WannaCry Ransomware Used in Widespread Attacks All Over the World


It has been reported that a new ransomware named “WannaCry” is spreading widely. WannaCry encrypts the files on infected Windows systems. Our products detected and successfully blocked a large number of ransomware attacks around the world.

Image of the hacked Windows systems

Highlights:

  • The ransomware called WannaCry encrypts the computer’s hard disk drive and then spreads laterally between computers on the same LAN.
  • Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution vulnerability in Microsoft Windows.
  • This exploit (codenamed “EternalBlue”) was made available on the internet through the Shadow Brokers dump on April 14th, 2017, and was patched by Microsoft.
  • Unfortunately, it appears that many organizations have not yet installed the patch.
Image of many organizations that have not yet installed the patch

  • Spain’s Computer Emergency Response Team, CCN-CERT, posted an alert on its site about a massive ransomware attack affecting several Spanish organizations.
  • The alert recommends installing the updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.
  • Note that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the absence of this vulnerability does not by itself prevent the ransomware component from running once it is on a machine.

The file extensions that the malware targets fall into several clusters of formats, including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

Analysis of the Attack

  • We have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia.
Image of the analysis of the attack

  • It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.

To Prevent Ransomware Attacks:

  • Backups of data should be kept on a separate device and stored offline.
  • Don’t open attachments in unsolicited e-mails.
  • Deploy web and email filters on the network.
  • Disable macros in Microsoft Office products.
  • Maintain updated antivirus software on all systems.
  • Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
  • Regularly check the contents of database backup files for any unauthorized encrypted data records.
  • Enable personal firewalls on workstations.
  • Implement a strict external device (USB drive) usage policy.
  • Employ data-at-rest and data-in-transit encryption.
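The backup check above (looking for encrypted contents where plaintext records are expected) can be automated against the extension clusters listed earlier. The script below is an added example, not code from the original article or from any vendor: it maps file names to the article's clusters and flags files of normally plain-text types (a constructed list, an assumption) whose byte entropy is close to that of random data; the sample backup and the 7.0 bits-per-byte threshold are constructed for illustration.

```python
import math
from collections import Counter

# Extension clusters as listed in the article.
TARGETED_EXTENSIONS = {
    "office": {"ppt", "doc", "docx", "xlsx", "sxi", "sxw", "odt", "hwp"},
    "archives_media": {"zip", "rar", "tar", "bz2", "mp4", "mkv"},
    "email": {"eml", "msg", "ost", "pst", "edb"},
    "database": {"sql", "accdb", "mdb", "dbf", "odb", "myd"},
    "source": {"php", "java", "cpp", "pas", "asm"},
    "keys_certs": {"key", "pfx", "pem", "p12", "csr", "gpg", "aes"},
    "graphics": {"vsd", "odg", "raw", "nef", "svg", "psd"},
    "vm": {"vmx", "vmdk", "vdi"},
}
# Assumption: these types are stored as plain text, so high entropy is abnormal.
# Archives, media and binary office formats are high-entropy by design and are
# deliberately left out of the entropy check to avoid false positives.
PLAINTEXT_EXTENSIONS = {"sql", "php", "java", "cpp", "pas", "asm",
                        "eml", "svg", "csr", "pem", "vmx"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; natural-language text is usually < 6

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def cluster_of(name: str):
    """Return (cluster, extension) for a file name, cluster=None if not targeted."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for cluster, exts in TARGETED_EXTENSIONS.items():
        if ext in exts:
            return cluster, ext
    return None, ext

def scan_backup(entries: dict) -> list:
    """Names of targeted plain-text files whose contents look encrypted."""
    flagged = []
    for name, data in entries.items():
        cluster, ext = cluster_of(name)
        if cluster is None or ext not in PLAINTEXT_EXTENSIONS:
            continue
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            flagged.append(name)
    return flagged

# Constructed sample backup: one SQL dump replaced by uniformly distributed bytes.
SAMPLE_BACKUP = {
    "customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n" * 20,
    "app.php": b"<?php echo 'hello'; ?>\n" * 10,
    "orders.sql": bytes(range(256)) * 4,   # entropy 8.0: looks encrypted
    "photos.zip": bytes(range(256)) * 4,   # high entropy is normal for archives
}

if __name__ == "__main__":
    for name in scan_backup(SAMPLE_BACKUP):
        print(f"possible encrypted content: {name}")
```

Run it over a real backup by building the dictionary from a directory walk; a hit on a file that should be a readable dump is the signal the bullet above asks you to look for.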

- Published/Last Modified on: May 21, 2017
