Earlier today, a massive worldwide ransomware attack broke the news, beginning in Europe and shutting down computers across the globe within hours. WanaCrypt0r 2.0 (also known as Wanna, WannaCry, or Wcry) is the ransomware responsible for this global attack. Unless you are running a Mac, Linux, or a Windows machine that has received Microsoft's March 2017 security update MS17-010 (which includes a fully patched Windows 10), your computer may be vulnerable. In one day, the software compromised healthcare institutions, telecommunications companies, and many other organizations worldwide.
Method of attack
The ransomware spreads using a known and already patched SMBv1 vulnerability (MS17-010, fixed by Microsoft in March 2017). The exploit for it, EternalBlue, was part of the set of NSA tools published by the Shadow Brokers group in April 2017. Analysis shows that each file is encrypted with AES and the per-victim AES key is wrapped with a 2048-bit RSA public key, so decryption without the attackers' private key is next to impossible. Once it infects a computer, the worm component scans the local network over SMB (TCP port 445) and infects every reachable unpatched Windows host, whether or not those hosts can reach the internet. A second delivery method has also been reported: a phishing e-mail containing a link to (or an attached) PDF document which, when opened, downloads an '.HTA' file that leads to infection of the system that opened the e-mail. Unlike the SMB worm, this vector requires a user to open the attachment.
The ransomware demands $300 per device paid to a Bitcoin address. WanaCrypt0r threatens to double the price to $600 after 3 days, and after a week threatens to permanently delete the files.
You’re probably wondering whether you’re at risk from this attack. As of 11:08:04 EDT Friday morning, the encryption trigger in the ransomware is believed to have been remedied through the discovery of a ‘kill switch’ domain hardcoded into the program. Once the ransomware is running on a victim’s machine, it tries to connect to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
If the connection succeeds, the binary exits and neither encrypts files nor spreads further. One security researcher noticed that this domain was not registered to anyone and registered it himself. As soon as the domain began answering requests, the kill switch took effect on newly infected machines. Two caveats: the kill switch does nothing for computers that were already encrypted, and the malware makes its request as a direct connection without using the system proxy, so a host whose only route to the web is through a proxy fails the check and is still encrypted.
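To see whether hosts on your own network would actually trigger the kill switch, here is an added example (not part of the original post and not a tool from the researcher or from Rappahannock IT) that repeats the malware's check from PowerShell. It assumes PowerShell 3 or later on Windows and that the malware requests the domain with a www. prefix over plain HTTP, ignoring the system proxy; a host whose only route to the web is a proxy fails this check and would still be encrypted.

```powershell
# Added example, not from the original post. Repeat the malware's kill-switch
# check from a workstation: a plain HTTP GET to the kill-switch domain with no
# proxy, which is how the ransomware makes the request. The 'www.' host name is
# the form the sample requests (an assumption stated in the lead-in).
function Test-KillSwitchReach {
    param(
        [string]$HostName = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
        [int]$TimeoutMs = 5000
    )
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.Proxy   = $null        # direct connection, ignoring system proxy settings
    $req.Timeout = $TimeoutMs
    try {
        $resp = $req.GetResponse()
        $resp.Close()
        return $true            # server answered: the kill switch would fire
    } catch [System.Net.WebException] {
        # Any HTTP response (even 4xx/5xx) means the server was reached; only
        # DNS failures, refused connections and timeouts leave Response empty.
        return ($null -ne $_.Exception.Response)
    }
}

if (Test-KillSwitchReach) {
    Write-Host 'Direct HTTP to the kill-switch domain works: a sample run here would exit before encrypting.'
} else {
    Write-Warning 'Direct HTTP fails (no route, DNS blocked, or proxy-only egress): the kill switch would NOT protect this host. Patch and isolate it.'
}
```

Run it from a few representative machines (a domain workstation, a server segment, a site behind a web proxy); a warning on any of them means that segment must rely on patching and SMB isolation rather than on the kill switch.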
Whether or not the kill switch holds, the publicity and impact of this attack make copycat campaigns likely, and a modified sample with the kill switch removed would spread exactly as before. With that in mind, here are the steps that block this exploit:
- Apply Windows update MS17-010 (released March 14, 2017) to every Windows system
- Disable the outdated SMBv1 protocol on servers and workstations
- Do not allow RDP (TCP 3389) or SMB (TCP 445) connections directly from the internet
- Isolate unpatched or unsupported systems (for example Windows XP and Server 2003) from the internal network
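The steps above, carried out on one Windows host as a single script (an added example, not from Rappahannock IT or the original post). It assumes an elevated PowerShell session on Windows 7 or later; the KB numbers are the MS17-010 packages Microsoft published per Windows version, the firewall group names are the English defaults, and the firewall cmdlets exist only on Windows 8 / Server 2012 and later, so on Windows 7 that step is skipped with a warning.

```powershell
# Added example, not from the original post. Audit and harden one Windows host
# against the MS17-010 / SMBv1 vector. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# --- Step 1: is MS17-010 installed? -----------------------------------------
# KB numbers of the March 2017 MS17-010 packages (security-only and monthly
# rollup where both exist). On Windows 10 later cumulative updates supersede
# these, so a missing KB there is a warning to verify, not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606',               # Windows 10 1507
    'KB4013198',               # Windows 10 1511
    'KB4013429'                # Windows 10 1607 / Server 2016
)
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) {
    Write-Host "MS17-010 present: $($found.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 package listed; run Windows Update (on Windows 10, confirm a cumulative update dated 2017-03-14 or later is installed).'
}

# --- Step 2: disable SMBv1 --------------------------------------------------
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: turn off the SMB1 server protocol.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2: Microsoft's documented registry method
    # (takes effect after a reboot).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}
# Also stop the SMB1 client driver so this host cannot be talked down to SMB1
# when it connects outward (same procedure on all versions).
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
# Windows 8.1 / 10: remove the optional feature so the SMB1 driver is gone.
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

# --- Step 3: no SMB or RDP from outside the local subnet ---------------------
# Scope the built-in allow rules to LocalSubnet so the default inbound block
# applies to every other source, and add an explicit block on the Public
# profile where neither service should be reachable at all.
if (Get-Command Set-NetFirewallRule -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -RemoteAddress LocalSubnet
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress LocalSubnet
    foreach ($port in 445, 3389) {
        New-NetFirewallRule -DisplayName "Block TCP $port on public networks" `
            -Direction Inbound -Protocol TCP -LocalPort $port -Profile Public `
            -Action Block | Out-Null
    }
} else {
    Write-Warning 'NetSecurity cmdlets unavailable (Windows 7): scope the File and Printer Sharing and Remote Desktop rules to the local subnet with netsh advfirewall or the firewall console.'
}

# --- Step 4: report the resulting SMB1 state ---------------------------------
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Host "SMB1 server protocol enabled: $smb1"
}
```

Step 4 of the list above (isolating unsupported systems) is a network design decision rather than a host setting: put such machines on their own VLAN with no inbound TCP 445 or 3389 from other segments, and treat them as already compromised when planning backups.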
Consumers and businesses alike should make sure their systems and software have all current patches applied; on Windows, the MS17-010 update is what stops this infection from spreading.
How can we protect you and your business?
Here at Rappahannock IT, we’re committed to delivering the best information technology solutions to businesses and consumers and to securing all your devices from potential threats and attacks. In general, many people know the internet security basics, such as not opening suspicious emails and attachments and not connecting to unknown wireless networks, but even the most careful of people can be vulnerable to malware, ransomware and other attacks without the proper protection. That’s why we strive to protect you with the most advanced anti-malware and computer security solutions available.
For businesses, we offer next-gen security technology that protects from attacks and remediates damage that other security solutions will miss. We apply endpoint protection that helps stop threats, including known malware and even zero-day exploits, significantly reducing the risk of malware and ransomware. We offer advanced breach remediation and endpoint protection for enterprise deployments as well, ensuring that all devices, including PCs and Macs, are protected.
If you are in need of a security solution for your computers and networks, or if your current protection hasn’t been revisited and updated in a while, let us help you get the peace of mind knowing your computers, servers and more aren’t at risk. Contact us through our online contact form or give us a call at (540) 940-2773 to set up a consultation on security technologies we offer that will be best-suited for you.