The world woke up to news of one of the largest ransomware attacks of all time, which had already infected over 200,000 Windows systems worldwide in the last 24 hours. This massive ransomware campaign hit the computers of thousands of private companies, public organizations and members of the general public across the world. The attack is believed to be the most massive ransomware campaign to date. This ransomware is a variant of ransomware known as WannaCry (aka ‘Wana Decrypt0r,’ ‘WannaCryptor’, ‘WCRY’).

How do you protect your computer?

Microsoft just surprised all of us by the way they handled this issue. They just released an emergency security patch update for all versions of Windows, including expired versions (Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions).

If you are using any of the above-mentioned versions of Windows then you are strongly advised to download and APPLY THE PATCH ASAP!
Also,

  • Avoid clicking on links or opening attachments/emails from people you don’t know (spam).
  • Disable the outdated protocol SMBv1.
  • Block connections to the RDP or SMB protocol directly from the internet.
  • Isolate unpatched or unsupported systems from the internal network.
  • Make back-ups of your files and verify that they can be restored.
  • Switch to Linux/Ubuntu 😉

I am using Windows 10, what to do?

You’re safe. Microsoft quoted:

 “The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack,”

How is it spreading?

Ransomware like this is usually propagated through spam emails and links. It tricks users into downloading and executing a malicious attachment. When one machine gets infected, it will scan the entire internal network and infect vulnerable machines.

Screenshot from an infected PC Source: Twitter

Once infected with the WannaCry ransomware, victims are asked to pay up to $300 in bitcoin in order to remove the infection from their PCs.

Some Facts about this ransomware

  • This ransomware campaign spreads itself through the internal network using a recently patched Windows vulnerability.
  • When one machine gets infected it will scan the entire internal network and infect vulnerable machines.
  • Machines are not required to be connected to the internet for the encryption process to take place.
  • Designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems.
  • Machines that have been patched with MS17-010 are not vulnerable to the exploit, but could still be infected through other infection methods such as phishing e-mails.
  • European Countries and Russia were the main victims, followed by USA and India.
  • Portugal Telecom, Spanish telecom giant Telefónica and Russia’s MegaFon were victims of the attack, but it did not affect their client/services.
  • Global courier company FedEx was also affected.

#WannaCry ransomware also hits German Train Station. Source: Twitter ~ The Hacker News

#WannaCry spreading in a University Lab Source: Twitter ~ The Hacker News

#WannaCry spreading in a University Lab -2 Source: Twitter ~ The Hacker News

In India, Andhra Pradesh Police Department got affected by this ransomware. More than 18 computers from different units of Andhra Pradesh’s police departments were affected.

A UK cyber security researcher, @malwaretechblog, found and activated a “kill switch” in the malware. The switch was hard-coded into the ransomware in case the creator wanted to stop it spreading. It involves a very long nonsensical domain name (hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) to which the malware sends a request as if it were looking up a normal website. If the connection succeeds, the kill switch takes effect and the malware stops spreading.


@malwaretechblog found that this domain was not registered by the attackers so he quickly purchased that domain for $10.69. Then he saw the domain name was registering thousands of connections every second. Anyway, this accidentally (not accidental, he is a professional security researcher) triggered a “kill switch” that prevented the wide spread of the WannaCry ransomware, at least for now.

 

Read @malwaretechblog‘s article here

But the kill switch will not help those computers which are already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.
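As an added example (not from the original post or from @malwaretechblog), the sketch below scans DNS resolver logs for lookups of the kill-switch domain quoted above, listing the internal machines that ran the malware and whether their lookup resolved. A lookup that never resolved means the connection could not succeed, so the kill switch did not take effect on that host. The four-field log format, the function names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Kill-switch indicator exactly as the post gives it (defanged).
DEFANGED_IOC = "hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"

# Constructed sample resolver log. Assumed format: time client_ip qname rcode
SAMPLE_LOG = """\
2017-05-13T08:01:12Z 10.0.4.17 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
2017-05-13T08:01:13Z 10.0.4.22 www.example.org. NOERROR
2017-05-13T08:02:40Z 10.0.9.5 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM NXDOMAIN
2017-05-13T08:03:02Z 10.0.4.17 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
malformed line
2017-05-13T08:05:55Z 10.0.9.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. SERVFAIL
"""

def refang_host(ioc):
    """Turn a defanged URL (hxxp, [.]) into a bare lower-case hostname."""
    host = ioc.replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host, flags=re.I)
    return host.split("/")[0].rstrip(".").lower()

def triage(log_text, ioc=DEFANGED_IOC):
    """Return {client_ip: {"hits": n, "resolved": bool}} for the IoC host."""
    target = refang_host(ioc)
    hosts = defaultdict(lambda: {"hits": 0, "resolved": False})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, qname, rcode = fields
        # DNS names are case-insensitive and may carry a trailing root dot.
        if qname.rstrip(".").lower() != target:
            continue
        hosts[client]["hits"] += 1
        # NOERROR means the name resolved, so the connection could succeed.
        if rcode.upper() == "NOERROR":
            hosts[client]["resolved"] = True
    return dict(hosts)

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        state = "resolved" if info["resolved"] else "never resolved"
        print(f"{ip}: {info['hits']} lookups, {state}")
```

Every client listed has executed the malware and needs isolation and cleanup whether or not its lookup resolved, since the kill switch only stops further spreading.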

Who is behind this?

The malware was made available on the web by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).

More Updates Coming Soon
