Showing posts with label Security Attacks. Show all posts
Showing posts with label Security Attacks. Show all posts

Wednesday, 17 May 2017

Ransomware virus attack




What is Ransomware? 


Ransomware is a malicious software that encrypts the files and locks device, such as a computer, tablet or smartphone and then demands a ransom to unlock it. Recently, a dangerous ransomware named 'Wannacry' has been affecting the computers worldwide creating the biggest ransomware attack the world has ever seen. This has affected computers in India also. 




 What is WannaCry Ransomware?


WannaCry ransomware attacks windows based machines. It also goes by the name WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY.It leverages SMB exploit in Windows machines called EternalBlue to attack and inject the malware. All versions of windows before Windows 10 are vulneable to this attack if not patched for MS-17-010. After a system is affected, it encrypts the files and shows a pop up with a countdown and instructions on how to pay the 300$ in bitcoins to decrypt and get back the original files. If the ransom is not paid in 3 days, the ransom amount increases to 600$ and threatens the user to wipe off all the data. It also installs DOUBLEPULSAR backdoor in the machine. 


How it spreads? 


It uses EternalBlue MS17-010 to propagate. The ransomware spreads by clicking on links and downloading malicious files over internet and email. It is also capable of automatically spreding itself in a network by means of a vulneability in Windows SMB. It scans the network for specific ports, searches for the vulneability and then exploits it to inject the malware in the new machine and thus it spreads widely across the network. 



 What can you do to prevent infection?



Microsoft has released a Windows security patch MS17-010 for Winodws machines. This needs to be applied immediately and urgently. 
Remove Windows NT4, Windows 2000 and Windows XP-2003 from production environments. 
Block ports 139, 445 and 3389 in firewall. 
Avoid clicking on links or opening attachments or emails from people you don't know or companies you don't do business with. 
SMB is enabled by default on Windows. Disable smb service on the machine by going to Settings > uncheck the settings > OK 
Make sure your software is up-to-date. 
Have a pop-up blocker running on your web browser. 
Regularly backup your files. 
Install a good antivirus and a good antiransomware product for better security 
Below is a consolidated list that we need to block on you firewall/antivirus 



IPs 

16.0.5.10:135 
16.0.5.10:49 
10.132.0.38:80 
1.127.169.36:445 
1.34.170.174:445 
74.192.131.209:445 
72.251.38.86:445 
154.52.114.185:445 
52.119.18.119:445 
203.232.172.210:445 
95.133.114.179:445 
111.21.235.164:445 
199.168.188.178:445 
102.51.52.149:445
183.221.171.193:445 
92.131.160.60:445 
139.200.111.109:445 
158.7.250.29:445 
81.189.128.43:445 
143.71.213.16:445 
71.191.195.91:445 
34.132.112.54:445 
189.191.100.197:445 
117.85.163.204:445 
165.137.211.151:445 
3.193.1.89:445 
173.41.236.121:445 
217.62.147.116:445 
16.124.247.16:445 
187.248.193.14:445 
42.51.104.34:445 
76.222.191.53:445 
197.231.221.221:9001 
128.31.0.39:9191
149.202.160.69:9001 
46.101.166.19:9090 
91.121.65.179:9001 
2.3.69.209:9001 
146.0.32.144:9001 
50.7.161.218:9001 
217.79.179.177:9001 
213.61.66.116:9003 
212.47.232.237:9001 
81.30.158.223:9001 
79.172.193.32:443 
38.229.72.16:443 


Domains:-

• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com 
• Rphjmrpwmfv6v2e[dot]onion 
• Gx7ekbenv2riucmf[dot]onion 
• 57g7spgrzlojinas[dot]onion 
• xxlvbrloxvriy2c5[dot]onion 
• 76jdd2ir2embyv47[dot]onion 
• cwwnhwhlz52maqm7[dot]onion 


File Names:-

• @Please_Read_Me@.txt 
• @WanaDecryptor@.exe 
• @WanaDecryptor@.exe.lnk 
• Please Read Me!.txt (Older variant) 
• C:\WINDOWS\tasksche.exe 
• C:\WINDOWS\qeriuwjhrf 
• 131181494299235.bat 
• 176641494574290.bat 
• 217201494590800.bat 
• [0-9]{15}.bat #regex 
• !WannaDecryptor!.exe.lnk 
• 00000000.pky 
• 00000000.eky 
• 00000000.res 
• C:\WINDOWS\system32\taskdl.exe 





at No comments:
Labels:

Sunday, 14 May 2017

Microsoft warns ransomware cyber-attack is a wake-up call


Ransomware Cyber-Attack:

A cyber-attack that has hit 150 countries since Friday should be treated by governments around the world as a "wake-up call", Microsoft says.






It blamed governments for storing data on software vulnerabilities which could then be accessed by hackers.

It says the latest virus exploits a flaw in Microsoft Windows identified by, and stolen from, US intelligence.

There are fears of more "ransomware" attacks as people begin work on Monday, although few have been reported so far.

Many firms have had experts working over the weekend to prevent new infections. The virus took control of users' files and demanded $300 (£230) payments to restore access.

