I cannot emphasize enough that botnets and ransomware remains one of the biggest threats to various businesses. The damages to the economy are enormous. Just about 2 days ago, I responded to a Dale Drew’s (CISO of Level3 Communications and a well-regarded security expert) blog – 256: WHY HEALTHCARE SECURITY IS VULNERABLE AND BOTNETS & RANSOMWARE REMAIN OUR BIGGEST THREAT. I highlighted the severity due to international nature of ransomware.
WannaCrypt ransomware is creating havoc on internet connected Windows PCs and servers and bringing down businesses one after the other. Here are some of the very important factors you need to know about this threat.
What does it do?
WannCrypt enters PCs, Laptops, servers and devices running unpatched Windows 7, Windows 8 or previous versions of Windows operating system using SMB v1 vulnerability. It encrypts all the files on the device and communicates to Command and Control Center with the details of the device held hostage.
A red and white window with a message board gets displayed with the details of the threat.
- Warns you about all of your data files, documents, pictures etc. being encrypted. Few of them can be decrypted for free but for others you need to pay certain number of bitcoins for decryption.
- Gives warning on number of days you have to pay the ransom. Not paying within the given time limit triggers deletion of your files.
- It also shows the amount of time left for you to pay the ransom.
- A link to pay ransom to is clearly shown at the bottom of the warning page.
Some more details of the vulnerability are given here as described by the Microsoft Security Protection Center .
Some technical details:
- This ransomware uses Microsoft Server Message Block 1.0 (SMB v1) server vulnerabilities to get transported into the system and uses the same protocol to transport to other systems or spread.
- Operating Systems targeted: Unpatched versions of Windows including Windows 7, Windows 8, Windows Vista.
- Alternative names of ransomware: WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor.
- According to Microsoft Security analysts when run it tries to communicate with the following URL: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comon port 80.
- It creates services like %SystemRoot%tasksche.exe and mssecsvc2.0
- It appends .WNCRY extensions to all the encrypted files.
- It looks for files of almost all the important types with corresponding extensions. It does not use wildcard in filenames for encryption.
What should you know if affected?
- The ransom seems to be different for different cases.
- There is no guarantee or assurance that you would get your files decrypted back after the ransom is paid. Ransomware and MDN (Malware Delivery Networks) are complex mechanisms. They depend upon multiple factors on the network and connectivity for destruction and recovery.
- As far as possible, keep your system connected to the network if you plan to pay the ransom. Again, this is not an encouragement but it would be a complex decision based on your business critical operations.
- If there is any special observation, post it to this blog or any blog of your choice and share the information.
What should you do to avoid infection?
- Keep all the unaffected systems offline or move them to different segment of the network with appropriate segmentation or firewalls.
- Get the latest software updates to your Windows systems.
- Install up-to-date security patches.
- Use segmentation technology for your servers which provide protection for legacy protocols as well.
- Always follow strong and frequent data backup procedures for archival.
There are resources available for you to avoid infections by this ransomware. Please ask your IT experts on usage of effective segmentation for security and firewalling. For more information, please email firstname.lastname@example.org