Yesterday, 5/12/2017, the world saw a massive ransomware cyberattack codenamed WannaCry that spread globally in only a matter of minutes. Many websites will share analysis of the attack, but for now we need to be aware of how to secure ourselves against it. WannaCry, like every other ransomware, encrypts your files and demands a ransom in Bitcoin to decrypt them.
How does WannaCry spread?
The ransomware spreads conveniently through spam email. These messages are typically fake invoices or job offers sent to random email addresses. The email carries a .zip attachment that launches the WannaCry malware and infects the PC.
The attack then spreads across internal networks through P2P exploitation of an SMB (Server Message Block) vulnerability in the Windows operating system, which means that once a single machine on your network has been infected, all other machines will probably be infected too.
What to do if you are attacked?
As of now there is no way of recovering your files. I will update this space whenever a solution is available.
How to protect yourself from WannaCry?
WannaCry exploits a vulnerability in Microsoft’s Windows. However, Microsoft discovered this vulnerability and patched it in March. If you have Windows Update enabled, you are already protected.
Here’s a link to Microsoft’s website for the update patches.
There are various IDS rules available that can help stop the spread of this attack. Here is one that you can use in Snort or any other IDS; it triggers whenever WannaCry pops up on your network. Install it on your IDS and watch for its activation:
$HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.
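To see what the two content matches in the rule above actually test, here is an added example (not part of the original post or of any IDS) that applies the same byte patterns, with the depth and distance semantics, to constructed SMB1 echo responses. The function names and sample payloads are assumptions made for illustration; the flow direction and the flowbits condition, whose name is cut off above, are not modelled.

```python
# Added example (not from the original post): offline check of the two
# "content" matches in the rule above. All sample payloads are constructed.

# First content, depth:16 -> must lie within the first 16 payload bytes.
# NetBIOS session header (length 0x31) + start of the SMB1 header.
HEADER = bytes.fromhex("00 00 00 31 ff") + b"SMB" + bytes.fromhex("2b 00 00 00 00 98 07 c0")
HEADER_DEPTH = 16
# Second content, distance:0 -> anywhere after the end of the first match.
ECHO_DATA = bytes.fromhex("4a 6c 4a 6d 49 68 43 6c 42 73 72 00")


def build_echo_response(data: bytes) -> bytes:
    """Construct an SMB1 echo response carrying `data` (test input only)."""
    smb = b"\xffSMB" + b"\x2b" + b"\x00" * 4 + b"\x98" + b"\x07\xc0" + b"\x00" * 20
    body = b"\x01" + b"\x01\x00" + len(data).to_bytes(2, "little") + data
    msg = smb + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def describe_header(payload: bytes) -> dict:
    """Decode the fields that the first content match pins to fixed values."""
    return {
        "netbios_length": int.from_bytes(payload[1:4], "big"),
        "command": payload[8],  # 0x2b is the SMB1 echo command
        "status": int.from_bytes(payload[9:13], "little"),
        "flags": payload[13],
        "flags2": int.from_bytes(payload[14:16], "little"),
    }


def matches_rule(payload: bytes) -> bool:
    """True if a server-to-client payload satisfies both content options."""
    start = payload[:HEADER_DEPTH].find(HEADER)
    if start == -1:
        return False
    return payload.find(ECHO_DATA, start + len(HEADER)) != -1


if __name__ == "__main__":
    samples = {
        "rule pattern": build_echo_response(ECHO_DATA),
        "benign echo, other length": build_echo_response(b"ping\x00"),
        "benign echo, same length": build_echo_response(b"A" * 12),
    }
    for name, payload in samples.items():
        print(f"{name}: match={matches_rule(payload)} {describe_header(payload)}")
```

Because the first pattern fixes the NetBIOS length at 0x31, an echo response with a payload of any other length fails the header match before the echo data is even examined.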