Wannacry Ransomware used to spread global cyber attacks
May 12, 2017
A global ransomware attack began impacting companies and hospitals across the United States, Europe, and Asia early Friday morning.
Companies in more than 70 countries have reported incidents as of Friday afternoon. Computers all over the world are being locked down by a ransomware called Wannacry/Wanna/Wcry. The British government has announced that a bitcoin virus attack has hit public hospitals in the country on a large scale, requiring users of the network to pay $300 in exchange for access to the computer.
Ransomware is a type of malware, used more and more frequently, which sequesters user data and requires a rescue, usually in bitcoins. In essence, ransomware is a piece of malicious software that manages to encrypt files or blocks computers, demanding afterward a payment as a rescue in order to recover the normality. Unfortunately, there is little room to avoid having to pay the ransom because once the system is infected, it cannot be cleaned.
The ransomware WannaCry infection produced today has been distributed across all Windows machines on the networks of affected corporations. Here you can find the Indicators of Compromise (IOCs) associated with this malware.
From Blueliv we highlight different options that would have allowed to avoid this infection or at least mitigate the affectation:
Collecting shared engagement indicators on Blueliv’s Threat Exchange Network. Many of them have helped organizations to early detect the global attack that spread in multiple countries during the day.
- Acquiring cyber threat intelligence feeds like the one offered by Blueliv. This feed is based on a large-scale malware scan engine that constantly analyzes samples, identifies and classifies them, extracts URLs and C & C, to finally compile the information into a single feed. It provides the user with in-depth information on C & C, Exploit Kits, Malware Hashes and bad reputation IPs.
- Monitor organization applications according to standardized whitelists, to block or execute executable programs
- Improve and optimize your backup and restore system
Once the infection has occurred and depending on the type of ransomware involved, the infected machine may be cleaned. Although in most cases, the encryption used to contain the infected computer or content is very difficult to break, and therefore it is difficult to prevent theft, the following cases may happen:
- The ransomware has some problems in its process so, it is possible that the files can be recovered by analyzing the file system or by using carving techniques
- There is a backup copy of the hijacked content or of the computer
- Somehow it would be possible to obtain a copy of the encryption key used to encrypt the files or by other techniques which can unlock critical computer files
We hope that this information is useful, and do not hesitate to contact us if you need to know how to prevent attacks like those that occurred today.
These two images represent an example of the thousands of “successful” attacks that have forced the infected to pay for a ransom. It can be seen that the address to which the redemption had to be paid, has received, among others, the 2 payments that appear in the second image.