Problem Overview
(1) WannaCrypt, aka WanaCrypt or Wcry is a malicious software that was created using ETERNALBLUE and DOUBLEPULSAR, two of the stolen exploits from the NSA released by ShadowBrokers in April 2017. WannaCrypt encrypts all the files on an Infected Microsoft Windows Computer and demands that the victim pay a ransom to regain access to the files.
WannaCrypt also adds itself tot the Windows registry and thus persist after reboots. Put differently, a reboot has no effect on infected computers.
Multiven informed the world of the potential impact of these exploits to the Internet, initially via https://multiven.com/#/news/4
(2) WannaCrypt propagates itself by exploiting a vulnerability in Microsoft Server Message Block v1 Protocol – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
(3) This Malware targets computers running Microsoft Windows client and server operating systems.
(4) The way users get infected is typically via spear-phishing emails i.e. a fake email with the malware hidden in the attachment with a seemingly ‘legitimate’ name, that looks like a genuine message from a known or otherwise trusted source e.g. your bank, Facebook, LinkedIn, etc., When the attachment is clicked upon, it downloads and installs the malware on the local computer and spreads across the organisation’s internal network using the file-sharing protocol SMBv1. Specifically, it installs amended versions of the NSA exploits ETERNALBLUE and DOUBLEPULSAR, a backdoor that allows the attacker to remotely control the infected computer.
Solution
If you have been impacted by this malware:
The ONLY way to truly resolve this is to wipe an infected computer clean and restore it with data from an un-infected backup. Once restored, the user should immediately install the security patches all available for free download at: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
If you have not been impacted by this malware:
Download a free security update (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598) and patch your computer today. If that is not an immediate option, then, you must;
- Disable Microsoft Server Message Block 1.0 (SMBv1);
- Block ports 138, 139 and 445.
Thinking Beyond The Fix – for Businesses, Governments and Telcos:
As evident from these attacks, it is existential for all businesses to ensure that they have non-stop software maintenance service on all their operational computers and networking equipment like routers, switches, servers etc. Even when the equipment manufacturer has ceased software support, independent providers like Multiven offer lifetime software integrity maintenance services that will help keep IT networks in a state-of-the-art condition and the limit exposure to cyberattacks.
Thinking Beyond The Fix – for Individuals
As a general rule of thumb, you should never open an attachment or click on embedded links in emails or text messages from unknown sources. All such emails should be deleted without opening. When in doubt, mouse-over the name of the email sender and see if the displayed address matches the domain they claim to represent. A better sender-validation-check is to right-click on suspicious emails and click on ‘show original’ to reveal the Internet Protocol header which contains the sender’s factual domain and see if it matches the claimed domain. (Note; on Gmail and Hotmail, you have to first click on the email—>click ‘More’ or ‘More Actions’—>’Show Original’)
To Close
To close, individuals and organisations around the world should brace themselves for even more sophisticated cyberattacks based on ‘enhanced’ versions of these NSA exploits especially now that over 1 million corporate, telco and government computer systems and networks have been compromised.
Multiven is here to help.
