Security researchers have identified a ransomware strain called “WannaCry” (also known as “Wanna Decryptor”). This blog will help you understand how to protect yourself from a ransomware attack. WannaCry is a type of ransomware that spreads silently from machine to machine and remains invisible to users until it unveils itself, warning them that all their files have been encrypted with a key known only to the attacker, who alone can unlock them. The victims are asked to pay a ransom in the cryptocurrency Bitcoin to an anonymous party.
Microsoft patched the flaw in MS17-010, released in March, but that doesn’t mean every Windows PC owner has applied the security update. Researchers found that the WannaCry attack is based on an exploit developed by the NSA, codenamed ETERNALBLUE. Once a computer is infected, the ransomware typically contacts a command-and-control server for the information it needs to activate, then begins encrypting files on the infected computer using that information. Once all the files are encrypted, it displays a message demanding payment to decrypt them and threatens to destroy the data if it isn’t paid.
The ransomware, called WannaCrypt or WannaCry, encrypts the computer’s hard disk drive and then spreads laterally between computers on the same LAN. It also spreads through malicious email attachments. The malware is delivered as a Trojan via a loaded hyperlink that a victim can accidentally open from an email, an advert on a web page or a Dropbox link. Once activated, the program spreads through the computer and locks all the files with the same encryption used for instant messages. Once the files have been encrypted it replaces the originals and delivers a ransom note in the form of a readme file named !Please Read Me!.txt, which contains text explaining what has happened and how to pay the ransom. The malware modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect.
Inspira Enterprise, a leading IT solutions provider in India with Centers of Excellence in Networking, Unified Communication, IT Security, Cloud, Smart City and Healthcare Solutions, has put together a few tips to protect yourself from a ransomware attack.
11 Tips to protect yourself from Ransomware Attack
- Back-up your data.
- Remove unwanted software and browser add-ons.
- Use updated antivirus software.
- Install the latest Windows patches. (MS17-010 is the patch for the ETERNALBLUE vulnerability.)
- Patch management: ensure all workstations and servers have the latest Microsoft patches, especially those related to MS17-010.
- IPS: ensure IPS signatures are updated. Verify that the signature that detects this vulnerability / exploit attempt is enabled and in blocking mode. Get the name of the signature and check whether it has fired in the logs for the last week.
- Antivirus: update AV signatures on all assets; personally review this on critical assets and target them first. Get the name of the malware and check whether it has been detected in the logs for the last week.
- Email gateway: ensure email gateway solutions have all relevant updates for detecting mails that may bring the Trojan into the environment. If your email service is not hosted on a well-known public gateway such as Gmail or Office 365, ensure that emails are scanned by an updated email scanning solution with well-known scanning engines (via endpoint-based AV solutions or by hosting a download server). Educate all email users to review the sender’s address carefully and not to open executable files or scripts inside seemingly trusted files. Monitor all third-party vendors’ machines that access corporate email through the web.
- Proxy: ensure the proxy solution has an updated database. Block the IP address and domain name IOCs on the proxy. Block access through the proxy to public email services from which malware is most likely to spread. Check the last week of proxy logs for the IOCs and take action on the sources of infection.
- Anti-APT solutions (Bluecoat, McAfee, Trend Micro, Sophos): ensure signatures are up to date. Check for possible internal sources of infection and take action.
- SIEM: check logs to verify whether any of the IOCs have been detected in the last week of logs.
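The patch management tip and the MS17-010 / ETERNALBLUE discussion above boil down to one question per host: is the fix present, and is SMBv1 (the protocol ETERNALBLUE targets) still exposed? The following PowerShell is an added example written for this article, not code from Inspira Enterprise or Microsoft. It assumes an elevated session on Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration and Get-WindowsOptionalFeature), and the KB list it carries is an assumed set of MS17-010 update identifiers that you should confirm against the Microsoft bulletin for each OS build before relying on it; later cumulative updates supersede these KBs, so "no KB found" on a current build means "verify", not "vulnerable".

```powershell
# Added example (not from the original post): audit one Windows host for
# MS17-010 exposure. Assumed: elevated PowerShell, Windows 8 / 2012 or later.

# KB identifiers associated with MS17-010 (assumed list; verify per OS build
# against the Microsoft bulletin before trusting a "found" result).
$Ms17010Kbs = @(
    'KB4012598',                          # XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Status {
    [CmdletBinding()]
    param()

    # 1. Is any MS17-010 KB in the installed hotfix list?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }

    # 2. Is SMBv1 still enabled? ETERNALBLUE needs SMBv1, so turning it off
    #    removes the attack surface even where the patch state is uncertain.
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # 3. Is the host listening on TCP 445 at all?
    $smb445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbFound    = if ($found) { $found -join ',' } else { 'none (check superseding cumulative update)' }
        Smb1ServerEnabled = $smb1Server
        Smb1FeatureState  = if ($smb1Feature) { $smb1Feature.State } else { 'unknown' }
        Smb445Listening   = $smb445
        Verdict           = if ($found -and -not $smb1Server) { 'OK' }
                            elseif ($smb1Server) { 'ACTION: disable SMBv1 and confirm patch level' }
                            else { 'VERIFY: no MS17-010 KB listed; confirm cumulative update level' }
    }
}

# Remediation for hosts still running SMBv1. Run only after confirming no
# legacy device (old NAS, printer, scanner) depends on it.
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

Test-Ms17010Status | Format-List
```

Run Test-Ms17010Status across the estate (for example through Invoke-Command on a list of servers) and sort the output by Verdict; hosts showing Smb1ServerEnabled = True are the ones to treat first, because they are both patch-dependent and reachable by the exact mechanism the post describes.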
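The IPS, proxy and SIEM tips each end with the same step: look back one week in the logs for the published IOCs and act on the internal sources that hit them. The PowerShell below is an added example written for this article (not the post's or any vendor's code) that does that sweep over exported line-oriented logs. It assumes each line starts with an ISO-8601 timestamp followed by a source host, a request and an action; the IOC values and the five log lines are constructed placeholders (documentation IP ranges and an example domain), not real WannaCry indicators, which you should take from your AV / IPS vendor or national CERT advisory.

```powershell
# Added example (not from the original post): sweep exported proxy / gateway
# logs for IOC hits inside the last 7 days and list the internal sources.

# Constructed placeholder IOCs. Replace with the vendor- or CERT-published list.
$Iocs = @(
    'malicious-domain.example',   # placeholder domain
    '203.0.113.45',               # placeholder IP (TEST-NET-3)
    '198.51.100.7'                # placeholder IP (TEST-NET-2)
)

# Constructed sample log lines: <timestamp> <source host> <request> <action>.
$SampleLog = @'
2017-05-12T09:14:02Z ws-0142 GET http://malicious-domain.example/update.php ALLOW
2017-05-12T09:15:10Z ws-0142 CONNECT 203.0.113.45:445 ALLOW
2017-05-12T10:02:33Z fs-01 GET http://intranet.corp.example/index.html ALLOW
2017-05-13T22:48:51Z ws-0077 CONNECT 198.51.100.7:443 DENY
2017-04-01T08:00:00Z ws-0001 GET http://malicious-domain.example/old ALLOW
'@ -split "`r?`n"

# Parse an ISO-8601 timestamp to UTC so window comparisons ignore local offsets.
function ConvertTo-UtcTime {
    param([string] $Text)
    [datetime]::Parse($Text, [cultureinfo]::InvariantCulture,
                      [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Find-IocHits {
    param(
        [string[]] $LogLines,
        [string[]] $Indicators,
        [datetime] $Now  = (Get-Date).ToUniversalTime(),
        [int]      $Days = 7
    )
    $cutoff = $Now.AddDays(-$Days)
    # Escape each IOC so the dots in domains and IPs match literally, then join
    # them into one alternation so every line is scanned once.
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line.Trim() -split '\s+'
        $ts = ConvertTo-UtcTime $fields[0]
        if ($ts -lt $cutoff) { continue }            # older than the 1-week window
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                Time      = $ts
                Source    = $fields[1]               # internal host to isolate and clean
                Indicator = $m.Value
                Action    = $fields[-1]              # ALLOW means the proxy block is missing
            }
        }
    }
}

# Fixed "now" so the sample is reproducible; drop -Now for a live sweep.
$hits = Find-IocHits -LogLines $SampleLog -Indicators $Iocs -Now (ConvertTo-UtcTime '2017-05-14T00:00:00Z')
$hits | Sort-Object Time | Format-Table -AutoSize
# Sources of infection, one row per internal host, for the clean-up queue.
$hits | Group-Object Source | Select-Object Name, Count
```

With the constructed data, the three hits from ws-0142 and ws-0077 are reported and the 2017-04-01 line is skipped because it falls outside the week. Any hit whose Action is ALLOW also tells you the proxy block from the tips has not yet been applied; that is the line to fix on the proxy before cleaning the host.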