Introduction: A unique strain of ransomware known as
‘’WannaCry’’or ‘’Wanna DeCryptor’’, ‘’wcry’’, infected
more than 300,000 vulnerable systems globally, across 150 countries since
Friday, 12 May, 2017. WannaCry installs Doublepulsar - a backdoor that allows the device
to be remotely controlled. The malware freezes the infected device, pops up a
red screen with the message, "Oops, your files have been encrypted!"
It goes ahead to demand ransom payment in Bitcoin (equivalent to $300-$600)
before subsequently destroying the encrypted files if payment is not made. To
offer an insight on the consequences of the WannaCry ransomware attack, the Chinese state media says about 29,372 institutions was
infected along with hundreds of thousands of devices. In Japan, 2,000 computers
at 600 locations were reportedly affected. The ‘’WannaCry’’ransomware
attack also denied access to confidential patient information, stalled x-rays,
surgeries and other critical healthcare services in at least 47 hospitals under
the auspices of the United Kingdom’s National Health
Service (NHS). The list goes on. Envisage a Stuxnet cyberattack on a vulnerable
nuclear warhead or submarine. Tragedy!
What Is A Ransomware?
Ransomware
is coined from the age-old word- ransom - money demanded for the return of a
captured person or something valuable. Ransomware is a malicious software remotely
deployed by cybercriminals or cyber-extortionists to encrypt, or hold valuable
digital information ‘hostage’ until a ransom is paid.
Who Was Responsible For
WannaCry Ransomware?
Ransomware,
cybersattacks could be propagated by Nation States (cyberwarfare,
cyberterrorism), or by cybercriminals who render
‘ransomware-as-a-service’ (RaaS) - offering tools or charging clients a fee to
help them disseminate ransomware. Preliminary technical
clues, coding similarities connects the WannaCry
ransomware cyberattack to the Lazarus Hacking Group, a North Korean cyber
outfit previously blamed for the cyberattack, theft of $81 million from a
Bangladesh bank in 2016 and on Polish banks in February 2017. It is widely accepted that masterminds of ‘’WannaCry’’ ransomware exploited the
‘Eternal Blue Hacking Weapon’ created by the United States’ National Security
Agency (NSA) which was stolen and dumped online by the ‘’Shadow Broker’’ hacking
group to gain access to systems powered by Microsoft Windows.
Why Ransomware And Cyberattacks Will
Persist
The
proliferation of ransomware, cyberattacks is not surprising to tech-savvy minds
because a Kaspersky Lab’s IT Threat Evolution Q1 2016
report envisioned ransomware emerging as the biggest cybersecurity
threat. Similarly, the United States Securities and Exchange Commission (SEC) warned in 2016 that the biggest risk the financial system faces is
cybersecurity. A cybersecurity
special report suggests that ransomware will
worsen due to the increasing penetration and inherent vulnerabilities in
Internet of Things (IoT), medical devices, web cameras, IP Phones, Internet
Protocol (IP) CCTV Cameras, DVRs, SmartHouses or SmartCities, wearables such as
SmartWatches, public Wi-Fi, and proliferation of mobile Apps with
malicious codes, amongst others. The good news is
that there are ways around ransomware, cyberattacks. As we know, prevention is
better and cheaper than cure. We discuss prevention best practices afterwards.
Modus Operandi of WannaCry Ransomware
Attackers
can
distribute ransomware via email attachments, exploit kits, botnets. The WannaCry ransomware attack essentially employs a notorious
vulnerability in Microsoft Windows operating system to spread and infect
machines. Ransomware encrypts the following
file types: .doc, .docx, .docb, .docm, .dot, .dotm, .dotx, .xls, .xlsx, .xlsm,
.xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .ppt, .pptx, .pptm, .pot, .pps,
.ppsm, .ppsx, .ppam, .potx, .potm, .pst, .ost, .msg, .eml, .edb, .vsd, .vsdx,
.txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .hwp, .602,
.sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ,
.bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .jpeg,
.jpg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu,
.m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg,
.vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp,
.php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js,
.asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm,
.odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay,
.mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc,
.sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12,
.csr, .crt, .key, .pfx, .der
Solution To Ransomware,
Cyberattacks
F-Secure, a Finnish cyber security and privacy company based in
Helsinki, Finland, recommends the need for a four-phase approach to
cybersecurity: Predict, Prevent, Detect,
and Respond. Predict by performing an exposure analysis; prevent by
deploying a defensive solution to reduce the attack surface; respond by
determining how a breach happened and what impact it had on systems; and detect
by monitoring infrastructure for signs of intrusion or suspicious behaviour.
Let’s further elaborate how to prevent ransomware, cyberattacks.
22 Ransomware, Cyberattack Prevention Best
Practices
1.
Key rule of thumb is to ensure
that very important files or documents are backed up on a regular basis.
Backups are useful only if they're created prior to a ransomware
attack. Dedicated backup software such as Acronis's True Image supports data
recovery onto different hardware. Preferably, backups should be spread in such
a way that the failure of any single point won’t lead to the irreversible loss
of data. It is advisable to store one copy in the cloud or employ Microsoft’s
OneDrive, Dropbox storage facilities, and the other on offline physical storage
gadgets such as a portable Hard Disk Drive (HDD). Ensure data access privileges
and read/write permissions are set, so that the files cannot be modified or
erased and also to check the integrity of your backup copies once in a while.
2. Ensure
your Windows operating system is updated with Microsoft’s
latest Security Bulletin MS017-010: Security Update for Microsoft Windows SMB
Server (4013389) released in March 2017. Devices that were updated with the
patch would have been automatically protected from WannaCry ramsomware but it
is probable that many organizations, individuals may not have updated their systems
or installed the update. Systems with older
versions of Windows XP that no longer have mainstream support should refer to
Microsoft's blog for details of emergency security patches released in response
to WannaCry.
