WannaCry, the ransomware, is highly prevalent now and has already become a global phenomenon. In just a few days the malware managed to infect over 2 lakh computers throughout the world, affecting several companies and the working of important services. However, till now it has not affected India on a big scale. Union IT minister Ravi Shankar Prasad has reportedly said that the malware has had almost zero impact on India. WannaCry spreads through a leaked NSA (National Security Agency) exploit which targets older versions of the Microsoft Windows OS, including Windows XP, 7 and Server 2008. But if you have Windows 10, you are least likely to be affected now. Interestingly, Microsoft had issued patches for this exact exploit in March 2017. The way WannaCry has spread merely shows that systems are not being regularly updated.
The WanaCrypt0r 2.0 bug basically encrypts data on a computer within seconds and displays a message asking the user to pay a ransom of $300 in Bitcoin to restore access to the device and the data inside. Payment is demanded within three days or the price is doubled, and if none is received within seven days the locked files will be deleted, according to the screen message. F-Secure, a cybersecurity firm, has highlighted the need for a four-phase approach to cybersecurity: Predict, Prevent, Detect and Respond, with detection done by monitoring infrastructure for signs of intrusion or suspicious behaviour. The Finnish company also said that Russia and China were affected the most, and that it could be due to the rampant use of pirated software in those countries. This means India is also at high risk of a big cyber incident in future, if not this time.
India’s CERT-In (Computer Emergency Response Team) has issued a red alert for the malware. Recently, the Maharashtra government has also set up a cyber security helpline to handle queries related to the infection, agencies reported. Many have compared this infection to the well-known Conficker worm, which continues to attack computer systems around the world even today despite the fact that the security flaw it exploits was patched in 2008. But Conficker does no immediate damage and hides so that it can use infected computers as part of a “botnet” to send out spam and fake antivirus software. So it is important that you follow certain steps to tackle such major malware.
Here is a list of Do’s and Don’ts which you should follow to keep your computer safe:
1. You need to immediately install the May Windows Update bundles. Shutting down your system for a few minutes will be worth it, if it enables you to avoid this. If you’re still using Windows XP, you’re out of luck, but the March and April update bundles are available for Windows Vista. Also, Microsoft has released a patch for Windows XP and its server counterpart Windows 2003.
2. In order to prevent the infection, users and organisations should apply relevant patches to Windows systems as mentioned in the Microsoft Security Bulletin MS17-010. The malware has been targeting commonly used office file extensions such as .ppt (PowerPoint), .doc and .docx (Word), .xlsx (Excel), and image file extensions such as .tiff, .raw, among various other common file types for archiving, emails, databases, etc.
3. This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).
4. As part of the best practices to prevent ransomware attacks, users should maintain updated antivirus software, regularly check the integrity of the information stored in databases, not open attachments in unsolicited e-mails, and restrict users’ ability to install and run unwanted software applications, among various other measures.
5. Individuals or organisations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report such instances of fraud to CERT-In and law enforcement agencies.
6. Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
7. CERT-In advisory: Block SMB ports on Enterprise Edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or Disable SMBv1. https://support.microsoft.com/en-us/help/2696547
8. Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of a genuine URL, close the e-mail and go to the organisation’s website directly through the browser.
9. Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
10. USE THESE TOOLS:
1. Tool (NoMoreCry) to prevent WannaCry ransomware by CCN-CERT
2. Sophos: HitmanPro
3. Malwarebytes Anti-Ransomware (formerly CryptoMonitor)
4. Trend Micro Ransomware Screen Unlocker tool
5. Microsoft Enhanced Mitigation Experience Toolkit (EMET)
(with inputs from Microsoft and CERT-In)
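The host-side controls in items 1, 2 and 7 above (MS17-010 applied, SMBv1 disabled, SMB ports blocked) can be audited and applied with a short script. The PowerShell below is an added example, not code from the article, Microsoft or CERT-In. It assumes an elevated session on Windows 8/Server 2012 or later for the Smb* and NetFirewall cmdlets, falls back to the LanmanServer registry value for Windows 7/2008 R2 (the SMBv1 method described in KB2696547), and the KB numbers in $Ms17010Kbs are listed from memory and must be checked against the MS17-010 bulletin for your build. The firewall rules are host-level; the CERT-In advice applies the same ports at edge/perimeter devices.

```powershell
# Added example (not from the article, Microsoft or CERT-In): audit and,
# optionally, remediate the WannaCry-relevant settings on one Windows host.
# Run in an elevated PowerShell.

# MS17-010 security updates by product family. ASSUMPTION: listed from memory;
# verify against the MS17-010 bulletin before relying on this list.
$Ms17010Kbs = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
                'KB4012598',                # Windows XP / Vista / Server 2003 / 8
                'KB4013429')                # Windows 10 1607 / Server 2016

function Test-Ms17010Installed {
    # Get-HotFix lists installed Windows updates by KB id. On Windows 10 a later
    # cumulative update supersedes these, so "not found" is a prompt to check
    # the build, not proof of exposure.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Host "MS17-010 present: $($found -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 KB found; install the March 2017 (or later) update bundle.'
    return $false
}

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Returns $true when the SMBv1 server protocol is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: no Smb cmdlets; read the SMB1 DWORD
    # from KB2696547. A missing value means SMBv1 is enabled by default.
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method from KB2696547; takes effect after a reboot.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-SmbInbound {
    # Host-firewall counterpart of the CERT-In perimeter advice:
    # TCP 139/445 and UDP 137/138 inbound. Idempotent: existing rules are kept.
    $rules = @(
        @{ Name = 'Block inbound SMB TCP 139/445';     Protocol = 'TCP'; Ports = @(139, 445) },
        @{ Name = 'Block inbound NetBIOS UDP 137/138'; Protocol = 'UDP'; Ports = @(137, 138) }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
                -Protocol $r.Protocol -LocalPort $r.Ports -Action Block -Profile Any | Out-Null
        }
    }
}

function Invoke-WannaCryHardening {
    param([switch]$Fix)   # without -Fix the function only reports
    $null = Test-Ms17010Installed
    $smb1 = Get-Smb1State
    Write-Host ("SMBv1 server enabled: {0}" -f $smb1)
    if ($Fix) {
        if ($smb1) { Disable-Smb1 }
        Block-SmbInbound
        Write-Host 'Remediation applied; reboot Windows 7 / 2008 R2 hosts for the SMBv1 change.'
    }
}

Invoke-WannaCryHardening          # audit only
# Invoke-WannaCryHardening -Fix   # audit and remediate
```

Run the audit first and review the output before using -Fix: blocking inbound TCP 445 on a host that serves file shares or is managed over SMB will break those functions, which is why the CERT-In advisory places the port block at the network edge rather than on every workstation. Disabling SMBv1 alone removes the protocol WannaCry's exploit needs while leaving SMBv2/3 file sharing intact.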