On Friday, May 12, 2017, the world was alarmed to discover that cybercrime had achieved a new record. In a widespread ransomware attack that hit organizations in more than 100 countries within the span of 48 hours, the operators of malware known as WannaCry/WanaCrypt0r 2.0 are believed to have caused the biggest attack of its kind ever recorded.
Early reports attributed the initial infections to spam email: fake invoices, job offers and similar lures sent to random addresses, carrying a .zip attachment that launched WannaCry when opened. That path was never confirmed; later analysis found that the worm reached most victims directly over SMB (TCP port 445) exposed to the internet, with no email involved at all. Phishing remains the usual delivery route for other ransomware, so the email precautions below still apply.
Once inside a network the malware spreads on its own, using an SMB exploit known as EternalBlue. The dropper is a worm that abuses SMB (Server Message Block), the Windows network file sharing protocol. The vulnerability it targets is in SMBv1 and was fixed by Microsoft in the MS17-010 update of March 2017, so only machines missing that patch are exposed. Parts of the payload run in memory without writing files to disk, and the malware is changing rapidly in the wild, with over a dozen variants seen so far.
Encrypted files are given the extension .WNCRY, and a ransom note named @Please_Read_Me@.txt is dropped in common file and folder locations.
The best protection against ransomware is to keep backups of all files on a completely separate system: offline, or at least not reachable with the credentials of the infected machine, because ransomware encrypts any mapped drive or network share it can write to. With such backups you will not lose any information to the attackers even if you are hit.
It is difficult to stop a determined attacker from launching a ransomware attack, but caution helps. In most campaigns the attacker still needs to get the malicious software onto a computer, phone or other connected device. WannaCry is unusual in that its worm component needs no user action on an unpatched machine, which is why patching matters as much as caution.
The most common delivery methods are compromised emails and websites. For example, an attacker could send an employee a phishing email that appears to come from their boss and asks them to open a link. The link actually leads to a malicious website that silently downloads the malware onto their computer.
What to do if you're a victim: should you pay the ransom?
Victims are advised never to pay the ransom, as it encourages the attackers, and paying is no guarantee that all files will be returned intact. The best course is to restore all files from a backup. If that isn't possible, some tools can decrypt and recover some information; do not wipe the affected machine or delete the encrypted files and ransom note until you have copied them off, because recovery tools released later may need them.
Unlike most ransomware, Wana Decryptor (another name for WannaCry) was built to spread quickly. It does so by incorporating a hacking tool that security researchers believe came from the NSA and was leaked online in April 2017.
The tool, dubbed EternalBlue, makes it easy to take over unpatched Windows machines with no action from the user. Once Wana Decryptor has infected one machine, it attempts to spread to other machines on the same local network, and then scans the internet for further vulnerable machines. Applying MS17-010 and blocking inbound TCP port 445 at the perimeter stop both hops.
“It creates a snowball-like effect,” Segura said. “A few machines will be infected, then it’ll try to contact more.”
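The spreading behaviour described above leaves a distinctive trace in firewall or flow logs: one host opening TCP/445 connections to many different machines within seconds, and later to addresses outside the company. The following detector is an added example for this article, not code from the original post or from any vendor; the "timestamp src dst dport action" log format, the internal address ranges, the thresholds and the sample lines are all constructed for illustration, so adapt parse_line() to whatever your firewall exports.

```python
"""Worm-style SMB scanning detector, run over constructed firewall log lines.

Added example for this article, not code from the original post or from any
vendor. The log format, address ranges and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed internal address space; everything else counts as "internet".
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log. 10.0.5.17 behaves like an infected host: it sweeps
# its own /24 on TCP/445 within seconds, then tries random internet addresses.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{i:02d} 10.0.5.17 10.0.5.{20 + i} 445 allow" for i in range(10)]
    + ["2017-05-12T10:00:11 10.0.5.17 203.0.113.7 445 deny",
       "2017-05-12T10:00:13 10.0.5.17 198.51.100.9 445 deny"]
    # a normal client opening a few sessions to the file server
    + [f"2017-05-12T10:0{i}:00 10.0.5.30 10.0.5.100 445 allow" for i in range(3)]
    # an admin's slow inventory sweep: ten hosts, one per minute, never bursty
    + [f"2017-05-12T10:{10 + i}:00 10.0.5.50 10.0.5.{60 + i} 445 allow" for i in range(10)]
    # unrelated HTTPS traffic
    + ["2017-05-12T10:00:07 10.0.5.40 93.184.216.34 443 allow"]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def max_targets_in_window(events, window):
    """Largest number of distinct destinations found in any `window`-long
    slice of a list of (timestamp, dst) pairs."""
    events = sorted(events)
    best = start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({dst for _, dst in events[start:end + 1]}))
    return best


def find_smb_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {src: stats} for sources that reached >= min_targets distinct
    hosts on TCP/445 inside one `window`. Bursty fan-out is the signal:
    a real SMB client talks to a few servers, a worm talks to everything."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport == 445:          # SMB only; ignore all other ports
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        burst = max_targets_in_window(events, window)
        if burst < min_targets:
            continue
        targets = {dst for _, dst in events}
        hits[src] = {
            "burst_targets": burst,
            "total_targets": len(targets),
            # external destinations mean the worm has moved on to internet scanning
            "external": sum(1 for dst in targets if not is_local(dst)),
            "first_seen": min(ts for ts, _ in events).isoformat(),
        }
    return hits


if __name__ == "__main__":
    for src, stats in find_smb_scanners(SAMPLE_LOG).items():
        print(f"isolate {src}: {stats}")
```

Run against the sample, only 10.0.5.17 is reported: twelve distinct targets in a 60-second window, two of them on the internet. The slow administrative sweep from 10.0.5.50 touches ten hosts too, but never more than two inside any window, which is why the detector keys on the burst rather than the total; tune the window and threshold to what your own SMB traffic looks like before alerting on it.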
Wcry (yet another name for the same malware) is spreading at an alarming rate. It was temporarily slowed by the accidental discovery of a kill switch, but variants with that part of the code removed have already been reported.
The kill switch works because the ransomware contacts a hardcoded domain before installing on the endpoint and aborts if the request succeeds. The criminals never registered that domain, so a security researcher who noticed it registered it himself, effectively turning it into a sinkhole that stops the original sample on any machine that can reach it. The check only helps where the request actually gets through: the malware ignores the system proxy, so hosts that can only reach the internet through a proxy are not protected by the sinkhole, and blocking the domain on internal DNS or web filters makes matters worse, not better.
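Because only the malware ever asks for the kill-switch name, resolver logs are a cheap way to find infected hosts, and the response code tells you something more: a lookup that resolved means the sample had a chance to abort, while a blocked lookup means the kill switch could not fire and the host is almost certainly encrypting and spreading. The triage routine below is an added example for this article, not code from the original post; the domain is a placeholder to be replaced with the published indicator, and the "timestamp client qname rcode" log format and sample lines are constructed.

```python
"""Triage DNS query logs for lookups of the WannaCry kill-switch domain.

Added example for this article, not code from the original post. The domain
below is a placeholder (substitute the published indicator), and the
"timestamp client qname rcode" log format and sample lines are constructed.
"""

# Assumption: placeholder name standing in for the real kill-switch domain.
KILLSWITCH_DOMAINS = {"killswitch-placeholder.invalid"}

# Constructed resolver log: one host whose lookup resolved (the sinkhole was
# reachable, so the sample may have exited), one whose lookup was blocked by an
# internal policy (the kill switch could not fire), and ordinary traffic.
SAMPLE_DNS_LOG = [
    "2017-05-12T11:02:33 10.0.5.17 killswitch-placeholder.invalid. NOERROR",
    "2017-05-12T11:02:34 10.0.5.30 www.example.com. NOERROR",
    "2017-05-12T11:05:10 10.0.5.88 killswitch-placeholder.invalid. NXDOMAIN",
    "2017-05-12T11:05:12 10.0.5.88 killswitch-placeholder.invalid. NXDOMAIN",
]


def triage_killswitch_lookups(lines, domains=KILLSWITCH_DOMAINS):
    """Map each client that looked up a kill-switch domain to a verdict.

    Every client listed ran the malware, since nothing else asks for the name.
    'resolved': the lookup worked and the sample may have aborted; still check
    the host, because the HTTP request must also succeed (proxies break it).
    'unresolved': the name was blocked, the kill switch could not fire, and the
    host must be treated as actively encrypting and spreading."""
    verdicts = {}
    for line in lines:
        _ts, client, qname, rcode = line.split()
        if qname.rstrip(".").lower() not in domains:
            continue
        # one successful resolution is enough to say the check could succeed
        if rcode == "NOERROR" or verdicts.get(client) == "resolved":
            verdicts[client] = "resolved"
        else:
            verdicts[client] = "unresolved"
    return verdicts


def hosts_to_isolate_first(verdicts):
    """Order hosts for response: the ones the sinkhole did not stop come first."""
    return sorted(verdicts, key=lambda h: (verdicts[h] != "unresolved", h))


if __name__ == "__main__":
    verdicts = triage_killswitch_lookups(SAMPLE_DNS_LOG)
    for host in hosts_to_isolate_first(verdicts):
        print(f"{host}: kill-switch lookup {verdicts[host]}")
```

On the sample this puts 10.0.5.88 ahead of 10.0.5.17: both ran the malware, but the blocked lookup on 10.0.5.88 means nothing stopped it. If your resolver logs show the name being answered NXDOMAIN or REFUSED for many clients, fix the filtering policy before doing anything else, since every new infection behind it will run to completion.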
Cyber security protection is a multi-layered approach. CHIPS' Fully Managed Clients have security management layers and processes in place to protect against this threat and ones like it.
If your corporate IT strategy needs updating to protect against today's threats and meet your business needs, please contact us for a no-cost Business Technology evaluation.
About CHIPS Computer Services
CHIPS Computer Services is an award-winning Managed Services Provider specializing in helping businesses increase efficiency and profits by leveraging properly managed technology. To learn how CHIPS can help your business, email us at firstname.lastname@example.org to schedule a no-cost business assessment.