Vin Ransomware Blog02

 Where did it all began?

1. Ransomware? This is now not a new malware. Over the past 3-4 years, ransomware has made sure it is one such malware which has made quite an (damaging) impact on not just individuals but big and small corporations alike.

2. WannaCry Ransomware is no different than the rest of the ransomware's that we see today.

- It infects the computer.
- Encrypts files and documents.
- Demands ransom in bitcoins.
- Upon ransom amount being met, they release files.

3. Special about WannaCry Ransomware? It uses of “ETERNALBLUE” exploit that target SMB vulnerability.

4. “ETERNALBLUE” is an exploit derived from an NSA exploit leaked by the Shadow Brokers in April 2017.

5. The massive scale of this attack is because most users have not patched their Windows systems. The exploit makes use of vulnerability in SMB server(4013389) (MS17-010).

How did it spread quickly?

WannaCry Ransomware attack is considered to be one of the biggest attack in the past decade of malware history.The attack started spreading on massive scale on 12th May 2017. It is observed that this malware is self-spreading. It makes pre-infection checks to unregistered domain, if domain it checks is unregistered then it proceeds to encrypt the system; But if the domain is registered then it stops its process.

What can Users do at the Moment?

At present,  there is no free decrypter available and so the users are strongly advised to take to following actions:

1. Update Windows System immediately! Especially make sure that the MS17-010 patch from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx is applied.

2. Windows XP, Windows 8 and Windows Server 2003 have been cut off from the mainstream support by Microsoft, Windows has separately released patches (Microsoft KB4012598) for these systems and can be updated from this link http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

3. System Administrators can update their YARA Rules using this link: https://docs.google.com/spreadsheets/d/1XNCCiiwpIfW8y0mzTUdLLVzoW6x64hkHJ29hcQW5deQ/pubhtml#

4. Take Backup of the Systems, Database and keep the backup on a different storage which is on a network different than a machine.

The Research Team at Paramount is currently working on the initial analysis on the WannaCry ransomware. Stay tuned to this blog for more regular updates…


Popular posts like this: