WannaCry Ransomware – Executive summary

If you want news from the IT Security industry, please check IT Security News here: http://www.itsecuritynews.info/?s=WannaCry

This is my summary, inspired from various sources on the web mentioned in the Sources (see at the end).

 

The ransomware Wannacry has infected systems across the globe and has been the topic of discussion among security professionals for quite some days now.

The WannaCry ransomware attack – 5 things you need to know

  1. A ransomware attack of “unprecedented level” (Europol) started spreading WannaCry ransomware around the world on Friday, May 12, 2017, around 11 AM ET/3PM GMT.
  2. Until now, hundreds of thousands of Windows-running computers in 99 countries have been affected, with the highest numbers of infections in Russia, Ukraine, India and Taiwan.
  3. Cyber criminals are using the EternalBlue exploit released by The Shadow Brokers on April 14, 2017. This exploit was patched a month before that, when Microsoft issued a critical security update (Microsoft Security Bulletin MS17-010).
  4. The reason why this particular campaign became so extensive is because it exploits a vulnerability in Windows SMBv1 and SMBv2 to move laterally within networks and infect other computers.
  5. If you haven’t installed the updates and are running a vulnerable operating system (see list below), even if your data hasn’t been encrypted, your computer might still have a backdoor that attackers can leverage in a potential round two of attacks.

wannacry_03

Source: Securelist.

Status

While the original victims of the recent WannaCry epidemic were originally thought to be Windows XP users, new data from antivirus provider Kaspersky Lab shows that 98% of the victims were actually running Windows 7.

Costin Raiu, director of the global research and analysis team at Kaspersky Lab, released the firm’s findings in a tweet on Friday. In the tweet, Raiu said that Windows 7 x64 was the worst hit of the versions, and the number of affected Windows XP systems was “insignificant.”

The new infections for the moment has been stopped by an accidental hero “MalwareTech” by activating the kill switch found after reverse engineering the malware but security experts believe that a new variant could be launched very soon with no kill switch this time and the only solution to prevent the malware from infecting systems is to patch your vulnerable systems as early as you can.

The Malware has a kill switch:

  •  This domain is already sinkholed, stopping the spread of the worm.
  • However, organizations that use proxies will not benefit from the kill switch as Wannacry ransomware is not proxy aware

How to check if your system is patched

If you’re unsure whether your computer is updated to the latest version, you can run Microsoft Baseline Security Analyzer 2.3 and discover which updates are missing. The tool also lists the missing updates by severity and potential impact.

 

How to recover the files

There is no clean way to do that. CCN-CERT created a tool which just prevents the ransomware to encrypt files:  https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND

 

 

Sources

  1. http://www.cisoplatform.com/profiles/blogs/wannacry-ransomware-all-that-you-need-to-know
  2. https://heimdalsecurity.com/blog/ransomware-distribution-one-infection-network-wide/
  3. https://www.techrepublic.com/article/98-of-wannacry-victims-were-running-windows-7-not-xp/

© Copyright 2017 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch