On Friday, 12th May 2017, the WannaCry ransomware attack spread like wildfire, infecting computers in more than 70 countries. Over the weekend it damaged data at the National Health Service in the UK and at transport operators in Spain and Germany, immobilized government ministries in Russia, hit FedEx in the USA, and affected countless businesses in over 100 countries. It was an advanced cyber attack of historic proportions and is still escalating across the globe.
What is ransomware?
The first ransomware emerged in 1989 and was called the AIDS Trojan. Its attack method was crude: it spread via floppy disks (obsolete these days). Victims were shown a message demanding that US$189 be deposited at a post office in Panama to pay the ransom. Over time, many variants were created and released. Here is a quick look at the ransomware families discovered since then.
Image credits: CERT-RO
In simple terms, ransomware is a form of malicious software designed to block access to a computer system until the affected user pays a sum of money. There are basically two types of ransomware making the rounds in the cyber world:
The first, and the most common nowadays, is encrypting ransomware. It incorporates advanced encryption algorithms and is designed to block system files, encrypt the data files and demand payment for a decryption key that can recover the encrypted files.
The second is locker ransomware, which locks the victim out of the operating system, making it impossible to reach the desktop or any apps or files. The files are not encrypted in this case, but the attackers still demand a ransom to unlock the infected computer.
A variant of this type is Master Boot Record (MBR) ransomware. The MBR is the section of a PC's hard drive that enables the operating system to boot. When MBR ransomware strikes, the boot process cannot complete as usual and a ransom note is displayed on the screen instead.
The ransomware requires its victims to pay in Bitcoin to regain control of their machines or restore their data. However, there is no guarantee that paying will get your data back.
For now, we shall discuss only the encrypting ransomware which has affected so many machines and so much data across the globe this weekend.
WannaCry Ransomware Attack
The WannaCry ransomware which has created havoc across the world is an advanced malware that supports 28 different languages and can encrypt more than 180 different file types. It uses a Server Message Block (SMB) vulnerability to infect machines and spread. Here are some key characteristics of WannaCry:
- Its encryption cannot be broken, so the victim cannot reverse the damage. Once the files have been encrypted, there is no way you can decrypt them.
- It can encrypt almost all types of files: documents, spreadsheets, pictures, videos, audio, etc.
- It scrambles the file names, so identifying which files were affected is nearly impossible.
- Once it has encrypted the files on a victim's computer, it displays a notice stating that the data has been encrypted and that the victim now has a specific time limit to pay for decryption. Payment must be made by purchasing Bitcoin.
- If payment is not made within the stipulated time frame, the ransom increases. This is a psychological game played by the attackers.
- The ransomware uses a complex set of evasion techniques to go undetected by your anti-virus. It can also turn your machine into a foothold from which cyber criminals launch further attacks on other computers in the network to spread the malware.
- The ransomware can also exfiltrate data, meaning it can extract information from the affected computer, such as usernames, passwords and email addresses, and send it to a predefined destination such as a server controlled by the attacker.
How does ransomware spread?
Ransomware spreads on the Internet using many disguises: spam email campaigns, security exploits against unpatched systems, traffic redirection from websites, malicious code injected into web pages, etc. The most common vehicle is spam email.
The victim receives an email which looks like a legitimate message from a bank, a client or a website. It carries a malicious link or a malware attachment. Once the victim clicks the link or downloads and opens the attachment, a payload (a small program) is placed on the affected computer. The payload then downloads the ransomware from the attacker's list of servers. The ransomware starts encrypting files on the entire hard disk and can even spread to cloud drives that have been attached to the computer as network drives. It can also spread to other computers if the affected computer is connected to the local network. The file "tasksche.exe" enumerates disk drives, including network shares and removable storage devices mapped to a letter such as 'C:' or 'D:'. The malware then looks for files matching its list of 180+ extensions and encrypts them using 2048-bit RSA encryption.
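The two observable side effects described above, files whose contents are replaced by ciphertext and files whose names are scrambled, are what a defender can look for on a suspect machine. The following Python script is an added example, not code from the original post and not derived from WannaCry itself: it walks a directory and flags files whose expected header is gone and whose bytes look random, text files that are no longer printable, and unrecognised names holding high-entropy data. The sample tree it builds (report.pdf, notes.txt, archive.zip, photo.jpg, k3j9xq2p) is constructed for the demonstration; the random bytes stand in for encrypted content. The archive.zip case shows the caveat a practitioner must handle: compressed formats are high-entropy when intact, so the header check has to run before the entropy check.

```python
import math
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional

# Leading bytes ("magic") expected for common document and image formats.
# Office files and archives are zip containers, so they are high-entropy even
# when intact; checking the magic first avoids flagging them.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".ini", ".xml", ".html"}
SAMPLE_BYTES = 4096        # only the head of each file is inspected
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path: Path) -> Optional[str]:
    """Return a reason if the file looks like ciphertext, else None."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ext = path.suffix.lower()
    entropy = shannon_entropy(head)
    if ext in MAGIC:
        # Extension kept but header gone and content random: encrypted in place.
        if not head.startswith(MAGIC[ext]) and entropy > ENTROPY_THRESHOLD:
            return f"{ext} file without its header, entropy {entropy:.2f}"
        return None
    if ext in TEXT_EXTENSIONS:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
        if head and printable / len(head) < 0.7:
            return f"{ext} file is only {printable / len(head):.0%} printable"
        return None
    # Scrambled or unknown names: entropy is the only signal left.
    if len(head) >= 256 and entropy > ENTROPY_THRESHOLD:
        return f"unrecognised name with entropy {entropy:.2f}"
    return None


def scan(root: Path) -> Dict[str, str]:
    """Map each suspicious file (path relative to root) to the reason it was flagged."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reason = classify_file(path)
            if reason:
                findings[str(path.relative_to(root))] = reason
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not real WannaCry output): three intact files
    and two that stand in for encrypted ones."""
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
    (root / "notes.txt").write_text("quarterly notes\n" * 50)
    with zipfile.ZipFile(root / "archive.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.txt", "compressed but legitimate\n" * 100)
    (root / "photo.jpg").write_bytes(os.urandom(4096))   # encrypted in place, name kept
    (root / "k3j9xq2p").write_bytes(os.urandom(4096))    # encrypted and renamed


def demo() -> Dict[str, str]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"FLAGGED {name}: {reason}")
```

Running the script flags photo.jpg and k3j9xq2p and leaves the three intact files alone. The thresholds are heuristics: a real deployment would tune them against the file population of the environment and treat a sudden burst of flagged files as the alert, since a single high-entropy file is normal.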
Once the data has been encrypted, the ransomware shows a message demanding the ransom, similar to the one shown here.
Everything happens so quickly that before you realize you are affected, the data is already lost. This raises a question in the victim's mind: even though an anti-virus was installed on the PC, why did the ransomware go undetected? The answer is the advanced techniques employed to disguise and deploy the ransomware. The communication between the payload and the server from which the ransomware is downloaded is encrypted, making it difficult to detect.
How can I be safe?
Here are a few tips which can help safeguard your data:
- Always make sure that you have the latest backups. Make this a habit and keep backups in at least two different locations. If your backup software can encrypt the data it stores, all the better. Encrypted backup data does not carry a familiar extension (.docx, .pdf, .jpg, etc.), so it becomes harder for the malware to target these files.
- Always ensure that the software you use is genuine and licensed. This allows your operating system to download the patches released to close the vulnerability. Keeping your systems patched and your anti-virus signatures updated at all times helps prevent compromises that spread via exploit kits.
- Always use a reliable, paid antivirus product that includes an automatic update module for its signatures and a real-time scanner.
- Install a good firewall in your business network that can do deep packet inspection and filter network traffic. Adjust the security settings to scan compressed or archived files if your firewall offers this feature.
- On your local machine, ensure that Windows Firewall is turned on and properly configured at all times. If you do not know what to allow and what to block, consult an expert or a computer security firm who can help you with it.
- Recheck the spam settings on your mail server or mailbox so that suspicious attachments are blocked or removed. It is always good to configure your mail server to block and remove attachments with common executable extensions such as .exe, .vbs or .scr.
- Educate yourself and others to be extra cautious and refrain from opening attachments that look suspicious. Many of us receive emails that appear to come from a social site, an eCommerce store where you shop, a law enforcement agency or a bank. Be careful before you open them.
- In the event a suspicious process is spotted on your computer, turn off the Internet connection immediately. This is particularly effective at an early stage of the attack because the ransomware will not get the chance to establish a connection with its Command and Control (C&C) server and thus cannot complete the encryption routine.
- Configure your Microsoft Office components (Word, Excel, PowerPoint, etc.) so that they do not run macros and ActiveX controls automatically.
- Do not use the administrator account for your daily work. Instead, create a normal user account with limited privileges.
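Two of the tips above, scanning inside compressed attachments and rejecting executable attachments such as .exe, .vbs or .scr, can be combined in one mail-gateway filter. The Python script below is an added example, not code from the original post or from any mail product: it parses a raw message, examines each attachment, and quarantines the message if an attachment has a blocked extension (including double extensions like invoice.pdf.exe), if a zip archive contains such a file or has password-protected entries that cannot be scanned, or if the bytes start with the 'MZ' header of a Windows executable despite a harmless-looking name. The blocklist extends the page's three extensions with other common Windows-executable types; the four sample messages and their 'MZ' stubs are constructed inline and are inert.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import Dict, List

# The three extensions the tips above name, plus other Windows-executable
# types a mail gateway is commonly configured to reject.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".js", ".bat", ".cmd", ".com", ".pif", ".hta", ".wsf"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(filename: str) -> str:
    """Final suffix of a filename, lower-cased. Trailing dots and spaces are
    stripped because Windows ignores them, so 'invoice.exe.' is still .exe."""
    return PurePosixPath(filename.rstrip(". ").lower()).suffix


def inspect_attachment(filename: str, payload: bytes) -> List[str]:
    """Reasons to quarantine one attachment; an empty list means it passed."""
    reasons: List[str] = []
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: blocked extension {ext}")
    elif payload.startswith(b"MZ"):
        # Windows executables start with the 'MZ' DOS header whatever they are named.
        reasons.append(f"{filename}: executable content behind '{ext or 'no'}' extension")
    if ext in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        # Password-protected entries cannot be scanned; treat as suspect.
                        reasons.append(f"{filename}: password-protected entry {info.filename}")
                    elif _ext(info.filename) in BLOCKED_EXTENSIONS:
                        reasons.append(f"{filename}: archive contains {info.filename}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: unreadable archive")
    return reasons


def triage_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons.extend(inspect_attachment(name, payload))
    return {"subject": str(msg["Subject"]), "quarantine": bool(reasons), "reasons": reasons}


def _mail(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_samples() -> Dict[str, bytes]:
    """Constructed messages, not real captures. The 'MZ' stubs are inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_details.scr", b"MZ" + b"\0" * 64)
    return {
        "benign": _mail("Monthly report", "report.pdf", b"%PDF-1.4\n%%EOF\n"),
        "double_ext": _mail("Invoice attached", "invoice.pdf.exe", b"MZ" + b"\0" * 64),
        "zipped": _mail("Payment details", "payment.zip", buf.getvalue()),
        "disguised": _mail("Your statement", "statement.pdf", b"MZ" + b"\0" * 64),
    }


def demo() -> Dict[str, Dict[str, object]]:
    """Triage every sample message and return the verdicts by name."""
    return {name: triage_message(raw) for name, raw in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "QUARANTINE" if verdict["quarantine"] else "deliver", verdict["reasons"])
```

Only the benign PDF is delivered; the other three messages are quarantined with a reason that names the offending attachment. Password-protected archives are flagged rather than passed because the gateway cannot see what is inside them, which is exactly the blind spot the "scan compressed or archived files" tip is about.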
Be prepared. Be safe.
Remember that prevention is better than cure, and in the case of ransomware there is no definite cure yet. Once you are affected, trust me, there is no way to get your data back unless you have recent backups. Also remember that paying the ransom does not work: there is no guarantee that once you have paid the ransom in Bitcoin you will receive the promised decryptor. In fact, by paying the ransom we would be funding the attackers' next cyber attack.