the United Kingdom were struck with a peculiar attack:
computers taken over, the data inside encrypted and held for ransom, all for
the measly payment of just $300. The attack spread rapidly, hitting 150
countries and shutting down everything from telecoms in Spain to the
Interior Ministry in Russia. And then, through a stroke of luck, the
WanaCryptor attack was stopped in its tracks, a killswitch discovered by
happenstance just in time for the weekend. What, exactly, are we to make
of the largest ransomware attack in history?
It was based on a leaked NSA "cyber-weapon"
The worm, known variously as WannaCry, WanaCryptor, and WannaCrypt,
targets computers running Microsoft Windows. It is built on an
exploit named EternalBlue, which abuses a flaw in the SMBv1 file-sharing
protocol. EternalBlue is one of many NSA “cyber-weapons” released by a group known as the Shadow Brokers, who first started leaking NSA tools late last summer.
How This Ransomware Spreads
It spread without any user interaction
Unlike phishing or spearphishing attacks, where a computer is compromised
because a user clicks a link in a targeted email, WannaCry works without
exploiting any human error. It scans for machines that expose the
vulnerable SMB service on TCP port 445, uses EternalBlue to install itself
on them, and then repeats the process from each newly infected host, which
is what makes it a worm rather than ordinary ransomware.
The killswitch was a simple URL check
Before WannaCry spreads, it tries to connect to a specific domain
hard-coded in its program. If the connection succeeds, which it will once
the domain is registered and answering requests, the malware exits and
proceeds no further. If the connection fails, WannaCry spreads as it was
designed to do, infecting machines and demanding ransom. The check cuts
both ways: a machine whose outbound web access is blocked fails the
connection, and so runs the payload even after the domain is registered.
The killswitch was discovered by a young computer security researcher
in the United Kingdom, who registered the domain specified in the
WannaCry code and routed its traffic to a sinkhole server, a machine set
up to trap and record botnet traffic. Because every infected machine
calls the domain before it stops, the sinkhole's logs also amount to a
census of infected hosts. This security researcher wrote a great
write-up of the experience of catching WannaCry,
which is here.
For his trouble, the pseudonymous researcher then had his identity revealed by British tabloids.
One reason to be pseudonymous is to make it easier to get security work
done without becoming a specific target for the kind of people whose
attacks he is trying to stop. That matters especially with WannaCry,
because future versions of the ransomware (some of which may already be live and in the wild) may not include the killswitch, which will make them harder to stop.
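The following is an added example, not code from the original article or from the researcher's write-up. It models the two halves of the story above: the worm's kill-switch decision, with its failure-means-spread edge, and what the operator of the registered domain sees once the probes land on a sinkhole. The domain name, the probe callables and the access-log lines are all constructed for illustration; nothing below touches the network unless `http_probe()` is called explicitly.

```python
"""Added example, not code from the original article or from the researcher's
own write-up. It models the kill-switch decision as the worm makes it, and
what the operator of the registered domain sees once the worm's probes land
on a sinkhole. The domain name, the probe callables and the log lines are all
constructed; nothing here touches the network unless http_probe() is called."""
import re
import urllib.request
from collections import Counter
from typing import Callable, Dict

# Hypothetical stand-in for the hard-coded kill-switch domain.
KILLSWITCH_DOMAIN = "example-killswitch.invalid"


def http_probe(domain: str, timeout: float = 5.0) -> bool:
    """A plain HTTP GET, the way the article describes the check.
    Returns True only if a server answered; any failure is False."""
    try:
        with urllib.request.urlopen(f"http://{domain}/", timeout=timeout):
            return True
    except Exception:
        return False


def should_proceed(probe: Callable[[str], bool],
                   domain: str = KILLSWITCH_DOMAIN) -> bool:
    """The worm's control flow: a *successful* connection means stop, a
    failed one means go ahead and spread. Note the sharp edge: any probe
    error (DNS failure, blocked outbound web access, an exception) counts
    as 'unreachable', so such machines run the payload even after the
    domain has been registered."""
    try:
        reachable = probe(domain)
    except Exception:
        reachable = False
    return not reachable


# Constructed Common Log Format lines as a sinkhole web server would record
# them once the domain resolves to it. Addresses are documentation ranges.
SINKHOLE_LOG = """\
198.51.100.7 - - [12/May/2017:15:02:13 +0000] "GET / HTTP/1.1" 200 0
203.0.113.45 - - [12/May/2017:15:02:15 +0000] "GET / HTTP/1.1" 200 0
198.51.100.7 - - [12/May/2017:15:02:19 +0000] "GET / HTTP/1.1" 200 0
192.0.2.88 - - [12/May/2017:15:02:21 +0000] "GET / HTTP/1.1" 200 0
203.0.113.45 - - [12/May/2017:15:03:01 +0000] "GET / HTTP/1.1" 200 0
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def infected_hosts(log_text: str) -> Dict[str, int]:
    """Every hit is a machine that ran the worm and was talked out of
    spreading; count hits per source address so the sinkhole doubles as a
    list of hosts that still need patching and cleanup."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("domain unreachable -> worm spreads:", should_proceed(lambda d: False))
    print("domain reachable   -> worm stops:  ", not should_proceed(lambda d: True))
    for ip, hits in sorted(infected_hosts(SINKHOLE_LOG).items()):
        print(f"{ip:16} {hits} hit(s)")
```

Two things are worth taking away from running it. First, the decision is inverted relative to most "phone home" logic: the registered domain is what disarms the worm, and anything that makes the probe fail (an egress filter, a DNS outage) re-arms it. Second, a sinkhole is not just a stopper; its access log is the cheapest infected-host inventory a defender will get, which is exactly why the researcher wired the domain to one.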
It preyed upon unpatched computers
Microsoft released patches for the vulnerable operating systems that
prevent the present version of WannaCry from infecting patched
computers. The patch that closes the SMB hole EternalBlue uses was
released in March as security bulletin MS17-010, though not every user
automatically downloads and installs all patches or software updates.
After the outbreak, Microsoft also released an emergency patch for
Windows XP, a 16-year-old operating system that is
no longer officially supported, yet still runs on many computers.
(Microsoft also released patches for two other operating systems that are
only on “custom support,” Windows 8 and Windows Server 2003.) In
customer guidance released about the attack, Microsoft recommends enabling automatic updates as a proactive measure.
Cisco’s Talos threat research team also recommends blocking Tor nodes
and Tor traffic. WannaCry uses Tor to reach its command-and-control
servers, not to spread, so this blocking denies infected machines that
contact and gives defenders a detection signal, but on its own it does
nothing to stop SMB-based propagation inside the network. Beyond that, the Talos recommendations
include industry best practices: only using operating systems that
are actively supported and receive security updates, timely security
patching, running anti-malware software, and especially having a plan
for disasters, with data regularly backed up to devices that
are kept offline. The more redundant copies of data stored where attackers can’t
reach them, the less compelling it is to pay the ransom.
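The following is an added example, not code from the original article or from Cisco Talos. It turns the two network-level points above into checks that can be run over flow or firewall logs: flagging hosts that open SMB to an unusual number of internal peers in a short window (the worm walking a subnet), and flagging connections to known Tor nodes (the command-and-control path). The flow records, the internal address range and the Tor node list are all constructed; a real deployment would pull the Tor list from the Tor Project and refresh it regularly.

```python
"""Added example, not code from the original article or from Cisco Talos.
Two detections over constructed flow records: SMB scanning inside the
network (how WannaCry spreads) and contact with Tor nodes (how it reaches
its command-and-control servers). All data below is constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed flow records: timestamp, source, destination, destination port.
FLOW_LOG = """\
2017-05-12T10:00:01Z 10.20.1.15 10.20.1.1 445
2017-05-12T10:00:01Z 10.20.1.15 10.20.1.2 445
2017-05-12T10:00:02Z 10.20.1.15 10.20.1.3 445
2017-05-12T10:00:02Z 10.20.1.15 10.20.1.4 445
2017-05-12T10:00:02Z 10.20.1.15 10.20.1.5 445
2017-05-12T10:00:03Z 10.20.1.15 10.20.1.6 445
2017-05-12T10:00:03Z 10.20.1.15 10.20.1.7 445
2017-05-12T10:00:04Z 10.20.1.15 10.20.1.8 445
2017-05-12T10:00:04Z 10.20.1.15 10.20.1.9 445
2017-05-12T10:00:05Z 10.20.1.15 10.20.1.10 445
2017-05-12T10:00:05Z 10.20.1.15 10.20.1.11 445
2017-05-12T10:00:07Z 10.20.1.15 198.51.100.200 9001
2017-05-12T10:00:09Z 10.20.1.40 10.20.1.50 445
2017-05-12T10:00:10Z 10.20.1.40 203.0.113.10 443
2017-05-12T10:05:00Z 10.20.1.40 10.20.1.51 445
"""

# Constructed stand-in for a Tor node list; the real list changes constantly.
TOR_NODES = {"198.51.100.200", "198.51.100.201"}

INTERNAL = ipaddress.ip_network("10.20.0.0/16")  # assumed internal range
SMB_PORT = 445

Flow = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    rows: List[Flow] = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return rows


def smb_scanners(flows: List[Flow], threshold: int = 10,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Sources that open SMB to at least `threshold` distinct internal peers
    within `window`. A workstation talks SMB to a handful of file and print
    servers; a worm walks the subnet. Sliding window per source, sorted by
    time; the value reported is the largest distinct-peer count seen."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT and ipaddress.ip_address(dst) in INTERNAL:
            per_src[src].append((ts, dst))
    hits: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def tor_contacts(flows: List[Flow], tor_nodes=TOR_NODES) -> List[Tuple[str, str]]:
    """Internal sources that reached a listed Tor node, whatever the port."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst in tor_nodes})


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("SMB scanners:", smb_scanners(flows))   # expect 10.20.1.15
    print("Tor contacts:", tor_contacts(flows))   # expect 10.20.1.15 -> 198.51.100.200
```

In the constructed data the same host trips both checks, which is the pattern to expect: an infected machine first sweeps port 445 across its neighbours and separately reaches out over Tor. The scan check is the one that matters for containment, because it catches lateral movement whether or not the Tor block is in place; tune `threshold` and `window` against a baseline of normal SMB fan-out before alerting on it.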
Steps To Protect Against WanaCry Ransomware
1. Instead of ‘Passwords’, Use ‘Passphrases’ for Different Websites
Use different user ID/password combinations for different accounts and
avoid writing them down. You can create stronger passwords by combining
letters, numbers and special characters (minimum 8 characters in total),
and a longer passphrase of several unrelated words is stronger still.
Change any password you suspect has been exposed. Keep in mind that this
is general hygiene rather than a defence against WannaCry itself, which
spreads by exploiting an unpatched SMB service, not by guessing credentials.
2. Activate your firewall
A firewall does what the name suggests: it monitors and filters the
traffic coming into and going out of your computer. If your antivirus
doesn’t include a firewall, make sure Windows Firewall is turned on.
For WannaCry specifically, the rule that matters is to block inbound SMB
(TCP port 445) from untrusted networks and never to expose port 445 to
the internet; that alone denies the worm the path it uses to reach a machine.
3. Use anti-virus/anti-malware software
Prevent viruses from infecting your computer by installing and regularly updating licensed anti-virus software.
4. Prevent spyware from getting into your computer by NOT installing ‘cracked’ software
Do not install cracked software or apps, as they often come bundled with other malicious software.
5. Never upload your personal data unencrypted to Dropbox, Google Drive
or any online file-sharing service. It takes no more than five minutes to
encrypt a zip file or any single file such as a photo, video or
document with AES-256. Note that encrypting files protects their
confidentiality, not their availability: a synced cloud folder will
faithfully replicate the ransomware’s encrypted versions, so unless the
service keeps file history it is no substitute for the offline backups
recommended above.