Ransomware attacks going by the name of WannaCry were reported worldwide by cyber security experts on Friday, and multiple warnings have been issued urging increased security measures across web-connected devices as a second wave of attacks is expected this week.
The ransomware attacks — a decade-old hacker trick — have hit Russia, Ukraine, Spain, the UK and India hardest.
Other countries, including the USA, Brazil and China, across North America, Latin America, Europe and Asia have also been hit by the ransomware attack.
The ransomware encrypts files on a device using the ‘.wcry’ extension and is initiated via an SMBv2 (Server Message Block Version 2) remote code execution.
Kaspersky Lab’s Global Research and Analysis team pointed out that ‘unpatched Windows computers exposing their SMB services can be remotely attacked’ and ‘this vulnerability appears to be the most significant factor that caused the outbreak’.
The hacking group Shadow Brokers is reported to have made the malicious software used to carry out this attack available on the internet on April 14.
How Widespread is the Attack?
The full impact of this attack is still unknown as cyber security experts are expecting additional waves of the attack to hit more systems.
According to a report in the New York Times, the attack has taken control of more than 200,000 computers in more than 150 countries.
Companies and government agencies including Russian ministries, FedEx, Deutsche Bahn (Germany), Telefonica (Spain), Renault (France), Qihoo (China) and the UK's National Health Service have been affected.
The Spanish Computer Emergency Response Team (CCN-CERT) has also called for a high alert in the country, saying organisations might have been affected by the ransomware.
“The malicious WannaCrypt software quickly spread globally and is drawn from the exploits stolen from the NSA in the USA. Microsoft had released a security update to patch this vulnerability but many computers remained unpatched globally,” Microsoft stated.
The following software has been affected so far:
- Windows Server 2008 for 32-bit systems
- Windows Server 2008 for 32-bit systems service pack 2
- Windows Server 2008 for Itanium-based systems
- Windows Server 2008 for Itanium-based systems service pack 2
- Windows Server 2008 for x64-based systems
- Windows Server 2008 for x64-based systems service pack 2
- Windows Vista
- Windows Vista service pack 1
- Windows Vista service pack 2
- Windows Vista x64 Edition
- Windows Vista x64 Edition service pack 1
- Windows Vista x64 Edition service pack 2
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 and R2
- Windows 10
- Windows Server 2016
How Does it Affect the Systems?
The malware encrypts files with office document extensions, archives, media files, email databases and emails, developer source code and project files, graphic and image files and much more.
A decryptor tool is also installed along with the malware; it walks the victim through paying the $300 ransom demanded in Bitcoin and decrypts the files once the payment is made.
The decryptor tool runs two countdown timers — a 3-day timer, after which it indicates that the ransom will increase, and a 7-day timer, which indicates the time left before the files are lost forever.
Given the software tool has the ability to translate its text into multiple languages, it’s evident that the attack is being aimed globally.
In order to ensure that the decryptor tool is found by the user, the malware also changes the wallpaper of the affected PC.
How to Stay Safe?
- Make sure your antivirus software's database is up to date and real-time protection is enabled, then run a scan.
- If the malware Trojan.Win64.EquationDrug.gen is detected, ensure it is quarantined and deleted, then restart the system.
- If you haven't already, it's recommended to install Microsoft's official patch — MS17-010 — which mitigates the SMB vulnerability being exploited in the attack.
- You can also disable SMB on your computer using this guide by Microsoft.
- Organisations can block UDP ports 137 and 138 and TCP ports 139 and 445.
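The steps above, as an added example that is not from the original article, collected into one PowerShell script that audits a Windows host and, with -Apply, applies the mitigations. It assumes the "disable SMB" step means the legacy SMBv1 dialect, and the $Ms17010Kb parameter is a placeholder for the MS17-010 KB number Microsoft lists for your OS build.

```powershell
# Added example (not from the original article): audit and apply the
# article's mitigations on a single Windows host. Run as Administrator.
# Assumptions: the "disable SMB" step is read as disabling the legacy SMBv1
# dialect; $Ms17010Kb is a placeholder you fill in with the MS17-010 KB
# number Microsoft lists for this OS build.
param(
    [string[]]$Ms17010Kb = @('KB-PLACEHOLDER'),
    [switch]$Apply   # without -Apply the script only reports
)

# 1. Is the MS17-010 patch installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kb -contains $_.HotFixID }
if ($installed) { Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')" }
else            { Write-Warning "None of $($Ms17010Kb -join ', ') found; install MS17-010" }

# 2. Is SMBv1 enabled? Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; older builds fall back to the registry value
#    (an absent SMB1 value means SMBv1 is enabled by default).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1 -ne 0
}
Write-Host "SMBv1 enabled: $smb1"
if ($smb1 -and $Apply) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    }
    Write-Host 'SMBv1 disabled (reboot required on older builds)'
}

# 3. Block the ports the article lists at the host firewall: UDP 137/138
#    (NetBIOS name/datagram) and TCP 139/445 (NetBIOS session/SMB).
#    New-NetFirewallRule needs Windows 8 / Server 2012 or later.
$rules = @(
    @{ Name = 'WannaCry mitigation - block NetBIOS UDP'; Protocol = 'UDP'; Ports = @(137, 138) },
    @{ Name = 'WannaCry mitigation - block SMB TCP';     Protocol = 'TCP'; Ports = @(139, 445) }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule already present: $($r.Name)"; continue
    }
    if ($Apply) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Ports -Action Block -Profile Any | Out-Null
        Write-Host "Created firewall rule: $($r.Name)"
    } else { Write-Host "Would create firewall rule: $($r.Name)" }
}
```

Blocking TCP 445 inbound also stops legitimate file sharing to that host, so test the rule on a non-critical machine first.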
US-based Systems Were Secured Accidentally
A 22-year-old British security researcher accidentally stopped the malware from spreading to networks in the USA when he bought the malware's kill-switch domain, which had not yet been registered.
As soon as the site was live, the attack was shut down. You can read his full report here about how he uncovered the kill switch for the malware and eventually shut it down.
“There has already been another variant of the ransomware which does not have a kill switch, making it difficult to contain. It has already started infecting countries in Europe,” said Sharda Tickoo, Technical Head, Trend Micro India.
It's still unclear who is responsible for the attack, and speculation has pointed towards Shadow Brokers — who were also responsible for releasing the malware online — or multiple hacking organisations.