The list of Microsoft Windows based systems and countries affected by the WannaCry ransomware is growing. The ransomware encrypts files on an attacked system and in turn demands payment in Bitcoin before the files can be decrypted and the system returned to normal.
The attack is not limited to personal computers and laptops but also hits any Windows based server systems. A previous post explained CryptoWall, a similar strain that was in the wild earlier.
These days if your mobile or desktop computer is infected, what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files.
Here’s some basic advice about where to go, what to do — and what not to do — when you or someone you know gets hit with ransomware.
True, this may be easier said than done: In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles. Continue to ignore the demands and your files will be gone, kaput, nil, nyet, zilch, done forever, warns the extortion message.
See, the key objective of ransomware is a psychological one — to instill fear, uncertainty and dread in the victim — and to sow the conclusion in the victim’s mind that any solution for restoring full access to all his files involves paying up. Indeed, paying the ransom is often the easiest, fastest and most complete way of reversing a security mistake, such as failing to patch, opening a random emailed document, or clicking a link that showed up unbidden in an instant message. Some of the more advanced and professional ransomware operations have even included helpful 24/7 web-based tech support.
Paying up is certainly not the cheapest option. The average ransom demanded is approximately $722, according to an analysis published in September by Trend Micro. Interestingly, Trend found the majority of organizations that get infected by ransomware end up paying the ransom. They also found three-quarters of companies which had not suffered a ransomware infection reported they would not pay up when presented with a data ransom demand. Clearly, people tend to see things differently when they’re the ones in the hot seat. And for those not yet quite confident in the ways of Bitcoin (i.e. most victims), paying up means a crash course in acquiring the virtual currency known as Bitcoin. In the end the extortionist may bargain with you if they’re in a good mood, or if you have a great sob story. But they still want you to know that your choice is a binary one: Pay up, or kiss your sweet files goodbye forever.
Villain: You MUST pay the ransom!
Victim: I CAN’T pay the ransom!
Villain: You MUST pay the ransom!
Victim: I CAN’T pay the ransom!
Hero: I’ll pay the ransom!
Victim: Oh! My hero!
Villain: Curses! Foiled again!
Assuming you don’t have a recent backup you can restore, fear not: With at least some strains of ransomware, the good guys have already worked out a way to break or sidestep the encryption, and they’ve posted the keys needed to unlock these malware variants free of charge online.
But is the strain that hit your device one that experts already know how to crack?
WHERE TO GO?
The first place victims should look to find out is nomoreransom.org, a site backed by security firms and cybersecurity organizations in 22 countries. Since its launch on July 25, 2016, nomoreransom.org estimates that it has been able to save 6,000 victims of ransomware more than $2 million USD to date. Last week the group announced the site is now available in Dutch, French, Italian, Portuguese and Russian. Visit the Crypto Sheriff page at nomoreransom.org, upload one of the files encrypted by the ransomware, and the site will let you know if there is a solution available to unlock all of your files for free.
Another destination that may be useful for ransomware victims is bleepingcomputer.com, which has an excellent Ransomware Help and Tech Support section that is quite useful and may save you a great deal of time and money. But please don’t just create an account here and cry for help. Your best bet is to read the “pinned” notes at the top of that section and follow the instructions carefully.
Chances are, whoever responds to your request will want you to have run a few tools to help identify which strain of ransomware hit your system before agreeing to help. So please be patient and be kind, and remember that if someone decides to help you here they are likely doing so out of their own time and energy.
HOW NOT TO BE THE NEXT RANSOMWARE VICTIM
Regularly back up your data, and make sure the backups are not connected to the computers and networks they are backing up. Most ransomware variants can encrypt files on any attached drives or network shares that are also accessible to the host machine (including cloud hosting and cloud-based backups if those passwords are stored on the machine). Bleepingcomputer’s Lawrence Abrams just published a nice primer called How to Protect and Harden a Computer Against Ransomware. Many companies are now selling products that claim to block ransomware attacks. Those claims are beyond the scope of this article, but don’t be lulled into thinking these products will always protect you.
Even products that could somehow block all ransomware attacks can’t prevent the biggest reason that ransomware attacks succeed: They trick victims into taking an action that inadvertently undermines the security of their device — be it a smart phone, tablet or desktop computer.
This usually involves clicking a link or downloading and opening a file that arrives in an email or instant message. In either case, it is an action that opens the door to the attacker to download and install malware.
Remember my Three Rules of Online Security:
1: If you didn’t go looking for it, don’t install it.
2: If you installed it, update it.
3: If you no longer need it (or, if it’s become too big of a security risk) get rid of it.
These rules apply no matter what device you use to get online, but I’ll add a few recommendations here that are more device-specific.
For desktop users, some of the biggest risks come from insecure browser plugins, as well as malicious Microsoft Office documents and “macros” sent via email and disguised as invoices or other seemingly important, time-sensitive documents.
Microsoft has macros turned off by default in most modern Office versions because they allow attackers to take advantage of resources on the target’s computer that could result in running code on the system. So understand that responding affirmatively to an “Enable Macros?” prompt in an Office document you received externally and were not expecting is extremely risky behavior.
Enterprises can use a variety of group policy changes to harden their defenses against ransomware attacks, such as this one which blocks macros from opening and automatically running in Office programs on Windows 10. Other ransomware-specific group policy guides are here, here and here.
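The macro group policies above can also be applied and verified directly in the registry. This is an added example, not code from the original post or any of the linked guides; the policy key path (Office version 16.0) and the value names are my recollection of the Office Group Policy settings and should be confirmed against your Office ADMX templates before deployment (assumption).

```powershell
# Added example (not from the original post): apply and verify the two Office
# macro hardening policies for the current user. In an enterprise the same
# values are normally pushed by a domain GPO; this script shows what that
# GPO writes. Key path and value names are assumptions to confirm against the
# Office ADMX templates.
$apps = @('Word', 'Excel', 'PowerPoint')

function Set-MacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # "Block macros from running in Office files from the Internet":
        # files carrying the mark-of-the-web (e-mail attachments, downloads)
        # cannot run macros at all, so there is no "Enable Macros?" prompt
        # for the user to click through.
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

        # "VBA Macro Notification Settings": 4 = disable all macros without
        # notification (3 would allow only digitally signed macros).
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
    }
}

function Get-MacroPolicy {
    # Read the values back so a deployment script can check the result.
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App           = $app
            BlockInternet = $p.blockcontentexecutionfrominternet
            VBAWarnings   = $p.VBAWarnings
        }
    }
}

Set-MacroPolicy
Get-MacroPolicy | Format-Table -AutoSize
```

Run as the user being hardened; when the same values arrive through a GPO, Get-MacroPolicy is a quick way to confirm the policy actually landed on a workstation.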
So, what can you do to reverse the effects of the attack without paying the ransom? If your computer hasn't been affected yet, is there a way to protect against a possible attack?
Prevention Is Better Than Cure
If your Windows based systems haven't been affected yet, that is great, as you are in a far better position to prevent an attack by WannaCry.
The fix that prevents the ransomware from spreading is relatively simple and was actually available a full month before the WannaCry ransomware was released publicly for anyone to use and exploit.
On Friday, May 12, countless organizations around the world began fending off attacks from a ransomware strain variously known as WannaCrypt, WanaDecrypt and Wanna.Cry. Ransomware encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.
It quickly became apparent that Wanna was spreading with the help of a file-sharing vulnerability in Windows. Microsoft issued a patch to fix this flaw back in March 2017, but organizations running older, unsupported versions of Windows (such as Windows XP) were unable to apply the update because Microsoft no longer supplies security patches for those versions of Windows. The software giant today made an exception to that policy after it became clear that many organizations hit hardest by Wanna were those still running older, unsupported versions of Windows.
“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” wrote Phillip Misner, principal security group manager at the Microsoft Security Response Center. “Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers.”
The update to address the file-sharing bug that Wanna is using to spread is now available for Windows XP, Windows 8, and Windows Server 2003 via the links at the bottom of this advisory.
On Friday, at least 16 hospitals in the United Kingdom were forced to divert emergency patients after computer systems there were infected with Wanna. According to multiple stories in the British media, approximately 90 percent of care facilities in the U.K.’s National Health Service are still using Windows XP – a 16-year-old operating system.
All you have to do is install the latest Microsoft Windows security patch mentioned in this March 2017 Microsoft Security Bulletin. You can download the patch here and follow the instructions to install it and protect your system against a potential WannaCry ransomware attack. The move is a bid to slow the spread of the WanaCrypt ransomware strain that infected tens of thousands of Windows computers virtually overnight this week.
Reversing The Damage
The best advice so far seems to come from Kaspersky Labs, who have said they are also working on the possibility of creating a decryption tool to help victims.
Firstly, as advised by Kaspersky, you need to ensure that your Windows system is running some form of endpoint security and, if running Kaspersky tools, ensure that the Kaspersky System Watcher component is available on your system.
Kaspersky System Watcher component blocking the WannaCry attack.
Kaspersky System Watcher has the ability to "rollback the changes done by ransomware in the event that a malicious sample managed to bypass other defenses".
Below are the steps to follow to try and recover from the effects of the WannaCry ransomware:
1. Make sure that all hosts are running and have enabled endpoint security solutions.
2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.
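Steps 2 and 4 both come down to confirming that the MS17-010 fix is actually present on every host. The following is an added example, not code from the original post or from Kaspersky or Microsoft: the KB numbers are the per-OS packages I recall Microsoft publishing under MS17-010 and should be confirmed against the bulletin itself (assumption), and the hostnames are constructed placeholders.

```powershell
# Added example (not from the original post): check a list of hosts for the
# MS17-010 fix using the Windows Update history exposed by Get-HotFix.
# The KB list is an assumption to be verified against the MS17-010 bulletin.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012598',                           # Windows XP / Server 2003 / Windows 8 (out-of-band release)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        # Get-HotFix queries Win32_QuickFixEngineering over WMI on the remote host.
        $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        # Unreachable or access-denied hosts are reported, not silently skipped:
        # an unknown patch state is itself a finding.
        return [pscustomobject]@{ Host = $ComputerName; Patched = $null; KB = ''; Error = $_.Exception.Message }
    }
    $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    [pscustomobject]@{
        Host    = $ComputerName
        Patched = ($found.Count -gt 0)
        KB      = ($found -join ',')
        Error   = $null
    }
}

# Constructed placeholder inventory; replace with your own host list.
$hosts = @('localhost', 'FILESERVER01', 'WS-ACCOUNTING-07')
$hosts | ForEach-Object { Test-Ms17010 -ComputerName $_ } | Format-Table -AutoSize
```

On Windows 10 the listed KBs are superseded by later cumulative updates, so a host showing none of them but carrying a newer cumulative update is not necessarily unpatched; treat a negative result there as a prompt to check the installed cumulative update level rather than as proof of exposure.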