RANSOMWARE EXTORTION: SOME FAQs

1. Security tips to Protect against Ransomware

  • Backup is the best strategy against RANSOMWARE
  • Make sure you are running the latest version of your operating system with the latest security updates installed, and run up-to-date anti-virus software from a trusted company. Keep your device’s software up to date: regularly running Windows Update or the Software Update feature on a Mac will help insulate you from problems, and you can also set your devices to install those updates automatically. Hackers count on complacency.
  • Create backups of your most important files, either by copying them to an external hard drive (offline) or by storing them in a cloud-based storage service (online).
  • Use a password manager to create and keep track of unique, hard-to-break passwords for each of your services. It’s a little counterintuitive, but experts say it’s much more secure than the alternative, which is reusing the same password across multiple websites.
  • Remember to treat unexpected emails with caution, and read up on phishing – one of the most common types of social engineering attacks used by attackers to compromise machines.
  • Newer versions of Microsoft antimalware software detect malware and threats more effectively by using behaviour monitoring together with MAPS (Microsoft Active Protection Service). Customers are recommended to enable MAPS to get this extra protection.
  • Although this strain of ransomware was not spread by email, always be wary of suspicious emails asking you to click links or download attachments.
  • Criminals will often use a widely publicised virus outbreak to send scam emails, pretending to offer help.

 

2. Is the Ransomware effective only if the user has administrative rights on the client machine?

No. This piece of ransomware, like most others, once executed encrypts all files it can reach in the context of the user who ran it; if that user is an admin on the box, the outcome is more devastating. In addition, this ransomware also tries to disable shadow copies and make some registry changes in the HKLM hive, which require administrative privileges.

When it tries to spread it uses a vulnerability which, once exploited, gives the malware SYSTEM-level access on the target system. All this means that the attack may be very successful and destructive even if the users don’t have admin privileges on their unpatched workstations and servers.

 

3. Does disabling only the SMBv1 server (LanmanServer) on all our machines protect us from this vulnerability?

Patch installation would be the first option. To answer the question: yes, SMBv1 should be removed, but in a planned way. Please refer to the link below: Stop using SMB1

 

4. Do we need to disable SMB v1 client (Lanmanworkstation) as well on all our machines?

No. Only the SMBv1 server component (Lanmanserver) on the client machine needs to be disabled, not the SMBv1 client component (Lanmanworkstation) on the client machine.

 

5. What is the impact of removing SMBv1?

  • You are still running XP or WS2003 under a custom support agreement
  • Windows XP will not be able to access shares on a Windows 2003 Server or any other operating system
  • Windows Vista and later operating systems will not be able to access shares on a Windows 2003 member server or domain controller (if you still have them in the environment)
  • You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list
  • You run old multi-function printers with antique firmware in order to “scan to share”

When you use SMB1, you lose key protections offered by later SMB protocol versions:

  • Pre-authentication integrity: protects against security downgrade attacks.
  • Secure dialect negotiation: protects against security downgrade attacks.
  • Encryption: prevents inspection of data on the wire and MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!
  • Insecure guest auth blocking (SMB 3.0+ on Windows 10+): protects against MiTM attacks.
  • Better message signing: HMAC-SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02 and SMB 2.1, and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and SMB3.

 

6. If we have to disable the SMBv1 server service, what are the registry values to disable it?

On operating systems older than Windows 8.1 and Windows Server 2012 R2 you can’t remove SMB1, but you can disable it: KB 2696547 - How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

You can enable SMBv1 usage auditing on Windows 10 and Windows Server 2016, but there isn’t an easy way to tell whether it’s actually in use on older versions of Windows.

 

7. How do we know SMB v1 is active in our environment?  Can we proactively check it?

Yes. Please test this before using it in the production environment. Windows Server 2016 and Windows 10 provide a way to audit usage of SMBv1.
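The following PowerShell is an added example (not part of the original FAQ or of any Microsoft article it links to) that ties questions 6 and 7 together: it turns on SMB1 access auditing where the OS supports it, reads the resulting audit events, and then disables the SMBv1 server component using the KB 2696547 registry value or the SMB cmdlet. It assumes an elevated session on Windows 7 / Server 2008 R2 or later; the cmdlet-based steps need Windows 8 / Server 2012 or later and the audit setting Windows 10 / Server 2016.

```powershell
# Added example, not from the original FAQ. Inventory and disable the SMBv1 *server*
# component (LanmanServer) and enable SMB1 access auditing where available.
# Run elevated; test on non-production hosts first (see question 7).

# 1. Current server-side SMB1 state (Windows 8 / Server 2012 and later).
$cfg = Get-SmbServerConfiguration
"SMB1 server enabled : $($cfg.EnableSMB1Protocol)"

# 2. Windows 10 / Server 2016: audit SMB1 access *before* removing it, so you learn
#    which clients still negotiate SMB1. Each SMB1 connection is logged as event
#    ID 3000 in the Microsoft-Windows-SMBServer/Audit log.
if ($cfg.PSObject.Properties['AuditSmb1Access']) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        Select-Object TimeCreated, Message |
        Format-List
}

# 3a. Vista / 7 / 2008 / 2008 R2 / 2012: the registry value documented in KB 2696547
#     (question 6). SMB1 = 0 disables the SMBv1 server; a restart is required.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force

# 3b. Windows 8 / Server 2012 and later: the cmdlet does the same, no restart needed.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3c. Windows 8.1 / Server 2012 R2 and later can remove SMB1 entirely rather than just
#     disabling it (question 6). Client SKUs use the optional feature, servers the role:
#     Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
#     Remove-WindowsFeature FS-SMB1

# 4. Verify. Lanmanworkstation (the SMBv1 client, question 4) is untouched by all of the above.
(Get-SmbServerConfiguration).EnableSMB1Protocol   # expect False
(Get-ItemProperty -Path $params).SMB1             # expect 0
```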

 

8. Is Windows 10 affected as of now?

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems, so Windows 10 PCs are not affected by this attack as of now.
Customers running Windows 10 were not targeted by the attack today.

That being said, Windows 10 systems also need to be patched, because new variants can be developed. In addition, it is recommended to remove SMBv1 from the clients and Windows servers after doing a complete review of the article mentioned below.

 

9. How is the aftermath of the ransomware harming INDIA?

It has not harmed India as much as other countries. The mutual fund and broking industries were not affected by the malware attack, said top officials. “All exchange operations went on normally,” said Ashishkumar Chauhan, MD & CEO, BSE.

RBI has asked banks to functionalise their ATMs only after software updates are installed.

The systems run by the National Informatics Centre, which maintains the government’s online infrastructure, were secure and protected, the Minister said. A cyber coordination centre to take precautions against such attacks would start operations by June, and a software upgrade of all government systems will also be in place by then, he said.

The banking sector has been upgrading software since the attack came to light. Though most of the main financial systems are under strong defences, the front-end software is exposed and is now being secured.

 

10. What about Windows 2003 R2?

The Windows 2003 update should get applied on Windows 2003 R2 as well.

 

11. Will installing the patch prevent ransomware infections?

No. Applying MS17-010 only prevents the malware from spreading; it does not give protection against the infection itself. Based on reports, this malware is using social engineering to target companies. Please warn your users not to open, click or enable macros on emails they receive.

  • The priority is that your anti-virus can detect the malware.
  • Verify that you have up-to-date signatures, along with patching the Windows systems.
  • Make sure that users have the level of knowledge required to never click on suspicious attachments, even if they are displayed with a familiar icon (Office or PDF document). Where opening an attachment offers to execute an application, users must under no circumstances accept the execution; if in doubt, users should consult the administrator.

 

12. Where can I find the official guidance from Microsoft?

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

13. Is the update available for Windows 2003 & Windows XP as well?

Yes. The link to download the update is available at the end of this article:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

14. Will the update run on unlicensed Windows?

It is recommended that the update be applied on licensed Windows.

 

15. What are Bitcoins? Are there other ways to pay?

Bitcoin is a kind of electronic currency that uses peer-to-peer (P2P) networks to track and verify transactions. Bitcoins can be used to pay for various online services like web hosting, mobile app development and even cloud file storage, and for products like games, music, gift cards and books. Bitcoin use is not limited to online transactions; the important point is that the bitcoin system does not have a central authority controlling this form of currency, which is why cyber criminals usually use it as their mode of payment.

 
