On Friday, a widely spread ransomware named WannaCry took down more than 200,000 systems around the world, affecting more than 104 countries, including India. An anonymous cyber-criminal group, the “Shadow Brokers”, has claimed that it extorted a massive amount of ransom simply by locking down the systems. By encrypting users’ data and adding the extension “.WCRY” to the filenames, the attackers had reportedly received over $25,000 by Saturday morning.
In August 2016, the mysterious online group claimed to have stolen US “cyber weapons” from a hacking team called the “Equation Group”. The Equation Group is said to be operated by the NSA, and the breach of its systems led the Shadow Brokers to claim that they had access to some of the agency’s secretive tools.
Over a nine-month period, the mysterious group has leaked more than one gigabyte of software exploits alleged to be from the NSA. The most recent data dump came on April 14, 2017. Among the 300 megabytes of newly published exploits were a number of vulnerabilities that allegedly worked against Microsoft products. However, Microsoft then stated that these security flaws had already been fixed. Researchers said WannaCry uses an exploit called “EternalBlue”, which was first made public last month by the Shadow Brokers. EternalBlue is a hacking tool that gives unprecedented access to all computers using Microsoft Windows, the world’s most popular OS. It had been developed by the NSA to gain access to computers used by terrorists and enemy states.
Russia and India were among the countries worst affected by the WannaCry/WannaCrypt attack, because Microsoft’s Windows XP and Windows 7 are still widely used there. News agency IANS reported that, in India, police computers across 18 units in Andhra Pradesh’s Chittoor, Krishna, Guntur, Visakhapatnam and Srikakulam districts were affected. However, there was no immediate information on how many companies in India were affected by the cyber attack.
How WannaCry works:
WannaCry/WannaCrypt encrypts the files on infected Windows systems. It spreads laterally between computers on the same LAN by exploiting a vulnerability in the Windows implementation of Server Message Block (SMB). It also spreads through malicious email attachments. After infecting a system, WannaCry displays the following screen:
It also drops a text file named “!Please Read Me!.txt” which contains instructions on how to pay the ransom:
The file extensions targeted by the malware fall into several clusters of formats, including:
1) Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
2) Less common and nation-specific office formats (.sxw, .odt, .hwp).
3) Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
4) Emails and email databases (.eml, .msg, .ost, .pst, .edb).
5) Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
6) Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
7) Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
8) Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
9) Virtual machine files (.vmx, .vmdk, .vdi).
How to protect against WannaCry:
Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infections and attacks:
To prevent infection, users and organisations are advised to apply the patches for Windows systems described in Microsoft Security Bulletin MS17-010.
Microsoft has also released a patch for unsupported versions such as Windows XP, Vista, Server 2003 and Server 2008: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
To prevent data loss, users and organisations are advised to back up critical data.
Block SMB ports on enterprise edge/perimeter network devices (UDP 137 and 138, TCP 139 and 445) or disable SMBv1: https://support.microsoft.com/en-us/help/2696547
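As an added example (not part of the original article), the following PowerShell audits a single host for the mitigations listed above and applies the SMB ones. It assumes an elevated PowerShell 5.1 session on Windows 8.1/Server 2012 R2 or later; the second KB number is a placeholder to be filled in from the MS17-010 bulletin for your build.

```powershell
# Added example: audit a Windows host for the WannaCry mitigations above
# (MS17-010 patch, SMBv1 disabled, SMB ports blocked) and apply the SMB ones.
# Assumes an elevated session; Get-SmbServerConfiguration needs Windows 8.1 /
# Server 2012 R2 or later.

# KB4012598 is the patch the article names for unsupported versions. The
# second entry is a placeholder: take the KB for your build from MS17-010.
$Ms17010Kbs = @('KB4012598', '<KB-FOR-YOUR-BUILD-FROM-MS17-010>')

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    # The worm exploits the SMBv1 server; this is the setting that matters.
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 8.1/10 also remove the optional component so the driver is
    # never loaded again after the next restart.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-SmbPortsInbound {
    # Host-level version of the article's perimeter advice: TCP 139/445, UDP 137/138.
    New-NetFirewallRule -DisplayName 'Block inbound SMB TCP (MS17-010 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS UDP (MS17-010 mitigation)' `
        -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any | Out-Null
}

if (-not (Test-Ms17010Installed)) {
    Write-Warning 'MS17-010 not found; install it from the Microsoft Update Catalog.'
}
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Disable-Smb1
}
Block-SmbPortsInbound
```

Blocking inbound 445 on a host that legitimately serves file shares will break those shares, so apply the firewall rules to workstations and rely on the perimeter blocks for file servers.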