Today a special and quick update on the WannaCry ransomware. At the moment of recording this podcast the number of people affected is estimated at 200,000 across 150 countries. This number is expected to rise, in both people and companies, since this ransomware started its life on Friday 12 May. Just before the weekend…
I will start this podcast with some tips for users and for system administrators; after that I will talk in a little more depth about the ransomware itself.
I would suggest not clicking any link you find in email messages or opening any suspicious-looking files.
Bear in mind that many system administrators were not able to upgrade their machines over the weekend. The first half of Monday will be decisive in showing whether more people and companies are hit by the ransomware. Just be cautious next week and double-check that files or links in email messages are legitimate.
For system administrators
There seem to be three things to do as a sysadmin:
Patch Windows machines: Microsoft released a patch in March under the name MS17-010.
The patch has been released for Windows XP, Vista, Windows 7, 8 and 10.
Turn off the network protocol SMB1 (Server Message Block version 1).
If possible, isolate Windows XP machines on your network.
What could also help is to block Tor exit nodes by adding them to the blocklist on the firewall. Most ransomware gets instructions from a command-and-control server before encrypting your data; if that server cannot be reached, the encryption will not succeed. The IP addresses of exit nodes are easy to find on the web.
Hopefully your company or government has security measures in place that prevent users from running executables; this limits the risk of further damage to the network and company data.
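As an added example (not from the podcast), here is a PowerShell script a sysadmin could run on each Windows host to audit the two points above: whether an MS17-010 update is installed and whether the SMB1 server is still enabled, with an optional switch to turn SMB1 off. It assumes an elevated session; the Get-/Set-SmbServerConfiguration cmdlets exist on Windows 8 / Server 2012 and later, so older builds fall back to the LanmanServer registry value Microsoft documents for disabling SMB1. The KB ids for MS17-010 differ per OS version, so they are passed in rather than hard-coded.

```powershell
# Added example: audit MS17-010 patch state and the SMB1 server setting.
# Assumes an elevated PowerShell session. KB ids are not included here
# because they differ per OS; supply the ones from the MS17-010 bulletin.
param(
    [string[]]$Ms17010Kbs = @(),   # e.g. the KB ids for this OS from MS17-010
    [switch]$Disable               # actually turn SMB1 off, not just report
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older builds: the SMB1 server is on unless the value is explicitly 0
    $v = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for older builds; takes effect after a reboot
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    }
}

# 1. Patch state: is any of the supplied MS17-010 KBs installed?
if ($Ms17010Kbs.Count -gt 0) {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0
    Write-Output ("MS17-010 update installed: {0}" -f $patched)
} else {
    Write-Output "No KB ids supplied; verify MS17-010 manually for this OS."
}

# 2. SMB1 state, and optionally turn it off
$smb1 = Get-Smb1State
Write-Output ("SMB1 server enabled: {0}" -f $smb1)
if ($smb1 -and $Disable) {
    Disable-Smb1
    Write-Output "SMB1 disabled (reboot may be required on older builds)."
}
```

Run it once without -Disable to collect an inventory, then with -Disable on hosts where nothing still depends on SMB1 (old printers and NAS devices are the usual holdouts).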
What is WannaCry?
WannaCry, also known as the Wana Decrypt0r 2.0 ransomware, is probably built on one of the tools stolen from the NSA. These NSA hacking tools are believed to have been stolen and published online, and it is quite possible that a hacker collective used this stolen material to create this attack.
Apparently the code had some sort of kill switch built in. Security researchers from MalwareTech examined the code and found that the malware connected to a seemingly random domain name that was just a string of characters. By registering that domain, which did not exist before, the attack has been stopped, so far.
According to the researchers, if the attackers change the domain in the code and launch another attack, then it is WannaCry all over again.
By registering the domain, it functions as a sinkhole, stopping the initial attack. Those whose computers are affected can either pay the ransom, which I do not recommend, or restore the backup from Thursday or Friday, losing a couple of hours of work.
Monday, when people start working again after the weekend, will be decisive in showing what further developments there are.
Thanks for listening, and check out my channel for more infosec-related news.