Computers across the world were hit by a ransomware attack over the weekend that left over 200,000 users locked out of their systems in over 150 countries. WannaCry, as it’s been dubbed, is one of the largest cyberattacks in recent history, and one that largely targets Windows users. So here’s everything you need to know about it.
WannaCry is a ransomware module that uses a Windows exploit leaked by the Shadow Brokers in April this year, purportedly part of a set of tools used by the US National Security Agency (NSA) to spy on targets. Ransomware is a type of malware that infects a device and then encrypts its data. It then displays a message demanding that the user pay a fee (or ransom) to an individual or group online before they can use the computer or even access their data again. Payment is typically requested in Bitcoin, to remain untraceable; in this case, approximately $300 worth of it.
Experts believe the initial infection might have been carried out by an advanced phishing attack, using emails loaded with the ransomware. Once WannaCry worms its way into a system, it encrypts the data and then exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol to spread the infection to other machines. While ransomware is usually considered a rudimentary attack tool, this particular version was supercharged by its creators using secrets leaked from the NSA’s spying toolkit. This is why it was so effective, shutting down hundreds of thousands of computers across the US, Europe and India, among other places.
A month before WikiLeaks published its Vault 7 data on the spying tactics used by the NSA, Microsoft released an update in March with a critical advisory to fix the security hole. This patch covered several versions of Windows, including Vista and Windows 8.1, as well as server versions of the OS, though not Windows XP. Windows 10 remained unaffected by the bug. However, when WannaCry began infecting computers across the globe, Microsoft released an emergency patch for Windows XP, an operating system it had stopped updating in 2014. The move likely saved countless users from the malware attack, but there was another bit of good luck to help as well.
A security researcher going by the name MalwareTech was attempting to reverse-engineer WannaCry on Friday, in order to understand it, when he noticed a bit of code in the module that instructed it to check whether a bogus URL was live. Curious to find out why the ransomware’s creators had put that in, he registered the domain name himself for about $10. What happened next astounded him, as he managed to singlehandedly shut down the spread of the malware.
It seems the website check was a form of kill switch built into the malware, in case the attackers ever needed to stop its spread quickly. As long as the link led nowhere, WannaCry would continue to spread. But since it now led to a valid page, the malware stopped its epidemic-like spread. While that doesn’t fix any systems already affected by the ransomware, it does buy security researchers time, as it at least stopped more people from being affected. Unfortunately, reports are now coming in that there are newer versions of the malware that completely lack the original kill switch.
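Defenders can turn the kill-switch behaviour described above into a detection signal: every infected machine performs that domain lookup before deciding whether to continue, so DNS resolver logs reveal which hosts tried. The following is an added example, not code from the article or from MalwareTech; it assumes a constructed resolver log format and uses the placeholder domain killswitch-example.invalid, since the article does not name the real one.

```python
import re

# Placeholder for the registered kill-switch domain; the real one is not
# given in the article, so this is a constructed stand-in.
KILL_SWITCH_DOMAIN = "killswitch-example.invalid"

# Constructed DNS resolver log lines: timestamp, client, query name, response code.
SAMPLE_DNS_LOG = """\
2017-05-12T13:02:11Z client=10.0.4.17 query=www.example.com rcode=NOERROR
2017-05-12T13:02:13Z client=10.0.4.22 query=killswitch-example.invalid rcode=NOERROR
2017-05-12T13:02:13Z client=10.0.4.22 query=killswitch-example.invalid rcode=NOERROR
2017-05-12T13:05:40Z client=10.0.7.3 query=killswitch-example.invalid rcode=NXDOMAIN
2017-05-12T13:06:02Z client=10.0.4.17 query=updates.example.net rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one resolver log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_killswitch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client: {lookups, unresolved, first_seen}} for hosts that queried the domain.

    Any lookup of the kill-switch name is itself the indicator: legitimate
    software has no reason to resolve it.
    """
    hits = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["qname"].lower().rstrip(".") != domain:
            continue
        entry = hits.setdefault(
            rec["client"], {"lookups": 0, "unresolved": 0, "first_seen": rec["ts"]}
        )
        entry["lookups"] += 1
        if rec["rcode"] != "NOERROR":  # lookup failed: the host never saw the live page
            entry["unresolved"] += 1
    return hits


def triage(hits):
    """Rank hosts whose lookup failed first: the worm on them would keep spreading."""
    return sorted(hits.items(), key=lambda kv: (-kv[1]["unresolved"], kv[0]))
```

A host whose lookup failed (NXDOMAIN, or a blocked or authenticating proxy in front of it) never reached the live page, so the worm on it would keep spreading; this is why the kill-switch domain should be allowed to resolve rather than added to a blocklist.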
“Simple hygiene of taking regular backups and not opening unknown attachments will have saved users from being affected,” says Kiran Deshpande, Co-founder & President of Mojo Networks and President of The Indus Entrepreneurs Association (TiE) Pune. “However, this is like asking people to eat non-fatty food and do Yoga.”
“Most vulnerable will be the users in small to medium enterprises, startups and professionals like lawyers, doctors, architects who don’t have the cushion of IT services. Nevertheless, one should never pay the ransom as it will encourage attackers.”
Meanwhile, Kaspersky Labs has a few everyday practices that can help keep you safe from being locked out of your devices.
1. Install the official patch from Microsoft that closes the vulnerability used in the attack (there are also patches available for Windows XP, Windows 8, and Windows Server 2003).
2. Ensure that security solutions are active on all nodes of the network, i.e. endpoints and servers.
3. Reboot the system after detecting MEM: Trojan.Win64.EquationDrug.gen or similar malware files.
4. WannaCry is also targeting embedded systems. Ensure that a dedicated security solution for embedded systems is installed and that it has Default Deny functionality enabled.
5. If you’re using a Kaspersky Lab security solution, the company suggests you ensure that it includes System Watcher, a behavioral proactive detection component, and that it is switched on. Run the Critical Area Scan task to detect a possible infection as soon as possible.
“While this attack may have potential to grow bigger, a lot of work has already gone in to try and mitigate that possibility,” says Mr. Srinivasan C.R. – Senior Vice President, Global Product Management & Data Centre Services at Tata Communications. He further says “It is always advisable to have a service provider, no matter the size of your business, because when such situations arise, businesses need expert skills and backing for immediate remediation.”
— input : Technology today