-->

Monday, May 15, 2017

What To Do When Ransomware WannaCry or Peyta Attacks?

[The attacks are likely to recur. Bookmark this page or download the PDF version from http://www.eurionconstellation.com/free-downloads.html]

WannaCry ransomware requires the users to pay certain amount (~$300) in bitcoins to “unlock” the encrypted files and threatens to double the ransom in two days. If the demands are not met, the malware threatens to delete the files. Several users have already remitted thousands of dollars. While all fingers point at the U.S. security agency NSA, that debate is better left for later. This advisory post from Eurion Constellation is for individual users, as well as, home/office networks.



Who is at risk?

The following factors in isolation or in combination, increase the risk of the WannaCry ransomware attacks on Windows computers and server systems:

  • Windows XP
  • Server 2003
  • Windows NT4
  • Windows 2000
  • Home/Office LAN Networks
  • Devices and networks without the March 17, 2017 Security Patch for latest Windows (10/8.1/8/7) versions issued by Microsoft
  • Systems without anti-virus software or pirated versions
  • Pirated versions of Windows operating system or other Windows software

How to protect yourself?

Whether you are a Home or Office Network user or use a standalone device, follow the instructions below:
 
  • Update systems and anti-virus, shut down and restart to allow the new security modules to take effect
  • Set your updates to automatic mode
  • Make sure you use are not using any pirated software, including the anti-virus
  • Consider upgrading to latest Windows systems to newer (supported) versions
  • Make sure your anti-virus software has real-time protection that includes internet and email filters
  • Backup your system regularly and store the backup files offline to facilitate recovery in case of a critical failure
  • Disable VBA Macros on all MS Office products or allow them to run only after prompt. You will need to select each application separately. In a networked environment, disable macros using group settings. This link is for 2013, but same settings apply for 2016: https://technet.microsoft.com/en-us/library/ee857085.aspx
  • Restrict user rights and permissions. ESET, an anti-virus software maker lays out the following:
“There are many types of restrictions, such as the restriction from accessing application data, and even some that are prebuilt as a Group Policy Object (GPO).
1. Disable files running from the AppData and LocalAppData folders.
2. Block execution from the Temp subdirectory (part of the AppData tree by default).
3. Block executable files running from the working directories of various decompression utilities (for example, WinZip or 7-Zip).”
  • Keep User Account Control turned on
  • Use discretion in opening attachments, including those that appear to be a fax, invoice or receipt
  • Disable Remote Desktop Protocol, which is integrated in the Windows operating system
  • Run manual anti-virus checks periodically, even if your software is configured to run automatically
  • Block TCP ports 139, 445 and 3389 in your firewall (for networks)
All major anti-virus software manufacturers have published information on using the security features embedded in their software to in the wake of this cyber attack. You must refer to the documentation from your manufacturer on priority.
 

What are the warning signs?

The network administrators should keep an eye on certain developments:
 
  • Increase in the use of SMB v1
  • Sudden spurt in activities like, file renaming and new file creation
  • Connected computers trying to connect to an external IP
  • If your system/network is compromised, you will see certain executable files into a random character folder in the 'ProgramData' folder with the file name of "tasksche.exe" or in 'C:\Windows\' folder with the file-name "mssecsvc.exe" and "tasksche.exe"
  • If your anti-virus software detects similar malware at different locations, your network might be infected
  • Files converting to extensions “.wnry”, “.wcry”, “.wncry” or “.wncryt
  • !WannaDecryptor!.exe.lnk” and “!Please Read Me!.txt” files in every location where original files have been encrypted
This is an inclusive list. Continue employing the other network monitoring tools.

What to do if you are attacked?

Before taking any action, please refer to the following:

  • Disconnect the infected device from the network immediately. If you are an individual user, go offline.
  • Do not make any ransom payment. By doing this you could be compromising your bank details to the hackers. In addition, there is no guarantee that you will get your files decrypted.
  • Do not throw away your encrypted files. Anti-virus software majors, like Kaspersky come out with their decryptors and the company is already creating one for WannaCry malware. You might see it here https://noransom.kaspersky.com/ when released.
  • Contact your nodal cyber security agency in case of an attack.
  • Contact your anti-virus support for cleaning the system/network.

For additional information, refer latest statement from National Cyber Security Center and US-CERT (Computer Emergency Readiness Team).

Get more technical details from CERT-IN (Indian Computer Agency Response Team) and Symantec.

Will the attacks recur?

Most likely. While “Accidental Hero” has temporarily killed the spread of WannaCry, he has warned the attacks may recur perhaps in a modified form, which will not contain the "kill switch" that stopped the first wave. Therefore, we advise all our customers, associates and public in general to follow the safety measures mentioned earlier and reduce vulnerability of their critical data.

No comments:

Post a Comment