iTnews

WannaCrypt ransomware: what you need to know

By Allie Coyne on May 15, 2017 7:40AM

How to keep yourself safe from the rampaging worm.

In less than two days ransomware derived from leaked NSA exploits has spread across the globe to infect hundreds of thousands of PCs at critical operations like hospitals, schools and telcos.

Britain and Russia were the worst hit, but the WannaCrypt/WannaCry ransomware has so far attacked 200,000 victims across 150 countries.

For now, the outbreak has been somewhat contained thanks to a UK researcher who inadvertently halted the spread of this variant simply by registering a domain.

But security experts say the threat is far from over.

Europol has warned of an escalating threat as employees return to work on Monday and boot their Windows PCs.

In Australia - which has largely escaped damage - two more reports emerged on Monday morning of organisations falling victim. It brings the total number to three.

The federal government has declined to name the three victim organisations, but said they were small-to-medium sized operations.

Update 6pm: The federal government has advised the total victim count has now risen to eight.

The Australian Cyber Security Centre has warned local organisations that the ransomware is "highly likely to impact Australian government, industry, and individuals".

It urged those affected to contact the ACSC on 1300 CYBER1.

What is WannaCrypt/ WannaCry?

WannaCrypt/WannaCry is ransomware: it encrypts the files on an infected system so they cannot be used, and, unusually for ransomware, it is also a worm that spreads itself to other vulnerable machines without any user action.

Victims are then asked to pay a ransom to unscramble their files.

The current WannaCrypt variant initially asks for US$300 in Bitcoin, doubles the demand to US$600 after three days, and threatens to delete the files permanently if the victim does not pay within a week.

So far the attackers appear to have made around US$18,000 in Bitcoin payments from around 52 victims.

How does it work?

The malware spreads by exploiting a flaw in version 1 of the Windows Server Message Block (SMBv1) file-sharing protocol, which listens on TCP port 445. It is a worm: each infected machine scans its local subnet and random internet addresses for hosts that accept SMBv1 connections and infects any that are unpatched, with no user action required.

Spreading over SMB means a perimeter firewall that blocks port 445 from the internet keeps the worm out only until a single internal host is infected, whether through an exposed SMB service or some other route. From then on the worm moves laterally between internal machines, which typically accept SMB connections from each other.

It uses two leaked tools attributed to the US National Security Agency: the ETERNALBLUE exploit and the DOUBLEPULSAR kernel backdoor.

ETERNALBLUE exploits the SMBv1 flaw, fixed by Microsoft in security bulletin MS17-010 (CVE-2017-0144), to gain kernel-level code execution on the target; the DOUBLEPULSAR backdoor is then implanted and used to copy and launch the malware. If a target already carries a DOUBLEPULSAR implant from an earlier compromise, the worm simply uses it.

According to Talos, the ransomware enumerates disk drives, "including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc", and then looks for files with particular extensions: office documents, databases, archives, images, source code and similar user data.

Each file is encrypted with its own AES-128 key, and that key is in turn encrypted with a 2048-bit RSA public key generated for the victim; the matching private key is itself encrypted with the attackers' own RSA key before it is written to disk. The 2048-bit RSA step is what makes recovery without the attackers' cooperation infeasible: the per-file AES keys can only be unwrapped with a private key the victim never holds in usable form.
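The key hierarchy described above, as an added example in PowerShell that is not code from the article or from the malware. It uses the .NET crypto classes shipped with Windows PowerShell 5.1 and a constructed sample document; it shows a per-file AES-128 key wrapped with an RSA-2048 public key, and that the file cannot be recovered with only the public key the victim holds. The real scheme adds a further layer (the victim's private key encrypted to the attackers' key), which is omitted here.

```powershell
# Added example, not code from the article or from the malware. Demonstrates the
# hybrid scheme: per-file AES-128 key, wrapped with a victim-specific RSA-2048
# public key. Built on .NET classes available in Windows PowerShell 5.1.

function New-VictimKeyPair {
    # One RSA-2048 pair per infection. (In the real scheme the private half is
    # itself encrypted to the attackers' key before being written to disk.)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
    return @{ Public = $rsa.ToXmlString($false); Private = $rsa.ToXmlString($true) }
}

function Protect-Bytes {
    param([byte[]]$Plain, [string]$PublicKeyXml)
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC mode, PKCS7 padding by default
    $aes.KeySize = 128
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($PublicKeyXml)                     # public half only is needed to encrypt
    $wrapped = $rsa.Encrypt($aes.Key, $true)              # $true = OAEP padding
    return @{ WrappedKey = $wrapped; IV = $aes.IV; Cipher = $cipher }
}

function Unprotect-Bytes {
    param([hashtable]$Blob, [string]$KeyXml)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($KeyXml)
    $key = $rsa.Decrypt($Blob.WrappedKey, $true)          # throws unless $KeyXml holds the private key
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key; $aes.IV = $Blob.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Blob.Cipher, 0, $Blob.Cipher.Length)
}

# Constructed sample input, standing in for a document on a mapped drive.
$keys  = New-VictimKeyPair
$plain = [System.Text.Encoding]::UTF8.GetBytes('Q2 forecast - constructed sample document')
$blob  = Protect-Bytes -Plain $plain -PublicKeyXml $keys.Public

# With the private key, which only the attackers hold, the file comes back intact.
[System.Text.Encoding]::UTF8.GetString([byte[]](Unprotect-Bytes -Blob $blob -KeyXml $keys.Private))

# With only the public key, which is all that sits on the victim's disk, unwrapping fails.
try   { Unprotect-Bytes -Blob $blob -KeyXml $keys.Public | Out-Null }
catch { "Recovery without the private key failed: $($_.Exception.Message)" }
```

The second call fails inside `$rsa.Decrypt` with a CryptographicException, because a public-only RSA object cannot unwrap the AES key; that, rather than the AES step, is what puts the files out of reach and why an offline backup is the only reliable recovery path.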

How was it contained?

A UK security researcher managed to contain the ransomware simply by registering a domain for US$10.69.

After obtaining a sample of the malware, the researcher going by the name MalwareTech discovered that it queried an unregistered domain. So he registered it, inadvertently stopping the spread of the ransomware.

It turns out the ransomware made an HTTP request to the domain - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - before doing anything else, and if the connection failed it went on to spread and encrypt the system.

If successful, however, the malware exits, leading MalwareTech to believe the domain is a "kill switch" in case something goes wrong.

However, many security researchers now believe it was not a kill switch but an anti-analysis check: some malware sandboxes answer every DNS query and connection attempt, so a successful connection to a domain that should not exist suggests the sample is being analysed, and exiting quietly hides its behaviour from the analyst.

Although this sinkholing of the malware has stopped the rate of infection for now, MalwareTech warned it may only be a temporary fix. He expects the ransomware's authors, or others seeking similar levels of destruction, to release a new variant with modified code.

What can I do to protect myself?

Patch. Now.

Security experts expect that the number of infections - which currently sits at around 200,000 - will rise this week as workers return to offices and boot their unpatched Windows PCs.

Additionally, the sinkhole does not protect networks that reach the internet only through a proxy server, according to security researcher Didier Stevens: the malware's HTTP request to the domain ignores the system proxy settings, so on such a network the request fails and the malware behaves exactly as if the domain were still unregistered.
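One way to give a proxy-only network a working kill switch for this variant, as an added example that is not from the article or from MalwareTech: make the internal DNS authoritative for the domain and point it at an internal web server, so the malware's direct (non-proxied) HTTP request succeeds. It assumes a Windows DNS server with the DnsServer module that the affected clients use, and an assumed sinkhole address `10.0.0.50` running any web server that answers GET with 200 OK. `Test-KillSwitch` is a helper written here to check the result the way the malware does.

```powershell
# Added example, not from the article or from MalwareTech. Assumptions: run by a DNS
# admin on the internal Windows DNS server (DnsServer module), and $Sinkhole is an
# internal web server that answers any HTTP GET with 200 OK. This only helps against
# the variant that queries this exact domain; it is no substitute for patching.
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$Sinkhole         = '10.0.0.50'   # assumed address of the internal sinkhole web server

# Make the internal DNS authoritative for the domain and point its apex at the sinkhole.
Add-DnsServerPrimaryZone -Name $KillSwitchDomain -ZoneFile "$KillSwitchDomain.dns"
Add-DnsServerResourceRecordA -ZoneName $KillSwitchDomain -Name '@' `
    -IPv4Address $Sinkhole -TimeToLive (New-TimeSpan -Minutes 5)

# Verify from a client the way the malware does: a plain HTTP GET with no proxy.
function Test-KillSwitch {
    param([string]$Domain)
    $req = [System.Net.WebRequest]::Create("http://$Domain/")
    $req.Proxy   = $null   # direct connection, like the malware's WinINet call; proxy settings ignored
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $resp.Close()
        return $true       # connection succeeded: the malware would exit here
    } catch {
        return $false      # connection failed: the malware would go on to spread and encrypt
    }
}

Resolve-DnsName -Name $KillSwitchDomain -Type A
if (Test-KillSwitch -Domain $KillSwitchDomain) { 'Kill switch reachable without a proxy' }
else { 'WARNING: direct HTTP to the kill-switch domain fails; hosts here are not protected by it' }
```

Run `Test-KillSwitch` from a representative workstation, not from the DNS server: the point is whether an ordinary host can complete the direct connection. Hosts that cannot reach the sinkhole on TCP 80 (for example because of an internal firewall) are still unprotected.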

The best bet is to make sure your systems are fully patched and that you have a strong backup strategy in place to mitigate any loss or destruction of files. Because the ransomware also encrypts mapped network shares, backups need to be kept offline or otherwise out of reach of an infected user's account.

Microsoft issued a "highly unusual" security patch for the out-of-support Windows XP, Windows 8, and Windows Server 2003 operating systems over the weekend to fix the holes in SMBv1.

It had issued a patch for the flaws, security bulletin MS17-010, for its supported systems on 14 March, a month before the Shadow Brokers published the exploits in April.

Microsoft has said that Windows 10 machines were not targeted by this attack and that the exploit as used here does not work against them. The MS17-010 fixes nevertheless apply to Windows 10 too, and were delivered in its March cumulative update.

So organisations running any version of Windows, Windows 10 included, need to ensure their systems carry the March updates or later.

Security researcher Troy Hunt also recommends making sure the SMB ports (TCP 139 and 445) are blocked on all externally accessible hosts; blocking them between internal network segments where file sharing is not needed limits lateral spread in the same way.

If your organisation is struggling to implement the patch, consider disabling SMBv1 altogether while you work on getting your systems secured. 
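The checks and mitigations above (confirm MS17-010, disable SMBv1, block inbound SMB) as one added PowerShell script; it is not from the article, Microsoft or any of the researchers quoted. It assumes an elevated Windows PowerShell 5.1 session on Windows 8.1, Server 2012 R2 or Windows 10, where the SmbShare, DISM and NetSecurity modules exist; the Windows 7 / Server 2008 R2 path is the registry setting in the comment. The KB numbers are the MS17-010 packages Microsoft listed in March 2017; later cumulative updates supersede them, so check the bulletin for your build before treating an absent KB as proof of exposure.

```powershell
# Added example, not from the article or from Microsoft. Assumptions: elevated Windows
# PowerShell 5.1 on Windows 8.1 / Server 2012 R2 / 10. KB list is the set of MS17-010
# packages Microsoft published in March 2017; later cumulative updates replace them.
$Ms17010Kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'

function Test-Ms17010 {
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($found) { "MS17-010 package present: $($found.HotFixID -join ', ')" }
    else        { 'WARNING: no MS17-010 package listed; confirm the build has a later cumulative update' }
}

function Get-Smb1State {
    # The server-side SMB1 listener is what ETERNALBLUE attacks; report it and the feature state.
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1Feature       = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    }
}

function Disable-Smb1 {
    # Stop the server speaking SMB1 now, then remove the component (takes effect after a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
    # Server 2012 R2 and later server SKUs: Remove-WindowsFeature FS-SMB1
    # Windows 7 / Server 2008 R2 have no Set-SmbServerConfiguration; set the registry value and reboot:
    # Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    #     -Name SMB1 -Type DWord -Value 0 -Force
}

function Block-InboundSmb {
    param([string]$RemoteAddress = 'Any')   # e.g. 'Internet' to block only non-local sources
    # Windows Firewall evaluates block rules before allow rules, so an existing allow rule
    # cannot punch a hole in this one. On a file server, scope -RemoteAddress rather than
    # skipping the rule, and rely on the patch plus SMB1 removal for the clients it must serve.
    $rule = @{ DisplayName = 'Block inbound SMB (MS17-010 mitigation)'; Direction = 'Inbound'
               Protocol = 'TCP'; LocalPort = 139,445; RemoteAddress = $RemoteAddress
               Action = 'Block'; Profile = 'Any' }
    New-NetFirewallRule @rule | Out-Null
    Get-NetFirewallRule -DisplayName $rule.DisplayName | Select-Object DisplayName, Enabled, Action
}

Test-Ms17010
Get-Smb1State
Disable-Smb1
Block-InboundSmb          # workstations: block from everywhere
Get-Smb1State             # EnableSMB1Protocol should now read False
```

Order matters: run `Test-Ms17010` first so that hosts which are still unpatched are known and isolated, then disable SMBv1 and add the firewall rule; both of the latter remove the attack surface even where the patch cannot be installed immediately.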

Copyright © iTnews.com.au . All rights reserved.