Thursday 18 May 2017

Cybersecurity Awareness: 21 Best Practices To Forestall ‘’WannaCry’’ Ransomware, Cyberattacks

Introduction: A unique strain of ransomware known as ‘’WannaCry’’or ‘’Wanna DeCryptor’’, ‘’wcry’’, infected more than 300,000 vulnerable systems globally, across 150 countries since Friday, 12 May, 2017.  WannaCry installs Doublepulsar - a backdoor that allows the device to be remotely controlled. The malware freezes the infected device, pops up a red screen with the message, "Oops, your files have been encrypted!" It goes ahead to demand ransom payment in Bitcoin (equivalent to $300-$600) before subsequently destroying the encrypted files if payment is not made. To offer an insight on the consequences of the WannaCry ransomware attack, the Chinese state media says about 29,372 institutions was infected along with hundreds of thousands of devices. In Japan, 2,000 computers at 600 locations were reportedly affected. The ‘’WannaCry’’ransomware attack also denied access to confidential patient information, stalled x-rays, surgeries and other critical healthcare services in at least 47 hospitals under the auspices of the United Kingdom’s National Health Service (NHS). The list goes on. Envisage a Stuxnet cyberattack on a vulnerable nuclear warhead or submarine. Tragedy!
What Is A Ransomware?

Ransomware is coined from the age-old word- ransom - money demanded for the return of a captured person or something valuable. Ransomware is a malicious software remotely deployed by cybercriminals or cyber-extortionists to encrypt, or hold valuable digital information ‘hostage’ until a ransom is paid.

Who Was Responsible For WannaCry Ransomware?

Ransomware, cybersattacks could be propagated by Nation States (cyberwarfare, cyberterrorism), or by cybercriminals who render ‘ransomware-as-a-service’ (RaaS) - offering tools or charging clients a fee to help them disseminate ransomware. Preliminary technical clues, coding similarities connects the WannaCry ransomware cyberattack to the Lazarus Hacking Group, a North Korean cyber outfit previously blamed for the cyberattack, theft of $81 million from a Bangladesh bank in 2016 and on Polish banks in February 2017. It is widely accepted that masterminds of ‘’WannaCry’’ ransomware exploited the ‘Eternal Blue Hacking Weapon’ created by the United States’ National Security Agency (NSA) which was stolen and dumped online by the ‘’Shadow Broker’’ hacking group to gain access to systems powered by Microsoft Windows.

Why Ransomware And Cyberattacks Will Persist

The proliferation of ransomware, cyberattacks is not surprising to tech-savvy minds because a Kaspersky Lab’s IT Threat Evolution Q1 2016 report envisioned ransomware emerging as the biggest cybersecurity threat. Similarly, the United States Securities and Exchange Commission (SEC) warned in 2016 that the biggest risk the financial system faces is cybersecurity. A cybersecurity special report suggests that ransomware will worsen due to the increasing penetration and inherent vulnerabilities in Internet of Things (IoT), medical devices, web cameras, IP Phones, Internet Protocol (IP) CCTV Cameras, DVRs, SmartHouses or SmartCities, wearables such as SmartWatches, public Wi-Fi, and proliferation of mobile Apps with malicious codes, amongst others. The good news is that there are ways around ransomware, cyberattacks. As we know, prevention is better and cheaper than cure. We discuss prevention best practices afterwards.

Modus Operandi of WannaCry Ransomware

Attackers can distribute ransomware via email attachments, exploit kits, botnets. The WannaCry ransomware attack essentially employs a notorious vulnerability in Microsoft Windows operating system to spread and infect machines. Ransomware encrypts the following file types: .doc, .docx, .docb, .docm, .dot, .dotm, .dotx, .xls, .xlsx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .ppt, .pptx, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .pst, .ost, .msg, .eml, .edb, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .jpeg, .jpg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Solution To Ransomware, Cyberattacks

F-Secure, a Finnish cyber security and privacy company based in Helsinki, Finland, recommends the need for a four-phase approach to cybersecurity: Predict, Prevent, Detect, and Respond. Predict by performing an exposure analysis; prevent by deploying a defensive solution to reduce the attack surface; respond by determining how a breach happened and what impact it had on systems; and detect by monitoring infrastructure for signs of intrusion or suspicious behaviour. Let’s further elaborate how to prevent ransomware, cyberattacks.

