Microsoft Vulnerability makes organizations in the world “WannaCry”

Posted on May 18, 2017

On 12th May 2017, cybercrime hit a new record, with more than 230,000 computers infected across 150 countries within a span of 48 hours. This ransomware cyber attack is a stark reminder of the importance of cyber security in the 21st century.

SO WHAT IS WannaCry?

The WannaCry ransomware, also known as WannaCrypt, WanaCrypt0r 2.0 or Wanna Decryptor, is a ransomware computer worm that primarily targets the Microsoft Windows operating system. It encrypts the data on the system and demands a ransom payment, in the cryptocurrency bitcoin, to decrypt it; bitcoin payments are very hard to trace.

The initial delivery of the ransomware is likely to be through phishing or other simple mechanisms: clicking on a link, or opening an archive or attachment sent by email. Once executed, the malware encrypts the system's data and then attempts to exploit the SMB vulnerability to worm out to other computers on the same network, or to random computers on the Internet. The WannaCry payload is an executable file that displays a message informing users that their data has been encrypted, and demands a payment of around $300 in bitcoin within 72 hours, doubling within 144 hours, after which the data would be permanently lost.
Microsoft had issued a patch nearly two months before the attack, on 14th March 2017, to remove the vulnerability from all supported systems, but many organizations had not yet applied it.

HOW DOES THIS RANSOMWARE WORK?

The ransomware uses exploits such as EternalBlue and DoublePulsar, among many other tools that were apparently leaked from the NSA by the hacker group that goes by the name "The Shadow Brokers" on April 14th 2017. EternalBlue exploits a vulnerability in Microsoft's SMB (Server Message Block) protocol. SMB is designed to enable access to shared directories, files, printers and serial ports, among other resources, within a network and also across the internet.

EternalBlue and DoublePulsar come from the same leaked exploitation framework. DoublePulsar is a persistent backdoor that can be implanted on endpoints to give its operators unauthorized access. It enables a remote attacker to send malware to the target endpoint and execute it without the owner's knowledge or permission. DoublePulsar's ability to open the backdoor and inject arbitrary Dynamic Link Libraries (DLLs) into user-mode processes relies on exploitation of the SMB protocol.

HOW MUCH DAMAGE?

According to wikipedia.org, the attack affected many National Health Service (NHS) hospitals in England and Scotland, and up to 70,000 devices, including computers, MRI scanners, blood-storage refrigerators and theatre equipment. Organizations affected by this ransomware also include the Governments of Kerala, West Bengal and Gujarat, the Andhra Pradesh Police, the Ministry of Internal Affairs of the Russian Federation, Hitachi, Renault and many more.

According to Kaspersky Labs, the four most affected countries were Russia, Ukraine, India and Taiwan.

HOW CAN WE DEFEND OUR ORGANIZATION?

  1. If you are using a supported version of Windows, install the MS17-010 patch and keep your system updated.
  2. Update your anti-virus software, as most vendors have added detection capability for the WannaCry ransomware.
  3. Keep a regular backup of your data and store the backups on an offline device; this way the malware cannot encrypt your backup copies.
  4. If you are a start-up company or a small-scale business owner, consider using a Linux OS, as they are much more secure compared to Windows and easy to use.
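Steps 1 and 2 above are things an administrator can verify from the machine itself. The script below is an added example, not part of the original post, showing how to check both items on a Windows host from an elevated PowerShell session: whether an MS17-010 hotfix is installed, and whether the SMB version 1 server (the protocol version the EternalBlue exploit targets) is still enabled. The KB article number for MS17-010 differs per Windows build and is not given in the post, so the `$Ms17010Kbs` list holds a placeholder that must be replaced with the identifier for your build; `Get-HotFix`, `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration` are standard Windows cmdlets.

```powershell
# Added example (not from the original post): a defender's check for the
# WannaCry hardening steps listed above. Run from an elevated PowerShell session.

# Placeholder: replace with the MS17-010 KB article id(s) for this Windows build,
# taken from the MS17-010 security bulletin.
$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-YOUR-BUILD')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates; HotFixID carries the KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched   = ($found.Count -gt 0)
        MatchedKb = $found
    }
}

function Get-Smb1Status {
    # The SmbShare cmdlets are available on Windows 8 / Server 2012 and later.
    # EnableSMB1Protocol reports whether the SMB1 server is still switched on.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
    }
}

function Disable-Smb1Server {
    # Turns off the SMB1 server component. Removing the SMB1 client and the
    # optional Windows feature entirely requires a reboot, so that is left to
    # the administrator's change process.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$patch = Test-Ms17010Installed -KbIds $Ms17010Kbs
$smb   = Get-Smb1Status

if (-not $patch.Patched) {
    Write-Warning "MS17-010 not found among installed hotfixes; apply the update for this build."
} else {
    Write-Output "MS17-010 present: $($patch.MatchedKb -join ', ')"
}

if ($smb.Smb1ServerEnabled) {
    Write-Warning "SMB1 server is enabled; disabling it removes the attack surface EternalBlue relies on."
    # Uncomment the next line to apply the change on this host:
    # Disable-Smb1Server
} else {
    Write-Output "SMB1 server is already disabled."
}
```

The patch check is deliberately kept separate from the SMB1 check: a host that has MS17-010 applied is no longer vulnerable to EternalBlue, but leaving SMB1 enabled keeps a legacy protocol exposed, so both findings are reported and the remediation call is left commented out for the administrator to apply knowingly.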

Author:

Nived Velayudhan | Technical Consultant | ipsr Solutions Limited

7 thoughts on “Microsoft Vulnerability makes organizations in the world “WannaCry””

  1. Hardik Kharwa says:

    Excellent article!
    I feel more such articles and solutions on simple Do’s and Dont’s should be published for amateur users, as India is going digital . I am sure after this news, people who have just started using email and online transactions would be having second thoughts.
    Great job guys !

  2. Capt. Velayudhan Chirangara says:

    It’s a very good article you posted. When we are struggling to get the depth of this “WannaCry” virus, your blog is an excellent eye opener. Timely knowledge can protect our computers from virus attacks.
    It is time for us to shift from the expensive Microsoft Windows operating system to Linux, which has a low operating cost and stronger virus protection.
    Congratulations on your effort in posting an excellent knowledge sheet.
    👌👌👌

  3. Sruthi says:

    Very informative article, Nived.
    Elaborate and crisp.
    These attacks help focus the minds of chief technology officers across corporations to make sure security protocols are up to date, and you often see bookings growth at cyber security companies as a result.

  4. aby says:

    Nice article, good to know about it.

  5. Akhil Nair says:

    Linux and Mac OS are far better than Windows in such scenarios. Such malware can also enter your device when you install pirated software. This article was quite interesting and informative. Keep up the good work!

  6. Bala Ullattil says:

    Nice, very interesting and well written. Keep up the good work!

  7. Reshma A Raj says:

    Very informative.
    It gives a good overview of WannaCry. Congratulations, Nived sir, on this excellent article.
