Why you #WannaCry last Mother’s Day



    YET another malware outbreak happened, and during the Mother’s Day weekend no less. This time it came in the form of ransomware dubbed “#WannaCry”. Malware is short for malicious software and is the correct technical term for the whole slew of high-tech computer infestations, which includes viruses, Trojans and worms (although everyday people most often use the term virus, as it is very easy to relate to).

    Ransomware is another type of malware, one that doesn’t do any (real) damage to your data. As the name implies, it kidnaps or holds your data hostage. How? By encrypting your files and withholding the decryption key or tool until you pay the perpetrators. Payment is usually done via the new online currency called bitcoin (as of this writing the current bitcoin exchange rate is P109,581 buying and P106,435 selling).

    What is so special about this malware is that it does not need any user interaction to propagate. If one of the computers in your network gets infected, the others can be compromised in a matter of seconds. WannaCry has its own network scanner that looks for vulnerable computers and infects them without the user even having to lift a finger.

    Malware is delivered to victims via an exploit or a malicious program. An exploit needs a vulnerability or flaw in a program to do its deed, which is to deliver the deadly payload, in this case the #WannaCry ransomware. Think of an exploit as a freight train that delivers stuff to a town, although instead of food or other goods it delivers harmful programs to your computer. The vulnerability or software flaw exploited in this attack is in a certain service called SMBv1, found in the Windows operating system in versions 8.1 and older. This is where it gets interesting: the software exploit is a program created by the US National Security Agency (NSA) whose code was leaked on the public Internet.

    Here are the security measures you need to apply immediately. First and foremost, ask your network or security administrator to filter the ports, or communication channels, used by the SMBv1 protocol on your firewall to make sure no infection comes from the outside. Second, temporarily disable all workstations and servers running the SMBv1 protocol. This is to prevent further exploitation of susceptible computers. Third, whitelist (allow) in your firewall the kill switch URLs or Web addresses that the ransomware contacts to check whether it should stay active – the ransomware has a routine that suspends itself if it detects that these web addresses are reachable. The port numbers and the kill switch URLs are available on the Internet.

    After the actions stated above, run the software updates available from Microsoft to patch the SMBv1 vulnerability. This will effectively prevent any more ‘deliveries’ from your NSA exploit train. Remember – the exploit is a delivery mechanism. This time it delivered ransomware, but if you don’t patch, the next delivery could be anything from a remote-control program to a virus, a keyboard logger or many other malicious payloads.
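    As an added illustration of the measures above (example code written for this page, not part of the column and not a Microsoft or vendor tool), the following PowerShell audits and hardens a single Windows 8 or later host: it reports and disables SMBv1, blocks inbound SMB from the Internet on the host firewall, checks that the kill switch address is reachable, and checks whether the Microsoft patch is installed. The SMB port numbers (TCP 445 and 139), the kill switch domain and the KB number are my assumptions and placeholders; fill the placeholders in from Microsoft’s and your vendor’s advisories.

```powershell
# Added example, not from the column: audit and harden one Windows host against SMBv1 exploitation.
# Run from an elevated PowerShell session on Windows 8 / Server 2012 or later.
# Assumptions: SMB listens on TCP 445 (direct hosting) and TCP 139 (NetBIOS session);
# the kill switch domain and the patch KB number are placeholders to fill in from the advisories.
$SmbPorts         = 445, 139
$KillSwitchDomain = 'KILLSWITCH-DOMAIN-PLACEHOLDER.example'
$PatchKb          = 'KB-PLACEHOLDER'

# Find out whether the SMBv1 server component is still on, then turn it off.
$smb = Get-SmbServerConfiguration
Write-Host ("SMBv1 server currently enabled: {0}" -f $smb.EnableSMB1Protocol)
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Remove the SMBv1 optional feature entirely; a reboot is needed for this to fully take effect.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# Host-firewall counterpart of the perimeter filtering: drop inbound SMB that arrives from
# the Internet. The network firewall rule the column asks for still belongs at the perimeter;
# this is defence in depth for the workstation itself.
$ruleName = 'Block inbound SMB from Internet (SMBv1 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $SmbPorts -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# The kill switch only helps if the host can actually reach the domain through the proxy/firewall,
# so verify that the whitelist entry works from this machine.
$ks = Test-NetConnection -ComputerName $KillSwitchDomain -Port 80 -WarningAction SilentlyContinue
Write-Host ("Kill switch domain reachable on TCP 80: {0}" -f $ks.TcpTestSucceeded)

# Patch check: is the Microsoft update for the SMBv1 flaw installed on this host?
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
Write-Host ("SMBv1 patch {0} installed: {1}" -f $PatchKb, $patched)
```

    A “False” on the last two lines means the host is still exposed: either the kill switch address is being blocked by your own filtering, or the patch has not reached the machine yet.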

    “I got hit! What now?” First things first – don’t shut down the computer! (I’ll explain this in a while).

    Although the short and easy way out is to pay the ransom, you can only hope that there is honor among thieves and that they will give you the decryption keys or tools.

    One bit of good news, though, is that security professionals have created tools that may help you recover your encrypted data. I say may because there are preconditions for these tools to be effective. They will only work if the computer was not rebooted after infection (this is why I told you earlier not to shut down the computer) and no program has since used the same memory space the ransomware initially used – yes, they will not work all the time. One tool works for Windows XP only, because even though the product was discontinued years ago, a lot of people and companies are still using it.

    The tools that may help you decrypt and recover your files are the following:

    1. “WannaKey” decryptor – developed by Adrien Guinet of Quarkslab, who also discovered the method for finding the ransomware’s decryption key. Only works on Windows XP. Get it here –> http://bit.ly/2rnUhd3

    2. “WannaKiwi” decryptor – developed by Benjamin Delpy, based on the method by Adrien Guinet; works on Windows XP, 2003 and Windows 7. Get it here –> http://bit.ly/2ryoORQ

    There are lots of leaked weaponized cyber tools out there, and who knows what is up next. There have been a lot of pronouncements from various people and entities saying this is a “wake-up call”. Heck, how many wake-up calls have we already had? Wasn’t the Morris Worm a wake-up call? The I Love You virus?

    Microsoft says patch, but it’s easier said than done. Applications written for those versions of the operating system which use the SMBv1 protocol exist today and run the risk of breaking down. You have got to have a process, a timely check of deprecated protocols and programs that your current software uses, more than just patch management – just as you have a retirement plan for ageing equipment, a patch and software update strategy to go along with old operating systems is imperative. Unless you #WannaCry over and over again.
