WannaCry Ransomware – Executive summary

If you want news from the IT Security industry, please check IT Security News here: http://www.itsecuritynews.info/?s=WannaCry

This is my summary, inspired by various sources on the web, which are listed under Sources at the end.


The WannaCry ransomware has infected systems across the globe and has been the topic of discussion among security professionals for several days now.

The WannaCry ransomware attack – 5 things you need to know

  1. A ransomware attack of “unprecedented level” (Europol) started spreading WannaCry ransomware around the world on Friday, May 12, 2017, around 11 AM ET/3PM GMT.
  2. So far, hundreds of thousands of Windows computers in 99 countries have been affected, with the highest numbers of infections in Russia, Ukraine, India and Taiwan.
  3. Cyber criminals are using the EternalBlue exploit released by The Shadow Brokers on April 14, 2017. This exploit was patched a month before that, when Microsoft issued a critical security update (Microsoft Security Bulletin MS17-010).
  4. This campaign became so extensive because it exploits a vulnerability in Windows SMBv1 and SMBv2 to move laterally within networks and infect other computers.
  5. If you haven’t installed the updates and are running a vulnerable operating system (see list below), even if your data hasn’t been encrypted, your computer might still have a backdoor that attackers can leverage in a potential round two of attacks.

[Figure: wannacry_03. Source: Securelist.]

Status

While the victims of the recent WannaCry epidemic were originally thought to be Windows XP users, new data from antivirus provider Kaspersky Lab shows that 98% of the victims were actually running Windows 7.

Costin Raiu, director of the global research and analysis team at Kaspersky Lab, released the firm’s findings in a tweet on Friday. In the tweet, Raiu said that Windows 7 x64 was the worst hit of the versions, and the number of affected Windows XP systems was “insignificant.”

New infections have for the moment been stopped by an accidental hero, “MalwareTech”, who activated the kill switch found after reverse engineering the malware. Security experts believe, however, that a new variant without a kill switch could be launched very soon, and the only way to prevent the malware from infecting systems is to patch your vulnerable systems as early as you can.

The malware has a kill switch:

  • The kill-switch domain is already sinkholed, stopping the spread of the worm.
  • However, organizations that use proxies will not benefit from the kill switch, as WannaCry is not proxy aware.

How to check if your system is patched

If you’re unsure whether your computer is updated to the latest version, you can run Microsoft Baseline Security Analyzer 2.3 and discover which updates are missing. The tool also lists the missing updates by severity and potential impact.
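As an added example that is not part of the original post, the following PowerShell script performs a quick local check on a single Windows 7 / Server 2008 R2 host, complementing the MBSA scan described above: it looks for the MS17-010 package by KB id and checks whether the SMBv1 server is still enabled. The KB numbers and the `SMB1` registry value are assumptions to verify against the Microsoft bulletin for your OS build.

```powershell
# Added example, not from the original post.
# Assumption: KB4012212 (security-only) and KB4012215 (monthly rollup) are the
# March 2017 MS17-010 packages for Windows 7 SP1 / Server 2008 R2. Verify these
# ids against the bulletin for your OS build before relying on this script.
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$SmbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Hotfix {
    # Get-HotFix lists installed packages by KB id. Later cumulative rollups
    # supersede these ids, so "not found" means "check further", not "unpatched".
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$found
}

function Test-Smb1ServerEnabled {
    # The SMB1 DWORD under LanmanServer\Parameters disables the SMBv1 server
    # when set to 0. If the value is absent, the default on Windows 7 is enabled.
    $v = (Get-ItemProperty -Path $SmbKey -Name 'SMB1' -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

$patched = Test-Ms17010Hotfix
$smb1On  = Test-Smb1ServerEnabled

"MS17-010 package found by id : $patched"
"SMBv1 server enabled         : $smb1On"

if (-not $patched) {
    Write-Warning "No MS17-010 KB found by id; confirm the patch level with MBSA or a newer cumulative update."
}
if ($smb1On) {
    Write-Warning "SMBv1 server is enabled; disable it with: Set-ItemProperty -Path '$SmbKey' -Name SMB1 -Value 0 -Type DWord (reboot required)."
}
```

Run it in an elevated PowerShell session on the host being checked; a missing KB id on a machine that receives cumulative updates is not by itself proof that the fix is absent.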


How to recover the files

There is no clean way to do that. CCN-CERT created a tool, which only prevents the ransomware from encrypting files: https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND


Sources

  1. http://www.cisoplatform.com/profiles/blogs/wannacry-ransomware-all-that-you-need-to-know
  2. https://heimdalsecurity.com/blog/ransomware-distribution-one-infection-network-wide/
  3. https://www.techrepublic.com/article/98-of-wannacry-victims-were-running-windows-7-not-xp/

© Copyright 2017 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Visit http://de.itsecuritynews.info for IT security news in German

About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry since 2000 and worked from 2003 to 2014 for Avira as Product Manager for its well-known products used by over 100 million users worldwide. Today he is an independent IT security consultant focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.
