Microsoft has just released an emergency security patch update for all its unsupported version of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.
So, if your organization, for some reason, is still running on Windows XP or Vista, you are strongly advised to download and APPLY PATCH NOW!
“The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack,” Microsoft says.
Once infected, WannaCry locks files on the computers and requires victims to pay $300 in Bitcoins to get back the control of their systems, along with a threat to double the price to $600.
But there’s no guarantee of getting your files back even after paying the ransom.
How is WannaCry Spreading?
Such ransomware infection typically leverages social engineering or spam emails as a primary attack vector, tricking users into downloading and executing a malicious attachment.
WannaCry is also leveraging one such social engineering trick, as FoxIT researchers uncovered one variant of the ransomware that is initially distributed via an email containing a link or a PDF file with payload, which if clicked, installs WannaCry on the targeted system.
If the connection to the above-mentioned unregistered domain fails (which is obvious), the dropper proceeds to infect the system with the ransomware that would start encrypting files.
But if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module.
A security researcher, tweeting as MalwareTech, did the same and registered the domain mentioned above, accidentally triggering a “kill switch” that can prevent the spread of the WannaCry ransomware, at least for now.
Malware Tech registered this domain by spending just £10, which makes the connection logic successful.
“In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files,” Microsoft warned.
If infected, the malware scans the entire internal network and spread like a worm into all unpatched Windows computers with the help of SMB vulnerability.
The SMB vulnerability has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.
Demo of WannaCry Ransomware Infection
Meanwhile, Matthew Hickey, a security expert and co-founder of Hacker House, has provided The Hacker News two video demonstrations, showing packet traces that confirm the use of Windows SMB vulnerability (MS17-010).
So Far, Over 114,000 Infections Detected in 99 Countries
WannaCry Ransomware attack has become the largest ransomware infection in history within just a few hours.
- A total of 16 U.K. organizations has been affected by the ongoing attack, including the National Health Service (NHS), which was forced to reject patients, cancel operations, and reschedule appointments due to malware infection.
- WannaCry also targeted Spanish telecom giant Telefónica infecting by some of its computers on an internal network, but did not affect clients or services.
- Other victims of the attack include Portugal Telecom and Russia’s MegaFon.
- Delivery company FedEx was also a victim.
- Users from Japan, Turkey, and the Philippines were also affected.
7 Easy Steps to Protect Yourself
- Keep your system Up-to-date: First of all, if you are using supported, but older versions of Windows operating system, keep your system up to date, or simply upgrade your system to Windows 10.
- Using Unsupported Windows OS? If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.
- Enable Firewall: Enable firewall, and if it is already there, modify your firewall configurations to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.
- Disable SMB: Follow steps described by Microsoft to disable Server Message Block (SMB).
- Keep your Antivirus software up-to-date: Virus definitions have already been updated to protect against this latest threat.
- Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.
- Beware of Phishing: Always be suspicious of uninvited documents sent an email and never click on links inside those documents unless verifying the source.