WANNACRY : RECENT CASE OF MALWARE ATTACK

       In 2017 May, there was a massive global ransomware attack. The attack infected more than 230,000 computers in 150 countries including India, demanding ransom payments in bitcoin in 28 languages.

What is WannaCry?

• WannaCry is Encrypting Ransomware or Crypto Locker type of ransomware that is programmed to attack Microsoft Windows software..
• Shadow Brokers: People (Hackers) behind these attacks call themselves by this term.

 

Severely affected:

• Britain’s National Health Service (NHS),
• Spain’s Telefónica,
• FedEx (USA)
• Deutsche Bahn
• Several plants of carmakers Renault and Nissan had stopped production in France and England due to the malware,
• The Russian Interior Ministry had reported about 1,000 computers.
• Many Areas in India

What is the Origin of Wannacry attack?

• It is said by Wikileaks that National Security Agency (NSA) of USA had these methods to have monitored over subjects.
• This loophole was recently leaked by WikiLeaks.
• The same vulnerability of Windows Operating system was used by ransomware.
• However, Microsoft had released the security patches for the same earlier.

What does it do the computer?

• Some variants of ransomware encrypt data in such a way that it is impossible to decrypt unless the user has an encryption key. These are called ‘Encrypting Ransomware’ that incorporate advanced encryption methods.
• Another type of ransomware that is frequently circulated is ‘Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. CryptoLocker, like WannaCry, is a malware when injected into a host system, scans the hard drive of the victim and targets specific file extensions and encrypts them.

How does it spread?

• Wannacry encrypts the files on an infected computer.
• It spreads by using a vulnerability in implementations of Server Message Block (SMB) of Windows systems. This exploit is known as ETERNALBLUE.
• It encrypts hard disk/drive and then spread laterally between computers on the same LAN.
• It also spreads through the malicious Email-attachment.

How to remain protected from ransomware?

 

• Regular Data Backup: This helps restore the last saved data and minimise data loss. Ransomware also attacks servers; hence it is important to have a backup on a disconnected hard drive or external device on the pre-defined regular basis.
• Prevention: To prevent infiltration of malware, having password protected tools to identify and filter certain file extensions like “.exe” or “. Zip”, are essential. Emails that appear suspicious should also be filtered at the exchange level. There are also some tools that detect the entry of such malware with features of zero days’ protection which work on threat emulation and threat extraction techniques. Users and businesses also need to ensure that hidden file extension is displayed since it becomes easier to filter them.
• User awareness: Awareness among users needs to be created to avoid opening the unsolicited attachment. Malware is typically designed to mimic identities of people that users interact with on a regular basis either on a personal or professional level.
• Rules in IPS: It’s necessary to create rules in the Intrusion Prevention Software (IPS) to discard or disallow the opening of files with extension “.exe” from local App data folders or AppData.
• Regular patch and upgrades: To prevent leaks or vulnerabilities in software, ensure to regularly update the software versions and apply patches released by the vendor. These patches and version are often released to wrestle with known or newly discovered exploits and can prevent known signatures of these malware, Trojans or ransomware to enter the system.
• Install and run anti-malware and firewall software. When selecting software, choose a program that offers tools for detecting, quarantining, and removing multiple types of malware.
• The combination of anti-malware software and a firewall will ensure that all incoming and existing data gets scanned for malware and that malware can be safely removed once detected.
• Keep software and operating systems up to date with current vulnerability patches. These patches are often released to patch bugs or other security flaws that could be exploited by attackers.
• Be vigilant when downloading files, programs, attachments, etc. Downloads that seem strange or are from an unfamiliar source often contain malware.

Some Initiatives by Government of India:

• National Cyber Security Policy 2013: Indian Government already have a National Cyber Security Policy in place. The National Cyber Security Policy document outlines a roadmap to create a framework for comprehensive, collaborative and collective response to deal with the issue of cyber security at all levels within the country.
• Computer Emergency Response Team (CERT-In) has been designated to act as a nodal agency for coordination of crisis management efforts. CERT-In will also act as an umbrella organisation for coordination actions and operationalization of sectoral CERTs. CERT-in will also issue early warnings.
• Cyber Swachhta Kendra: The “Cyber Swachhta Kendra” is a Botnet Cleaning and Malware Analysis Centre (BCMAC), operated by the Indian Computer Emergency Response Team (CERT-In) as part of the Government of India’s Digital India initiative under the Ministry of Electronics and Information Technology (MeitY). Its goal is to create a secure cyberspace by detecting botnet infections in India and to notify, enable cleaning and securing systems of end users so as to prevent further infections.