
Introduction

Ransomware is a threat to businesses, especially those that do not have strong cyber security.

Small and medium-sized businesses (SMBs) are more vulnerable than others. Companies must keep their systems secure and up to date, since ransomware takes advantage of flaws in out-of-date Windows operating systems.

Moreover, when businesses experience a ransomware attack, it can damage their reputation and the trust of their customers. Even if they recover from the attack, rebuilding that trust and reputation can be challenging.

The WannaCry ransomware is a highly dangerous type of malware. It is notorious for its ability to spread quickly through a network by exploiting vulnerabilities in Windows computers. In fact, it is responsible for causing one of the most notorious malware infections in history.

In this article, we will talk about the WannaCry ransomware, how it attacks your computers and what security measures a company should take to prevent a WannaCry attack.

How does WannaCry work?

The WannaCry attack happened because of a Microsoft Windows vulnerability exploited using the EternalBlue exploit. This exploit was developed by the United States National Security Agency and was made public by a group of hackers called the Shadow Brokers.

The WannaCry attack affected many individuals and organisations that had neglected to update their operating systems, even though a security patch had been available nearly two months before the attack.

Methods of infiltration and propagation

WannaCry differs from most ransomware because it can spread on its own without any help from users. It infects computers by installing DoublePulsar and then copies itself while scanning for other vulnerable computers to infect. Unlike most ransomware, it does not rely on tricking people into downloading it.

Historical impact and notable attacks

On Friday, May 12th, 2017, the news was dominated by a cyber attack with widespread effects. Hospitals in the UK could not access their systems, and patients were turned away.

Car factories in France had to shut down, and a Spanish telecommunications company instructed their employees to shut down their computers.

This was caused by WannaCry, a massive hacking attack that affected computers worldwide, causing chaos. Within two days, over 200,000 computers in 150 countries were affected.

However, the attack did not seem to cause much long-term damage, and the hackers only made about $100,000. This was one of the largest and most peculiar computer attacks ever witnessed.

WannaCry caused financial damage and exposed security vulnerabilities in outdated Microsoft Windows systems. Fortunately, a British security researcher found a "kill switch" that prevented the malware from attacking many US companies. Despite this, WannaCry still managed to infect more than 200,000 machines worldwide. The speed of its spread surprised cybersecurity experts.

The incident drew attention to the continuing difficulty of patch management in large businesses and highlighted the necessity of preventative cybersecurity measures.

Is WannaCry a threat today?

Although the original WannaCry attack is no longer functional, newer variants continue to emerge. These versions can still exploit the EternalBlue vulnerability, primarily affecting outdated Windows systems that haven't been updated. You remain at risk if you have an old operating system that hasn't received security patches.

Some lessons that you can learn from the May 2017 WannaCry attack are:

  • Interconnected networks: WannaCry demonstrated how easily interconnected networks can be breached. If your network connects to the internet, it can be vulnerable to attacks. Even if you think your system is secure, it's essential to remain vigilant.
  • Importance of patching: Having a patch available is not enough; organisations must actively apply it. The EternalBlue patch was released before WannaCry hit, yet many systems remained unpatched. This serves as a reminder that timely updates are important.
  • Targeted organisations: Many crucial institutions, like hospitals and schools, continue to be vulnerable. They may need more resources to upgrade their systems effectively. For example, the UK's NHS faced criticism for still using Windows XP, which Microsoft no longer supports.

With attacks on essential services continuing, from healthcare to government operations, the importance of a robust security strategy cannot be overstated. It's not a matter of if, but when, the next attack will occur.

To mitigate the risk of WannaCry and similar threats, consider implementing a Zero Trust security model. This approach treats every user and device as a potential threat, regardless of whether it is inside or outside the network. It continuously checks and verifies who has access to your network and applications, reducing the risk of ransomware spreading. The model is based on the principle of 'never trust, always verify', and it can significantly enhance your cybersecurity posture.

What would happen if the WannaCry ransom was not paid?

During the WannaCry ransomware attack in 2017, victims faced a harsh ultimatum. The attackers initially demanded a ransom of $300 in Bitcoin, later increasing it to $600. Victims who didn't pay within three days were warned that their files would be permanently deleted.

Some major consequences of not paying the ransom were:

For many victims, not paying the ransom meant risking the loss of their files. The attackers made it sound urgent, creating fear that time was running out. However, paying did not guarantee recovery of data, leaving victims in a precarious situation.

  • Faulty code: Interestingly, the code used in the WannaCry attack had flaws. Victims who paid the ransom found that the attackers could not connect the payment to their specific computers. This meant that you might still not get your files back even if you paid.
  • Mixed results on data recovery: There are conflicting reports about whether any victims successfully regained their files after paying. While some researchers claimed that no one got their data back, a cybersecurity company, F-Secure, suggested that a few did. This inconsistency highlights the risks of ransom payments.

The general advice from cybersecurity experts is clear: do not pay a ransom. Here's why:

  • No guarantee: There is no assurance that paying will restore your files. Attackers often do not follow through on their promises.
  • Encourages future attacks: Paying the ransom supports the attackers' business model. Ransomware attacks are profitable for cybercriminals, and when victims pay, it incentivises the attackers to continue their operations. This can lead to more ransomware attacks on you and others, perpetuating the cycle of cybercrime.
  • Invest in prevention: Instead of paying, focus on prevention. To reduce the risk of an attack, regularly back up your data, keep your software updated, and maintain strong security measures.

Who was responsible for the WannaCry ransomware attack?

In late 2017, both the United States and the United Kingdom attributed the WannaCry ransomware attack to the government of North Korea. This claim suggested that North Korean hackers were behind the widespread disruption caused by WannaCry.

Moreover, many researchers believe that the attack was carried out by a group known as the Lazarus Group. This group is thought to operate out of North Korea and has been linked to various cyberattacks over the years. However, not everyone agrees that the North Korean government directly orchestrated WannaCry.

In fact, some security experts argue that the evidence pointing to North Korea may have been manipulated. They suggest that the creators of WannaCry could have planted clues in the malware (malicious software) to make it appear as though North Korea was responsible. This means that the actual authorship of the attack could be from a different region altogether, not just North Korea.

Understanding the risks and consequences

Cyberattacks harm not only a company's operations but also its finances and reputation.

WannaCry affects individuals and businesses by infecting a victim's computer and encrypting its contents. It proliferates quickly, taking advantage of vulnerabilities in out-of-date Windows computers to cause extensive interruptions to crucial systems and data loss.

The impact of the attack goes beyond the initial infection and may result in extended downtime and recovery efforts for the affected businesses.

The WannaCry cyber attack caused significant financial damage worldwide. The estimated cost to companies for disruptions and recovery expenses runs to billions of dollars. The attack also caused serious reputational damage to affected companies. Following a high-profile hack, companies may lose their customers' trust, which is a major concern.

Prevention and protection measures

Most companies now run updated versions of Microsoft Windows with the security patch applied. Even so, preventive measures are still necessary to avoid these dangerous cyber attacks.

Make a data backup

  • Back up important data regularly to a cloud server or an external hard drive.
  • Adhere to the 3-2-1 rule: keep three copies of your data on two different kinds of storage, with one copy kept offline or offsite.
  • For an additional layer of protection, consider using immutable cloud storage. You can try Tata Communications' Vayu Cloud, which gives you a reliable and secure application experience.

Update all software and systems

  • Make sure to regularly update your operating system, web browser, antivirus software and other programs to their latest versions.

Set up firewalls and antivirus software

  • Use comprehensive antivirus and anti-malware software to identify, locate, and address online threats.
  • Configure firewalls to screen and block suspicious data packets as the first line of defence against outside threats.

Network segmentation

  • Use network segmentation to contain a ransomware infection and stop it propagating throughout the network.
  • To improve security, give every segment its own firewall and access rules.

Best practices for network security and anti-ransomware solutions

For data and network security, companies and their employees must be vigilant and build a strong security system. Try these best practices:

Email security

Watch out for phishing emails; don't click on links or open attachments from unidentified senders. Update your email client software often to stop hackers from exploiting security flaws. For further security, use email authentication methods like DKIM, DMARC, and SPF.

Whitelisting applications

To restrict which applications may be downloaded and run on the network, use application whitelisting.

Use tools such as Windows AppLocker to add programs and URLs to a whitelist or blacklist.

Endpoint defence

Prioritise endpoint detection and response (EDR) or endpoint protection platform (EPP) coverage for all network users. These provide real-time security alerts, data encryption, intrusion detection, antivirus, and anti-malware.

Restrict user access rights

Adopt policies for role-based access control (RBAC) and verify users using two-factor or multi-factor authentication.

Conduct security testing often

Keep an eye out for vulnerabilities, regularly review user rights, and develop new security procedures. Use sandbox testing to evaluate the efficacy of security safeguards against malicious code.

Train your employees

End users and staff should receive security awareness training so they can recognise and avoid threats.

Discuss using strong passwords, staying aware of phishing communications, and keeping your systems up to date.

Responding to a WannaCry attack

  • The first thing to do after a WannaCry infection is to update every Windows system right away.
  • Install the available fixes on susceptible computers to stop the worm-like spread.
  • Identify and update dormant Windows systems.
  • Use tools like Tenable Nessus to scan all internal networks for unpatched systems, or conduct penetration testing.
  • If patching is impossible, consider turning off SMBv1 on susceptible computers.
  • Turn off or clean the impacted machines.
  • Restore data from backup and rebuild impacted systems, removing any possible backdoors such as DoublePulsar.

Block Windows ports at the firewall

Using network segmentation, block the SMB ports (TCP 139 and 445, UDP 137 and 138) both internally between segments and externally at internet boundaries.
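The two host-level steps above (turning off SMBv1 where patching is impossible, and blocking the SMB ports) can be audited and applied with a short script. The following is an added example written for this article, not code from the original page or from Tata Communications; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules present, and the firewall rule names are this example's own choice.

```powershell
# Added example: audit and harden a Windows host against WannaCry-style SMB propagation.
# Run in an elevated PowerShell session. Ports are those listed in the article;
# the rule names below are assumptions chosen for this example.
#Requires -RunAsAdministrator

function Get-SmbV1Status {
    # Returns $true when the SMBv1 server protocol is still enabled on this host.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-SmbV1 {
    # Turn off the SMBv1 server side. Where the OS exposes SMB1 as an optional
    # feature, remove that too so the client side is gone as well (reboot may be needed).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-SmbPorts {
    # Block inbound SMB/NetBIOS traffic on the host firewall: TCP 139/445 and UDP 137/138,
    # the same ports the article says to block at network boundaries.
    $rules = @(
        @{ Name = 'Block-SMB-TCP-Inbound'; Protocol = 'TCP'; Ports = @(139, 445) },
        @{ Name = 'Block-SMB-UDP-Inbound'; Protocol = 'UDP'; Ports = @(137, 138) }
    )
    foreach ($r in $rules) {
        # Only create a rule if one with this name is not already present.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
                -LocalPort $r.Ports -Action Block -Profile Any | Out-Null
        }
    }
}

function Test-SmbHardening {
    # Summarise the host's state as an object so results can be collected centrally.
    $present = @('Block-SMB-TCP-Inbound', 'Block-SMB-UDP-Inbound') |
        ForEach-Object { [bool](Get-NetFirewallRule -DisplayName $_ -ErrorAction SilentlyContinue) }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SmbV1Enabled    = Get-SmbV1Status
        SmbPortsBlocked = ($present -notcontains $false)
    }
}

if (Get-SmbV1Status) {
    Write-Warning "SMBv1 is enabled on $env:COMPUTERNAME; disabling it."
    Disable-SmbV1
}
Block-SmbPorts
Test-SmbHardening | Format-List
```

Blocking inbound TCP 445 on a host that legitimately serves file shares will break those shares, so apply the firewall part to workstations and to segment boundaries, and test on a file server before rolling it out. Disabling SMBv1 may also require a reboot to take full effect, which the script deliberately does not trigger.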

Establish and track DNS entries

  • Set up DNS entries to act as kill switches for the initial variant, and monitor DNS logs for signs of compromise.
  • Inform users immediately about the attack's specific hazards and about general ways to avoid phishing.
  • Treat untracked, vendor-managed and guest devices with caution, since they may not have been patched and could spread the infection.
  • Report any ransomware attack to the appropriate law enforcement and cyber response teams so that you can get help.
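The first item above can be turned into a concrete control: publish the kill-switch name in an internal DNS zone so it resolves even on networks without internet access, and then treat any lookup of that name in the DNS logs as an indicator that the worm reached the querying host. The script below is an added example written for this article, not code from the original page or from Tata Communications. The domain name and the sinkhole address are placeholders, the log format is a constructed one for the sample, and the zone part assumes the DnsServer module on a Windows Server with the DNS role.

```powershell
# Added example: register a kill-switch domain in internal DNS and find hosts that queried it.
# The domain below is a placeholder, NOT the real kill-switch name; substitute the name
# published for the variant you are defending against. The sinkhole address uses the
# RFC 5737 documentation range and should point at an internal web server in practice.

$KillSwitchDomain = 'killswitch-domain.example'   # placeholder (assumption)
$SinkholeAddress  = '192.0.2.10'                  # placeholder (assumption)

function Add-KillSwitchZone {
    param([string]$Domain = $KillSwitchDomain, [string]$Address = $SinkholeAddress)
    # Create a primary zone for the name and an A record at the apex so lookups succeed.
    # Requires the DnsServer module; run on the internal DNS server.
    if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Domain -ZoneFile "$Domain.dns"
    }
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name '@' -IPv4Address $Address `
        -TimeToLive (New-TimeSpan -Minutes 5)
}

function Find-KillSwitchQueries {
    param([string[]]$LogLines, [string]$Domain = $KillSwitchDomain)
    # Parse constructed "time client-ip qname" lines (adapt the split to your server's
    # real log format) and return one row per client that looked up the kill-switch
    # name, with the number of queries and the first time it was seen.
    $hits = foreach ($line in $LogLines) {
        $parts = $line -split '\s+'
        if ($parts.Count -ge 3 -and $parts[2].TrimEnd('.') -ieq $Domain) {
            [pscustomobject]@{ Time = $parts[0]; Client = $parts[1] }
        }
    }
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Queries   = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        }
    }
}

# Constructed sample log lines (not real data). A query for the kill-switch name means
# the worm ran on that client, even if the successful lookup then stopped it.
$sampleLog = @(
    '2017-05-12T10:01:03Z 10.0.4.21 intranet.corp.example.',
    '2017-05-12T10:01:05Z 10.0.4.37 killswitch-domain.example.',
    '2017-05-12T10:01:09Z 10.0.4.37 killswitch-domain.example.',
    '2017-05-12T10:02:11Z 10.0.7.102 KILLSWITCH-DOMAIN.EXAMPLE.',
    '2017-05-12T10:02:40Z 10.0.4.21 update.corp.example.'
)

# Add-KillSwitchZone must be run on the DNS server itself; the log analysis runs anywhere.
Find-KillSwitchQueries -LogLines $sampleLog | Format-Table -AutoSize
```

The comparison is case-insensitive and strips the trailing dot, because DNS names in server logs are commonly logged in fully qualified form and in whatever case the client sent. Hosts returned by the analysis should be isolated and checked for the backdoor and for unpatched SMB, since a successful kill-switch lookup only stops the payload on that host; it does not mean the host was never exploited.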

Case studies or real-life examples

Honda Motor Company's Sayama Plant, northwest of Tokyo, temporarily stopped producing cars after discovering WannaCry ransomware in the plant's computer network. Despite the initial interruption, Honda was able to contain the malware, restore production, and put strong cybersecurity procedures in place. The organisation quickly installed security updates, carefully cleaned the affected computers, and closed the Windows ports on its firewall. The event demonstrated how critical it is to respond to ransomware threats swiftly and decisively.

Takeaways

  • WannaCry's persistence highlights the need for constant vigilance, even after the first outbreaks fade.
  • Regular patching and upgrading are essential, especially for older and legacy operating systems.
  • Preventive actions such as turning off SMBv1 and restricting ports help stop ransomware from spreading.

Victoria Police, Australia

In Australia, WannaCry hit 55 traffic cameras operated by the external contractor Redflex. While acknowledging the infection, Victoria Police reassured the public that the integrity of the camera system was unaffected. The event showed the wide variety of systems susceptible to ransomware and underlined the need for thorough cybersecurity measures beyond typical IT networks.

Takeaways

  • Critical infrastructure, such as traffic systems, should include resilient cybersecurity solutions.
  • Regular updates and monitoring are crucial to identify and address changing cyber threats quickly.

Conclusion

The WannaCry ransomware attack is a clear indication of the dangers that businesses are exposed to, and individuals and organisations must take proactive measures to prevent, respond to, and recover from potential attacks. The purpose of this guide is to provide insights and tools to enhance cybersecurity readiness.

Real-world events, such as the WannaCry attack on Honda and the hacking of traffic cameras in Australia, underscore the importance of having effective cyber defences in place. Tata Communications is a leading provider of comprehensive communication solutions equipped to help businesses defend against evolving cyber threats.

The reappearance of WannaCry emphasises the dynamic nature of cybersecurity and the value of taking preventative action. With its cutting-edge cybersecurity solutions, Tata Communications is a dependable partner for businesses looking to be resilient in the digital era.

Tata Communications is a reliable partner for businesses looking to strengthen their digital future by providing innovative solutions for navigating the dynamic threat landscape. By working together, we can create a linked and safe society that guarantees everyone has access to a robust cyberspace.
