So that is pretty much what this ransomware is: it exploits a vulnerability in the Windows SMBv1 file-sharing service, encrypts all your files and data, leaving your computer practically unusable, and then demands a hefty ransom to decrypt your files and make the computer usable again.
Over 2 million systems around the world are reported to be affected by it, about 5% of them in India alone.
The Indian government is doing everything it can to contain this attack. The Ministry of Electronics and Information Technology organised a live session this morning on awareness and prevention of this malware, and has also mass-mailed Indian citizens about it.
HOW TO MAKE MYSELF SECURE?
This is the first question that comes to mind right now, so here is how you can do that:
Windows update MS17-010
WannaCry spreads using the EternalBlue exploit against SMBv1, which Microsoft fixed in security bulletin MS17-010, released in March 2017. Check in Windows Update (Installed Updates) whether the update is present, by KB number: on Windows 7 / Server 2008 R2 it is KB4012212 (security-only) or KB4012215 (monthly rollup). Later monthly rollups include the fix as well, so a newer rollup also counts.
If the update is not installed, download it from the official Microsoft page:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
For systems that are out of support (Windows XP, Windows 8 and Windows Server 2003, including R2), Microsoft released special patches:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Block ports 135 and 445
To stop the worm from reaching the vulnerable service, block inbound TCP 445 (SMB, the port EternalBlue targets) and TCP 135 (the RPC endpoint mapper). Most home users do not need either port open; be aware that blocking 445 also stops this machine from serving its own file and printer shares.
To do this, open a console with administrator rights (cmd.exe -> Run as administrator) and run the two commands below in turn (each should print Ok.):
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"
Disabling SMBv1 support
The vulnerability can also be closed by disabling SMBv1 support entirely, since the exploit only works against SMBv1. Run this command in cmd (Run as administrator) and reboot afterwards. Note that the SMB1Protocol feature exists on Windows 8 / Server 2012 and later; on Windows 7 / Server 2008 R2 there is no such feature and SMBv1 is turned off instead by setting the SMB1 value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 (Microsoft KB2696547).
dism /online /norestart /disable-feature /featurename:SMB1Protocol
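The three steps above (check for MS17-010, block inbound TCP 135/445, disable SMBv1) as one elevated PowerShell script. This is an added example, not a script from the original post. It assumes the KB numbers listed in the comments are the March 2017 MS17-010 packages for those Windows versions (verify them against the bulletin page), and that later cumulative updates supersede them, so a missing KB means "check further", not "unpatched". On Windows 7 / 2008 R2 it falls back to the same netsh and registry methods described above.

```powershell
# Added example (not from the original post): apply the MS17-010 / SMB hardening
# steps above from an elevated PowerShell session.
# ASSUMPTION: KB IDs below are the MS17-010 packages for the listed versions;
# newer monthly rollups supersede them, so "not found" means "verify", not "unpatched".
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (administrator) PowerShell' }

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Returns the IDs of any MS17-010 packages Get-HotFix can see (empty = none found).
    Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
}

function Block-SmbInbound {
    # Same effect as the two netsh lines above; idempotent so it can be re-run.
    # Caveat: blocking 445 also stops this host from serving file/printer shares.
    foreach ($port in 135, 445) {
        $name = "Block_TCP-$port"
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                    -LocalPort $port -Action Block -Profile Any | Out-Null
            }
        } else {
            # Windows 7 / 2008 R2 have no NetSecurity module; fall back to netsh.
            netsh advfirewall firewall add rule dir=in action=block protocol=TCP `
                localport=$port name=$name | Out-Null
        }
        Write-Output "Inbound TCP $port blocked by rule '$name'"
    }
}

function Disable-Smb1 {
    # Windows 8 / 2012 and later ship SMB1 as an optional feature and expose
    # Set-SmbServerConfiguration; Windows 7 / 2008 R2 only have the registry switch
    # documented in Microsoft KB2696547.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -ne 'Disabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Output 'SMBv1 disabled (reboot to complete)'
}

$found = @(Test-Ms17010Installed)
if ($found.Count -gt 0) {
    Write-Output "MS17-010 present: $($found -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB found: install it from the bulletin page, or confirm a newer rollup supersedes it'
}
Block-SmbInbound
Disable-Smb1
```

Run it once per host; the firewall and SMBv1 changes are safe to repeat, and the script only reports on the patch state rather than installing anything, since the right package depends on the exact Windows build.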
Stay smart
Apart from these technical measures, I also recommend that you search and surf safely: for the time being, do not browse or download from untrusted websites, torrents and the like, and if possible avoid using Windows for now. Dual-boot a free Linux distribution and you will not have to worry about this worm.
Please do not open any email attachment named tasksche.exe; better still, do not download any email attachments at all for the time being.
WHAT TO DO IF I AM ALREADY INFECTED?
Well, that is definitely bad news, but there are some important measures you have to take.
If you find yourself infected, do these without wasting time:
Immediately isolate the system from the network (unplug the cable, switch off Wi-Fi) so the worm cannot reach other machines.
Preserve the data even if it is encrypted: before cleaning up, back up all your data (ideally a full disk image) to an external HDD, because a decryption method may be found in the coming days and you would then be able to recover your files.
Only after that, run the cleanup tool from your antivirus vendor and remove the malware from the computer.
If you are in India, report the incident to CERT-In and your local law enforcement agency.
Send the report to incident@cert-in.org.in
INDICATORS OF COMPROMISE
The ransomware writes itself into a folder with a random name under 'ProgramData' with the file name "tasksche.exe", or into 'C:\Windows\' with the file names "mssecsvc.exe" and "tasksche.exe".
It grants everyone full access to the files in its working folder with the command:
Icacls . /grant Everyone:F /T /C /Q
It uses a batch script for its operations, seen with names such as:
176641494574290.bat
Use your endpoint protection / antivirus solution to detect these files and remove them.
FOR CYBER SECURITY RESEARCHERS
MD5 hashes of known WannaCry samples:
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240
Network Connections
The malware uses Tor hidden services for command and control. The .onion addresses embedded in it are:
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
- sqjolphimrr7jqw6.onion
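A hunting script that turns the file-system indicators, the MD5 list and the .onion list above into checks you can run on a Windows host (PowerShell 4 or later, for Get-FileHash). This is an added example, not from the original post. The hashes and domains are copied from the lists above; the service name mssecsvc2.0 comes from public analysis of the worm component and is not mentioned in the post; the proxy log lines are constructed for the example, so point Find-OnionContacts at your own proxy or DNS export.

```powershell
# Added example (not from the original post): hunt for the WannaCry indicators
# listed above on a Windows host and in a proxy log. Needs PowerShell 4+ (Get-FileHash).
# ASSUMPTIONS: service name 'mssecsvc2.0' is from public analysis, not the post;
# $SampleLog below is constructed, not real traffic.

$KnownMd5 = @(   # MD5 list from the post
    '5bef35496fcbdbe841c82f4d1ab8b7c2', '775a0631fb8229b2aa3d7621427085ad',
    '7bf2b57f2a205768755c07f238fb32cc', '7f7ccaa16fb15eb1c7399d422f8363e8',
    '8495400f199ac77853c53b5a3f278f3e', '84c82835a5d21bbcf75a61706d8ab549',
    '86721e64ffbd69aa6944b9672bcabb6d', '8dd63adb68ef053e044a5a2f46e0d2cd',
    'b0ad5902366f860f85b892867e5b1e87', 'd6114ba5f10ad67a4131ab72531f02da',
    'db349b97c37d22f5ea1d1841e3c89eb4', 'e372d07207b4da75b3434584cd9f3450',
    'f529f4556a5126bba499c26d67892240'
)
$OnionDomains = @(   # C2 hidden services from the post
    'gx7ekbenv2riucmf.onion', '57g7spgrzlojinas.onion', 'xxlvbrloxvriy2c5.onion',
    '76jdd2ir2embyv47.onion', 'cwwnhwhlz52maqm7.onion', 'sqjolphimrr7jqw6.onion'
)

function Find-WannaCryFiles {
    # File locations from the post: a random-named folder under ProgramData holding
    # tasksche.exe (plus its .bat helper), and mssecsvc.exe / tasksche.exe in C:\Windows.
    $paths = @(
        "$env:ProgramData\*\tasksche.exe",
        "$env:ProgramData\*\*.bat",
        "$env:SystemRoot\mssecsvc.exe",
        "$env:SystemRoot\tasksche.exe"
    )
    foreach ($f in Get-ChildItem -Path $paths -File -ErrorAction SilentlyContinue) {
        $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash.ToLower()
        [pscustomobject]@{
            Path        = $f.FullName
            MD5         = $md5
            KnownSample = ($KnownMd5 -contains $md5)   # hash match = confirmed sample
        }
    }
}

function Find-WannaCryService {
    # Not in the post: the worm component registers itself as service 'mssecsvc2.0'.
    Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue
}

function Find-OnionContacts {
    # Any line of a proxy/DNS export that names one of the embedded C2 hidden services.
    param([string[]]$Lines)
    $pattern = ($OnionDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $Lines | Select-String -Pattern $pattern   # case-insensitive by default
}

# Constructed proxy log lines for the example (not real traffic).
$SampleLog = @(
    '2017-05-13T09:12:01 10.0.0.21 CONNECT gx7ekbenv2riucmf.onion:443 DENIED',
    '2017-05-13T09:12:03 10.0.0.21 GET http://www.cert-in.org.in/ 200',
    '2017-05-13T09:12:05 10.0.0.37 CONNECT 57G7SPGRZLOJINAS.ONION:9001 DENIED'
)

$hits = @(Find-WannaCryFiles)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No WannaCry file indicators found' }
if (Find-WannaCryService) { Write-Warning 'Service mssecsvc2.0 is present' }
$net = @(Find-OnionContacts -Lines $SampleLog)
if ($net.Count -gt 0) {
    Write-Warning "Tor C2 contacts in log: $($net.Count) line(s)"
    $net | ForEach-Object { $_.Line }
}
```

A file in the right place whose hash is not in the list is still worth a look (KnownSample is false for new builds of the same malware); treat a path match as a lead and a hash match as confirmation. The constructed log deliberately contains an upper-case .onion name to show that the match is case-insensitive.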
IMPORTANT LINKS AND CONTACTS
http://www.cert-in.org.in
http://www.cyberswachhtakendra.gov.in/alerts/wannacry_ransomware.html