WannaCryptor: What you need to know about the ransomware 0 288

  • WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting Microsoft Windows operating system.
  • On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.
  • Cybercriminals are beginning to take notice of the numerous vulnerabilities present in Africa’s digital ecosystem and are innovatively exploiting the numerous loopholes within the continents digital technologies.
Understanding Wannacryptor

A new and adverse form of malware

A new and adverse form of malware has taken the world by storm. Riding on the ubiquitous nature of the Windows OS in PCs, the WannaCry ransomware program (detected by ESET as Win32/Filecoder.WannaCryptor.D) has put most cybersecurity executives in tears as it has ploughed through various organisations on an unprecedented scale.

The African digital ecosystem has not been spared either. WannaCryptor has hit numerous institutions throughout the Continent. The nations which were adversely hit include: Kenya, Ethiopia, Tanzania, Mozambique, Sudan, South Sudan, Uganda, Algeria, South Africa and Nigeria.

On the 13th of May 2017, the Communications Authority of Kenya in conjunction with the National Kenya Computer Incident Response Team Coordination Center (National KE-CIRT/CC) issued a press statement alerting members of the public of the presence of the WannaCrypt0r ransomware epidemic throughout the globe.

As predicted, cybercriminals are beginning to take notice of the numerous vulnerabilities present in Africa’s digital ecosystem and are innovatively exploiting the numerous loopholes within our digital technologies.

Understanding Wannacryptor

Understanding Wannacryptor

WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting Microsoft Windows operating system.

On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.

The attack spreads by multiple methods, including phishing emails and on unpatched systems as a computer worm.

The attack has been described by Europol as unprecedented in scale.

WannaCrypt0r uses the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems.

Although a patch to remove the underlying vulnerability for supported systems (Windows Vista and later operating systems) had been issued on 14 March 2017, delays in applying security updates has left numerous users vulnerable.

Does your machine run on Windows?

The Windows Operating System remains the main operating system which runs on laptops and desktops in Africa.

With negligible usage over mobile phones in Africa, the Windows OS maintains a significant 35% usage statistic in our continent as over 80% of enterprise devices run on the Windows OS.

This essentially means that if you are a Kenyan reading this article on a Personal Computer or laptop, then there exists an over 80% chance that it is running on Windows.

This, coupled up by the immense chance that the Windows Operating System your device is running on is not updated, increases your vulnerability to the Wannacrypt0r ransomware even further.

What you need to do to stay safe

According to ESET’s Michael Aguilar, here are some tips which we strongly recommend:

  • Install Anti-malware Software – You may have heard this over and over, and it seems very repetitive mentioning it now. However, if we had not encountered multiple instances where I was told, “It is a server, and we have firewalls, so I will leave anti-malware off of this machine” or “I have too many problems to install antivirus on this server”, We would not mention it. But, that has happened. So, we are stating it. Please install reputable anti-malware and give yourself a fighting chance at stopping this before you are affected.
  • Update Your Windows Machines – Please! I know that patches can be very, very difficult to get deployed across the entire network. This one, you will want to install. It has been available since mid-April and stops the exploit from gaining a foothold in your environment. The patch listing for the entire listing of Equation Group files can be located here.
  • Be Intelligent! – As a person who researches infections, exploits and various other information security related items, knowing is half the battle. Especially when items are being leaked and created in this kind of rapid-fire fashion.  Using Threat Intelligence,  ESET was able to create the appropriate YARA rules that identified the droppers, files and characteristics pertaining to the Equation Groups leaked exploitation files.  There has been plenty of detections of these object..  This kind of intel, and more importantly, the feeds that are provided, could help you to make better decisions on what to protect and how to protect it.

In Conclusion

It is important for institutions to invest in reputable malware protection products. As an example, ESET’s network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware was even created. ESET increased the protection level for this specific threat before the exploit was utilised.

Sometimes, investment in technology is not enough. Despite the immense investments in cybersecurity tech, employees remain the weakest link in an organisation’s cybersecurity environment. It costs little more than a cup of coffee to effect security awareness training for a single employee and saving the face of your organisation in the modern, digital world.

In many ways, the ubiquitous growth of Wannadecrypt0r in the modern digital age may serve as an unforgettable lesson for Kenyans; that cybersecurity is not a priority just for the Mzungu, but the Mwananchi as well.

