WannaCry/WCry/WCrypt0 Ransomware

ngCERT 2nd Advisory on WannaCry/WCry/WCrypt0 Ransomware Worm and Remote Desktop Protocol (RDP) & Server Message Block (SMB) Protocol Vulnerability

Risk: High

Damage: High

Platforms: Microsoft Windows Operating Systems implementing RDP & SMB protocol

Date: Mon 15th, May 2017

SUMMARY

A vulnerability in the Microsoft Windows implementation of the Server Message Block (SMB) protocol, specifically SMBv1, is currently being exploited by a ransomware worm called WannaCry to spread from one computer to another over the network. The worm encrypts the user's files on an infected computer and demands a ransom. Exposed Remote Desktop Protocol (RDP) services are covered by this advisory as a related remote-access risk that should be restricted at the same time.

DESCRIPTION AND CONSEQUENCES

RDP is a Windows protocol that allows a computer to be accessed and controlled remotely; systems administrators commonly use it to manage Windows machines without being at the console. SMB is the protocol Windows servers use to communicate with computers on a domain, and that computers use to share files, printers and other resources on a network. WannaCry spreads as a worm by exploiting a vulnerability in the Windows implementation of SMBv1 (the flaw fixed by Microsoft security bulletin MS17-010): once one machine is infected, the worm scans for other reachable hosts with TCP port 445 open and infects any that are unpatched, with no action by the user. Exposed RDP is included in this advisory because it is the other common remote entry point into Windows hosts and should be restricted together with SMB, but it is not the channel the worm itself uses to spread. When a computer is infected, the worm encrypts the host computer's files and demands a ransom of 0.1784 bitcoin (approximately $300 at the time), warning that the amount doubles if it is not paid within 3 days and that the files will be permanently unrecoverable if it is still unpaid after 7 days. Paying the ransom does not guarantee that the files will be recovered. Figures A and B below show the messages displayed on an infected computer.

Figure A: showing a message popup on an infected computer


Figure B: Showing Instructions In a text file on an infected computer.

Microsoft released the fix for the SMB vulnerability in March 2017 (security bulletin MS17-010) and, on 12 May 2017, out-of-band updates for versions of Windows that are no longer supported. Computers on which these updates have not been installed remain vulnerable.

SOLUTION

1. Stakeholders are advised to ensure that computers running Windows 7 and later are up to date by checking Windows Update in the Control Panel. The relevant fix is the March 2017 security update described in Microsoft bulletin MS17-010. Windows Update does not deliver the out-of-band updates Microsoft published on 12 May 2017 for Windows XP, Windows 8 and Windows Server 2003, so stakeholders with computers running these older versions can follow the links below to download the corresponding update and to disable SMBv1, which the worm depends on:

a.  https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ (Microsoft customer guidance, including download links for the out-of-band updates)

b.  https://support.microsoft.com/kb/2696547 (Microsoft instructions for detecting and disabling SMBv1 on each version of Windows)

2. Stakeholders are also advised to upgrade any computer running an earlier version of the Microsoft Windows operating system to Windows 10 so as to benefit from its automatic update features. Computers can be upgraded using the following link: https://www.microsoft.com/en-us/windows/windows-10-upgrade.

3. Stakeholders are encouraged to keep periodic backups of their critical data and files on isolated (offline) or remote storage, and to test that the backups can be restored, so as to ensure minimal downtime in the event of an incident. A backup kept on a drive or network share that an infected computer can write to is itself at risk of being encrypted.

4. If an infected computer is identified, first unplug it from the network (or disable its Wi-Fi) so that it cannot spread the worm to other computers, then power it off using the hardware power switch, and report the incident to ngCERT via phone: 07044642378, email: incident@cert.gov.ng or using the incident report form on the ngCERT website: www.cert.gov.ng. Network isolation is the urgent step; powering off stops further encryption but also discards the contents of memory, so where a forensic investigation is planned, isolate the machine and let an incident responder decide when to power it down.
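The checks and hardening in items 1 to 4 above, scripted for a single Windows host as an added example (this is not part of the ngCERT advisory or any Microsoft tool). It reports whether an MS17-010 fix is installed, whether SMBv1 is enabled, disables SMBv1 using the methods from KB2696547, and blocks inbound SMB and RDP at the host firewall. The KB identifiers are the MS17-010 fixes Microsoft shipped for the listed builds and should be confirmed against the bulletin for your exact build; the firewall rule names are illustrative.

```powershell
# Added example, not part of the ngCERT advisory: audit one Windows host for the
# exposure described above and apply the hardening from items 1 and 4.
# Run from an elevated PowerShell prompt. Assumption: the KB identifiers below
# are the MS17-010 fixes Microsoft shipped for the listed builds; confirm them
# against the MS17-010 bulletin for your exact build before relying on them.

# --- 1. Is an MS17-010 fix installed? --------------------------------------
$ms17010Kbs = @(
    'KB4012598',                           # Windows XP / Server 2003 / Vista / 8 (out-of-band, May 2017)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$present = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($present) {
    foreach ($h in $present) { "MS17-010 fix present: $($h.HotFixID) installed $($h.InstalledOn)" }
} else {
    # Later cumulative updates supersede these KBs without listing them, so this
    # is evidence of exposure, not proof: check Windows Update history as well.
    'WARNING: no MS17-010 KB found on this host'
}

# --- 2. Is SMBv1 enabled on the server side? --------------------------------
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the setting through the SMB module
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: KB2696547 uses this registry value; absent means enabled
    $v = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $v) -or ($v.SMB1 -ne 0)
}
"SMBv1 server enabled: $smb1"

# --- 3. Disable SMBv1 (methods from KB2696547) ------------------------------
if ($smb1) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # SMBv1 client driver on Windows 7 / Server 2008 R2; takes effect after a reboot
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
    'SMBv1 disabled; reboot to complete'
}

# --- 4. Block inbound SMB and RDP from untrusted networks -------------------
# Caveat: blocking TCP 445 on a file server breaks file sharing. Scope the SMB
# rule with -RemoteAddress (or the netsh remoteip= option) to the networks you
# actually want to cut off instead of blocking everything.
$rules = @{ 'ngCERT-WannaCry-block-SMB' = 445; 'ngCERT-WannaCry-block-RDP' = 3389 }
foreach ($name in $rules.Keys) {
    $port = $rules[$name]
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $port -Action Block | Out-Null
    } else {
        # Windows 7 / Server 2008 R2 have no NetSecurity module; netsh does the same job
        netsh advfirewall firewall add rule name=$name dir=in action=block protocol=TCP localport=$port | Out-Null
    }
    "Inbound TCP $port blocked by rule '$name'"
}
```

The hotfix check is deliberately reported as a warning rather than a verdict: on Windows 10 in particular, a later cumulative update replaces the MS17-010 KB in the hotfix list, so an absent KB means "verify", not "unpatched". Disabling SMBv1 removes the worm's propagation path even on a host that cannot be patched, which is why the advisory points to KB2696547 for older versions of Windows.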

REFERENCES

1. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

2. https://www.us-cert.gov/ncas/alerts/TA17-132A

REVISION

1. First Published on Saturday 13th, May 2017
