On May 12, 2017, many Windows users around the world, and the critical systems that depend on those machines, fell victim to a large-scale ransomware attack. For those unfamiliar with this kind of threat: ransomware is malicious software that carries out a cryptoviral extortion attack. It encrypts the victim's data so that it can no longer be accessed, then displays a message demanding a ransom payment in exchange for the key that unlocks it.
In most cases the ransomware locks up the system in a way the user cannot reverse on their own. Even experienced security experts find this threat hard to counter: according to reports, responders worked long hours in the early days of this outbreak to contain it, and as things stand the encrypted files cannot be decrypted without the attackers' decryption key.
HOW DOES RANSOMWARE SPREAD?
According to a Microsoft alert, ransomware of this kind does not normally spread so rapidly: its operators usually rely on social engineering or email as the primary attack vector, counting on users to download and execute a malicious payload themselves. In this case, the alert states, the perpetrators incorporated publicly available exploit code for the SMB "EternalBlue" vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. That vulnerability had already been fixed in security bulletin MS17-010, released by Microsoft on March 14, 2017, so the exploit only succeeds against machines that never received the update.
Infection methods vary from one malware family to another, but ransomware is typically packaged in installer files masquerading as official software updates, advertised as updates for Adobe Acrobat, Java or Flash Player. If you have visited underground websites such as torrent sites, you have probably seen the ads used to distribute such malware: typically a pop-up appears telling you that you need to update Adobe Acrobat.
STEPS TO PREVENT AND PROTECT AGAINST THIS THREAT
It is important to note that ransomware comes in many variants. The variant behind this outbreak, called WannaCrypt (also known as WannaCry), has worm-like functionality: once it is running on one machine it uses the SMB exploit to enter other machines on the network that were still unpatched even though the Microsoft Windows fix had been available for two months.
The exploit code used by WannaCrypt, as stated by security experts, was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems, so Windows 10 PCs are not affected by this attack.
At this point the only effective way of fighting this threat is prevention: no way has been found to decrypt files that WannaCrypt has already encrypted without the attackers' key, so the measures below aim to stop the malware from running and spreading in the first place.
Because attackers use social-engineering emails to trick users into running the malware, which then activates its worm functionality through the SMB exploit, Microsoft has advised that SMB traffic on TCP port 445 be blocked at the router or firewall, and strongly recommends that the SMBv1 feature be disabled on all Windows systems. Above all, install the MS17-010 update on every machine that has not yet received it: blocking port 445 and disabling SMBv1 close the worm's entry vector, but they do not remove the vulnerability itself.
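The PowerShell script below is an added example and is not code from the original post or from Microsoft's alert. It audits a single Windows host for the conditions described above (MS17-010 missing, SMBv1 server enabled) and then applies the two mitigations Microsoft advised: disabling SMBv1 and blocking inbound TCP 445. It assumes an elevated prompt; the KB numbers in $Ms17010Kbs, the registry fallback for Windows 7 / Server 2008 R2, and the firewall rule name are the editor's assumptions and should be checked against the MS17-010 bulletin for your own platforms.

```powershell
# Added example, not code from the original post or from Microsoft.
# Audits one Windows host for the exposure described above and applies the
# two mitigations Microsoft advised: disable SMBv1 and block inbound TCP 445.
# Run from an elevated (Administrator) PowerShell prompt.

# Assumption: these are the MS17-010 package KB numbers for Windows 7 /
# Server 2008 R2 (security-only 4012212, monthly rollup 4012215) and for the
# older Vista / Server 2008 / XP / 2003 package (4012598). Other platforms use
# other KB numbers; extend the list from the MS17-010 bulletin for your estate.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Installed {
    # True if any known MS17-010 package appears in the installed-hotfix list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1ServerEnabled {
    # Server-side SMBv1 state. Get-SmbServerConfiguration exists on
    # Windows 8 / Server 2012 and later; on Windows 7 / Server 2008 R2 the
    # LanmanServer "SMB1" registry value is consulted instead, and a missing
    # value means SMBv1 is enabled (the default on those versions).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $prop = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $true }
    return ([int]$prop.SMB1 -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: the registry method from Microsoft's
        # SMB how-to (KB2696547); takes effect after a reboot.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb445 {
    # Rule name is the editor's choice. Blocking 445 on the host itself also
    # stops legitimate file sharing to this machine; the post's advice is to
    # block it at the router or perimeter firewall, which this mirrors locally.
    $ruleName = 'Block inbound SMB TCP 445 (WannaCrypt mitigation)'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 / Server 2008 R2 lack the NetSecurity cmdlets; use netsh.
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

# --- audit, then remediate ---
if (Test-Ms17010Installed) {
    Write-Host 'MS17-010: a known package is installed.'
} else {
    Write-Warning 'MS17-010 not found in the hotfix list: install the update before anything else.'
}

if (Get-Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Disable-Smb1Server
} else {
    Write-Host 'SMBv1 server is already disabled.'
}

Block-InboundSmb445
Write-Host 'Inbound TCP 445 is now blocked by the host firewall.'
```

Two caveats when reading the audit result. A negative MS17-010 check is a prompt to verify, not proof of exposure: later monthly rollups supersede the original packages under different KB numbers, so a host patched through a newer rollup will not show the KBs listed here. And the SMBv1 registry change on Windows 7 / Server 2008 R2 only disables the server side and only after a reboot; the client side (the mrxsmb10 driver) is a separate setting covered in Microsoft's SMB how-to.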
Using the following Microsoft tools can also help to detect and remove this threat before it escalates fully.
Finally, get the latest protection from Microsoft, which I highly recommend as the most reliable antidote to this threat and many others: I encourage all Windows users to upgrade to Windows 10 and to keep their computers up to date, so that they benefit from the latest features and the proactive mitigations built into the current versions of Windows.