Do you WannaCry? Major ransomware hitting world wide

Giving a whole new meaning to online piracy

I'm a little late to the party, but in case you haven't already heard, a huge cyberattack is underway all across the world, and it could get worse. A massive ransomware trojan known as WannaCry (or WannaCrypt) has affected well over 200,000 computers across the world as of May 15, 2017. 

Possibly the most well-known case of WannaCry was in Britain where a series of hospitals were affected, but many other organizations were also hit including FedEx, and if I'm not mistaken, the Provincial Government of Saskatchewan in Canada. The attack has gained so much notoriety that Microsoft even released security updates for Windows Vista, Windows XP and Windows Server 2003. 

When detected, Kaspersky security programs show the WannaCry malware as "MEM:Trojan.Win64.EquationDrug.gen".

If you've been sheltered from the Internet for the past several years, a relatively old form of malware has resurged and gained international infamy - ransomware. Ransomware is a type of malware that typically comes in the form of a trojan, often has the properties of a computer worm, and encrypts the user's important data, such as music, pictures and Word documents. It then demands that the user pay money - often in Bitcoin - to unlock their data.

It is never smart to pay to have your data unlocked. If you do, you might get lucky and your data could be unlocked; however, it is always best practice not to pay the ransom, as your data is likely to stay encrypted forever. In some cases, the criminals behind the malware delete users' data regardless of whether they pay. In either scenario, your important data is lost forever unless you securely backed it up. You won't be able to decrypt your files yourself, and these criminals don't deserve your hard-earned money. 

Can you defend against such dickery?

Yes you can, but your best defence is preventing your system from becoming infected with this malware in the first place. Once you've got it, your only option is to wipe your hard drive and start anew - without your important data, because it'll all be unrecoverable - unless you backed it up before your PC's infection.

To start protecting yourself, you should understand the malware itself and how it works. Past ransomware typically required some user input to infect a computer, usually through email attachments or personal messages that look legitimate, appearing to be from friends and family, co-workers and bosses or large companies and other organizations. It is good practice to avoid downloading any email attachments from anyone (especially unknown email addresses) unless you're personally expecting it and the sender has told you themselves that they're sending it.

I posted about a piece of malware called Rombertik back in 2015 and its primary method of transmission was through infected email attachments, disguising itself as a .pdf file, but really being a .scr file - a screensaver file. Often, these attachments may have unusual file extensions like .scr which isn't commonly seen anymore, but they can be of any file type - even Microsoft Word documents. 

Furthermore, it isn't uncommon for malware like this to have the properties of a computer worm. When one computer becomes infected, the malware can spread to other computers on the network. It is very important for everyone using a computer on your network to understand the effects of malware like WannaCry, because WannaCry can and will spread over a network.

Gmail is good at picking out the spammy and dangerous-looking emails from the legitimate ones. Personally, whenever I get a message in my spam box, I have Gmail begin automatically deleting emails from that address, and I don't even open it. Even still, I won't open emails in my regular inbox that appear even slightly suspicious and I will not open or download any attachments that appear there.

Unfortunately, you don't need to open or download anything yourself to become infected with WannaCry. All you really have to be doing is browsing the web on an insecure, unpatched and out-of-date Windows system. According to Sysadmins of the North, WannaCry seems to have been designed to work on unpatched Windows 7 systems and earlier and fortunately, Windows 10 doesn't appear to be vulnerable to WannaCry, but that doesn't mean that you can become complacent. 

It is also possible for this type of malware to infect a computer by browsing unsavoury websites and getting popups, or by clicking dubious advertisements, or by downloading and using dubious applications. 

For now, WannaCry exploits the outdated SMBv1 protocol, used for sharing printers and files over the network - but may exploit SMBv2 as well.

Fortunately, Microsoft has patched the vulnerability this exploit uses, but many people have yet to install the update.

SMBv1 is outdated and insecure. It's nearly 30 years old and fortunately, Windows Vista and newer no longer rely solely on SMBv1, but still support it and enable it by default. Windows XP is restricted to SMBv1, which is one reason why Windows XP is more vulnerable to WannaCry than Windows Vista and 7 are. 

By disabling SMBv1, the odds that WannaCry can cause you trouble are significantly diminished, because it exploits SMBv1 to infect the computer. Microsoft has patched this vulnerability, but it would still be prudent to disable SMBv1 once and for all, because it could be an entry point for other attacks. Even then, you're still not totally immune to WannaCry: the user can still launch WannaCry themselves (intentionally or inadvertently) and their computer will still become infected.

It is possible to do this in Windows XP, which only supports SMBv1 and not SMBv2 or SMBv3. The downside is that you will no longer be able to share files or printers on a network. I should note that in Windows Vista and up, you should not disable SMBv2 or SMBv3.

According to user Jimadine on a Stack Exchange Superuser post entitled "Disable File Sharing on Windows XP", this was done by opening the Command Prompt in an administrator account (Start > Run > type "cmd" without quotes) and typing the following commands: 

sc stop server
sc config server start= disabled

These commands stop and disable the SMB server service. Next, Jimadine suggested confirming that the server is disabled: 

netstat -na | find "LISTENING" | find ":445"

This command should return no output. If it lists anything, the computer needs to be restarted. 

The process of disabling SMBv1 is much simpler on Windows Vista, 7, 8, 8.1 and 10. This is done through Windows PowerShell, a program similar to the Windows Command Prompt. You should be able to launch the PowerShell (I would personally do so as an administrator) by right-clicking the Start Button and selecting it or by searching your computer for it. Once in the PowerShell, you'll want to run the following commands: 

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Or

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

In Windows 8.1 and Windows 10, you can also remove the SMBv1 service entirely, which is what I did personally, and would recommend you do as well, by running the following PowerShell command:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
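Before and after running the commands above, it helps to check every SMBv1 switch at once rather than trusting a single one. The script below is an added example, not something from the original post or from Microsoft: it reads the SMB server configuration, the SMB1Protocol optional feature, the LanmanServer SMB1 registry value, and whether anything is listening on TCP 445 (the same check as the XP netstat command), then gives a verdict. The function name Get-Smb1Status is my own; the cmdlets it uses exist on Windows 8 and later, so on Windows 7 only the registry check applies.

```powershell
# Added audit script (not from the original post). Run from an elevated PowerShell
# on Windows 8/8.1/10; it only reads state and changes nothing.

function Get-Smb1Status {
    $status = [ordered]@{}

    # 1. Server-side switch, the one Set-SmbServerConfiguration -EnableSMB1Protocol flips.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $status.ServerConfigSmb1 = if ($null -ne $cfg) { $cfg.EnableSMB1Protocol } else { 'unknown' }

    # 2. Optional feature, the one Disable-WindowsOptionalFeature -FeatureName SMB1Protocol removes.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $status.OptionalFeature = if ($null -ne $feat) { [string]$feat.State } else { 'not present' }

    # 3. Registry value written by the Set-ItemProperty command; when absent, SMB1 defaults to enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $status.RegistrySmb1 = if ($null -ne $reg) { $reg.SMB1 } else { 'not set (defaults to enabled)' }

    # 4. Is the Server service listening on 445 at all? Equivalent of the XP netstat check.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $status.Port445Listening = [bool]$listen

    [pscustomobject]$status
}

$s = Get-Smb1Status
$s | Format-List

# Any one of these three turns the SMBv1 server off, so one "off" is enough for the verdict.
$smb1Off = ($s.ServerConfigSmb1 -eq $false) -or
           ($s.OptionalFeature -eq 'Disabled') -or
           ($s.RegistrySmb1 -eq 0)

if ($smb1Off) {
    Write-Host 'SMBv1 server appears disabled.'
} else {
    Write-Host 'SMBv1 still appears enabled; apply one of the commands from the post, then reboot and re-run.'
}
if ($s.Port445Listening) {
    Write-Host 'Note: TCP 445 is still listening (SMBv2/v3 file sharing), which is expected on Vista and up.'
}
```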

Ultimately, the best way to protect your data from ransomware is to back it up onto removable media that is not constantly connected to your computer. Last night, in response to the cyberattack, I spent a good few hours backing up important data to an external hard drive and making a comprehensive list of all the programs I had installed on my computer. Your best security measure is to back up your data. If your data is secured and backed up (I would recommend that you don't use network attached storage to back up your files in case of such an attack, because it can break out onto the network) ransomware will only cause you a minor headache. 

Kaspersky's security programs include a feature known as "Kaspersky System Watcher", which can roll back changes made by ransomware, an obviously useful capability.

If your PC ever becomes infected with any form of ransomware, never pay the ransom - no matter how valuable your data. These criminals do not deserve your money, and even if you do pay, there's still a strong possibility that your data won't be decrypted. It should also be stated, as fair warning, that Macs and Linux machines are not immune to these sorts of attacks either, and backups and anti-malware programs will help you out there too. According to the sourced Kaspersky Lab article, researchers are working on decrypting files encrypted by WannaCry, but even though this is good to hear, I wouldn't hold my breath, because depending on the skill of the hackers, the encryption can be extremely difficult to break.

Sources
WannaCry: Are You Safe? - Kaspersky Labs
Disable File Sharing on Windows XP - Stack Exchange Superuser (referenced answer by Jimadine)
