Ransomware threat found when using Google’s RailWire free Wi-Fi service

The smart city dream has everyone enthusiastic. However, it comes with security breaches and malware attacks that can have a detrimental effect on the entire nation. Public Wi-Fi networks are not as safe as they may seem. Even when a network requires a password or an OTP to join, every device on it shares the same medium and exchanges data over it constantly, and unless the operator isolates clients from one another, any other device on the hotspot can reach yours. This means your data is at risk and you may become an easy target for cybercrime.

[Image: Ransomware state-wise statistics]

The mayhem caused by the WannaCry ransomware saw ransomware surge to the top of the attack vectors in the threat landscape. According to the statistics available, India was one of the most affected countries in the world.

Moreover, based on the information collected from our telemetry servers, we observe that the most infected state within India was Madhya Pradesh with 32.63%, followed by Maharashtra at 18.84%, with Delhi in third position at 8.76%.

[Image: Ransomware, most affected ISPs]

Numerous ISPs operate within India, and among them is RailWire, the free Wi-Fi service launched by RailTel in partnership with Google. RailTel’s network was observed to be the top network on which WannaCry and other ransomware were detected within India, accounting for 32.14% of the entire share.

From these figures we can gauge the popularity of this free Wi-Fi service and also the size of the population that can be affected. We have every reason to believe that the majority of the ransomware attacks that happened in India during the last week would have been averted had RailTel implemented the stop-gap measure of blocking SMB traffic (TCP ports 445 and 139) between clients of the hotspot, since WannaCry spreads by connecting to port 445 on every host it can reach.

While the Government is installing free Wi-Fi at spots all over India, there is a need to validate the internal security of these networks, and also to ensure that consumers using RailTel’s free Wi-Fi service do so with some caution. The same caution applies to any free Wi-Fi service.

We, at eScan, believe it is our duty to be proactive in alerting users about potential attacks, which helps them take the necessary precautions; sharing our statistics is one part of that. Here are some tips to stay safe from ransomware, phishing and the like while using open Wi-Fi in public places:

  • Avoid financial transactions such as online shopping and banking while on public Wi-Fi networks
  • Do not share confidential or personal information over public Wi-Fi
  • Use a Virtual Private Network (VPN) app on your device so that your traffic is encrypted all the way through the hotspot
  • Do not let your device connect to public Wi-Fi automatically
  • Turn off file and printer sharing while on Wi-Fi, and mark the network as Public so that the firewall blocks inbound connections from other clients
  • Connecting to unsecured networks leaves your device exposed to every other device on them
  • Protect your system with a security suite that not only blocks malicious traffic but also protects the system from harmful activity.
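The last three tips are things Windows can enforce rather than leaving to habit. The following is an added example, not eScan’s own code or advice; it assumes the hotspot’s saved profile name is "RailWire" (substitute the real one from `netsh wlan show profiles`) and a Windows 8.1 or later laptop with the NetSecurity and NetConnection modules. It marks the hotspot as a Public network, adds an explicit inbound block for the SMB ports WannaCry propagates over, and stops the laptop from rejoining the hotspot without being asked. On the operator’s side the equivalent measure is client isolation on the access points plus dropping TCP 445/139 between clients, which is the stop-gap this post asks of RailTel.

```powershell
# Added example (not eScan's code): harden a Windows laptop before joining a shared public hotspot.
# Run from an elevated PowerShell prompt. Assumes Windows 8.1 / Server 2012 R2 or later.
# "RailWire" is an assumed profile name; list the real ones with: netsh wlan show profiles

$Ssid     = 'RailWire'
$RuleName = 'Block inbound SMB on public networks'

# 1. Classify the hotspot as Public. Windows then applies the Public firewall profile to it and
#    switches off network discovery, so the laptop no longer advertises itself to other clients.
Get-NetConnectionProfile -Name $Ssid -ErrorAction SilentlyContinue |
    Set-NetConnectionProfile -NetworkCategory Public

# 2. Explicitly block inbound SMB (TCP 445, plus the NetBIOS session service on TCP 139) while on a
#    Public network. Block rules take precedence over allow rules in Windows Firewall, so this holds
#    even if the "File and Printer Sharing" rule group is later re-enabled by some application.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 139,445 `
                        -Profile Public -Action Block | Out-Null
}

# 3. No auto-reconnect: the laptop joins the hotspot only when told to, not the moment it sees the
#    SSID in a station. The profile name must match an existing saved Wi-Fi profile.
netsh wlan set profileparameter name="$Ssid" connectionmode=manual | Out-Null

# 4. Verify the result.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Profile, Action
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

The block rule is deliberately scoped to the Public profile, so sharing on a trusted home or office network (Private or Domain profile) keeps working; if the laptop never shares folders at all, drop the `-Profile Public` restriction.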

 

Posted in eScan 11, eScan 14, MailScan, Security

Ransomware variants vying for the top slot

[Image: eScan Threat Assessment]

The WannaCry ransomware is a game changer at every level in an arena previously ruled by the likes of Reveton, CryptoLocker, CryptoWall and Locky. WannaCry not only encrypts files but also exploits a vulnerability to propagate. It gained prominence because of this worm-like propagation, and because the EternalBlue exploit it uses, which targets the SMBv1 vulnerability patched by MS17-010, came from the NSA’s arsenal.

However, over the past week WannaCry was not the only ransomware wreaking havoc; Wallet and Jaff were also prominent, although the focus stayed on WannaCry.

Our R&D team has released the breakdown of the various ransomware attacks seen in the past week and expects such attacks to increase in the coming weeks. We also observed increased activity among the variants and families of different ransomware vying for the top position.

[Image: Breakdown of ransomware attacks]

From the available statistics it is apparent that the Wallet/Jaff ransomware commanded 32% of the total ransomware incidents, while WannaCry was at 28%. Other families have continued their onslaught, but these are intermittent attempts that merely add to the numbers. It should be noted that ransomware, whatever the variant or family, is among the most destructive classes of malware yet created, because a single infection turns directly into loss of data and of business continuity.

The cyber-crime ecosystem thrives on:

  • Fame
  • The depth of the attack
  • Stability of the infection
  • Reliability of the Malware
  • Most important of all, the ability of the authors to keep their malware FUD (fully undetectable by antivirus engines), and to do so at a very fast pace.

Cyber criminals are aware of these facts and, in order to increase their revenue and grab their share of the spoils, are working hard to unleash a new wave of destruction. This reinforces the fact that the full extent of the damage ransomware will cause is still to be seen. Beyond that, the attacks are going to be more aggressive and stealthier in their ways and means than before. The future is also uncertain because the anonymity offered by cryptocurrencies has been embraced by cyber criminals, and until cryptocurrency payments are brought under control, criminals will elude the law by staying anonymous.

There is also stiff competition among the various ransomware families over which is the best, and as we can observe, the fight for the top place has already begun. This creates a further, larger threat: in proving who is bigger, the attackers compete with each other while wreaking havoc worldwide. In view of such possibilities, it is imperative that every user of technology takes the utmost precautions and remains alert to outbreaks, so as to stop the evils of ransomware.

Moreover, this competition will keep ransomware at the top of the threat landscape for years to come.

Readers are invited to visit the Threat Assessment page to keep themselves informed about the various ongoing attacks across the globe.

Posted in eScan 11, eScan 14, MailScan, Security

eScan decimates Ransomware Hoax News

[Image: WannaCry hoax]

The WannaCry ransomware attacked computers in as many as 150 countries all over the world and demanded a payment of about $300 in Bitcoin to unlock the encrypted data. Following this, social media and instant messaging applications were flooded with hoax texts and news claiming to safeguard the audience against attacks. Some of these messages may have been well intentioned, but many turned out to be untrue.

Following the carnage and mayhem caused by WannaCry, we were surprised to find all sorts of advisories doing the rounds on social networks. Many were outrageous, while others tickled our funny bone. Here are some clarifications so that you do not fall prey to these messages:

  • RBI orders Shutdown of ATMs until they are patched and safe

Status: Hoax

RBI has issued a clarification that it has not issued any such order.

  • Avoid using ATMs and Do not do any online transaction

Status: Hoax

Any computer infected with ransomware displays a message saying so. The moment a ransom message appears on an ATM’s screen, the whole machine is rendered useless; there is no way to use an infected ATM without noticing.

  • Don’t do any online transaction. Don’t open any Shopping cart.

Status: Hoax

A web server infected with ransomware would simply be unable to serve pages, and shopping carts do not carry ransomware.

However, while browsing and downloading software, make sure that the executables are scanned by an antivirus before they are run.

  • Except Africa all countries IT companies are hacked.

Status: Hoax

No explanation is required, since this is 100% fake news. When IT organisations get hacked, the news is published all over the internet and on TV channels; it does not circulate only within your group of friends.

  • Dance of the Hillary video

Status: Hoax.

We even received an advisory in our inbox which says:

  • Power off smart TVs, tablets, and every other smart device.
  • Turn off Bluetooth, WiFi, tethering (also known as Hotspot) on your mobile phones.
  • Switch off your servers (or any other computers that you may leave on 24×7).
  • Disconnect the LAN (network, CAT6, CAT5) cable that plugs computers or laptops into the network. A laptop may have a physical slide switch or button to switch off the Wi-Fi card inside it: switch that off.
  • If possible, wait for news from the eastern world.

Status: Outright funny

This would simply mean leading the life of an ascetic. Disconnecting an unpatched machine is a reasonable emergency step, but it is not the fix: apply the MS17-010 patch and disable SMBv1, and the machine can go back online.

Keep Antivirus On:

Status: 100% True.

No matter what: buy a good antivirus, keep it updated, keep your operating system updated, take precautions and never divulge your personal information. These are some of the things one should remember.

Posted in eScan 11, eScan 14, MailScan, Security

WannaCry Ransomware – eScan’s Advisory

The WannaCry ransomware attack has affected a large number of endpoints in the networks of hospitals, educational organisations, the government sector and others, with negative consequences for business: loss of data and disruption of business continuity. WannaCry, also known as WannaCrypt, WanaCrypt0r 2.0 or Wanna Decryptor, is an unprecedented attack that has spread across more than 70 countries. Very recently the Shadow Brokers leaked hacking tools and vulnerabilities belonging to the US spy agency, the NSA, one of them being the EternalBlue exploit. WannaCry relies on this SMB exploit to break into other networked PCs from an infected one. So far the ransomware has affected over 200,000 computers across the globe.

How can it impact you:

The WannaCry ransomware has targeted everyone from industries to individual users, right across the healthcare, financial, manufacturing and government verticals, suddenly crippling businesses and causing the loss of valuable, sensitive data. Some unconfirmed reports also suggested that the attack was used to capture banking information from people who paid the ransom in Bitcoin. The ransomware has also cost many businesses their reputation and the trust of their customers. Paying the $300 demanded for the decryption key is no assurance of receiving it; the ransom note states that the price doubles after three days and that after seven days the files can no longer be recovered.

WannaCry exploited a vulnerability in the Windows operating system discovered earlier by the NSA; Microsoft had already provided the patch (MS17-010) on 14 March 2017 with an advisory to update systems. It is common knowledge that when vulnerabilities exist and patches are available, the onus is on security administrators to patch the systems under their control. This attack has proved beyond doubt that patch management, and the process of reviewing the procedures laid down for it, has taken a severe beating.

India, with one of the largest bases of legacy systems and many individual users of pirated software, is one of the most vulnerable countries in terms of the spreading potential of WannaCry. Hence users need to take the utmost care to find all possible vulnerabilities in their networks and apply patches to close any probable exploit path. According to some unconfirmed reports, 70% of India’s 2.19 lakh (219,000) ATMs are still running Windows XP, and according to the Ministry some ATMs have been shut down to be patched before resuming normal banking operations.

How does eScan protect against Ransomware attacks:

eScan’s Proactive Behavioral Analysis Engine (PBAE) monitors the activity of all processes on the local machine, and when it encounters activity or behaviour that matches ransomware, a red flag is raised and the process is blocked. If an infected system tries to access a network share on a protected system and encrypt or modify the files residing there, PBAE immediately invalidates the network session.

Along with WannaCry, PBAE is also successfully blocking ransomware attacks such as Locky, Zepto, Crysis and many more. Additionally, by analysing the data collected through our cloud (ESN), we are able to detect and mitigate thousands of ransomware attacks on all systems protected by eScan.

eScan’s Active Virus Control (AVC) also proactively protects the system from infection by blocking malware as it executes, in real time. Not only PBAE but also AVC identifies and blocks the execution of malware and Trojans, including ransomware of all types and variants.

Statistics:

[Image: WannaCry statistics]

According to eScan R&D, the telemetry data collected from its cloud server shows that by 14th May 2017 WannaCry infections had fallen after the spike that followed the outbreak on 12th May. However, since the past two days were holidays and advisories have been released worldwide, infections may reduce further while detections of WannaCry infection attempts rise as machines return to the network.

Moreover, since humans are the weakest link in the entire IT security ecosystem, we believe that although advisories have been released and everyone has been made aware of the WannaCry attack, an internal employee advisory should still be circulated not to click on or open attachments from unknown sources received by email, and security administrators should deploy the patch issued by Microsoft across the Windows systems in their network.

The threat report can be viewed by visiting the Threat Report page.

WannaCry File Extensions:

WannaCry, after encrypting a file, appends one of the following extensions to its name:

  • .WNCRY
  • .WNCRYT
  • .WCRY
  • .WCRYT
  • .WNCYR
  • .WNRY

Note that .WNRY is also the extension of the malware’s own component files dropped alongside the encrypted data (for example r.wnry and t.wnry), so a .WNRY file by itself points to the dropper rather than to an encrypted user file; .WNCRY is the extension seen on the great majority of encrypted files.

Prevention Measures:

  • Download and install the MS17-010 patch from the link below; it fixes the SMBv1 vulnerability that EternalBlue exploits:
    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Where SMBv1 is not needed, disable it, and block inbound TCP 445 and 139 from the internet at the perimeter; this closes the propagation path even on hosts that cannot be patched immediately.
  • Administrators should block executable attachments at the email gateway.
  • Administrators should isolate affected systems from the network immediately, before any cleanup, so that they cannot scan neighbouring hosts.
  • Administrators can restore encrypted files from backup. Note that WannaCry deletes Volume Shadow Copies on the infected host, so system restore points are usually gone; offline or off-host backups are the reliable path.
  • Install and configure eScan with all security modules active:
    1. eScan Real Time Monitoring
    2. eScan Proactive Protection
    3. eScan Firewall with IDS/IPS intrusion prevention
  • Users should not enable macros in documents.
  • Organisations should deploy and maintain a backup solution.
  • Most important, organisations should implement MailScan at the gateway level for mail servers, to contain the spread of suspicious attachments.
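The measures above are a checklist; the following added example (not eScan’s code or product) turns the patch, isolate and restore steps into a host check an administrator can run from an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or later. It reports whether an MS17-010 package is present, whether SMBv1 (the protocol EternalBlue exploits) is still enabled, and whether files carrying the WannaCry extensions listed above exist under the chosen paths, with the earliest and latest write times as a bound on when encryption ran. The KB identifiers are the March 2017 MS17-010 packages for the listed Windows versions; later rollups and cumulative updates supersede them, so an empty match is a prompt to check the bulletin, not proof that the host is unpatched. The isolation step disables the physical network adapters and should be taken as the page advises: isolate first, capture forensics, then restore from backup.

```powershell
# Added example (not eScan's code): MS17-010 / SMBv1 exposure check and WannaCry file triage for one host.
# Run from an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or later.

# March 2017 MS17-010 packages. Later monthly rollups and Windows 10 cumulative updates supersede them,
# so "not found" means "check the bulletin", not "unpatched".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598'                 # XP / Vista / Server 2003 / Windows 8 out-of-band package
)

# Extensions WannaCry gives to the user files it has encrypted (.WNRY is left out: it marks the
# dropper's own component files, not encrypted data).
$WannaCryExtensions = @('.WNCRY', '.WNCRYT', '.WCRY', '.WCRYT')

function Get-Ms17010Status {
    $found = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    [pscustomobject]@{
        OsVersion    = (Get-CimInstance Win32_OperatingSystem).Version
        Ms17010Found = ($found.Count -gt 0)
        Packages     = ($found | ForEach-Object { $_.HotFixID }) -join ','
    }
}

function Get-Smb1Status {
    # Patching fixes the bug; turning SMBv1 off removes the attack surface outright.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state   = 'n/a'                                   # Windows 7 has no SMB1Protocol optional feature
    if ($feature) { $state = $feature.State.ToString() }
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = $state
    }
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Where the optional feature exists it can be removed entirely (takes effect after a reboot).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

function Find-WannaCryFiles {
    param([string[]] $Paths = @($env:USERPROFILE))
    $hits = @(Get-ChildItem -Path $Paths -Recurse -File -Force -ErrorAction SilentlyContinue |
              Where-Object { $WannaCryExtensions -contains $_.Extension.ToUpperInvariant() })
    $first = $null; $last = $null
    if ($hits.Count -gt 0) {
        $sorted = @($hits | Sort-Object LastWriteTime)
        $first  = $sorted[0].LastWriteTime      # encryption window for the incident timeline
        $last   = $sorted[-1].LastWriteTime
    }
    [pscustomobject]@{
        Count      = $hits.Count
        FirstWrite = $first
        LastWrite  = $last
        Folders    = @($hits | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)
    }
}

function Invoke-HostIsolation {
    # "Isolate the affected system": cut the host off before it can scan port 445 on its neighbours.
    # Do this before any cleanup so that memory and disk can still be captured for forensics.
    Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
}

$patch = Get-Ms17010Status
$smb1  = Get-Smb1Status
$files = Find-WannaCryFiles -Paths @("$env:SystemDrive\Users")

$patch | Format-List
$smb1  | Format-List
$files | Select-Object Count, FirstWrite, LastWrite | Format-List

if ($files.Count -gt 0) {
    Write-Warning "$($files.Count) WannaCry-extension files in $($files.Folders.Count) folders; isolating host."
    Invoke-HostIsolation
}
elseif (-not $patch.Ms17010Found -or $smb1.Smb1ServerEnabled) {
    Write-Warning 'Host may be exposed to EternalBlue: confirm MS17-010 is applied and disable SMBv1.'
    if ($smb1.Smb1ServerEnabled) { Disable-Smb1 }
}
```

Restoration is deliberately not scripted: once the host is isolated and imaged, files come back from the organisation’s backup solution, since the shadow copies the ransomware removed are no longer there to restore from.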
Posted in eScan 11, eScan 14, MailScan, Security