A wave of massive ransomware attacks hit the PCs of hundreds of entities across the globe on Friday, notably in the UK, Spain and Russia. Similar attacks were witnessed across 99 different countries.

It was reported that UK NHS hospitals had been infected with this ransomware, which obstructed their daily routine operations. They had to cancel all medical services except the emergency department. Hospital staff found it difficult to access important patient records. The British Prime Minister Theresa May said: "The attack was part of a large-scale hack across the world and there was no evidence that patients' data had been compromised."

It is confirmed that the attack was carried out to extort ransom money. It demands around $300 (£230) in Bitcoin. The intruders warn the victims to pay within three days, or else the price will be doubled. Moreover, if the victims fail to pay, the files and data will be gone for good.

The NSA (National Security Agency) had identified a weakness in Microsoft systems and named it ETERNALBLUE. Industry experts say the attack might have been built to exploit this weakness. This ransomware uses the Microsoft vulnerability MS17-010.

The Shadow Brokers (hackers) had leaked the tools from the NSA and released them online for auction in April. As a precaution, Microsoft released a patch for the vulnerability, but many systems had probably not been updated, which left the loophole open to the attackers.

Many countries, such as the UAE, have warned companies to be alert and ensure that all security measures are in place.
How extensively has the WannaCry ransomware infected?
Reports reveal infections in 99 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan.

According to the cyber-security firm Avast, it has noticed 75,000 cases of the ransomware, known as WannaCry, and its variants around the globe.

Researchers from various parts of the world concluded that the incidents appear to be linked, but may not be a coordinated attack on specific targets.

Meanwhile, reports say that the attackers' Bitcoin wallets have been filling up with money. Bitcoin is the usual method of ransom payment.

Who has been affected?
The entities that suffered this attack are those which had not updated their systems according to Microsoft's instructions since March.

The major attack was on the UK's National Health Service (NHS) hospitals.

Russia also reported several infections; the country's interior ministry said it had localized the virus following an attack on systems running the Windows operating system. These attacks are assumed to be on personal computers. In addition, the second largest mobile phone network in Russia also revealed that it was affected.

On Twitter, users posted several tweets showing affected computers, including a local railway ticket machine in Germany and a university computer lab in Italy.

Staff at several Spanish firms were instructed to turn off their computers in connection with the outbreak. The firms include the telecoms giant Telefonica, the power firm Iberdrola and the utility provider Gas Natural.

How does the malware work?
The usual way a ransomware attack starts is by tricking an employee at the target organization through an email which seems relevant and genuine. This method is called phishing.

WannaCry, in contrast, chose a different approach to cause a massive attack. Once the worm is inside an organisation, it hunts for vulnerable machines and infects them as well. The malware scans heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm, compromising hosts, encrypting the files stored on them and then demanding a ransom payment in Bitcoin. Once a machine is infected, the infected files carry the extension ".WNCRYT".

Precautions to be taken - free from WannaCry!

1 - Patch Management
Ensure all workstations and servers have the latest Microsoft patches, especially the ones related to MS17-010.

2 - Antivirus
Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on the AV solution.
Get the details of the malware name and verify whether this malware has been detected in the logs for the last week.

3 - IPS
Ensure IPS signatures are updated. Verify that the signature which can detect this vulnerability / exploit attempt is enabled and in blocking mode.
Get the details of the signature name and verify whether this signature has been detected in the logs for the last week.

4 - Email Gateway
Ensure the email gateway solution has all relevant updates for detecting emails that may bring the Trojan into the environment.

5 - Proxy
Ensure the proxy solution has an updated database.
Block IOCs for IP addresses and domain names on the proxy. Verify the last week's logs for the IOCs on the proxy and take action on sources of infection.

6 - Firewall
Block the IP addresses on the perimeter firewall. Verify the logs for the last week.

7 - Anti-APT Solutions (FireEye, Trend Micro)
Ensure signatures are up to date. Check for possible internal sources of infection and take action.

8 - SIEM
Check logs to verify whether any of the IOCs have been detected in the last week's logs.

Note:
a - If required, raise a case with the OEM for getting details.
b - All changes must follow proper approvals and the change management process.

Disclaimer: please use on test machines before applying in production.
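The worm-like fan-out on TCP/445 described above is something the firewall and SIEM log checks in the precautions list can look for directly. The following is an added example, not code from the article or any vendor's product: it parses constructed firewall-style log lines (the field layout is an assumption) and flags internal hosts that contact many distinct machines on TCP/445 within a short window, while leaving a normal user who keeps talking to one file server unflagged.

```python
"""Flag hosts fanning out on TCP/445 the way WannaCry's SMB worm does.
Added example, not code from the article. Assumed log field layout:
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>", one event per line."""
from collections import defaultdict
from datetime import datetime


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def smb_scanners(lines, threshold=10, window_s=60):
    """Return {src_ip: set(dst_ips)} for sources that touched at least
    `threshold` distinct hosts on TCP/445 inside some `window_s` second span.
    Distinct destinations are counted, not connections."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for raw in lines:
        if raw.strip():
            ts, src, dst, port, proto = parse_line(raw.strip())
            if port == 445 and proto == "tcp":
                events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, left = set(), 0
        for right in range(len(evs)):  # sliding window over sorted events
            while (evs[right][0] - evs[left][0]).total_seconds() > window_s:
                left += 1
            targets = {dst for _, dst in evs[left:right + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            flagged[src] = best
    return flagged


def constructed_logs():
    """Constructed sample traffic (not real IoCs): a worm-like fan-out, a normal
    file-server user, a slow fan-out outside the window, and an HTTP scanner."""
    lines = []
    for i in range(12):  # 10.0.1.15: 12 hosts on 445 within 12 seconds
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.1.15 10.0.2.{100 + i} 445 tcp")
    for i in range(20):  # 10.0.1.30: one file server, 20 times (benign)
        lines.append(f"2017-05-12T10:01:{i:02d} 10.0.1.30 10.0.2.5 445 tcp")
    for i in range(12):  # 10.0.1.50: 12 hosts on 445, one every 2 minutes
        lines.append(f"2017-05-12T10:{10 + 2 * i:02d}:00 10.0.1.50 10.0.2.{200 + i} 445 tcp")
    for i in range(15):  # 10.0.1.40: many hosts, but on port 80, not SMB
        lines.append(f"2017-05-12T10:02:{i:02d} 10.0.1.40 10.0.2.{30 + i} 80 tcp")
    return lines
```

Widening `window_s` catches slower scanners at the cost of more noise; tune both parameters against a week of your own baseline traffic before alerting on the result.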
Disclaimer:
Secure Reading has no confirmed sources for the information shared in the above news/articles. It relies on various unconfirmed inputs, social media claims, and websites for its content, and cannot guarantee the accuracy, timeliness, and genuineness of the same. If there is any error in the news, and once it is brought up to our attention with relevant evidence, Secure Reading is willing to make necessary corrections as applicable.