The internet was recently hit by a piece of malicious software that locked people out of their computers. Already declared a critical threat to cyber-security, India's national Computer Emergency Response Team, CERT-In, has organised a special webcast on the ransomware to inform Indian users about the threat and how to protect themselves from it.
What is WannaCry Ransomware?
The ransomware, known as WannaCry or WanaCrypt0r 2.0, locked up the files on computers across at least two dozen countries and demanded a ransom from users in exchange for access to their own files. The large-scale attack hit NHS hospitals across London, delivery giant FedEx, Spanish telecom firm Telefonica, Japan's Nissan Motor Co, Germany's Deutsche Bahn rail network and many other organisations.
The global cyber-attack exploited a vulnerability in the SMB file-sharing service of Microsoft Windows (the one fixed by the MS17-010 patch), using an exploit that had been stolen from the United States' National Security Agency (NSA) and leaked online before the attack.
How does it affect systems?
The ransomware encrypts the files on the target system, making them inaccessible to the user. To restore access, the malware demands a ransom paid in Bitcoin: initially USD 300, rising to USD 600 once a countdown shown on the screen expires.
Experts say there is no assurance that access will be restored after a payment is made. Moreover, once a system is infected, the ransomware keeps pressing the victim for money against a countdown, threatening to delete the files altogether when the timer runs out.
What does CERT say?
The webcast by CERT-In guides Indian users on how to tackle the ransomware should they face such an attack.
CERT-In says that the malware targets a wide range of file types on a system, such as .rar, .pdf, .mp4, .ppt, .doc, .zip and many more. Once it enters the system, it appends its own extension, .WCRY (or .WNCRY in later variants), to each file it encrypts.
Malware components such as tasksche.exe and mssecsvc.exe are dropped onto the system to carry out the encryption. Once a system is infected, decrypting the files is very difficult, because the private key needed to do so is held only by the attackers.
What happens upon System infection?
If a system gets infected, the malware displays a message on the screen advising the user on how to regain access to their files.
Subsequently, another message pressures the user into paying the ransom by announcing that their antivirus has been removed and their data encrypted.
The malware also drops a ransom note, @Please_Read_Me@.txt, which gives step-by-step instructions to the user in a question-and-answer format. Users are advised not to run any of the dropped files.
How to stay safe from it?
CERT-In has laid down the following protective measures:
For Users:
- First of all, back up all the critical data on your system and keep the backup offline, so that recovery is straightforward if the ransomware strikes.
- Apply the patch that Microsoft released in March 2017 under Security Bulletin MS17-010.
- Out-of-support versions such as Windows XP, Vista and Server 2003 do not receive regular patches (Microsoft did issue an emergency fix for them after the outbreak), so users are advised to upgrade to a supported version.
- Users should also keep the Windows version they are running up to date with its regular patches.
- If a system cannot be patched directly, CERT-In advises isolating it from the network, downloading the patches on another machine onto a CD or USB drive, applying them offline and only then reconnecting the system to the network.
- Maintain an up-to-date anti-virus product from a reputable vendor.
- Enable spam filtering on email.
- DO NOT open attachments or links in unsolicited mails, even from known contacts.
- Disable macros in Microsoft Office products.
- For technical measures, users are advised to visit the CERT-In website.
For Enterprises:
- CERT-In advises enterprises to deploy email authentication such as DKIM (together with SPF and DMARC) to protect against email spoofing.
- Use application whitelisting on critical systems, so that only trusted applications can run.
- Use software restriction policies to prevent the execution of malware.
- Deploy web and email content filters on the enterprise network.
- Scan all emails with a reputable anti-virus solution.
CERT-In says that seven variants of the ransomware have been detected so far. It notes that security tools that can be used to secure systems are freely available on its website, and that a bot-removal tool there can also be used to detect and remove the malware from a system.
What to do if infected?
Follow these steps immediately if your system is infected by the malware:
- Isolate the system from the network immediately. The malware spreads very quickly across the LAN by exploiting the same SMB vulnerability on other unpatched Windows machines.
- DO NOT PAY THE RANSOM. CERT-In strongly advises against it: there is no guarantee whatsoever that the data will be returned, and paying funds the attackers and encourages further attacks.
- Run the cleanup tools listed on the CERT-In website to disinfect the system.
- Preserve the data even if it is encrypted.
- Report the incident to law-enforcement agencies and to CERT-In, by email to incident@cert-in.org.in or on the toll-free number 1800-11-4949.
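As an added example (it is not from the article, from CERT-In or from any cleanup tool), the following Python script performs the first-response triage implied by the steps above: it walks a directory tree read-only, flags the indicators named earlier in the article (files renamed with the .WCRY/.WNCRY extension, the tasksche.exe and mssecsvc.exe droppers, the ransom note) and writes a SHA-256 manifest of the encrypted files so they are preserved as evidence before any cleanup tool is run. The sample directory tree and its contents are constructed inline and contain no real malware; the function names and the manifest format are this example's own assumptions.

```python
"""Added example, not the article's or CERT-In's code: read-only triage of a
directory tree for the WannaCry indicators the article names, plus an
evidence manifest of the encrypted files.  Indicator names come from the
article and public reporting; everything else here is illustrative."""

import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators named in the article and in public reporting on WannaCry.
ENCRYPTED_EXTS = {".wcry", ".wncry", ".wncryt"}
DROPPER_NAMES = {"tasksche.exe", "mssecsvc.exe", "@wanadecryptor@.exe"}
RANSOM_NOTES = {"@please_read_me@.txt"}


def classify(path: Path) -> Optional[str]:
    """Return the indicator type for a path, or None if it matches nothing."""
    name = path.name.lower()
    if name in DROPPER_NAMES:
        return "dropper"
    if name in RANSOM_NOTES:
        return "ransom_note"
    if path.suffix.lower() in ENCRYPTED_EXTS:
        return "encrypted_file"
    return None


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large encrypted files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path) -> Dict[str, List[Path]]:
    """Walk the tree read-only and collect every file that matches an indicator."""
    findings: Dict[str, List[Path]] = {"dropper": [], "ransom_note": [], "encrypted_file": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            kind = classify(p)
            if kind is not None:
                findings[kind].append(p)
    return findings


def write_manifest(findings: Dict[str, List[Path]], manifest_path: Path) -> int:
    """Record hash, size and path of each encrypted file; nothing is moved or deleted."""
    lines = [f"{sha256_file(p)}  {p.stat().st_size}  {p}"
             for p in sorted(findings["encrypted_file"])]
    manifest_path.write_text("\n".join(lines) + "\n")
    return len(lines)


def build_sample_tree(root: Path) -> None:
    """Constructed sample of a user profile after infection (dummy bytes, not real malware)."""
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.WNCRY").write_bytes(b"\x00" * 64)   # encrypted, renamed by the malware
    (docs / "photo.jpg.WNCRY").write_bytes(b"\x01" * 64)
    (docs / "notes.txt").write_bytes(b"still plaintext")      # untouched, must not be flagged
    (docs / "@Please_Read_Me@.txt").write_text("Q: What's wrong with my files?\nA: ...\n")
    windows = root / "Windows"
    windows.mkdir()
    (windows / "tasksche.exe").write_bytes(b"MZ dummy")       # dropper file name, dummy content


def run_demo() -> Dict[str, object]:
    """Build the sample tree, triage it and return a summary (file names only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = triage(root)
        count = write_manifest(findings, root / "evidence_manifest.txt")
        summary: Dict[str, object] = {k: sorted(p.name for p in v) for k, v in findings.items()}
        summary["manifest_entries"] = count
        return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real incident the script would be pointed at the mounted drive of the isolated machine rather than a temporary directory; it never writes to or deletes the files it finds, which is the point of the "preserve the data" step, and the manifest gives law enforcement and the cleanup stage a record of what was encrypted before anything is touched.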