From the media reports and many blogs writing it has been reported that the critical ransomware namely wannacry or wannacrypt is fast spreading to millions of computers far and wide. It installs into a windows computer and then it automatically encrypts files of that operating system and then disallow the original user to open it and use it. It encrypts the file systems of infected computers. If there is a server message block within windows computing system, it automatically takes advantage of it and then it stops those files from active working. This exploits is named as ‘ETRNALBLUE’.
This ransomware is called as wannacry or wannacrypt and it literally encrypts entire Windows drive and then slowly moves towards LAN connected to other computers. On some other mediums, this ransomware could spread through email attachment and while users download it and then open it, automatically the ransomware comes out from these attachments and spread into the entire drive of the Windows operating system and locked it down completely. Microsoft has released patches in its Microsoft Security Bulletin MS17-010 and users are advised to download these patches immediately so that they could secure their operating system.
This security update was published by Microsoft in March 14, 2017 and it is termed as extremely critical. These server side remote execution script could allow the hacker to send a remote message through Microsoft server message block and could encrypt an entire system drive of Windows computer. This update is only available through Windows Update. There is certain kind of regulation in which Microsoft server message block receives messages and by exploitation such vulnerabilities hackers could gain execution code on the target computer. Then, the unauthenticated user sends some crafted packets to the server and then entire server encrypted with it.
It goes on to show that there are certain vulnerabilities in defining these crafted requests and these security updates handle these security holes and patch operating system before the hacker could send unauthenticated request to server. Apart from installing these updates, system administrators with Windows 8.1 and Windows server 2012 R2 and later could use following manual methods to secure client computer and servers.
For client operating system:
Open Control Panel, then click on Programs, and then click on Turn Windows Features on or off and then clear the SMB1.0/CIFS File Sharing Support and then restart the system.
For Server operating system:
Open Server Manager, then click on the Manager and then select Remove Roles and Features and in the Features windows clear the SMB1.0/CIFS File Sharing Support check box and then restart the system.
By these manual work around methods what we do be that we disabled the SMBv1 protocol on the targeted system and thus ending all possibilities of hacker to move into these server without authentication.
What you need to know about the WannaCry Ransomware:
After the ransomware got into system, it shows the information that your files have been encrypted and of course this has been done without your permission. It would ask for payment option so that you would be paying to decrypt all those files. Most of documents, photos, videos and files are no longer accessible and this has been very difficult for most of the big organization having larger scale of data around. It would tell you do not try to decrypt your files as you could not do as only you have to pay for decryption of files. It also guaranteed that you could decrypt all those files, but you do not have unlimited time for it.
It would also allow to decrypt some of your files for free of cost to show that some of your files are in good state. In this way, this ransomware would completely overtake yours organizational database. This ransomware also provides one text file which describes about how to pay the money and procedure of it and after payment it assures the organization to decrypt the entire server and database. It encrypts files in the extension of dot WCRY which is a new format and decryption of this format is not known. This malwares targets files with the commonly used office file extension, archive formats, media files formats, email file formats, database file formats, developer source code and project file formats, encryption keys, graphic designer files and virtual machine files.
This means it covers most of file system files on a Windows computer and for this it is important to update security update and manual work around which is mentioned above so that ultimately you could secure system completely. In its first attempt, the ransomware would write an execution file namely “tasksche.exe” in the system folder of the Windows operating system. In order to prevent such ransomware from spreading to the other system it is advisable to download the Microsoft patch and it is also available in unsupported Windows systems. Microsoft is doing this in order to prevent the spreading of ransomware in unsupported Windows operating system.
WannaCry ransomware spreads aggressively across networks, holds files to ransom:
It is important to back up user data and critical system data so that in the case of attacks on the system a complete reinstallation of the operating system could be done and then the server could connect once again. Data could be retrieved through data back up locations. It is important to perform regular backing up of all important informations so that in the case of such imminent attacks these could be easily retrieved. It is important to keep these back up data in an offline location and in a separate server that of the running server.
Create appropriate email spoofing mechanisms so that spam email prevention could be done easily. It is important to create and establish the sender policy framework, domain message authentication reporting and conference, domain key identified mail for your domain so that exact sender of the domain could be recognized easily. Most of these ransomware comes to the user in the form of a spam message from unauthenticated sources and it is important to find and check those senders and receive messages only through proper authentication procedures.
Windows script or execution of power shell should be reduced to standard privileges so that it could not outreach administrative privileges. Do not open attachments, spam messages and messages received from unknown persons. Do not open unknown URLs and update windows regularly. Use the latest version of Powershell that uses enhanced logging and advanced security features. It is important to send all those log files of powerful shells as well as that of the client computer to centralize the system administrator so that ultimately it provides advanced security mechanisms for users to follow.
Implement stricter regulation of software restriction policy by white listing application so that no client could install other applications which might embed ransomware. The binaries path containing %APPData%, %TEMP% paths should be closed. Most of these ransomware reaches these paths as these paths are most of time unnoticed and then executes from there. It is important to seriously implement white listing of application so that end point works stations should remain critically secure. Deploy email filters and web filters and add security plugins to web browsers so that by mistakes and inadvertently any malwares or any other ransomware should not be downloaded by force. It is important to scan all email attachments, drive by downloads, on the host, on the server, on the internet protocol, at the mail gateway with a reputed antivirus solutions.
Disable macros of any of office products and especially latest version of Microsoft office does provide hybrid macros which would disable the macros that come from outside automatically. Provide most of critical settings of files in terms of least privilege settings, and restrict network share permissions and provide exact routes of the file to move and directories and sharing of those files by right networks. Maintain daily updates of antivirus of client and server system and update windows system regularly. Install free to use host-level antiexploitation tool such as free from Microsoft namely enhanced mitigation experience toolkit to save system files.
Regular check whether any of back up of data bases contain any encrypted files from unauthenticated sources such as from backdoor entry or from malicious scripts. Keep all of third party applications such as Microsoft Office, Adobe, and other updated. Restrict user permission so that they could not install any other application and software apart from you permits as system administrator. Enable personal firewall on the client system and hardware server firewall in work station. Use encrypted network connectivity so that traffic should be redirected to secure routes and all the packets of information send and receive should be scanned comprehensively.
Implement stricter external device policy so that each of USB drive recognition policies should be done with complete checks and balances to stop malwares from reaching to computer or server through any of routes. It is important to carry out from time to time in the vulnerability assessment and penetration testing from time to time so that security audits of critical database server could be done in comprehensive manners. Use latest and modern data encryption technology such as data-at-rest and data-in-transit technologies so that each instance of data could be known completely without any difficulties.