What is ransomware?
Ransomware is a kind of cyber attack that involves hackers taking control of a computer system and blocking access to it until a ransom is paid.
What is Wanna Decryptor?
Wanna Decryptor, also known as WannaCry or wcry, is a specific ransomware program that locks all the data on a computer system and leaves the user with only two files: instructions on what to do next and the Wanna Decryptor program itself.
When the software is opened it tells computer users that their files have been encryted, and gives them a few days to pay up, warning that their files will otherwise be deleted. It demands payment in Bitcoin, gives instructions on how to buy it, and provides a Bitcoin address to send it to.
HOW DOES YOUR COMPUTER BECOME INFECTED WITH RANSOMWARE?
In most cases, the software infects computers through links or attachments in malicious messages known as phishing emails.
“The age-old advice is to never click on a link in an email,” said Jerome Segura, a senior malware intelligence researcher at Malwarebytes, a San Jose-based company that has released anti-ransomware software. “The idea is to try to trick the victim into running a malicious piece of code.”
The software is usually hidden within links or attachments in emails. Once the user clicks on the link or opens the document, their computer is infected and the software takes over.
WannaCry ransomware – How can this be prevented?
Download the relevant patch for your desktop and laptop to start with…
Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Despite the exploits/vulnerabilities being exposed a month back, so many systems were still unpatched. To protect from this ongoing mass exploit and propagation one can do the following:
1. Install all available OS updates including to prevent getting exploited
2. Manually disable SMBv1 via modifications made to Windows Registry by following these steps:
a. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
b. Look for Value: SMB1
c. Modify Data: REG_DWORD: 0 = Disabled
3. Restrict inbound traffic to open SMB ports (ports 139, 445) which are publicly accessible / open to Internet.
4. Block the IPs, Domains, Hash values that are involved in spreading this malware. Please refer the attachment – IOCs – [XLS]xls – US-CERT for details.
5. Implement endpoint security solutions. The ‘AV Signature Name’ section under IOCs – [XLS]xls – US-CERT can be referred.
6. Keep an offline backup of critical data on desktops and servers.
7. Organisations should block connections to TOR nodes and TOR traffic on network (IOCs –[XLS]xls – US-CERT).
Read additional information here