The spread of the virus slowed over the weekend but the respite might only be brief, experts have said. More than 200,000 computers have been affected so far.




  • Is my computer at risk?
  • Blogger halts ransomware 'by accident'
  • How roots can be traced to the US
  • 'Use NHS wisely' amid cyber-attack
But on Monday South Korea said just nine cases of ransomware had been found, giving no further details.

Australian officials said so far only three small-to-medium sized businesses had reported being locked out of their systems while New Zealand's ministry of the business said a small number of unconfirmed incidents were being investigated.

In Japan, both Nissan and Hitachi reported some units had been affected, while in China energy giant PetroChina said that at some petrol stations customers had been unable to use its payment system.
'Like stealing Tomahawks'

A statement from Microsoft president and chief legal officer Brad Smith on Sunday criticised the way governments store up information about security flaws in computer systems.


"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," he wrote.




"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."

He added: "The governments of the world should treat this attack as a wake-up call."
The organization also said that many organizations had failed to keep their systems up to date, allowing the virus to spread.

Microsoft said it had released a Windows security update in March to tackle the problem involved in the latest attack, but many users were yet to run it.

"As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," Mr Smith said.

Analysis: 

There are going to be some tough questions on Monday for those institutions which didn't do enough to keep their networks secure, as well as the organizations that were best placed to stop it happening in the first place - the NSA and Microsoft.

The NSA keeps a chest of cyber weapons to itself so it can hit targets, but Microsoft has long argued that this is dangerous. If there is a flaw in Windows, the company said, surely the safest thing to do is to let its team know straight away so it can be fixed.

But then Microsoft also needs to consider what obligation it has to update all users - not just the ones who pay extra for security on older systems.

Updating your computer if you're an individual is a piece of cake, but for a network the size of Britain's National Health Service?

 Tough - time-consuming, expensive and complex.
For a company like Microsoft to say it won't keep those systems safe unless they shell out more money, then that in itself is something of a ransom.



Meanwhile, Europol's chief told the BBC the ransomware was designed to allow "infection of one computer to quickly spread across the networks", adding: "That's why we're seeing these numbers increasing all the time."

Although a temporary fix earlier slowed the infection rate, the attackers had now released a new version of the virus, he said.

A UK security researcher known as "MalwareTech", who helped to limit the ransomware attack, predicted, "another one coming... quite likely on Monday".

MalwareTech, who wants to remain anonymous, was hailed as an "accidental hero" after registering a domain name to track the spread of the virus, which actually ended up halting it.

Becky Pinkard, from Digital Shadows, a UK-based cyber-security firm, told AFP news agency that it would be easy for the initial attackers or "copy-cat authors" to change the virus code so it is difficult to guard against.

"Even if a fresh attack does not materialize on Monday, we should expect it soon afterward," she said.


In England, 48 National Health Service (NHS) trusts reported problems at hospitals, doctor surgeries or pharmacies, and 13 NHS organizations in Scotland were also affected.
Other organisations targeted worldwide included Germany's rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, French carmaker Renault, US logistics giant FedEx and Russia's Interior Ministry.





Massive Ransomeware attack...Total 74 countries affected...Please do not open any email which has attachments with "tasksche.exe" file. Please send this important message to all your computer users
By now all of we have heard of the global ransomware attack. It has created a lot of confusions in the mind of computer users. Over 60,000 companies of more than 100 countries have become the victim of this malware. So how this ransomware works and what are the possible solutions......

 The term 'RANSOMWARE' itself gives the idea of its nature. It is somehow related to some kind of ransom. Yes, exactly it is. It is a type of malware which gets into your computer and locks down all the files. Afterwards it seeks for money from the user in order to get access to the locked files. The recent ransomwares are smarter than ever. It just not only locks down the files rather it encrypts the files which makes it really impossible to crack open the locked files. As a result the users do not have any other way to regain access to their locked files but to pay the money and get the decryption code.

 So how does it get into your computer..???

 The easiest to get into someone's computer is through attachments of spam emails or by entering into any unknown link. The extension of these files are different than the conventional files. Usually users turn off the file extensions, so they can not know what kind of file they are clicking on. The virus file pretends like a doc file or any other text file. But if you turn on the file extension of your computer you will see that the file extensions are different. As you click on the file all your data start encrypting and eventually asking you for ransom.

 In case if you are interested these are the possible real extensions of ransomware files......( .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters.)

 The recent ransomware which is causing mass loss is known as #WannaCry. This asks for opening a javascript file in your email in the format (.js). So it is now recommended not to open any unknown attachments sent through emails.

 How to recover a ransomware infected computer........?

 Well, for now there is no way to open the encrypted files. As I mentioned earlier you have to pay through bitcoins in order to get the decryption code.

 Safety measures :

 1. Keep your Operating System up to date.
2. Keep you Anti-Virus up to date.
3. Create back up for the most important files either in a secured hard drive or in a secured cloud storage.
4. Do not open any email attachments from unknown senders.
5. Be careful while opening and downloading from any unknowing third party websites.
Stay safe.......... :)



at 6 comments:
Labels:
Subscribe to: Comments (Atom)