A Review: the “WannaCry” Ransomware attack that took place on 12th May, 2017

On 12th May, 2017 a ransomware attack named “WannaCry”, one of the largest ever cyber attacks, was reported. It infected the 19 trusts of the NHS (National Health Service) in the UK, at 19 different locations, and computers in many other countries (including Spain, Russia, the US, India, Ukraine etc.). It was reported that on day 1 itself it infected about 1,26,000 to 2,00,000 machines (as mentioned in different research reports from different countries), and it reached 104 countries on day 2, though it is now slowing down. Analysis of the incident reveals that it was not a targeted attack; rather, it was an anonymous attack sent out as an email attachment with malicious contents, waiting for prospective users to open these emails and attachments, especially on Windows-based machines. Whenever a user in a particular network opens the email attachment, the malicious code is first placed on that machine and the machine becomes infected. The actual damage starts from this point, when the code spreads across the Windows network without Windows authentication.

If we look at the global impact of ransomware attacks in 2016, as per Malwarebytes Labs, about 40% of businesses were impacted by such attacks, of which 30% of victim businesses lost revenue and about 20% had to shut down their functions immediately.

In these attacks, data is encrypted and the extension “.WCRY” is added to the filenames. Many cyber security agencies and experts have started addressing this issue on a war footing. In one such study, Kaspersky Lab indicates that the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) was made available on the internet through the Shadowbrokers dump on April 14th, 2017 and was patched by Microsoft on March 14. Unfortunately, it appears that many organizations have not yet installed the patch.

As of Saturday, no hacker or hacker group had come forward to claim responsibility for the cyber attack. However, as per news agency Reuters, the ransomware, dubbed WannaCry, demanded payments between $300 (around Rs 19,000) and $600 (around Rs 39,000) in bitcoin to unlock data on a single system.

I was a part of the CISO Platform Decision Summit held on 12th & 13th May, 2017, where various experts & cyber security researchers spoke on this issue, and there was consensus that the impact of this attack could have been avoided or reduced, to a significant extent, if the patches provided by vendors & other security agencies had been applied and proper security provisions had been followed & implemented.

The file extensions that the malware targets fall into certain clusters of formats, including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).
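
For responders, the “.WCRY” marker and the extension clusters above can be turned into a quick triage of a file listing exported from a suspect host or share. The following Python script is an added example, not part of the original report or of any vendor tool; the function names, the alert threshold and the sample paths are assumptions constructed for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Extension clusters copied from the article's list.
CLUSTERS = {
    "office": {".ppt", ".doc", ".docx", ".xlsx", ".sxi"},
    "regional_office": {".sxw", ".odt", ".hwp"},
    "archive_media": {".zip", ".rar", ".tar", ".bz2", ".mp4", ".mkv"},
    "email": {".eml", ".msg", ".ost", ".pst", ".edb"},
    "database": {".sql", ".accdb", ".mdb", ".dbf", ".odb", ".myd"},
    "source": {".php", ".java", ".cpp", ".pas", ".asm"},
    "keys_certs": {".key", ".pfx", ".pem", ".p12", ".csr", ".gpg", ".aes"},
    "graphics": {".vsd", ".odg", ".raw", ".nef", ".svg", ".psd"},
    "vm": {".vmx", ".vmdk", ".vdi"},
}
EXT_TO_CLUSTER = {ext: name for name, exts in CLUSTERS.items() for ext in exts}
MARKER = ".wcry"  # extension the article says is added to encrypted files

def classify(path):
    """Return (state, cluster); state is 'encrypted', 'at_risk' or None."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if suffixes and suffixes[-1] == MARKER:
        # The original file type is the extension just before the marker.
        inner = suffixes[-2] if len(suffixes) > 1 else None
        return "encrypted", EXT_TO_CLUSTER.get(inner, "unknown")
    cluster = EXT_TO_CLUSTER.get(suffixes[-1]) if suffixes else None
    return ("at_risk", cluster) if cluster else (None, None)

def triage(paths, threshold=3):
    """Summarise a listing; threshold is an assumed alerting cut-off."""
    encrypted, at_risk, dirs = Counter(), Counter(), Counter()
    for p in paths:
        state, cluster = classify(p)
        if state == "encrypted":
            encrypted[cluster] += 1
            dirs[str(PureWindowsPath(p).parent)] += 1
        elif state == "at_risk":
            at_risk[cluster] += 1  # targeted type, not yet marked
    return {"encrypted": dict(encrypted), "at_risk": dict(at_risk),
            "dirs": dirs.most_common(), "alert": sum(encrypted.values()) >= threshold}

# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\asha\Documents\budget.v2.xlsx.WCRY",
    r"C:\Users\asha\Documents\minutes.docx.WCRY",
    r"C:\Users\asha\Mail\archive.pst.WCRY",
    r"D:\vm\lab.vmdk.WCRY",
    r"C:\Users\asha\Documents\readme.WCRY",
    r"C:\Users\asha\Documents\report.docx",
    r"C:\Users\asha\Documents\notes.txt",
]
```

Running `triage(SAMPLE)` shows which directories hold marked files and which targeted file types are still unmarked, which helps decide what to isolate and what to restore from backup first.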

The WannaCry dropper drops multiple “user manuals” in different languages.

This summary report is prepared based on data from various survey, research & news agencies.
