The WannaCry / WannaCrypt ransomware attack has spread throughout the world. Affecting organizations in over 150 countries, the tallied damage includes more than 200,000 people infected with the malware and roughly $28,463 paid in bitcoin to decrypt files. That number may only increase unless companies act to mitigate the threat. Some reports indicate the ransomware attack has been slowed, but there are fears we haven't seen the last of the damage. The desk of the EC-Council Group CISO has issued an updated cyber security briefing on standard precautions to protect your systems.
What is WANNACRYPT (WannaCry / Wcry)?
A new ransomware attack, perhaps the largest so far, was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. 200K machines have been infected in just a few days.
- Arrives via phishing email (pdf) and spreads like a worm using covert channels and exploiting the Windows SMB vulnerability (aka EternalBlue), which was fixed by Microsoft in March (MS17-010)
- Payload delivered via exploit running as a service
- It performs encryption in the background, with the key built in (no contact to C2 necessary)
- Uses Tor to stay anonymous
- Drops ransom notes in 25+ languages
- Encrypts shared and local files (176 types of files)
Ransom note demands $300 within 3 days or $600 within 6 days or lose files. There is no guarantee of recovery of files.
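The worm-like SMB spread described above leaves a recognisable trace from the defender's side: one internal host opening connections to many distinct peers on TCP/445 within seconds. The following PowerShell is an added example, not part of the EC-Council briefing, that flags that fan-out pattern in a Windows Firewall log. The log lines are constructed samples in the W3C layout pfirewall.log uses, and the peer threshold and window are assumptions to tune per network.

```powershell
# Added example (not from the EC-Council briefing): detect hosts that fan out to many
# internal peers on TCP/445 within a short window, the footprint an SMB worm leaves.
# $SampleLog is constructed test data; the threshold and window are assumptions.

$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.20 49152 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.21 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.22 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 DROP TCP 10.0.0.5 10.0.0.23 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.24 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.25 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:05 ALLOW TCP 10.0.0.9 10.0.0.2 49158 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:06 ALLOW TCP 10.0.0.9 10.0.0.2 49159 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:07 ALLOW TCP 10.0.0.9 10.0.0.7 49160 443 0 - 0 0 0 - - - SEND
'@

function Find-Smb445FanOut {
    param(
        [string[]]$Lines,
        [int]$DistinctPeerThreshold = 5,   # assumption: 5+ distinct peers on 445 in one window is suspicious
        [int]$WindowSeconds = 60
    )
    # Parse only TCP/445 records; DROP lines count too, because a worm keeps probing after refusals.
    $events = foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [System.Globalization.CultureInfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    $alerts = @()
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window over this source's 445 connections and count distinct destinations.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $DistinctPeerThreshold) {
                $alerts += [pscustomobject]@{
                    Src           = $group.Name
                    DistinctPeers = $peers.Count
                    WindowStart   = $start
                }
                break   # one alert per source is enough for triage
            }
        }
    }
    return $alerts
}

# Usage: parse the constructed sample. Expect one alert for 10.0.0.5 (6 distinct peers);
# 10.0.0.9 talks repeatedly to a single file server and on 443, so it is not flagged.
Find-Smb445FanOut -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against a real log, replace `$SampleLog` with `Get-Content` of the firewall log and feed the alerts into the SOC's ticketing or SIEM. Legitimate sources of 445 fan-out (backup servers, vulnerability scanners, SCCM distribution points) should be allow-listed before the rule goes live, otherwise the first run will page on the infrastructure rather than the worm.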
The CISO Guide to WannaCry malware
Patch and update immediately
- Windows machines and servers (MS released patches for legacy versions)
- EternalBlue exploit (MS17-010)
Prevent phishing mails and suspicious attachments
Prepare users (User Awareness Script)
- Remind them how to recognize phishing mails
- Tell them not to click suspicious attachments
- Tell them what to do if they think they are infected – disconnect from the network and report to Infosec team / IT team, for example.
Block SMB (port 445) and RDP on servers
Improve detection by implementing IoCs into the SOC and ensure timely incident response
Perform backup and database integrity checks periodically
Ensure antivirus and antimalware are up to date and have the latest definitions to prevent infection
- Report to law enforcement agencies and ISAC (where applicable)
- Activate your incident response plan
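The patching and port-blocking steps of the guide above can be audited and applied per host from an elevated PowerShell prompt. The script below is an added example, not code from the EC-Council briefing; it assumes the administrator looks up the MS17-010 KB identifier for the OS build in the Microsoft bulletin and fills in the placeholder, and it uses netsh for the firewall rules so the same script runs on Windows 7 and Server 2008 R2.

```powershell
# Added example (not from the EC-Council briefing): audit one Windows host for the
# MS17-010 patch and SMBv1 state, then optionally disable SMBv1 and block inbound
# 445/3389. Run elevated. $Ms17010Kb is a placeholder the admin must fill from the bulletin.

$Ms17010Kb = 'KB<fill-from-MS17-010-bulletin>'   # placeholder, not a real KB number

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates; a missing MS17-010 KB means the host is still exposed.
    $ids = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return ($ids -contains $Ms17010Kb)
}

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Enabled {
    # EternalBlue targets SMBv1. On LanmanServer an absent SMB1 value means the protocol is enabled.
    $item = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return ([int]$item.SMB1 -ne 0)
}

function Disable-Smb1 {
    # Writes the documented SMB1=0 value; it takes effect when LanmanServer (or the host) restarts.
    Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
}

function Block-InboundTcpPort {
    param([int]$Port, [string]$RuleName)
    # netsh advfirewall exists on every Windows version the briefing names.
    & netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=$Port | Out-Null
}

function Invoke-WannaCryHardening {
    param([switch]$Apply)   # without -Apply the function only reports and changes nothing
    $report = [ordered]@{
        Ms17010Installed = Test-Ms17010Installed
        Smb1Enabled      = Test-Smb1Enabled
    }
    if ($Apply) {
        if ($report.Smb1Enabled) { Disable-Smb1 }
        Block-InboundTcpPort -Port 445  -RuleName 'Block inbound SMB (WannaCry mitigation)'
        Block-InboundTcpPort -Port 3389 -RuleName 'Block inbound RDP (WannaCry mitigation)'
        $report.Smb1Enabled = Test-Smb1Enabled
    }
    return [pscustomobject]$report
}

Invoke-WannaCryHardening            # audit only
# Invoke-WannaCryHardening -Apply   # disable SMBv1 and block 445/3389 inbound
```

Two caveats before running it with `-Apply`: blocking inbound 445 stops file and print sharing on that host, so the rule belongs on servers that do not serve shares (as the guide says) or on workstations, not on file servers; and on Windows 8.1 / Server 2012 R2 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` is the supported way to turn SMBv1 off and can replace the registry write. Patching remains the real fix; the firewall rule and SMBv1 removal only shrink the window until MS17-010 is installed.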
User Awareness Script to avoid phishing, attachments, response and report
As you may have heard, in the last few days a massive cyber attack has infected machines around the world. The attack, called "WannaCry", locks users out of their own systems and demands a ransom payment to release files. WannaCry has so far impacted over 120 countries (and counting) and a large number of computers.
In this heightened situation, we request that you stay vigilant while using your computers. When dealing with any email from an unknown address, do not click any link or open any attachment.
We request you to follow the best practices outlined below while performing your daily operations:
- Do not open attachments in unsolicited e-mails, even if they come from people in your contact list.
- Do not click on any URLs contained in an unsolicited e-mail.
- Report any suspicious emails or attachments to the IT/IS team.
- Follow the Computer Usage policy.
- Do not download software, videos, MP3s, etc.
- Check that your antivirus is updated and running on any machine you are using.
- Backup your critical data periodically.
If you believe your computer has been infected, immediately disconnect your machine from the network by pulling the LAN cable out of the port in your computer and call the information security team. Do not try to restore any data on your own.
CISO Signature Block
This briefing is for informational purposes only and should not be utilized as a solution to the WannaCry attack. If you believe you have been affected or have questions on how to remediate, reach out to a security consulting company.
Source from EC-Council: EC-Council Issues WannaCry Briefing