So that is pretty much what this ransomware is: it exploits a vulnerability in Windows, encrypts all your files and data so that the computer becomes completely unusable, and then demands a handsome ransom to decrypt your files and make the computer usable again.
Over 2 million systems around the world are already affected by it, and about 5% of those are in India alone.
The Indian government is doing everything it can to contain this attack. The Ministry of Electronics and Information Technology organized a live session this morning on awareness and prevention of this virus, and it has even mass-mailed Indian citizens about it.
HOW TO MAKE MYSELF SECURE?
This is the first question that comes to mind right now, so here is how you can do that:
Windows update MS17-010
The virus uses the EternalBlue exploit, which is closed by the Microsoft security update MS17-010 released in March. I recommend that you check Windows Update for the presence of this update by its KB code on your computer (for example, the code for Windows 7 is KB4012212 or KB4012215).
If the updates are not installed, you can download them from the official Microsoft website:
For older systems (Windows XP, Windows Server 2003 R2), Microsoft released special patches:
Close ports 135 and 445
To prevent penetration, block TCP ports 135 and 445, through which the virus enters (in most cases they are not used by ordinary users).
To do this, open a console with administrator rights (cmd.exe -> Run as administrator) and execute the following two commands one after the other (each command should return the status OK).
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"
Disabling SMBv1 support
The vulnerability can also be closed by disabling SMBv1 support completely. Run this command in cmd (Run as administrator):
dism /online /norestart /disable-feature /featurename:SMB1Protocol
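To verify that the three steps above actually took effect on a machine, here is an added PowerShell audit script; it is not part of the original post. It assumes Windows 8 / Server 2012 or later (for Get-WindowsOptionalFeature and the NetSecurity cmdlets), an elevated prompt, and the Windows 7 KB numbers named above (other Windows versions carry different KB IDs for MS17-010).

```powershell
# Added audit script, not from the original post. Run as Administrator on
# Windows 8 / Server 2012 or later. Adjust $kbIds for other Windows versions;
# KB4012212 / KB4012215 are the Windows 7 IDs the post gives for MS17-010.
$kbIds = @('KB4012212', 'KB4012215')

# 1. Is MS17-010 installed? Get-HotFix errors on a missing ID, so silence it.
$installedKb = Get-HotFix -Id $kbIds -ErrorAction SilentlyContinue
if ($installedKb) {
    "[OK]   MS17-010 present: " + (($installedKb | ForEach-Object HotFixID) -join ', ')
} else {
    "[WARN] None of $($kbIds -join '/') found; install MS17-010"
}

# 2. Are inbound TCP/135 and TCP/445 blocked? Looks for the rule names the
#    post's netsh commands create (netsh name= becomes DisplayName).
foreach ($port in 135, 445) {
    $rule = Get-NetFirewallRule -DisplayName "Block_TCP-$port" -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' -and $_.Direction -eq 'Inbound' }
    if ($rule) { "[OK]   Inbound TCP/$port is blocked by rule '$($rule.DisplayName)'" }
    else       { "[WARN] No enabled inbound block rule named Block_TCP-$port for TCP/$port" }
}

# 3. Is the SMBv1 feature disabled? This is what the dism command above turns off.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1.State -eq 'Disabled') {
    "[OK]   SMB1Protocol feature is disabled"
} else {
    "[WARN] SMB1Protocol feature state is '$($smb1.State)'; disable it"
}
```

A rule with a different name that still blocks the port will show as WARN here, so treat the firewall check as a check for the post's exact rules, not a complete port audit.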
Apart from these technical measures, I additionally recommend that you search safe and surf safe: for the time being, do not browse or download from untrusted websites, torrents, etc., and if possible avoid using Windows for now. Dual boot a free Linux distro and you will not have to worry about any of this.
Please do not open any email that has an attachment named tasksche.exe, or rather, do not download any email attachments at all for the time being.
WHAT TO DO IF I AM ALREADY INFECTED?
Well, that is definitely bad news, but there are some important measures you have to take.
If you find yourself infected, do these without wasting time:
Immediately isolate the system from the network.
Run cleanup tools and clean the virus off your computer. Download here
Preserve the data even if it is encrypted:
before cleaning up, back up all your data to an external HDD,
because a cure for this may be discovered in a few days, and you will then be able to recover your data.
If you are in India, report the incident to CERT-In and your local law enforcement agency.
Send the Report to firstname.lastname@example.org
INDICATORS OF COMPROMISE
The ransomware writes itself into a folder with a random name inside the 'ProgramData' folder, with the file name "tasksche.exe", or into the 'C:\Windows\' folder with the file names "mssecsvc.exe" and "tasksche.exe".
The ransomware grants full access to all files by using the command:
Icacls . /grant Everyone:F /T /C /Q
Using a batch script for operations:
Use endpoint protection/antivirus solutions to detect these files and remove them.
FOR CYBER SECURITY RESEARCHERS
Hashes for Wannacry:
The malware uses TOR hidden services for command and control. The list of .onion domains found inside it is as follows:
IMPORTANT LINKS AND CONTACTS