RansomWare
UK hospitals hit with massive ransomware attack
A massive ransomware attack has shut down work at 16 hospitals across the United Kingdom. According to The Guardian, the attack began at roughly 12:30PM local time, freezing systems and encrypting files. When employees tried to access the computers, they were presented with a demand for $300 in bitcoin, a classic ransomware tactic.
The result has been a wave of canceled appointments and general disarray, as many hospitals are left unable to access basic medical records. At least one hospital has canceled all non-urgent operations as a result.
The same attack infected as many as 45,000 computers across 74 countries, including a number of utilities in Spain. Russia was among the hardest hit, with 1,000 computers in the country’s Interior Ministry falling victim to the attack, although officials insist no data was lost.
May 13, 2017
Microsoft issues ‘highly unusual’ Windows XP patch to prevent massive ransomware attack
UK hospitals, Telefonica, FedEx, and other businesses were hit by a massive ransomware attack on Friday. Around 75,000 computers in 99 countries were affected by malware known as WannaCry, which encrypts a computer and demands a $300 ransom before unlocking it. The malware was able to spread thanks to flaws in old versions of Windows that were originally used by the NSA to hack into PCs before being made public by the Shadow Brokers group last month.
While Microsoft quickly issued fixes for the latest versions of Windows last month, this left Windows XP unprotected. Many of the machines attacked today have been breached simply because the latest Windows updates have not been applied quickly enough, but there are still organizations that continue to run Windows XP despite the risks. Microsoft is now taking what it describes as a “highly unusual” step to provide public patches for Windows operating systems that are in custom support only. This includes specific fixes for Windows XP, Windows 8, and Windows Server 2003.
It’s an unusual move for Microsoft, but this security flaw and the way it was discovered and made public is equally unusual. There are now signs that the ransomware attack has subsided thanks to a kill switch, discovered by a 22-year-old in the UK. Some experts believe the attackers behind the ransomware have only raised around $20,000 from the scam. Either way, this is yet another painful security lesson for everyone involved. Exploits should be disclosed by government agencies, systems should be patched in a timely manner, and nobody should be running an old, unsupported version of Windows.
May 14, 2017
Renault shut down several French factories after cyberattack
Speaking to Automotive News, the spokesperson confirmed that the company shut down production in its Sandouville factory, saying that “proactive measures have been put in place, including the temporary suspension of industrial activity at some sites,” but declined to provide a full list of affected sites. Renault’s partner company Nissan was also affected: a UK spokesperson confirmed that files at its Sunderland factory were impacted on Friday night, but wouldn’t confirm reports that production was halted. A Renault spokesperson told Reuters that the company expects that “nearly all plants” will reopen on Monday.
May 14, 2017
The WannaCry ransomware attack has spread to 150 countries
Researchers have since discovered two new variants of the ransomware. One has been blocked with another domain name registration; the other has no kill switch but is only partially working.
The software exploits a security flaw in Windows XP, and once it infects a computer, it encrypts the files and spreads to other computers. Victims receive a demand for a payment of $300 in Bitcoin in order to regain access. However, despite the widespread nature of the attack, it’s believed that the perpetrators have only raised around $20,000 in payments.
What exactly happened?
WannaCry, a crypto-ransomware that is also called WannaCrypt, affected at least 45,000 computers spread over 74 countries, including India, on Friday. The WanaCrypt0r 2.0 malware encrypts data on a computer within seconds and displays a message asking the user to pay a ransom of $300 in Bitcoin to restore access to the device and the data inside. Alarmingly, the attack also hit the National Health Service of the United Kingdom, stalling surgeries and other critical patient care activity across the British Isles, and making confidential patient information and documents inaccessible.
Who was behind the attack and what was their motivation?
It isn’t known yet. However, it is widely accepted that the attackers used the ‘Eternal Blue’ exploit created by America’s National Security Agency (NSA) to gain access to Microsoft Windows computers used by terrorist outfits and enemy states.
Interestingly, the NSA tool was leaked in April by a group called the Shadow Brokers, who seemed unhappy with US President Donald Trump, whom they said they had voted for.
How can this be prevented?
Despite the exploits and vulnerabilities having been exposed a month earlier, many systems were still unpatched. To protect against this ongoing mass exploitation and propagation, do the following:
1. Install all available OS updates so that the vulnerability cannot be exploited.
2. Manually disable SMBv1 by modifying the Windows Registry as follows:
a. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
b. Look for the value: SMB1
c. Set its data to REG_DWORD 0 (0 = disabled)
3. Restrict inbound traffic to the SMB ports (139 and 445) wherever they are publicly accessible or open to the Internet.
4. Block the IPs, domains and hash values involved in spreading this malware. Please refer to the attachment IOCs – WANNACRY RANSOMWARE.xlsx for details.
5. Implement endpoint security solutions. The ‘AV Signature Name’ section of IOCs – WANNACRY RANSOMWARE.xlsx can be consulted.
6. Keep an offline backup of critical data on desktops and servers.
7. Organisations should block connections to TOR nodes and TOR traffic on the network (see IOCs – WANNACRY RANSOMWARE.xlsx).
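The following script is an added example, not part of the original article: it audits a Windows host against steps 2 and 3 above (SMB1 registry value set to 0, inbound TCP 139/445 blocked on Internet-facing interfaces) and applies both when run with -Apply from an elevated PowerShell session. The firewall rule name is chosen here, not an existing rule; the NetSecurity cmdlets it uses exist on Windows 8/Server 2012 and later, while the registry step also applies to older versions.

```powershell
# Added example, not from the original article. Run elevated. Without -Apply
# it only reports; with -Apply it sets SMB1 = 0 and adds a host firewall rule.
param([switch]$Apply)

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName = 'Block inbound SMB 139,445 - WannaCry mitigation'   # name chosen for this example

function Get-Smb1RegistryState {
    # 'Disabled' only when SMB1 is explicitly 0; a missing value means the
    # SMBv1 server is still enabled by default.
    $prop = Get-ItemProperty -Path $RegPath -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $prop)  { return 'Enabled (value not set)' }
    if ($prop.SMB1 -eq 0) { return 'Disabled' }
    return "Enabled (SMB1 = $($prop.SMB1))"
}

function Get-SmbFirewallState {
    # Reports whether the blocking rule created by this script exists and is on.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule -and $rule.Enabled -eq 'True') { return 'Blocked' }
    return 'Not blocked by this rule'
}

Write-Host "SMBv1 registry state : $(Get-Smb1RegistryState)"
Write-Host "Inbound SMB firewall : $(Get-SmbFirewallState)"

if ($Apply) {
    # Step 2: SMB1 = 0 (REG_DWORD) disables the SMBv1 server. The change takes
    # effect after a restart.
    Set-ItemProperty -Path $RegPath -Name SMB1 -Value 0 -Type DWord

    # Step 3: drop inbound SMB on interfaces in the Public profile, i.e. the
    # ones that may face the Internet. Domain/private file sharing is untouched.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Public | Out-Null
    }

    Write-Host "Applied. SMBv1 registry state now: $(Get-Smb1RegistryState). Restart required."
}
```

On Windows 8.1/Server 2012 R2 and later the same outcome can be had with Set-SmbServerConfiguration -EnableSMB1Protocol $false, which does not need a restart; the registry route above is the one that also works on the older systems the article names. Run the script without -Apply first across a sample of hosts to see how widespread SMBv1 still is before changing anything.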
What should be done if a node is found infected?
1. Disconnect the infected system(s) from the production network.
2. Perform a full anti-malware scan on the system(s).
3. Block the supplied indicators (IPs, domains and hash values) at the gateway devices.
4. Attempt to decrypt any encrypted files using decryption tools such as the Trend Micro Ransomware File Decryptor.
5. Removal script for the DoublePulsar implant (if found): countercept/doublepulsar-detection-script
6. Restore data from the most recent backup made.
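The following is an added example, not code from the original article or from the IOC sheet it refers to: it shows how the supplied indicators (IPs, domains, SHA-256 hashes) can be checked against gateway logs, on-disk files and live connections so that an infected node can be identified and isolated. Every indicator value and log line below is a constructed placeholder (documentation IP ranges, .example/.invalid domains, a dummy hash); substitute the entries from the real IOC list.

```powershell
# Added example, not from the original article. All indicators below are
# constructed placeholders, not real WannaCry IOCs.
$Iocs = @{
    Sha256 = @('0000000000000000000000000000000000000000000000000000000000000001')  # PLACEHOLDER hash
    Ip     = @('192.0.2.10', '198.51.100.25')                                       # documentation ranges
    Domain = @('malicious.example', 'c2.invalid')                                   # placeholder domains
}

# Constructed sample DNS/proxy log lines standing in for a real gateway export.
$SampleLog = @(
    '2017-05-12 13:02:11 client 10.0.0.5 query malicious.example A',
    '2017-05-12 13:02:12 client 10.0.0.5 connect 192.0.2.10:445',
    '2017-05-12 13:02:13 client 10.0.0.7 query update.example.org A'
)

function Find-IocInLog {
    # One object per (line, indicator) hit. Whole-token matching, so that an
    # indicator 192.0.2.1 does not also fire on 192.0.2.10.
    param([string[]]$Lines, [string[]]$Indicators)
    foreach ($line in $Lines) {
        foreach ($ioc in $Indicators) {
            $pattern = '(^|[^A-Za-z0-9.-])' + [regex]::Escape($ioc) + '($|[^A-Za-z0-9.-])'
            if ($line -match $pattern) {
                [pscustomobject]@{ Indicator = $ioc; Line = $line }
            }
        }
    }
}

function Find-IocFileHash {
    # Hashes every file under $Path and reports those whose SHA-256 is listed.
    # -contains compares case-insensitively, so hash case does not matter.
    param([string]$Path, [string[]]$Hashes)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and ($Hashes -contains $h.Hash)) {
            [pscustomobject]@{ Indicator = $h.Hash; Path = $_.FullName }
        }
    }
}

function Find-IocConnection {
    # Live check: established TCP connections from this host to listed IPs,
    # with the owning process so it can be stopped before the host is isolated.
    param([string[]]$Ips)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Ips -contains $_.RemoteAddress } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

# Gateway log matches from the constructed sample above.
Find-IocInLog -Lines $SampleLog -Indicators ($Iocs.Ip + $Iocs.Domain) | Format-Table -AutoSize
# File and connection checks run against the live host; $env:TEMP is a hypothetical start point.
Find-IocFileHash -Path $env:TEMP -Hashes $Iocs.Sha256 | Format-Table -AutoSize
Find-IocConnection -Ips $Iocs.Ip | Format-Table -AutoSize
```

Feed the real gateway export to Find-IocInLog to find which internal clients touched the listed infrastructure (step 3), and run the file and connection checks on any host named there before pulling it off the network (step 1); hashing a whole volume is slow, so scope the path to the user and temp locations first and widen only if nothing turns up.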