NSA-derived ransom ware is shutting down computers globally

What Is NSA-driven ransom ware?

Tens of thousands of organisations have been caught out by a computer virus called WannaCry. The malicious software locks data away and demands a payment of up to $300 (£230) a time before it will restore scrambled files.

As IT geek knows NSA-driven ransom ware is playing havoc around the globe since its 1st release back in Mid-April 2017. It was Mid-April when an arsenal of extremely power, lethal grade software tools designed by NSA to inject and Control Windows computers was leaked< by a hacking group called “Shadow Brokers”. Merely a month later, the hypothetical threat that these tools would be used against general public has become real, and tens of thousands of computers worldwide are now crippled by the unknown party demanding ransom.

nsa ransomware wanna cry attack

NSA ransom ware wanna cry attack

Who made the WannaCry worm?

Currently, we do not know. Ransomware has been a firm favourite of cyber-thieves for some time as it lets them profit quickly from an infection. They can cash out easily thanks to the use of the Bitcoin virtual currency, which is difficult to trace.

The competition among different ransomware gangs has led them to look for ever more effective ways of spreading their malicious code.

WannaCry seems to be built to exploit a bug found by the US National Security Agency. When details of the bug were leaked, many security researchers predicted it would lead to the creation of self-starting ransomware worms. It may, then, have only taken a couple of months for malicious hackers to make good on that prediction.

How widespread

At the time of this writing, it has reportedly reached UK’s National Health Service (NHS) shutting down hospitals operation throughout the country as the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems. A major Spanish telecom, FedEx, and the Russian Interior Ministry are reportedly infected with the worm. In total, researchers have detected Wannacry infections in over 57,000 computers across over 70 countries (and counting — these things move extremely quickly).

Experts who are tracking and analyzing the worm and its spread said, this could be one of the worst-ever cyber attacks of its kind in history. We’ve never seen anything like this with ransom ware, a MalwareTech has twitted.

The malware, known as Wanncry, Wanna, Wcry, has reportedly infected at least 95,000 computers, according to Avast. Kaspersky Lab said Organisations in at least 74 countries have been affected, with Russia being worst affected, followed by India, Ukraine, and Taiwan. Infections are also <a https://intel.malwaretech.com/botnet/wcrypt>spreading through the United States.

Watch it spread at https://intel.malwaretech.com/botnet/wcrypt

wannacry ranomware attack distributionwannacry ranomware attack distribution

Is my computer at risk?

It depends. The WannaCry virus only infects machines running Windows. If you do not update Windows and do not take care when opening and reading emails then you could be at risk.

You can protect yourself by running updates, using firewalls and anti-virus software and by being wary when reading emailed messages. It might also be worth taking a back up of key data so you can restore without having to pay up should you be infected.

Email is still the preferred attack tool of cyber-thieves

Email is still the preferred attack tool of cyber-thieves

Can I 100% protect my server/computers from NSA-driven ransomware “Wannacry”?

Not really. However, you can, and do, work hard to protect your infrastructure. Set up firewalls, install anti-virus programs, apply file filters, run intrusion detection and regularly update Windows to keep malware and hackers out.

In this case, a patch to close the bug has been available since 14 March but many organisations have clearly failed to apply it in time.

Looking to Defend your computer follow these stesps:How to defend from WannaCry RansomWare?

What I can do to protect my servers from NSA-driven ransomware “Wannacry”?

Our network was attacked on April 18, 2017, and the first server was ransomware encrypted. That lead us to reimage the server and recover data from backups. Soon after we made and applied a SOP which has thus far worked well for us since we have not experienced any further attack ever since.

For the public benefit, we will list the measures taken to protect from this NSA-derived worm attack:

  1. Microsoft has released fixes for vulnerabilities and related tools disclosed by TheShadowBrokers. Run Microsoft Windows updates and fully patch the system
  2. Both RDP and SMB are attack vectors, block following ports in your firewall:
    1. Incoming (TCP): 445, 22, 23
    2. Outgoing (TCP): 139, 445, 22, 23
    3. Outgoing (UDP): 137, 138
  3. Disable SMBv1 – open PowerShell and run this command
    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
  4. RDP is another vector it uses so might be best to start closing ports on the firewall too
    1. On the firewall restrict RDP port access by IP address
  5. Microsoft has released various security hotfixes to address this issue, we have compiled all patches in single zip file
    1. that you can download from here Download NSA Win Update
    2. When downloaded, extract zip and run each security patch one by one.
  6. Update all virus definitions
  7. If you do any kind of process whitelisting, keep watching VirusTotal and blogs, and blacklist the SHA256 hashes.
  8. Check your backups.
  9. Snapshot critical systems.

More from our blog

See all posts
No Comments