ngCERT-2017-0016: ngCERT 2nd Advisory on WannaCry/WCry/WCrypt0 Ransomware Worm and Remote Desktop Protocol (RDP) & Server Message Block (SMB) Protocol Vulnerability
Risk
High
Damage
High
Platform
Microsoft® Windows 10; Microsoft® Windows 2016; Microsoft® Windows 7; Microsoft® Windows 8; Microsoft® Windows OS; Microsoft® Windows Server 2000; Microsoft® Windows Server 2003; Microsoft® Windows Server 2008; Microsoft® Windows Server 2012; Microsoft® Windows Vista; Microsoft® Windows XP
Advisory ID
ngCERT-2017-0016
Published Date
Monday 15th, May 2017
Summary

The Remote Desktop Protocol (RDP) and a vulnerability in the Microsoft Windows implementation of the Server Message Block (SMB) protocol (specifically SMBv1, addressed by Microsoft's March 2017 security update MS17-010) are currently being abused by a self-propagating ransomware worm known as WannaCry. The worm encrypts the files on an infected computer's hard drive and demands a ransom for the decryption key.

Description and Consequences

RDP is a protocol on Windows operating systems that allows remote access to and control of a Windows computer; it is usually used by systems administrators to manage Windows computers remotely. The SMB protocol is commonly used by servers to communicate with computers on a domain, and by computers to share files, printers and other resources on a network. WannaCry abuses these protocols to spread: it scans for other hosts on the local network and on the internet that expose SMB (TCP port 445) and exploits the unpatched SMBv1 vulnerability to infect them without any user interaction, so a single infected computer can compromise every unpatched computer it can reach.

When a computer is infected by the worm, the worm encrypts the host computer's files and demands a ransom of 0.1784 bitcoin, equivalent at the time of writing to approximately $300. It further threatens that if the ransom is not paid within 3 days the amount will be doubled, and that if it is still not paid after 7 days the files will be deleted and become unrecoverable. Note that paying the ransom does not guarantee that the files will be recovered.

Figures A and B below show the messages displayed by an infected computer:

Figure A: showing a message popup on an infected computer.

Figure B: showing the ransom instructions in a text file on an infected computer.

Microsoft released the security update that closes the SMB vulnerability (MS17-010) in March 2017, and on 12 May 2017 additionally released out-of-band updates for platforms that are otherwise no longer supported, including Windows XP and Windows Server 2003 (see the Microsoft customer guidance link under Solutions). Computers that have not installed the applicable update remain vulnerable.

Solutions

1. Stakeholders are advised to ensure that computers running Windows 7 and above are up to date by checking Windows Update in the Control Panel and installing all pending security updates. Stakeholders with computers running other versions of the Windows operating system (including Windows XP and Windows Server 2003) can follow the links below to download the corresponding update for their operating system and to disable the SMBv1 protocol, which the worm relies on to spread.

a. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?utm_source=t.co&utm_medium=referral

b. https://support.microsoft.com/kb/2696547 (Microsoft's instructions for disabling SMBv1 on Windows and Windows Server)

2. Stakeholders are also advised to upgrade any computer running an earlier version of the Microsoft Windows operating system to Windows 10, so as to benefit from its improved update and security features. Computers can be upgraded using the following link: https://www.microsoft.com/en-us/windows/windows-10-upgrade.

3. Stakeholders are encouraged to take periodic backups of their critical data and files to isolated or offline storage that the worm cannot reach over the network (a backup on a permanently mapped network share can be encrypted along with the host), and to test that the backups can be restored, so as to ensure minimal downtime in the event of an incident.

4. If an infected computer is identified, immediately disconnect it from the network (unplug the network cable or disable Wi-Fi) to stop the worm spreading to other hosts, then power off the system using the hardware power switch, and report the incident to ngCERT via phone: 07044642378, email: incident@cert.gov.ng, or using the "report an incident" form on the ngCERT website: www.cert.gov.ng.
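The following PowerShell script is an added example for administrators applying steps 1 and 2 above; it is not part of the ngCERT advisory and not Microsoft's code. It audits a single Windows host for the presence of an MS17-010 update package, reports whether SMBv1 is still enabled on the server side, and disables SMBv1 if it is. The list of KB numbers is the editor's recollection of the packages published under MS17-010 and should be verified against the bulletin; on Windows 10 a later cumulative update supersedes those KBs, so their absence alone does not prove the host is unpatched. The script assumes an elevated PowerShell session and uses Get-WmiObject so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the ngCERT advisory): audit a host for the MS17-010
# update and the SMBv1 state, and disable SMBv1 if it is still enabled.
# Run in an elevated PowerShell session.

# KB packages published under MS17-010 (editor's list; verify against the bulletin).
$ms17010Kbs = @(
    'KB4012598',               # Windows XP, Vista, Server 2003, Server 2008, Windows 8 (May 2017 out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

# Get-WmiObject is used instead of Get-CimInstance so this runs on PowerShell 2.0 (Windows 7).
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Is one of the MS17-010 packages installed?
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    # On Windows 10 a newer cumulative update may have superseded the listed KBs,
    # so treat this as a prompt to check Windows Update rather than proof of exposure.
    Write-Warning "No MS17-010 KB found. Run Windows Update or install the package from the MSRC guidance link."
}

# 2. Is SMBv1 still enabled on the server side (the side the worm attacks)?
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: KB2696547 documents the SMB1 registry value instead.
    $val = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    # A missing value means the default, which is enabled.
    $smb1Enabled = if ($null -eq $val) { $true } else { [bool]$val.SMB1 }
}

# 3. Disable SMBv1 if it is on. Test on a pilot group first: legacy devices such as
#    old NAS units, printers and scanners may still depend on SMBv1 and will lose access.
if ($smb1Enabled) {
    Write-Warning "SMBv1 is enabled; disabling it now (Windows 7 / 2008 R2 require a reboot)."
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    }
} else {
    Write-Host "SMBv1 is already disabled."
}
```

Disabling SMBv1 is a mitigation, not a substitute for the update: a host that still accepts SMBv1 connections from an infected neighbour remains exposed until MS17-010 is installed, so run the patch check and the SMBv1 change together across every Windows host on the network, including servers and machines that are rarely logged into.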

Revisions

1. First Published on Saturday 13th, May 2017