What to do now !!! It’s Not Over, WannaCry 2.0 …

The Hacker News just announced “It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No ‘Kill-Switch’

“The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack,” Microsoft says.

And so ??? What to do

As a CISO and Cyber Security consultant working for companies with fragile asset or sensible information or process, it is critical to call for a Crisis Meeting to prepare today’s and Monday’s actions:

  1. Explain the situation and
  2. Explain the preventive measures in play to both stop the WannaCryptor Ransomware from infecting a computer and limit the damage done to data if an infection does occur;
  3. Ask for some preparation and feedback about IT Systems :
    1. Do we have fresh backups of critical systems and others important machines that run our Business and support ?  It is essential to have a reliable backup method that ensures that computer users and IT servers can recover their files from the backup copy rather than having to pay the WannaCryptor Ransomware ransom amount to recover their files after an attack.
    2. Force internal AntiVirus definition updates and upgrade the old AV versions (because there are some obsolete AV in your computer park);
    3. Are Internal servers protected behind NextGen Firewalls that can block SMBv1;
    4. Install Security Patches & Disable SMBv1 where you can plan a maintenance. As we notified today, Microsoft took an unusual step to protect its customers with an unsupported version of Windows — including Windows XP, Vista, Windows 8, Server 2003 and 2008 — by releasing security patches that fix SMB flaw currently being exploited by the WannaCry ransomware.
  4. Do a communication to the internal staff, consultants and 3rd parties who will use internal systems. Because of this, threats like the WannaCryptor Ransomware relies on social engineering, deception, and manipulating human error overwhelmingly, to ensure that the victims themselves install the WannaCryptor Ransomware by opening a fake application or a corrupted spam email attachment. It is because of this that education and training are such an important part of dealing with and preventing attacks like the WannaCryptor Ransomware and other Trojans.

1) 7 Easy Steps to Protect Yourself

Currently, there is no WannaCry decryption tool or any other solution available, so users are strongly advised to follow prevention measures in order to protect themselves.
  • Keep your system Up-to-date: First of all, if you are using supported, but older versions of Windows operating system, keep your system up to date, or simply upgrade your system to Windows 10.
  • Using Unsupported Windows OS? If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.
  • Enable Firewall: Enable firewall, and if it is already there, modify your firewall configurations to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.
  • Disable SMB: Follow steps described by Microsoft to disable Server Message Block (SMB).
  • Keep your Antivirus software up-to-date: Virus definitions have already been updated to protect against this latest threat.
  • Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.
  • Beware of Phishing: Always be suspicious of uninvited documents sent an email and never click on links inside those documents unless verifying the source.

2) Some Details about the WannaCryptor Ransomware Attack

The WannaCryptor Ransomware uses the AES-128 encryption to encrypt the victim’s files. The WannaCryptor Ransomware will search for the following file types on the victim’s computer, encrypting them during the attack:

.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .aes, .ai, .ARC, .asc, .asf, .asp, .avi, .backup, .bak, .bmp, .brd, .c, .cgm, .class, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .dif, .dip, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .n, .nef, .odb, .odg, .odp, .ods, .odt, .ost, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sin, .slk, .sql, .sqlite3, .sqlitedb, .stc, .std, .stw, .suo, .swf, .sxc, .sxd, .sxm, .sxw, .tar, .tarbz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip.

Be the first to comment

Leave a Reply

Your email address will not be published.