Computers across the world were rendered useless on Friday. The files of the users were held for ransom when dozens of countries were hit in a cyber-extortion attack that targeted hospitals, companies and government agencies.
Going by the name of WannaCry, the ransomware attack was indeed a massive extortion onslaught which managed to wreak havoc, crippling systems worldwide.
Here's a look at how malwares and ransomwares work and what people can do if they fall victim to such attacks.
WHAT IS MALWARE AND RANSOMWARE?
Malware is a general term that refers to a computer program that's harmful to your computer, said John Villasenor, a professor at the University of California, Los Angeles.
Ransomware is a type of malware that essentially takes over a computer and prevents users from accessing data on their own computer until a ransom is paid, he said.
HOW DOES YOUR COMPUTER BECOME INFECTED WITH RANSOMWARE?
In most cases, the malicious program infects computers through links or attachments in messages known as phishing emails.
"The age-old advice is to never click on a link in an email," said Jerome Segura, a senior malware intelligence researcher at Malwarebytes, a San Jose-based company that has released anti-ransomware software.
"The idea is to try to trick the victim into running a malicious piece of code."
The malicious program is usually hidden within the links or attachments which come in emails. The clickbait might just compel the user to click on the link. When the user clicks on such links or downloads such documents, it is then when the malware is installed in the background without the knowledge of the user.
BUT HOW DOES A RANSOMWARE WORK?
"Ransomware, like the name suggests, is when your files are held for ransom," said Peter Reiher, an adjunct professor at UCLA who specialises in computer science and cybersecurity.
"It finds all of your files and encrypts them and then leaves you a message. If you want to decrypt them, you have to pay."
The ransomware encrypts data on the computer using an encryption key that only the attacker knows. If the ransom isn't paid, the data is often lost forever.
When the ransomware takes over a computer, the attackers are pretty explicit in their demands, Segura said.
In most cases, they change the wallpaper of the computer and give specific instructions telling the user how to pay to recover their files.
Most attackers demand between $300 and $500 to remove the malicious ransomware; the price can double if the amount isn't paid within 24 hours.
Law enforcement officials have discouraged people from paying these ransoms.
HOW CAN PEOPLE PREVENT ATTACKS LIKE THESE?
The first step is being cautious, experts say. But Villasenor said there is "no perfect solution" to the problem.
Users should regularly back up their data and ensure that security updates are installed on your computer as soon as they are released. Up-to-date backups make it possible to restore files without paying a ransom.
MICROSOFT TAKES THE RANSOMWARE'S HIT
Friday's attack exploited vulnerabilities in some versions of Microsoft Windows. Microsoft has released software patches for the security holes, although not everyone has installed those updates.
Microsoft released a patch (MS17-010) for the vulnerability on March 14, 2017. However, many users have not yet installed the patch on their computers.
Screenshot: Microsoft Website
According to the company, WannaCry ransomware apparently affected computers that have not applied the patch yet.
"If your software is not patched, you can exploit that user. Anyone who applied the patch that Microsoft released likely wasn't affected by this," Reiher said.
Users should also look for malicious email messages that often masquerade as emails from companies or people you regularly interact with online.
It's important to avoid clicking on links or opening attachments in those messages, since they could unleash malware, Villasenor said.
The company also said that WanaCrypt0r 2.0 uses an exploit code that was designed to work only against unpatched Windows 7 and Windows Server 2008 or earlier operating systems. Therefore, PCs running on Windows 10 are not affected by this ransomware attack.
WANNACRY RANSOMWARE
The troublesome ransomware did have its impact globally but a small mistake by the cyber-criminals helped a young security researcher discover a "kill switch" that can disable all functionality of the "WanaCrypt0r 2.0" (aka WannaCry or WCry) ransomware and stop it from spreading further, at least for now, according to an International Business Times report.
After running the ransomware on a victim's computer, the WannaCry ransomware tries to connect to an unregistered domain.
The 22-year-old researcher came across this domain and found that registering the domain name prevented it from spreading.
According to the researcher, "a bit of analysis" led him to the discovery of this unregistered domain, but finding the kill switch was accidental.
WANNACRY RANSOMWARE AND INDIA
The ransomware has affected as many as 79 countries but India is largely safe.
After the systems were hit globally, Gulshan Rai, the Cyber Security Chief in the PMO, said a better impact assessment would be possible only on Monday when offices open, according to The Hindu.
Referring to the malware that penetrated the police cyber networks in Andhra Pradesh, Mr Rai said, "Since this has happened here on the weekend, we are expecting a better impact assessment on Monday."
CERT-In also explained that the WannaCry ransomware encrypts the computer's hard drive and then spreads laterally between computers on the same local area network.
Pradipto Chakrabarty, Regional Director, CompTIA India told The Hindu that the police system in Andhra Pradesh was impacted which may be "because they were using an older version of Microsoft operating system and poor patch maintenance".
According to Moscow-based cybersecurity and anti-virus company Kaspersky, it recorded 45,000 WannaCry attacks in malware-hit countries out of these, about 5 per cent attacks were in India.
SOME TECHNICAL DETAILS ON HOW TO PROTECT AGAINST WANNACRY
- Apply Windows update MS17-010.
- Disable the outdated protocol SMBv1.
- Add a rule on your router or firewall to block incoming SMB traffic on port 445.
- Enable Windows Defender Antivirus to detect this ransomware. (It identifies the ransomware as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update)
- Use Office 365 Advanced Threat Protection, which can block dangerous email threats, such as the emails carrying ransomware using its machine-learning capability.
- Monitor your network with Windows Defender Advanced Threat Protection.
No comments:
Post a Comment