Ransomware Trojans are a type of cyberware that is designed to extort money from a victim. Often, ransomware will demand a payment in order to undo changes that the Trojan virus has made to the victim's computer.

Code for exploiting that bug, known as "Eternal Blue", was released on the internet in March by a hacking group known as the Shadow Brokers. The group claimed it was stolen from a repository of NSA (National Security Agency) hacking tools. The agency has not responded to requests for comment.

- How WannaCry Works
- In the News
Traditional ransomware is still one of the most common threats for small to large businesses across the world. While it usually spreads via malicious e-mail attachments, browser or third-party exploits, the WannaCry attack automated the exploitation of a vulnerability which is present in most versions of Windows.
Why does this make it so dangerous? Simply because this allows a remote attacker to run code on the vulnerable computer and use that code to plant ransomware without any human or local action. This never-before-seen behavior makes it the perfect tool to attack specific environments or infrastructures, such as servers running a vulnerable version of the Server Message Block (SMB) protocol.
⇒ Day 1: OutCry - WannaCry targeted over 90,000 computers in 99 countries.
⇒ Day 2: The Patch Day - A security researcher successfully found a way to slow down the infection rate, and meanwhile, Microsoft released emergency patch updates for unsupported versions of Windows.
⇒ Day 3: New Variants Arrive - Just yesterday, some new variants of WannaCry, with and without a kill-switch, were detected in the wild and would be difficult to stop for at least the next few weeks.
8 Ways to Protect Yourself from WannaCry Ransomware Attack:
Currently, there is no WannaCry decryption tool or any other solution available, so users are strongly advised to follow prevention measures in order to protect themselves. Here are some simple tips you should always follow, because most computer viruses make their way into your systems due to a lack of simple security practices:
- Always Install Security Updates
- Using Unsupported Windows OS?
- Patch SMB Vulnerability
- Disable SMB
- Enable Firewall & Block SMB Ports
- Use an Antivirus Program
- Be Suspicious of Emails, Websites, and Apps
- Regularly Back Up Your Files
- Keep Your Knowledge Up-to-Date
If you are using any version of Windows, except Windows 10, with the SMB protocol enabled, make sure your computer always receives updates automatically from Microsoft and is always up-to-date.
If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.
Since WannaCry has been exploiting a critical SMB remote code execution vulnerability (CVE-2017-0148) for which Microsoft already released a patch (MS17-010) in the month of March, you are advised to ensure your system has installed those patches.
Moreover, Microsoft has been so generous to its users in this difficult time that the company has even released the SMB patches for its unsupported versions of Windows as well, including Windows XP, Vista, 8, Server 2003 and 2008.
Note: If you are using Windows 10 Creators Update (1703), you are not vulnerable to this SMB vulnerability.
Even if you have installed the patches, you are advised to disable the Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to protect against WannaCry ransomware attacks.
Here's the list of simple steps you can follow to disable SMBv1:
1. Go to Windows' Control Panel and open 'Programs.'
2. Open 'Features' under Programs and click 'Turn Windows Features on and off.'
3. Now, scroll down to find 'SMB 1.0/CIFS File Sharing Support' and uncheck it.
4. Then click OK, close the Control Panel and restart the computer.
Always keep your firewall enabled, and if you need to keep SMBv1 enabled, then just modify your firewall configurations to block access to SMB ports over the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.
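An added example, not part of the original article: a PowerShell audit covering the two measures above. It reports whether SMBv1 is still enabled and whether inbound block rules exist for the SMB ports listed, and changes anything only when run with `-Apply`. The rule names, the `-Apply` switch and the choice of the Public firewall profile are assumptions of this example.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell session on Windows 8 / Server 2012 or later.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

# SMB ports exactly as listed in the article.
$smbPorts = @{ TCP = 137, 139, 445; UDP = 137, 138 }

# 1. SMBv1 state: the server-side setting and the optional feature that the
#    'SMB 1.0/CIFS File Sharing Support' checkbox toggles.
$smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
$smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
"SMBv1 server enabled : $smb1Server"
"SMBv1 feature state  : $smb1Feature"

if ($Apply -and $smb1Server) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($Apply -and $smb1Feature -eq 'Enabled') {
    # Equivalent to unchecking the feature in Control Panel; a restart is
    # still needed before the change takes effect.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
        Out-Null
}

# 2. Inbound block rules for the SMB ports. The Public profile is an
#    assumption standing in for "access over the Internet"; internal file
#    sharing on Domain/Private profiles is left untouched.
foreach ($proto in $smbPorts.Keys) {
    $name = "Block inbound SMB ($proto) - example"   # constructed rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        "Firewall rule present: $name"
        continue
    }
    "Firewall rule missing: $name"
    if ($Apply) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $smbPorts[$proto] -Profile Public |
            Out-Null
    }
}

# 3. Confirm the firewall itself is switched on for every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled
```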
An evergreen solution to protect against most threats is to use good antivirus software from a reputable vendor and always keep it up-to-date.
Almost all antivirus vendors have already added detection capability to block WannaCry, as well as to prevent the secret installations from malicious applications in the background.
Unlike WannaCry, most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs. So, to safeguard against such ransomware infection, you should always exercise caution when opening uninvited documents sent over email, and never click on links inside those documents without verifying the source.
Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.
To always have a tight grip on all your important documents and files, keep a good backup routine in place that copies them to an external storage device which is not always connected to your computer. That way, if any ransomware infects you, it cannot encrypt your backups.
There's not a single day that goes without any report on cyber attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac Computers as well.
So, it's high time for users of any domain to follow the day-to-day happenings of the cyber world, which would not only help them keep their knowledge up-to-date, but also protect against even sophisticated cyber attacks.
What to do if WannaCry infects you?
If WannaCry ransomware has infected you, you can't decrypt your files until you pay the ransom money to the hackers and get a secret key to unlock your files.
- Never Pay the Ransom
It's up to the affected organizations and individuals to decide whether or not to pay the ransom, depending upon the importance of their files locked by the ransomware. But before making any final decision, just keep in mind: there's no guarantee that even after paying the ransom, you would regain control of your files.
Moreover, paying ransom also encourages cyber criminals to come up with similar threats and extort money from the larger audience.
So, the sure-shot advice to all users is: Don't Pay the Ransom.
Who's Behind WannaCry & Why Would Someone Do This?
While it's still not known who is behind WannaCry, such large-scale cyber attacks are often propagated by nation states, but this ongoing attack does not bear any link to foreign governments.
"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," said Europol, Europe's police agency.
Why are they hijacking hundreds of thousands of computers around the globe? Simple — to extort money by blackmailing infected users.

By looking at the infection rate, it seems like the criminals responsible for this absurd attack would have made lots and lots of dollars so far, but surprisingly they have made relatively little in the way of profits, according to @actual_ransom, a Twitter account that's tweeting details of every single transaction.
At the time of writing, the WannaCry attackers have received 171 payments totaling 27.96968763 BTC ($47,510.71 USD).
Who is responsible for WannaCry Attack?
— Is it Microsoft who created an operating system with so many vulnerabilities?
— Or is it the NSA, the intelligence agency of the United States, who found this critical SMB vulnerability and indirectly facilitated WannaCry-like attacks by not disclosing it to Microsoft?
— Or is it the Shadow Brokers, the hacking group, who managed to hack the NSA servers, but instead of reporting it to Microsoft, they decided to dump hacking tools and zero-day exploits in public?
— Or is it the Windows users themselves, who did not install the patches on their systems or are still using an unsupported version of Windows?
I do not know who can be blamed for this attack, but according to me, all of them share equal responsibility.
Microsoft Blames NSA/CIA for WannaCry Cyber Attack
Microsoft has hit out at the US government for facilitating cyber attacks, like WannaCry, by not disclosing software vulnerabilities to the respective vendors and holding them for its own benefit, such as global cyber espionage.
In a blog post on Sunday, Microsoft President Brad Smith condemned the US intelligence agencies' unethical practices, saying that the "widespread damage" caused by WannaCry happened because the NSA, CIA and other intelligence agencies held zero-days and allowed them to be stolen by hackers.
"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith said.
This statement also publicly confirms that the hacking tools and exploits leaked by the Shadow Brokers belong to Equation Group, an elite group of hackers from the NSA.
"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," Smith wrote.
