“WannaCry” Blocked by Symantec – Best Practices Against Ransomware.

A worldwide cyberattack that began on May 12, 2017 and is still ongoing involves ransomware named WannaCry (aka WCry). The attacks have hit users in many countries across the globe. WannaCry encrypts data files on infected computers and demands a US$300 ransom in bitcoin to decrypt them.

Analysis indicates the attack spreads through an SMB remote code execution vulnerability in Microsoft Windows, which Microsoft announced and patched on March 14, 2017. A specific exploit for this vulnerability, code-named “EternalBlue”, was made public through the Shadow Brokers' dump of attack tools on April 14, 2017.

That is two whole months between the patch and the outbreak: any Windows system that had been allowed to install the patch would not have been affected.

Who was not hit?

Users who had installed the Windows security updates, or who were running trusted, up-to-date endpoint protection.

Symantec's Intrusion Prevention System (IPS) network protection technology, included in Symantec Endpoint Protection (SEP) and Norton products, was already blocking exploitation of this vulnerability before the WannaCry attacks were released. Symantec picked up the attack before it went mainstream.

[Figure: Exploit attempts against the WannaCry vulnerability blocked by Symantec, 2017-05-16]

Who is/was impacted?

Any unpatched Windows computer is potentially susceptible to WannaCry. Organizations are particularly at risk because of its ability to spread across networks, and a number of organizations globally have been affected, the majority of them in Europe. Individuals can also be affected. Many of the infected systems were running older or unpatched Windows versions such as Windows XP, Vista, and 8.

[Figure: WannaCry heat map from Norton Endpoint]

Is/was this a targeted attack?

No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.

How is WannaCry spread?

While WannaCry can spread itself across an organization’s networks by exploiting a vulnerability, the initial means of infection—how the first computer in an organization is infected—remains unconfirmed. Symantec has seen some cases of WannaCry being hosted on malicious websites, but these appear to be copycat attacks, unrelated to the original attacks.

Have many people paid the ransom?

Analysis of the three Bitcoin addresses provided by the attackers for ransom payment indicates that, at the time of writing, a total of 31.21 bitcoin ($53,845) had been paid in 207 separate transactions.

What are best practices for protecting against ransomware?

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that backups are appropriately protected or stored off-line so that attackers can’t encrypt or delete them too.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.
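As a concrete way of applying the patching advice above to the WannaCry case, the following PowerShell audit is an added example (it is not code from the original post, and not a Symantec tool). It checks whether a Windows host still has the SMBv1 server enabled (the protocol version the EternalBlue exploit targets), whether the March 2017 SMB fix is installed, and, with -Remediate, disables SMBv1. The bulletin name MS17-010 and the default KB numbers (the Windows 7 / Server 2008 R2 security-only and monthly-rollup packages) are taken from Microsoft's published bulletin rather than from this page; treat the KB list as a parameter to fill in from the bulletin for your own OS version. The script name is hypothetical.

```powershell
<#
  Audit-Wcry.ps1 (hypothetical name; added example, not from the original post)
  Checks a Windows host for the two conditions WannaCry relied on:
    1. SMBv1 server still enabled
    2. The March 2017 SMB fix (MS17-010) not installed
  Run from an elevated PowerShell prompt.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # KB IDs that deliver MS17-010 for THIS host's OS. Defaults are the Windows 7 /
    # Server 2008 R2 packages (assumption taken from Microsoft's bulletin; verify for
    # your build). Add later cumulative rollups that supersede these, since Get-HotFix
    # will not list a superseded package.
    [string[]]$RequiredKBs = @('KB4012212', 'KB4012215'),

    # Actually disable SMBv1 instead of only reporting. Honors -WhatIf.
    [switch]$Remediate
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Returns $true if the SMBv1 server is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 lack the SmbShare module; there the LanmanServer
    # "SMB1" DWORD controls it, and an absent value means enabled.
    $v = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.SMB1 -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Takes effect after the LanmanServer service restarts (or a reboot).
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

$report = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = (Get-CimInstance Win32_OperatingSystem).Caption
}

# 1. Patch state: any one listed KB is sufficient, because a monthly rollup
#    contains the same fix as the security-only package.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$matched   = @($RequiredKBs | Where-Object { $installed -contains $_ })
$report.MS17_010_Installed = ($matched.Count -gt 0)
$report.MatchedKB          = ($matched -join ', ')

# 2. SMBv1 server state. MS17-010 fixed flaws in the SMBv1 server code;
#    disabling SMBv1 removes the attack surface even on an unpatched host.
$report.SMB1Enabled = Get-Smb1ServerState

# 3. Optional remediation.
if ($Remediate -and $report.SMB1Enabled) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Disable-Smb1Server
        $report.SMB1Enabled = Get-Smb1ServerState
    }
}

# Verdict: exposed to the WannaCry spreading mechanism only if unpatched AND
# still speaking SMBv1.
$report.Exposed = (-not $report.MS17_010_Installed) -and $report.SMB1Enabled

[pscustomobject]$report
```

Run it as `.\Audit-Wcry.ps1` to report, `.\Audit-Wcry.ps1 -Remediate -WhatIf` to preview the change, and `.\Audit-Wcry.ps1 -Remediate` to disable SMBv1. Note that Get-HotFix only sees packages still registered on the host, so on a machine that has taken later rollups you must extend -RequiredKBs or the patch check will report a false negative; the SMBv1 check does not have that problem, which is why the verdict requires both conditions.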

Be cautious about where you go when browsing the web. Symantec protected hundreds of thousands of its users around the world from this attack, but remember that the first line of defense is keeping your software patched and up to date. Run antivirus you can trust and keep it current. Putting off an important patch can hand an attacker access to your system and its data.


Posted by:
Dominic Rafael
Senior Lead IT Engineer
