When WannaCry hit the UK's NHS, the news sparked discussions and brought awareness of ransomware and cyber security even to the masses. Here are the top 5 facts and lessons from the attack.

Server Message Block version 1 (SMBv1) is obsolete and vulnerable.
WannaCry took advantage of a vulnerability in SMBv1 to spread across the network. The world has moved on to SMBv3, and Microsoft has been asking people to disable SMBv1. Windows needs SMBv1 disabled to be able to implement a comprehensive, multi-layer security policy. Systems that run Windows 10 were safe from this particular attack, but the vulnerability persists. If any app or device on a computer is dependent on SMBv1, then replacing it is the only solution to keeping the network safe.
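
Auditing a host for SMBv1 dependencies before switching the protocol off, as an added PowerShell example that is not from the original article. It assumes Windows 10 or Windows Server 2016 and later (the SmbShare cmdlets and the SMB1 audit log exist there) and an elevated session; the "1.x dialect means SMBv1" check is an assumption about how such sessions are reported.

```powershell
# Added example (not from the article): audit SMBv1 exposure on a Windows host,
# then disable it once nothing legitimate depends on it. Assumes Windows 10 /
# Server 2016 or later (SmbShare module, SMB1 audit log) and an elevated session.

function Test-Smb1Exposure {
    # Is the SMBv1 server protocol still switched on?
    $cfg = Get-SmbServerConfiguration
    Write-Host "SMB1 server protocol enabled : $($cfg.EnableSMB1Protocol)"

    # Inbound: clients currently connected to this host with an SMBv1 dialect.
    # Assumption: SMBv1 sessions show a 1.x dialect; SMB2/3 show 2.x or 3.x.
    $v1Clients = Get-SmbSession | Where-Object { "$($_.Dialect)" -like '1.*' }
    $v1Clients | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table

    # Outbound: shares this host reaches as an SMBv1 client (legacy NAS, printers).
    $v1Servers = Get-SmbConnection | Where-Object { "$($_.Dialect)" -like '1.*' }
    $v1Servers | Select-Object ServerName, ShareName, Dialect | Format-Table

    # Turn on SMB1 access auditing: each SMBv1 access is logged as event 3000 in
    # Microsoft-Windows-SMBServer/Audit. Leave it on for a few days before cutover.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message | Format-Table -Wrap
}

function Disable-Smb1 {
    # Server side: stop accepting SMBv1 (takes effect without a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMBv1 component itself; a reboot completes the removal.
    # On Windows Server use: Remove-WindowsFeature FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Audit first; cut over only when the lists above and the audit log stay empty.
Test-Smb1Exposure
# Disable-Smb1
```

Any client or share that still shows a 1.x dialect, or any event 3000 in the audit log, is the app or device the article says has to be replaced before SMBv1 can go.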

Worms are back; unpatched networks are at high risk.
WannaCry is a combination of classic and modern malware techniques. It encrypts files on a computer, replicates to other computers on the unpatched network, and then encrypts files on those computers as well. With technologies like LANDESK and Shavlik, workstations and servers can be patched against worm replication. Investing in application whitelisting technology and controlling the use of admin privileges are some more ways of mitigating the risk.

Systems running Windows 7 were hit.
Far from using a zero-day, WannaCry spread due to a vulnerability in Windows 7 for which Microsoft had issued a patch in March 2017. Data released by Kaspersky Lab revealed that 98 per cent of the affected computers were running some version of Windows 7. A significantly smaller number of Windows XP systems were also affected by the ransomware attack. Microsoft issued a patch for Windows XP only as an emergency measure, after most of the damage was already done.

A malware analysis expert sinkholed WannaCry.
A malware analysis expert, while examining a WannaCry strain, discovered the kill switch in it. He found that registering a domain that appeared in a gibberish URL that WannaCry queries would slow down the proliferation of the ransomware. The malicious traffic to that domain can be diverted to a sinkhole (a server environment that captures malicious traffic). The kill switch does not help the already locked-down systems, but it buys time to secure the remaining systems.

had significant capabilities.
WannaCry prompted the users to either pay or use a 'demo' version to unlock 50 files on the computer and inform the attacker that the account is live. Though this is a fairly basic attack, it has takeaways for malware and ransomware writers. For instance, future attackers can adopt a time factor: put the price up every hour! Backing up data regularly, keeping software up to date and having a business network with a zero-trust model are some simple practices to keep computers and networks safe from malware attacks.