Authored by Ronak Shah and Chetan Limbachiya
“What happened to my computer?”
If this is the message you see in a red box on your screen, your computer has been infected by the WannaCry ransomware cryptoworm.
In what is being called one of the biggest coordinated malware attacks across Europe, Asia, and parts of North America, the WannaCry attackers did not just go after individuals. They also hit government institutions such as law enforcement and healthcare services. From the French carmaker Renault to cell phone carriers in Spain, the victims fit a specific pattern: anybody who had not updated their Windows XP or Windows 7 OS in the last month. The global cyberattack, which started in the UK, harmed more than 200,000 computers in more than 150 countries worldwide.
How did it spread?
The malware spread via the Server Message Block (SMB) protocol used by the Windows OS, which lets machines access file systems over a network. WannaCry spread quickly over this file-sharing system. Since IT teams in a company manage updates centrally, any lapse in applying the Windows update meant that every computer on the network was vulnerable to the attack.
Microsoft had already released a patch in March that would have eliminated this problem: an OS-level security update for the vulnerability described in bulletin MS17-010. But regular updates are not a high priority for many individuals and companies, so their systems remained exposed to the mind-boggling attack.
Infected PCs display a message saying that you have 3 days to pay $300 in bitcoin to unlock all the files on your PC. After 3 days the amount doubles to $600, and after a week your files will be deleted forever. The malware tried to contact a specific unregistered domain; a 22-year-old security researcher known by the Twitter handle ‘MalwareTech’ registered that domain and stopped the malware in its tracks. He has appealed to people to update their systems as soon as possible to prevent another round of attacks.
How do you hack-proof your computer against WannaCry?
The immediate steps you need to take to contain the destructive impact of WannaCry are listed below.
Steps for Prevention Recommended by US-CERT:
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
- Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
- Test your backups to ensure they work correctly upon use.
You need to be alert for malicious emails that are dressed up to look like genuine mail from companies or people you know. Never click a link or open an attachment that arrives with such a mail, as it could unleash malware on your PC.
The 22-year-old accidental savior of the cyberworld was unequivocal in his assessment: he strongly feels that such attacks will continue unless precautions are taken at the root level. From our experience, we recommend the following steps for the IT team to maintain the collective health of organizational IT systems:
- Applying OS patches is the number one priority if you are on a Windows OS.
- The antivirus on each local system should be a known, effective product and kept updated (Symantec Endpoint, Trend Micro, and Kaspersky are the industry leaders in this context).
- The OS firewall must be active whenever you work on a standalone system with full internet access.
- Users should not visit unwanted sites, nor download unwanted content.
- Keep only the windows you need open on the system, and be very careful before clicking on any pop-up that appears while working or browsing.
- On top of that, admin access should be revoked for users in a corporate environment if it is not needed.
- Remove unwanted open shared folders from local systems.
- Most important: keep backing up critical data to external storage to prevent a big loss.
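The following PowerShell script is an added example, not part of the original post or any CIGNEX tool. It audits one Windows host against items from both lists above: the MS17-010 patch, the SMBv1 server that MS17-010 fixes, the OS firewall profiles, and open non-administrative shares. It assumes an elevated Windows PowerShell prompt, and the KB numbers it lists are assumed to be the March 2017 MS17-010 update identifiers, which you should confirm against the Microsoft bulletin before relying on them.

```powershell
# Added example, not from the original post: a read-only WannaCry exposure check for one
# Windows host, run from an elevated PowerShell prompt. It covers the MS17-010 patch,
# the SMBv1 server that MS17-010 fixes, the OS firewall profiles and non-admin shares.

# Assumption: March 2017 MS17-010 update IDs (security-only and monthly rollup) for
# Windows 7/2008 R2, 8.1/2012 R2 and 2012. Later cumulative rollups supersede them,
# so a miss here means "verify against the MS17-010 bulletin", not "unpatched".
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217'

function Test-Ms17010Hotfix {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol   # Windows 8+/2012+
    }
    # Windows 7/2008 R2: SMBv1 is on unless this value is explicitly 0 (Microsoft KB2696547).
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $p -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Get-DisabledFirewallProfiles {
    # HNetCfg.FwPolicy2 profile IDs: 1 = Domain, 2 = Private, 4 = Public (Windows 7 and later).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    @{ Domain = 1; Private = 2; Public = 4 }.GetEnumerator() |
        Where-Object { -not $fw.FirewallEnabled($_.Value) } |
        ForEach-Object { $_.Key }
}

function Get-NonAdminShares {
    # Win32_Share Type 0 = plain disk share; admin shares (C$, ADMIN$, IPC$) use other types.
    Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } |
        ForEach-Object { "$($_.Name) -> $($_.Path)" }
}

$findings = @()
if (-not (Test-Ms17010Hotfix)) { $findings += 'No known MS17-010 hotfix ID installed; verify patch level.' }
if (Test-Smb1Enabled)          { $findings += 'SMBv1 server is enabled.' }
$off = @(Get-DisabledFirewallProfiles)
if ($off)                      { $findings += "Firewall off for profile(s): $($off -join ', ')" }
$shares = @(Get-NonAdminShares)
if ($shares)                   { $findings += "Review open shares: $($shares -join '; ')" }
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No exposure found by these checks.' }
# Remediation for the SMBv1 finding, once nothing on the host depends on SMBv1:
#   Windows 8+/2012+: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Windows 7/2008 R2: set SMB1 = 0 (DWORD) under the LanmanServer\Parameters key, then reboot
```

The script only reports; apply the remediation commands in the closing comment after confirming that no legacy device on the network still depends on SMBv1.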
These basic building blocks will go a long way in preventing the next cybersecurity attack like WannaCry. CIGNEX can help in safeguarding your applications, data and servers from malicious security attacks. Have a Safe Digital Experience!