The WannaCry ransomware attack has affected a large number of endpoints on the networks of hospitals, educational organizations, government departments and others, causing loss of data and disrupting business continuity. WannaCry, also known as WannaCrypt, WanaCrypt0r 2.0 or Wanna Decryptor, is an unprecedented attack that spread across more than 70 countries within its first day. In April 2017 the Shadow Brokers group leaked hacking tools and exploits attributed to the US spy agency NSA, one of them being the EternalBlue exploit. EternalBlue targets a flaw in the SMBv1 server of Windows (CVE-2017-0144, fixed by MS17-010), which let WannaCry spread as a worm to any other reachable Windows machine on the network without any user action. So far the ransomware has affected over 200,000 computers across the globe.
How can it impact you:
WannaCry has hit everyone from large enterprises to individual users, right across the healthcare, financial, manufacturing and government verticals, crippling businesses overnight and costing them sensitive data. Some unconfirmed reports also speculated that the attackers could capture banking information from people who paid the ransom in bitcoin. The ransomware has also caused reputational damage for many businesses and eroded the trust of their customers. The attackers demand $300 in bitcoin for the decryption key, with no assurance that a key will actually be delivered; the ransom screen doubles the demand after a countdown (three days on the ransom note) and threatens to delete the files permanently after the seven-day deadline.
WannaCry exploited a vulnerability in the Windows operating system that the NSA had discovered earlier; Microsoft had already shipped the fix on 14 March 2017 as security bulletin MS17-010, with an advisory to update all systems, and on 13 May 2017 it took the unusual step of releasing an emergency patch for the unsupported Windows XP, Windows 8 and Windows Server 2003 as well. It is common knowledge that once a vulnerability is public and a patch is available, it is the onus of the security administrators to patch the systems under their control. This attack has proved beyond doubt that, in many organizations, both the administrators and the whole process for reviewing and enforcing patch management have failed badly.
India, with its large installed base of legacy systems and the widespread use of pirated (and therefore unpatched) software among individuals, is one of the countries most exposed to the spread of WannaCry. Users therefore need to take the utmost care to find all possible vulnerabilities in their networks and apply the patches that close off any probable exploit. According to some unconfirmed reports, 70% of India's 2.19 lakh (about 219,000) ATMs still run Windows XP, and according to the Ministry some ATMs were shut down so that they could be patched before resuming normal banking operations.
How does eScan protect against Ransomware attacks:
eScan's Proactive Behavioral Analysis Engine (PBAE) monitors the activity of every process on the local machine; when it observes activity or behavior that matches a ransomware pattern, a red flag is raised and the process is blocked. If an infected system tries to reach a network share on a protected system and encrypt or modify the files residing there, PBAE immediately invalidates the network session.
Along with WannaCry, PBAE also blocks ransomware families such as Locky, Zepto, Crysis and many more. Additionally, by analyzing the data collected through our cloud (ESN), we are able to detect and mitigate thousands of ransomware attacks on all systems protected by eScan.
eScan's Active Virus Control (AVC) also proactively protects the system at the moment a file is executed. It is not just PBAE but also AVC that identifies and blocks the execution of malware and Trojans, including ransomware of all types and variants.
Statistics:
According to eScan R&D, telemetry collected on its cloud server shows that WannaCry infections spiked after the outbreak on 12 May 2017 and had already fallen by 14 May. With the past two days being a weekend (fewer machines online) and advisories having been released worldwide, we expect new infections to keep falling, while the number of detected WannaCry infection attempts is likely to rise as machines come back online.
Moreover, since humans are the weakest link in the entire IT security ecosystem, we believe that even though advisories have been released and everyone has been made aware of the WannaCry attack, an internal employee advisory should still be circulated not to click on or open attachments from unknown senders received by email. Note that WannaCry's confirmed spread was through the SMB exploit rather than email, so this advice does not replace patching: security administrators should deploy the patch issued by Microsoft across all Windows systems in their network.
The threat report can be viewed by visiting the Threat Report page.
WannaCry File Extensions:
After encrypting a file, WannaCry changes its extension to one of the following:
- .WNCYR
- .WCRY
- .WCRYT
- .WNCRY
- .WNCRYT
- .WNRY
Note that .WNRY is also the extension of the ransomware's own support files (b.wnry, c.wnry, r.wnry, s.wnry, t.wnry, u.wnry and the msg\*.wnry language files), so a folder containing only a handful of .wnry files is likely to be the dropper's working directory rather than encrypted user data; the .WNCRYT and .WCRYT files are temporary files left from the encryption process.
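The following is an added example, not code from eScan or part of the original advisory: a PowerShell function that walks a drive or UNC share and reports every file carrying one of the extensions listed above, so that affected hosts can be identified and isolated. The path C:\ and the CSV location under $env:TEMP are assumptions; run it in an elevated PowerShell so that ACL-protected folders are not skipped silently.

```powershell
# Added example (not eScan code): locate files with WannaCry extensions on a host or share.
function Find-WannaCryFiles {
    param([string]$Path = 'C:\')   # assumed: local drive or UNC path readable by this account

    # Extensions from the list above, normalised to a leading dot; Extension is compared
    # after upper-casing so .wncry and .WNCRY both match.
    $extensions = @('.WNCYR', '.WCRY', '.WCRYT', '.WNCRY', '.WNCRYT', '.WNRY')

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToUpper() } |
        Select-Object FullName, DirectoryName, Extension, Length, LastWriteTime
}

$hits = Find-WannaCryFiles -Path 'C:\'
if ($hits) {
    # The earliest LastWriteTime among the hits is a rough indicator of when encryption began.
    Write-Host 'Earliest flagged file:'
    $hits | Sort-Object LastWriteTime | Select-Object -First 1 | Format-List

    # Folders with only a few .wnry files are usually the dropper's working directory,
    # not encrypted user data; folders with many .WNCRY files are the real damage.
    $hits | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    $report = Join-Path $env:TEMP 'wannacry-hits.csv'   # assumed report location
    $hits | Export-Csv -Path $report -NoTypeInformation
    Write-Warning "$($hits.Count) file(s) flagged; report written to $report. Isolate this host from the network before cleanup."
} else {
    Write-Host 'No files with WannaCry extensions found under C:\'
}
```

Run it against each suspected host (or against a file server's shares over UNC) before restoring from backup, so that the restore does not silently overwrite clean files with encrypted copies that were synchronised back to the share.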
Prevention Measures:
- Download and install the MS17-010 patch from the link below (for Windows XP, Windows 8 and Server 2003, use the emergency update Microsoft released on 13 May 2017):
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Where patching will be delayed, disable SMBv1 and block inbound TCP port 445 at the perimeter and between network segments, since this is the only way WannaCry is confirmed to spread.
- Administrators should block all executable files from being transmitted via email.
- Administrators should isolate any affected system from the network immediately, because an infected host keeps scanning for and attacking unpatched machines.
- Administrators can restore encrypted files from backup. System Restore points are rarely usable, because WannaCry deletes the Volume Shadow Copies (vssadmin delete shadows) before it finishes, so an offline or off-host backup is the only reliable recovery path.
- Install and configure eScan with all security modules active:
  - eScan Real Time Monitoring
  - eScan Proactive Protection
  - eScan Firewall with IDS/IPS intrusion prevention
- Users should not enable macros in documents received from outside the organization.
- Organizations should deploy and maintain a backup solution, with copies kept offline or on storage that infected hosts cannot write to.
- Most important, organizations should implement MailScan at the gateway level for their mail servers, to contain the spread of suspicious attachments.
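The steps above (verify the patch, shut off SMBv1, block port 445, keep unpatched hosts isolated) can be carried out on a single host with the following PowerShell script. It is an added example and not code from eScan or Microsoft. The KB numbers are the MS17-010 security updates Microsoft published for each Windows version in March 2017 (plus the 13 May 2017 emergency update for XP and Server 2003); the list is partial and is an assumption in the sense that a later cumulative update can supersede and hide the original KB, so "not found" here means "verify through Windows Update", not "confirmed vulnerable". The registry switch for SMBv1 on Windows 7 / Server 2008 R2 is the one Microsoft documents in KB2696547 and needs a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not eScan or Microsoft code): check MS17-010, disable SMBv1, block inbound 445.

# MS17-010 updates per OS (assumed complete enough for the common cases; order matters,
# more specific captions first). Later cumulative updates may replace these KB IDs.
$patchByOs = @(
    @{ Like = 'Microsoft Windows 10*';             KBs = @('KB4012606', 'KB4013198', 'KB4013429') },
    @{ Like = 'Microsoft Windows Server 2016*';    KBs = @('KB4013429') },
    @{ Like = 'Microsoft Windows 8.1*';            KBs = @('KB4012213', 'KB4012216') },
    @{ Like = 'Microsoft Windows Server 2012 R2*'; KBs = @('KB4012213', 'KB4012216') },
    @{ Like = 'Microsoft Windows Server 2012*';    KBs = @('KB4012214', 'KB4012217') },
    @{ Like = 'Microsoft Windows 7*';              KBs = @('KB4012212', 'KB4012215') },
    @{ Like = 'Microsoft Windows Server 2008 R2*'; KBs = @('KB4012212', 'KB4012215') },
    @{ Like = 'Microsoft Windows XP*';             KBs = @('KB4012598') },   # emergency patch, 13 May 2017
    @{ Like = 'Microsoft Windows Server 2003*';    KBs = @('KB4012598') }
)

function Test-MS17010 {
    # Returns $true if a known MS17-010 KB is installed, $false if none is found,
    # $null if the OS is not in the table above.
    $os = (Get-CimInstance Win32_OperatingSystem).Caption
    $entry = $patchByOs | Where-Object { $os -like $_.Like } | Select-Object -First 1
    if (-not $entry) { Write-Warning "Unknown OS '$os'; check MS17-010 manually."; return $null }
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $entry.KBs | Where-Object { $installed -contains $_ }
    if ($found) { Write-Host "MS17-010 present on $os ($($found -join ', '))"; return $true }
    Write-Warning "None of $($entry.KBs -join ', ') found on $os. Verify via Windows Update before assuming the host is patched."
    return $false
}

function Disable-SMBv1 {
    # Server side: stop this host from answering SMBv1, the protocol EternalBlue targets.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force        # Windows 8 / Server 2012 and later
    } else {
        # Windows 7 / Server 2008 R2: registry switch from KB2696547; takes effect after a reboot.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 8.1 / Server 2012 R2 and later: remove the SMB1 feature entirely (client and server).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSMB {
    # For hosts that cannot be patched right away (for example the Windows XP ATMs mentioned
    # above): refuse inbound SMB so a worm on the same segment cannot reach this machine.
    $name = 'Block inbound SMB (WannaCry mitigation)'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
            -Action Block -Profile Any | Out-Null
    } else {
        # Windows 7 and older have no NetSecurity module; netsh does the same job.
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

$patched = Test-MS17010
Disable-SMBv1
Block-InboundSMB
if ($patched -ne $true) {
    Write-Warning 'Keep this host isolated from untrusted networks until MS17-010 is confirmed installed; reboot to apply the SMBv1 change.'
}
```

Blocking 445 on the host firewall also stops legitimate file sharing to that machine, which is acceptable for an endpoint but needs an exception (or a segment-level rule instead) on file servers; in either case the block is a stop-gap until the patch is in place, not a substitute for it.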