Previous ArticleNext Article

Why Africans should be worried about PETYA 0 368

  • The malicious software has been identified as a modified version of a previously known ransomware, called Petya or Petrwrap, that has been substantially altered.
  • Due to its unique characteristics, it has been dubbed as NotPetya and ExPetya, which is currently detected by ESET as Win32/Diskcoder.C Trojan.
  • NotPetya can be termed as a worm, which can self-replicate across multiple networks. Petya uses two primary methods to spread across networks. Execution across network shares and SMB exploits
  • The current global ransomware trend utilises the EternalBlue Exploit in order to take advantage of the vast use of the Windows Operating System.
  • More than 80% of enterprise servers and endpoints in the African Digital Economy run on the Windows Operating System.
africans-worried-petya

It all begins with the MS17-010 Exploit

The EternalBlue Exploit, otherwise known as MS17-010, developed by the NSA and pilfered by the Shadow Brokers continues to open opportunities for malicious malware authors as fresh ransomware attacks continue to ravage Europe while spreading through the globe at an alarming pace.

Notably, it has become evident that in the realm of cybersecurity, the adage of once bitten, twice shy, seldom applies as unpatched computer systems have been utilised for a second time by cybercriminals to achieve exponential infection rates, reminiscent of the WannaCry nightmare that the globe experienced only two months ago.

NotPetya

The malicious software has been identified as a modified version of a previously known ransomware, called Petya or Petrwrap, that has been substantially altered, prompting a debate among researchers over whether it is new malware.

Due to its unique characteristics, it has been dubbed as NotPetya and ExPetya, which is currently detected by ESET as Win32/Diskcoder.C Trojan. If it successfully infects the MBR (Master Boot Record), it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.

How does NotPetya replicate?

In many ways, NotPetya can be termed as a worm, which can self-replicate across multiple networks. Petya uses two primary methods to spread across networks. These include:

  • Execution across network shares: It attempts to spread to the target computers by copying itself to [COMPUTER NAME]\\admin$ using the acquired credentials. It is then executed remotely using either PsExec or the Windows Management Instrumentation Command-line (WMIC) tool. Both are legitimate tools.
  • SMB exploits: It attempts to spread using variations of the EternalBlue and EternalRomance exploits.

Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved. It achieves primary access through using phishing techniques to trick administrators into running the malware with high privileges.

What institutions have been adversely affected?

africans-worried-petya

The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s Ukrenego electricity supplier, although a spokesperson said the power supply was unaffected by the attack. The attack has even affected operations at the Chernobyl nuclear power plant, which has switched to manual radiation monitoring as a result of the attack.

Infections have also been reported in more isolated devices like point-of-sale terminals and ATMs. The virus has also spread internationally. The Danish shipping company Maersk has also reported systems down across multiple sites, including the company’s Russian logistics arm Damco.

The virus also reached servers for the Russian oil company Rosneft, although it’s unclear how much damage was incurred. There have also been several recorded cases in the United States, including the pharmaceutical company Merck, a Pittsburgh-area hospital, and the US offices of law firm DLA Piper.

The attacks have been indiscriminate across every vulnerable vertical as institution after institution falls short against the unique threat posed by NotPetya.

Why Africans should be concerned about the current global ransomware trend

The current global ransomware trend, of utilising the EternalBlue Exploit in order to take advantage of the vast use of the Windows Operating System should send chills down the spines of any executive worth his salt in the African Digital Market for the following reasons.

Firstly, more than 80% of enterprise servers and endpoints in the African Digital Economy run on the Windows Operating System, thus exposing majority of our organisations to the next-generational strains of ransomware being designed by savvy malware authors. Moreover, a significant percentage of these Windows systems are run on legacy platforms such as XP and Windows Vista which exponentially increase the probability that these systems are probably unpatched.

Secondly, there is an astounding number of citizens who are unaware of the cybersecurity risks present within their daily lives. Kenya, serves as a key example to the plight of the African digital economy. With an 85.3% internet penetration rate, Kenya boasts a wealth of 37.7m netizens, actively contributing to their digital ecosystem.

Moreover, due to the proliferation of mobile banking, internet banking continues to rise within the region. However, contrary to logical perception, about 90% of Kenya’s netizens remain unaware of the increased cyber risks within their digital market. This poses a unique and advanced risk as ransomware’s primary source of entry is through A

In conclusion, new strains of ransomware seem to tactically replicate across networks utilising unpatched Windows systems and untrained company personnel through phishing e-mails to wreak havoc across targeted networks. The African Digital Economy is especially vulnerable to these risks as they exploit our unique weaknesses.

Our recommendations:

  1. Invest in new-school cybersecurity awareness training.
  2. Deploy reputable endpoint protection.
  3. Strengthen your business continuity capabilities.
  4. Evaluate and Patch Installed Software.
  5. Monitor access rights.