What is Ransomware?
Ransomware is a kind of malware that pressures a victim into paying a ransom: until the ransom is paid, the victim's data remains encrypted or otherwise blocked from access. In the context of an attack on a business, an entire organization can be left paralyzed.
How does it spread?
Ransomware spreads through phishing emails that carry malicious attachments, or through software that a user downloads without realizing what it is. The attachment can be in almost any format, such as a ZIP file, a Word document or an Excel spreadsheet. A ransomware infection can also occur when a user visits an unfamiliar website.
WannaCry ransomware (also known as Wana Decrypt0r, WCry and WannaCrypt) came to attention in 2017. A massive attack across multiple countries took place on 12 May 2017. Multiple reports state that more than 300,000 systems were affected in over 150 countries. The attack hit multiple industries, including healthcare, government, telecommunications and petrochemicals. This malware is classified as a worm, meaning it can replicate itself in order to spread across an entire network. Researchers also noted that WannaCry's encryption component is based on public-key cryptography.
How does WannaCry infect systems?
The malware uses the well-known EternalBlue and DoublePulsar exploits that were developed by the NSA (National Security Agency). These exploits were leaked in 2017 by the Shadow Brokers group. EternalBlue exploits an SMB v1 vulnerability, which Microsoft patched on 14 March 2017 in security bulletin MS17-010. This vulnerability allows an attacker to achieve remote code execution by sending crafted messages to TCP ports 139 and 445 of an unpatched Windows system. Once the EternalBlue exploit has run, WannaCry attempts to implant the DoublePulsar backdoor on the system.
- Don't click on suspicious links: If a link in an email looks irrelevant or unexpected, avoid clicking it. Simply clicking a link can be enough to start the malware download.
- Personal information: If you receive a call or message from an unknown contact, do not respond. The attacker may be attempting phishing, and sharing personal information makes you vulnerable.
- USB drives: If an unknown person (an untrusted source) hands you a USB drive, never plug the device into your system. It may contain autorun scripts that execute as soon as the drive is connected.
- Updating your operating system: Keep your programs and operating system updated, since vendors provide regular patches, some of which are critical security updates. Following this practice makes it much harder for attackers to exploit your system or network.
- Using a VPN: As daily users we connect to public Wi-Fi networks in coffee shops, subways, railway stations and restaurants, without realizing that a public network exposes us to cyber-attacks. It is therefore good practice to use a VPN in public places, and, as a further precaution, to avoid public networks unless it is essential.
- Downloading software: Download software only from a known source you can rely on; files from an unknown source may contain ransomware.
- Application whitelisting: Configure the operating system, or use third-party software, to allow only authorized applications to run on computers, which prevents ransomware from executing.
- Awareness: Organizations benefit from educating their employees about ransomware protection practices and the countermeasures to take during an attack.
If remote services are not required, turn them off. This reduces the attack surface, so that attackers have no remote service to exploit. For organizations, plenty of endpoint protection products are available that defend against ransomware. Apply content filtering on your mail servers and block known malicious websites. Firewall rules can also protect against ransomware, and these configurations should be applied.
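As an added example (not part of the original article), the following PowerShell script applies the hardening steps above against the SMB v1 vector that WannaCry used: it audits whether SMB v1 is enabled, disables it, blocks inbound TCP 139/445 on the Public firewall profile, and checks for the MS17-010 update. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later; the KB identifier is a placeholder because it differs per Windows version.

```powershell
# Added hardening example for the SMB v1 vector described above.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later
# (SmbShare, DISM and NetSecurity modules available).

# 1. Audit: is the SMB v1 server component still enabled on this host?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMB v1 server is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Host "SMB v1 server is already disabled on $env:COMPUTERNAME"
}

# 2. Remediate: turn SMB v1 off at both the protocol and the feature level.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 3. Contain: block inbound SMB/NetBIOS on untrusted (Public) networks so the
#    host is not reachable on TCP 139/445 from, for example, coffee-shop Wi-Fi.
$ruleName = "Block inbound SMB (TCP 139,445) on Public profile"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Public | Out-Null
    Write-Host "Firewall rule created: $ruleName"
}

# 4. Verify: confirm the MS17-010 update is installed. The KB number depends on
#    the Windows version, so look it up in the MS17-010 bulletin and replace
#    the placeholder below before running.
$kb = "KB<MS17-010 id for this OS>"   # placeholder, not a real identifier
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "$kb is installed"
} else {
    Write-Warning "$kb not found; install the MS17-010 update for this OS"
}

# 5. Report the final state so the result can be recorded.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Disabling the SMB1Protocol feature takes full effect only after a reboot, so schedule one after running the script.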
Additionally, Windows includes a built-in data backup feature, and it is good practice to keep a backup of your data. If NAS (Network Attached Storage) is configured within a network, it can also be a target of ransomware. This is one reason to create regular backups of your data and to keep multiple copies.
To avoid becoming a victim of ransomware, we urge you to adopt the necessary precautionary measures and block future attacks. If you do fall victim to ransomware, we encourage you to take action by referring to the protective measures above.