3. Keep Microsoft Windows Firewall turned on and properly configured
at all times and enhance your protection more by setting up additional Firewall
protection. Disabling Windows Script
Host could be an efficient preventive measure, as well.
4. Consider disabling Windows
PowerShell, which is a task automation framework. Keep it enabled only if
absolutely necessary.
5. Enhance the security of
your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.). In particular, disable macros and ActiveX. Additionally,
blocking external content is a dependable technique to keep malicious code from
being executed on the PC. To ward off a strain of ransomware known as Cerber,
disable Macros in your Microsoft Office programs.
6. Make sure your antivirus, browsers, Adobe Flash Player, Java, and
other system software or Applications are up-to-date. Fine-tune your security
software to scan compressed or archived files, if this feature is available.
7. Ensure you install a browser add-on to block popups as they can
also pose an entry point for ransom Trojan attacks.
8. Should a suspicious process be detected on your computer or
device, promptly turn off the Internet connection. This is particularly efficient
during the early stage of a cyberattack because the ransomware won’t get the
chance to launch a connection with its remote Command and Control server and
thus cannot complete the encryption process.
9.
Personalize your anti-spam settings the right way: Most ransomware strains are known to spread via eye-catching
emails that contain contagious attachments. It is advisable to configure a
webmail server to block dubious attachments with extensions like .exe, .vbs, or
.scr.
10.
Desist from opening suspicious looking attachments: This doesn’t only apply to messages sent by unfamiliar people
but also to senders who you believe are your acquaintances. Phishing emails may
masquerade as notifications from a delivery service, an e-commerce resource, a
law enforcement agency, or a financial institution.
11.
Be very heedful before clicking on links: Dangerous hyperlinks, especially shortened urls can be received
via email, social media or instant messengers, and the senders are likely to be
people you trust, including your friends or colleagues. For this attack to be
deployed, cybercriminals compromise their accounts and submit bad links to as
many people as possible.
12.
The Show File Extensions
feature can thwart ransomware plagues, as well. This is a native Windows
functionality that allows you to easily tell what types of files are being
opened, so that you can keep clear of potentially harmful files. Cybercriminals
may also utilize a confusing technique where one file can be assigned a couple
of extensions. For instance, an executable may appear like an image file and
have a .gif extension. In some cases, files look like they have two extensions
– e.g., cute-dog.avi.exe ortable.xlsx.scr – so be sure to pay
attention to tricks of this sort. A standalone known attack vector is through
malicious macros enabled in MS Word documents.
13.
Consider disabling the vssaexe
functionality in your system. This functionality
built into Windows to administer Volume Shadow Copy Service is normally a handy
tool that can be used for restoring previous versions of arbitrary files. In the
framework of rapidly evolving file-encrypting malware, though, vssadmin.exe has
turned into a problem rather than a favorable service. If it is disabled on a
computer at the time of a compromise, ransomware will fail to use it for
obliterating the shadow volume snapshots. This means you can use VSS to restore
the blatantly encrypted files afterwards.
14.
Use two-factor authentication
and strong passwords that cannot be brute-forced by remote criminals. Set unique passwords for different accounts to reduce the
potential risk.
15.
Deactivate AutoPlay in your system. This way, harmful processes won’t be automatically launched
from external media, such as USB memory sticks or other drives.
16.
You may have to disable file sharing.
By so doing, the ransomware infection will be
restricted only to the infected system.
17.
Consider restricting remote services. Otherwise, the threat could rapidly propagate across the
enterprise network, thus calling forth serious security issues for the business
environment if your computer is a part it. For example, the Remote Desktop
Protocol can be leveraged by the black hat hackers to expand the attack
surface.
18.
Switch off unused
wireless connections, such as Bluetooth or infrared ports.
Cybercriminals can surreptitiously exploit a Bluetooth to launch a cyberattack
or compromise a computer, a mobile device.
19.
Turn off Wi-Fi when not in use:
It is known that hackers can launch a cyberattack on a computer system, a
mobile device through vulnerable, unsecure Wi-Fi networks. Use very strong
passwords to protect your Wi-Fi. Beware of using public Wi-Fi’s.
20.
Define Software Restriction Policies that keep
executable files from running when they are in specific locations in the
system. The directories most heavily used for hosting malicious processes include
ProgramData, AppData, Temp and Windows\SysWow.
21.
Tor (The Onion Router) Internet Protocol (IP) addresses
or gateways are usually the preferred route for ransomware to communicate with
their Command and Control servers. Hence, blockading such IP addresses may
impede a malicious malware from infiltrating.
22.
Deploy an Intrusion detection system (IDS),
such as AlienVault Unified Security Management (USM) which includes an inbuilt
IDS with SIEM and real-time threat intelligence monitoring to help you swiftly
detect malware and other threats in your network.
Conclusion/Recommendation
It
is encouraging that Nigeria’s National Information
Technology Development Agency (NITDA) has asked Nigerians to contact its Computer
Emergency Readiness and Response Team (CERRT) for assistance regarding
ransomware, cyberattack. CERT can be reached via telephone on +2348023275039 or
e-mail: support@cerrt.ng. Given the proliferation of ransomware, cyberattacks
and given the fact that cybersecurity is constantly evolving; it is incumbent
on the Nigerian government and relevant agencies to formulate and implement an
up-to-date national cybersecurity policy that is fit for purpose. Ongoing
public awareness on cybersecurity issues and best practices will be of help.
Written
by:
© Don Okereke
(Security
Junkie/Analyst/Consultant, Writer)
CEO
Holistic Security Background Checks Limited
Follow
me on Twitter: @donokereke
No comments:
Post a Comment
What are your thoughts on this post?