Security Alert - WannaCry Ransomware
From MyCERT Advisories
MyCERT Alert – WannaCry Ransomware
- MyCERT is aware of the outbreak of a ransomware called WannaCry.
- This ransomware is also referenced online under various names – WCry, WanaCryptor, WannaCrypt or Wana Decryptor.
- Ransomware is a type of malware that infects a computing platform and restricts users’ access until a ransom is paid to unlock it.
- Victims were infected through emails that contain a malicious attachment.
- Once the ransomware has infected a system, the malware scans for and infects other vulnerable systems within the network.
It exploits a vulnerability found in Windows, known as EternalBlue, that Microsoft patched in March (MS17-010). The vulnerability is in the Windows Server Message Block (SMB) service. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Files on an infected computer are encrypted, and the owner is unable to access the files until a ransom of $300 worth of Bitcoin is paid.
- Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.
- Figure 1 shows the ransom note found on an infected computer.
- Figure 2 shows the text file created by the ransomware that explains what has happened and gives instructions on how to pay the ransom.
- WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:
Figure 1: WannaCry ransom note (source: Securelist.com)
Figure 2: A text file dropped by the ransomware (Source: http://www.cyberswachhtakendra.gov.in)
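For incident triage, the .WCRY suffix described above gives responders a simple way to scope the damage on a host or file share. The following is an added example, not part of the MyCERT advisory: it walks a directory tree, lists files carrying the appended suffix together with their original names, and reports the earliest modification time seen as an approximate start of encryption. The function names, sample file names and timestamps are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

SUFFIX = ".wcry"  # extension the advisory says is appended; matched case-insensitively

def find_encrypted(root):
    """Walk root and group files ending in .WCRY by the directory they sit in."""
    findings = defaultdict(lambda: {"files": [], "earliest": None})
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SUFFIX) or len(name) == len(SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            entry = findings[dirpath]
            # The original file name is what remains once the appended suffix is removed.
            entry["files"].append(name[: -len(SUFFIX)])
            if entry["earliest"] is None or mtime < entry["earliest"]:
                entry["earliest"] = mtime
    return dict(findings)

def summarize(findings):
    """Return (total affected files, earliest mtime as UTC ISO string or None)."""
    total = sum(len(e["files"]) for e in findings.values())
    times = [e["earliest"] for e in findings.values()]
    first = datetime.fromtimestamp(min(times), timezone.utc).isoformat() if times else None
    return total, first

def build_sample_tree(root, t0=1494547200):
    """Constructed sample data: empty placeholder files with constructed timestamps."""
    layout = {"docs": ["report.docx.WCRY", "budget.xlsx.wcry", "notes.txt"],
              "pics": ["photo.jpg.WCRY"], "clean": ["readme.md"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for i, name in enumerate(names):
            path = os.path.join(root, sub, name)
            open(path, "w").close()
            os.utime(path, (t0 + i * 60, t0 + i * 60))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = find_encrypted(build_sample_tree(tmp))
        print(summarize(result))
```

Run it against a read-only mount or forensic copy rather than the live system, and treat the timestamp as indicative only, since file times can be altered.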
- Unpatched Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
- Windows 8.1
- Windows Server 2012
- Windows 10
- Windows Server 2012 R2
- Windows Server 2016
- Users of this product are advised to review and patch the vulnerability described in MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Microsoft patches for unsupported versions such as Windows XP, Vista, Server 2003 and Server 2008 are available here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
- Users are advised to take the following preventive measures to protect their computer from ransomware infection:
Generally, MyCERT advises users of this software to stay up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.