A massive ransomware attack shut down computer systems across several countries including India. Security researchers identified the ransomware as a new variant of WannaCry (also known as WanaCrypt0r and WCry) that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system (as per Microsoft bulletin MS17-010).
Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. This variant demands that users pay USD 300 worth of the cryptocurrency Bitcoin to retrieve their files, and warns that the payment will be raised after a certain amount of time. The malware spreads through e-mail. A ransomware attack infects individual computers (Windows OS) with malware that blocks access to all data on the system: it encrypts all the data on the computer and decrypts it only after the user/owner agrees to pay a ransom. The WannaCry virus infects only machines running Windows operating systems. If you do not update Windows, and do not take care when opening and reading e-mails, then you could be at risk. You can protect yourself by running updates, using firewalls and anti-virus software, and by being careful when reading e-mailed messages.

Since most Government computers run on the Linux based Ubuntu system, the risk is less. But when Microsoft Windows based software is run on a Linux based system using software like Wine, there is a chance of infection. When a Windows based system is used for updating various Government portals and software without software updates and proper anti-virus, there is a chance of infection. Regularly back up your data to cloud based storage like Google Drive, Dropbox or Box so you can restore files without having to pay up should you be infected, as there is no guarantee that paying the ransom will result in your files being unlocked.
How did the attack occur?
- The attack appeared to be caused by a self-replicating piece of software that takes advantage of vulnerabilities in older versions of Microsoft Windows. Microsoft Windows XP systems were attacked in Kerala by ransomware.
- It spreads from computer to computer as it finds exposed targets.
- Ransom demands start at $US300 and increase after two hours.
- Security holes were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has repeatedly published what it says are hacking tools used by the NSA.
- Shortly after that disclosure, Microsoft announced it had already issued software “patches” for those holes.
- But many companies and individuals have not installed the fixes yet or are using older versions of Windows that the company no longer supports and for which no patch was available.
You are advised to take the following preventive measures to protect your computer networks from ransomware infections/attacks:
1. Ensure that ports TCP/UDP 445 are blocked on all perimeter devices and internal access control devices.
Ensure that ports TCP/UDP 445 are blocked on all clients and servers using host firewalls, host antivirus and HIPS.
Apply all patches of Microsoft Windows (client and server) for the vulnerability mentioned in the Microsoft Security Bulletin MS17-010.
2. Secure the mail server with antivirus and anti-spam solutions.
3. Maintain updated Antivirus software on all user client systems urgently ON PRIORITY.
4. Update operating system, third party applications (MS office, browsers, browser Plugins) and antivirus software with the latest patches ON PRIORITY.
All system administrators are to ensure this is done in their organizations ASAP.
5. Alert all users in the organization of the attack, and ensure the above step of updating the software on the computer is completed before users access e-mail or the internet.
6. Users should be alerted not to open attachments in unsolicited e-mails, even if they come from people in their contact list, and never to click on a URL contained in an unsolicited e-mail unless they are sure it is genuine. For genuine URLs, close the e-mail and go to the organization’s website directly through the browser.
7. Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
8. Check regularly for the integrity of the information stored in the databases.
Regularly check the contents of database backup files for any unauthorized encrypted data records or external elements (backdoors / malicious scripts).
9. Ensure the integrity of the code/scripts used in database, authentication and sensitive systems.
Establish a Sender Policy Framework (SPF) record for your domain. SPF is an e-mail validation system designed to prevent spam by detecting e-mail spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
10. Application white listing/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
11. Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
12. Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
Disable Remote Desktop connections, and employ least-privileged accounts. Limit the users who can log in using Remote Desktop, and set an account lockout policy. Ensure proper RDP logging and configuration.
13. Restrict access using firewalls and allow only selected remote endpoints; a VPN with a dedicated address pool may also be used for RDP access.
14. Use a strong authentication protocol, such as Network Level Authentication (NLA) in Windows.
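As an added example, not part of this advisory or the IT Mission’s PDF instructions, the PowerShell script below audits a single Windows host against measures 1, 12 to 14 above and remediates when run with -Apply. It assumes an elevated Windows PowerShell 5.1 session on Windows 8 / Server 2012 or later; the SMBv1 step and the MS17-010 hotfix IDs are assumptions, as labelled in the comments.

```powershell
# Added example, not part of the advisory: audits (and with -Apply, remediates) measures
# 1, 12 to 14 on a single Windows host. Assumes Windows PowerShell 5.1 in an elevated
# session on Windows 8 / Server 2012 or later (NetSecurity and SmbShare modules present).
param([switch]$Apply)

function Ensure-FirewallBlock445 {
    # Measure 1: block inbound 445 on the host firewall (this also stops the host serving file shares).
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Block inbound SMB $proto/445 (MS17-010 mitigation)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Output "[OK]   $name"; continue
        }
        if ($Apply) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
            Write-Output "[FIX]  created $name"
        } else { Write-Output "[WARN] missing rule: $name" }
    }
}

function Ensure-NetworkLevelAuth {
    # Measure 14: require NLA so RDP clients authenticate before a session is created.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-tcp'"
    if ($ts.UserAuthenticationRequired -eq 1) { Write-Output "[OK]   RDP requires NLA"; return }
    if ($Apply) { $ts.SetUserAuthenticationRequired(1) | Out-Null; Write-Output "[FIX]  NLA enabled" }
    else { Write-Output "[WARN] RDP does not require NLA" }
}

function Ensure-Smb1Disabled {
    # Assumption: the SMB change in the IT Mission PDF is disabling SMBv1, the dialect
    # MS17-010 covers. Patching is still required; this only reduces exposure.
    if (-not (Get-SmbServerConfiguration).EnableSMB1Protocol) { Write-Output "[OK]   SMBv1 off"; return }
    if ($Apply) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force; Write-Output "[FIX]  SMBv1 off" }
    else { Write-Output "[WARN] SMBv1 server protocol still enabled" }
}

function Test-Ms17010Hotfix {
    # Hotfix IDs differ per Windows build; take the KB list for this build from the bulletin.
    param([string[]]$KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    if ($KbIds | Where-Object { $installed -contains $_ }) { Write-Output "[OK]   MS17-010 hotfix present"; return }
    Write-Output "[WARN] no MS17-010 hotfix from ($($KbIds -join ', ')) installed; patch ON PRIORITY"
}

Ensure-FirewallBlock445
Ensure-NetworkLevelAuth
Ensure-Smb1Disabled
Test-Ms17010Hotfix -KbIds @('KB<placeholder-for-this-build>')
```

Run it once without -Apply to see the WARN lines, then with -Apply after confirming the host does not need to serve SMB shares during the outbreak.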
Kerala State IT Mission Instructions
- Server Message Block (SMB) protocol: make the configuration changes described in the downloadable PDF instructions.
- Block port 445, as described in the downloadable PDF instructions.
- To prevent data loss, users and organisations are advised to take backups of critical data.
What should I do if my computer is attacked?
Disconnect your PC from any networks it’s connected to.
Then power it off.
If you’re at home, get in touch with a local IT support company who’ll be able to get your computer back into working order.
If you’re at work, get in touch with your internal IT department, then make sure a notification is sent out telling everyone about the attack.
Should I pay the ransom?
“We should not be paying criminals,”
“If you keep paying ransom it’s actually helping attackers to grow the industry,”
How do I protect myself?
- Update your operating system regularly
- Make sure you keep a regular backup of your important files
- Install anti-virus and anti-malware software (and keep it updated)
“It’s vital that everyone takes the opportunity to utilize the backup tools that most operating systems have built in now. People need to learn how to use those. They’ve become a part of everyday life,” said Professor Gregory.
“Backups and the constant updating of our computers means that we’ve got the best opportunity to recover.”