The WannaCry / WannaCrypt ransomware attack has spread throughout the world. Affecting organizations in over 150 countries, the tallied damage includes more than 200,000 people infected with the malware and roughly $28,463 paid in bitcoin to decrypt files. That number may only increase unless companies act to mitigate the threat. Some reports indicate the attack has been slowed, but there are fears we have not seen the last of the damage. The Desk of the EC-Council Group CISO has issued an updated cyber security briefing on standard precautions to protect your systems.
What is WANNACRYPT (WannaCry / Wcry)?
A new ransomware attack, perhaps the largest so far, was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems. 200K machines have been infected in just a few days.
- Arrives via phishing email (PDF attachment) and spreads like a worm, using covert channels and exploiting the Windows SMB vulnerability (aka EternalBlue), which Microsoft fixed in March (MS17-010)
- Payload delivered via exploit running as a service
- Performs encryption in the background with a built-in key (no contact with C2 necessary)
- Uses Tor to stay anonymous
- Drops ransom notes in 25+ languages
- Encrypts shared and local files (176 types of files)
The ransom note demands $300 within 3 days or $600 within 6 days, or the files are lost. There is no guarantee that files will be recovered.
The CISO Guide to WannaCry malware
Patch and update immediately
- Windows machines and servers (Microsoft released patches for legacy versions)
- EternalBlue exploit (MS17-010)
Prevent phishing mails and suspicious attachments
Prepare users (User Awareness Script)
- Remind them how to recognize phishing mails
- Tell them not to click suspicious attachments
- Tell them what to do if they think they are infected – disconnect from the network and report to Infosec team / IT team, for example.
Block SMB (port 445) and RDP on servers
Improve detection by implementing IoCs in the SOC and ensuring timely incident response
Perform backups and database integrity checks periodically
Ensure antivirus and antimalware are up to date and have the latest definitions to prevent infection
- Report to law enforcement agencies and ISAC (where applicable)
- Activate your incident response plan
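The detection item above can be made concrete in the SOC by looking for the worm's propagation pattern rather than only for file hashes: one internal host opening TCP/445 connections to many distinct hosts within a short window. The following script is an added example, not part of the EC-Council briefing; it assumes a simple space-separated firewall connection log (timestamp, source, destination, destination port, protocol) and uses a constructed sample.

```python
"""Flag hosts showing worm-like SMB fan-out: many distinct destinations on
TCP/445 from a single source inside a sliding time window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    # Assumed log format: "<ISO timestamp> <src> <dst> <dport> <proto>"
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_smb_fanout(log_text, threshold=10, window_seconds=60):
    """Return {src: time_first_flagged} for every source that reached at least
    `threshold` distinct hosts on TCP/445 within any `window_seconds` window."""
    recent = defaultdict(deque)  # src -> time-ordered deque of (ts, dst)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if dport != 445 or proto != "tcp":
            continue  # only SMB matters for this propagation check
        q = recent[src]
        q.append((ts, dst))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:  # drop events outside the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = ts  # first moment the host crossed the threshold
    return alerts


def constructed_sample_log():
    """Constructed sample: one host sweeping a /24 on 445, one normal user."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(12):  # 10.0.1.15 contacts 12 different hosts in 12 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"10.0.1.15 10.0.2.{i + 1} 445 tcp")
    for i in range(12):  # 10.0.1.40 keeps talking to its single file server
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"10.0.1.40 10.0.0.5 445 tcp")
    lines.append(f"{base.isoformat()} 10.0.1.40 10.0.0.9 3389 tcp")  # RDP, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    for host, when in find_smb_fanout(constructed_sample_log()).items():
        print(f"ALERT {when.isoformat()} {host}: SMB fan-out, isolate and investigate")
```

Tune `threshold` and `window_seconds` against a baseline of your own environment; a busy file server or vulnerability scanner will need an allow-list so it does not trip the rule.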
User Awareness Script to avoid phishing, attachments, response and report
As you may have heard, in the last few days a massive cyber attack has infected machines around the world. The attack, called “WannaCry”, locks users out of their own systems and demands a ransom payment to release files. WannaCry has so far impacted over 120 countries (and counting) and a large number of computers.
In this heightened situation, we request you to stay vigilant while using your computers. While dealing with any emails from any unknown email address, do not click any link or open any unknown attachments.
We request you to follow the best practices outlined below while performing your daily operations:
- Do not open attachments in unsolicited e-mails, even if they come from people in your contact list.
- Do not click on any URLs contained in an unsolicited e-mail.
- Report any suspicious emails or attachments to the IT/IS team.
- Follow the Computer Usage policy.
- Do not download software, videos, MP3s, etc.
- Check that your antivirus is updated and running on any machine you are using.
- Backup your critical data periodically.
If you believe your computer has been infected, immediately disconnect your machine from the network by pulling the LAN cable out of the port in your computer and call the information security team. Do not try to restore any data on your own.
CISO Signature Block
This briefing is for informational purposes only and should not be utilized as a solution to the WannaCry attack. If you believe you have been affected or have questions on how to remediate, reach out to a security consulting company.