WannaCry Ransomware : Know What You Are Dealing With
WannaCry, WannaCrypt, Wanna Decryptor
What happened on Friday, 12th May 2017?
On Friday, 12th May 2017, a massive cyber-attack hit more than 99 countries, infecting more than 200,000 computers internationally. The attackers used a specific type of ransomware known as WannaCry, also called WannaCrypt or Wanna Decryptor.
What is WannaCry and what does it do?
Once WannaCry is activated, the ransomware encrypts files on an organisation's network of Microsoft Windows systems, preventing any form of access by the intended users. The malware then demands payment in bitcoin in exchange for decrypting the files.
If payment is not made within the stipulated time, the ransom may increase and/or the files may even be deleted. What makes WannaCry unique is that it spreads through a vulnerability in Windows systems and then installs its ransomware payload using the EternalBlue exploit and the DoublePulsar backdoor.
How does WannaCry infect your whole organization (through EternalBlue and DoublePulsar)?
Where is the entry gateway for WannaCry?
The WannaCry ransomware, like other known ransomware, is typically introduced by ordinary user actions, such as:
1. A user clicking on malicious links from low-security websites, phishing emails or even Dropbox links
2. A user downloading free tools or software from websites or web adverts
In many cases, phishing emails carry a convincing subject line that relates to your industry or line of work; for example, phishing emails targeted at the healthcare industry may contain "[Clinical Results]" in the subject line. This entices users to click through and, in turn, exposes their computers to infection after visiting a compromised website.
How does WannaCry spread to other systems on the same network after infecting my computer?
Once the ransomware has entered one computer on a network of unpatched or legacy Windows systems, it exploits an existing SMB vulnerability to spread to other computers. If successful, a backdoor is used to install the ransomware payload on each computer. The exploit and the backdoor are known as EternalBlue and DoublePulsar respectively, and are generally believed to have been developed by the U.S. National Security Agency (NSA) to target Windows computers.
However, on 14 April 2017, a shady group known as The Shadow Brokers leaked EternalBlue along with DoublePulsar to the public. The WannaCry attackers have since made effective use of this exploit and backdoor to build ransomware that spreads through and infects whole organisational networks, ultimately causing massive disruption and business discontinuity.
The First Thing to Do & Future Concerns
The first thing to do NOW is to install the latest patch, MS17-010, for Microsoft Windows SMB Server. The patch will prevent:
1) any lateral spreading of WannaCry to other computers and/or systems in the network
2) WannaCry from activating on the source, the source being the first infected computer in the system
However, this will not prevent the malware from entering computers via human triggers, e.g. clicking on malicious links in phishing emails.
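As an added example (not code from the original page or from Quantiq), the PowerShell below checks a single Windows host for the two things the paragraph above calls for: whether an MS17-010 update is installed, and whether the SMBv1 service that EternalBlue targets is still enabled and listening. The KB numbers are assumed from the MS17-010 bulletin and should be verified against it for your exact OS build; `Get-SmbServerConfiguration` is assumed to be available (Windows 8 / Server 2012 and later).

```powershell
# Read-only MS17-010 / SMBv1 exposure check for one host (added example, not from the page).
# Assumption: these are the MS17-010 security updates per OS version; confirm against the bulletin.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption)  build $($os.BuildNumber)"

# 1. Is one of the MS17-010 updates present in the installed hotfix list?
#    Caveat: on Windows 10 a later cumulative update supersedes the March 2017 KB, so its
#    absence there is not proof of exposure; compare the build number with the bulletin instead.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: PRESENT ($($installed.HotFixID -join ', '))"
} else {
    Write-Warning "MS17-010: NOT FOUND - install the update for this OS version now"
}

# 2. Is the SMBv1 server protocol still enabled? EternalBlue exploits SMBv1, so disabling it
#    removes the attack surface even on hosts that cannot be patched immediately.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED - disable it unless a legacy system depends on it"
    # Remediation (deliberately not run automatically):
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host "SMBv1 server protocol: disabled"
}

# 3. Show whether SMB (TCP 445) is listening at all; a host with no listener cannot be reached
#    by the worm component, whatever its patch state.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $listeners | Select-Object LocalAddress, LocalPort, State | Format-Table -AutoSize
} else {
    Write-Host "No listener on TCP 445"
}
```

Run it in an elevated PowerShell session on each host you manage; warnings mark the hosts that still need the patch or an SMBv1 change.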
Beyond this recent WannaCry attack, another similar, and possibly more vicious, attack is highly probable. Hacker groups are constantly looking for vulnerabilities to exploit, so you must strengthen your organisation's defences and internal policies to prevent hacking attempts from infiltrating your network and system environment.
Preventing Future Ransomware Attacks
Here are some highly recommended preventive measures you can take to prepare your organisation for the next attack, whether you are a current victim of WannaCry or not:
- If you are infected, do NOT pay the ransom! You are only encouraging the hackers when you do so, and there is no guarantee that you will get all your files back
- Install patches early and regularly, in line with best practices
- Keep your operating systems as up to date as possible
- Have a robust backup strategy for all your files. In the event that you are infected, your files are as good as gone, so back them up!
- Improve the range and accuracy of spam filters to avoid receiving malicious emails
- Build awareness and email security discipline in all users in the organisation. A HUGE majority of attacks start from phishing emails, and one infected device is all it takes!
These measures are crucial in preventing WannaCry and other ransomware known to date from carrying out malicious activity in your environment. However, they may not prevent new threats that exploit newly discovered vulnerabilities.
With Quantiq, we can keep you secure, ensuring a worry-free work environment for your organisation right from the get-go. Included below are our recommendations to enhance your security posture, mapped to our versatile range of solutions:
Contact us now by email at email@example.com