ngCERT-2017-0016: ngCERT 2nd Advisory on WannaCry/WCry/WCrypt0 Ransomware Warm and Remote Desktop Protocol (RDP) & Server Message Block (SMB) Protocol Vulnerability
RDP is a protocol on Windows Operating systems that allows remote access and control of the Windows Operating System. This protocol
is usually used by systems administrators to control computers running windows operating systems remotely. While the SMB protocol is commonly used by servers
to communicate with computers on a domain and also used by computers to share files, printers and so on, on a network. These protocols are currently being exploited
by a Ransomware called WannaCry, to spread and infect computers on a network.
When a computer is affected by the worm, the worm encrypts the host computer’s files and request for a ransom of .1784 bitcoin, which is equivalent to approximately $300 and further leaves a threat that, if the ransom is not paid within 3 days, the ransom amount will be doubled and if the ransom is still not paid after 7 days the files will be deleted such that they cannot be recovered forever. Nonetheless, paying the ransom does not guaranty that the files will be recovered.
Figures A & B below showcases the messages displayed by
an infected computer;
Figure A: showing a message popup on an infected computer
Figure B: Showing Instructions In a text file on an infected computer.
Although Microsoft has released updates since March 2017, however computers that have not been updated remain vulnerable.
1. Stakeholders are advised to ensure that computers running Windows 7 and above are up-to-date by checking the windows update center in the control panel.
While stakeholders with computers running other variants of the Windows operating system can follow the links below to download the corresponding update for their operating system.
2. Stakeholders are also advised to upgrade any computer running later versions of the Microsoft Windows Operating System to windows 10 so as to utilize advance update features of the windows 10 operating system. Computer can be updated using the following link: https://www.microsoft.com/en-us/windows/windows-10-upgrade.
3. Stakeholders are encouraged to run isolated or remote periodic backups of their critical data and files so as to ensure minimal downtime in the event of incident.
4. If an infected computer is identified, power-off the system using the hardware power switch on the computer and unplug the system from the network if the computer is connected to a network and report the incident to ngCERT via phone: 07044642378, email: firstname.lastname@example.org or using the report an incident for on the ngCERT website: www.cert.gov.ng.
1. First Published on Saturday 13th, May 2017