22 Ransomware, Cyberattack Prevention Best Practices
1.     Key rule of thumb is to ensure that very important files or documents are backed up on a regular basis. Backups are useful only if they're created prior to a ransomware attack. Dedicated backup software such as Acronis's True Image supports data recovery onto different hardware. Preferably, backups should be spread in such a way that the failure of any single point won’t lead to the irreversible loss of data. It is advisable to store one copy in the cloud or employ Microsoft’s OneDrive, Dropbox storage facilities, and the other on offline physical storage gadgets such as a portable Hard Disk Drive (HDD). Ensure data access privileges and read/write permissions are set, so that the files cannot be modified or erased and also to check the integrity of your backup copies once in a while.
2.     Ensure your Windows operating system is updated with Microsoft’s latest Security Bulletin MS017-010: Security Update for Microsoft Windows SMB Server (4013389) released in March 2017. Devices that were updated with the patch would have been automatically protected from WannaCry ramsomware but it is probable that many organizations, individuals may not have updated their systems or installed the update. Systems with older versions of Windows XP that no longer have mainstream support should refer to Microsoft's blog for details of emergency security patches released in response to WannaCry.
3.     Keep Microsoft Windows Firewall turned on and properly configured at all times and enhance your protection more by setting up additional Firewall protection. Disabling Windows Script Host could be an efficient preventive measure, as well.
4.      Consider disabling Windows PowerShell, which is a task automation framework. Keep it enabled only if absolutely necessary.
5.      Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.). In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC. To ward off a strain of ransomware known as Cerber, disable Macros in your Microsoft Office programs.
6.     Make sure your antivirus, browsers, Adobe Flash Player, Java, and other system software or Applications are up-to-date. Fine-tune your security software to scan compressed or archived files, if this feature is available.
7.     Ensure you install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
8.     Should a suspicious process be detected on your computer or device, promptly turn off the Internet connection. This is particularly efficient during the early stage of a cyberattack because the ransomware won’t get the chance to launch a connection with its remote Command and Control server and thus cannot complete the encryption process.
9.     Personalize your anti-spam settings the right way: Most ransomware strains are known to spread via eye-catching emails that contain contagious attachments. It is advisable to configure a webmail server to block dubious attachments with extensions like .exe, .vbs, or .scr.
10.                        Desist from opening suspicious looking attachments: This doesn’t only apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a financial institution.
11.                        Be very heedful before clicking on links: Dangerous hyperlinks, especially shortened urls can be received via email, social media or instant messengers, and the senders are likely to be people you trust, including your friends or colleagues. For this attack to be deployed, cybercriminals compromise their accounts and submit bad links to as many people as possible.
12.                        The Show File Extensions feature can thwart ransomware plagues, as well. This is a native Windows functionality that allows you to easily tell what types of files are being opened, so that you can keep clear of potentially harmful files. Cybercriminals may also utilize a confusing technique where one file can be assigned a couple of extensions. For instance, an executable may appear like an image file and have a .gif extension. In some cases, files look like they have two extensions – e.g., cute-dog.avi.exe ortable.xlsx.scr – so be sure to pay attention to tricks of this sort. A standalone known attack vector is through malicious macros enabled in MS Word documents.
13.                        Consider disabling the vssaexe functionality in your system. This functionality built into Windows to administer Volume Shadow Copy Service is normally a handy tool that can be used for restoring previous versions of arbitrary files. In the framework of rapidly evolving file-encrypting malware, though, vssadmin.exe has turned into a problem rather than a favorable service. If it is disabled on a computer at the time of a compromise, ransomware will fail to use it for obliterating the shadow volume snapshots. This means you can use VSS to restore the blatantly encrypted files afterwards.
14.                        Use two-factor authentication and strong passwords that cannot be brute-forced by remote criminals. Set unique passwords for different accounts to reduce the potential risk.
15.                         Deactivate AutoPlay in your system. This way, harmful processes won’t be automatically launched from external media, such as USB memory sticks or other drives.
16.                         You may have to disable file sharing. By so doing, the ransomware infection will be restricted only to the infected system.
17.                         Consider restricting remote services. Otherwise, the threat could rapidly propagate across the enterprise network, thus calling forth serious security issues for the business environment if your computer is a part it. For example, the Remote Desktop Protocol can be leveraged by the black hat hackers to expand the attack surface.
18.                         Switch off unused wireless connections, such as Bluetooth or infrared ports. Cybercriminals can surreptitiously exploit a Bluetooth to launch a cyberattack or compromise a computer, a mobile device.
19.                        Turn off Wi-Fi when not in use: It is known that hackers can launch a cyberattack on a computer system, a mobile device through vulnerable, unsecure Wi-Fi networks. Use very strong passwords to protect your Wi-Fi. Beware of using public Wi-Fi’s.
20.                         Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system. The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp and Windows\SysWow.
21.                         Tor (The Onion Router) Internet Protocol (IP) addresses or gateways are usually the preferred route for ransomware to communicate with their Command and Control servers. Hence, blockading such IP addresses may impede a malicious malware from infiltrating.
22.                         Deploy an Intrusion detection system (IDS), such as AlienVault Unified Security Management (USM) which includes an inbuilt IDS with SIEM and real-time threat intelligence monitoring to help you swiftly detect malware and other threats in your network.


It is encouraging that Nigeria’s National Information Technology Development Agency (NITDA) has asked Nigerians to contact its Computer Emergency Readiness and Response Team (CERRT) for assistance regarding ransomware, cyberattack. CERT can be reached via telephone on +2348023275039 or e-mail: Given the proliferation of ransomware, cyberattacks and given the fact that cybersecurity is constantly evolving; it is incumbent on the Nigerian government and relevant agencies to formulate and implement an up-to-date national cybersecurity policy that is fit for purpose. Ongoing public awareness on cybersecurity issues and best practices will be of help.

Written by:
© Don Okereke
(Security Junkie/Analyst/Consultant, Writer)
CEO Holistic Security Background Checks Limited
Follow me on Twitter: @donokereke

No comments: