All about the WannaCry cyber attack

WannaCry is without doubt the biggest ransomware attack the world has ever seen. Though the impact has been thwarted to a certain extent, it is feared that ransomware could be back in a big way.

How to tackle this new menace?

He says the bug taps into the NSA's ETERNALBLUE exploit, originally devised to leverage a Microsoft Windows SMB vulnerability (addressed in MS17-010), with the creators of WannaCry integrating this critical exploit into the worm module, or initial dropper.

The ransomware has also been observed making use of the NSA's DOUBLEPULSAR backdoor.

What are the affected products?

All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. Windows XP and Windows Vista users are completely vulnerable, as both of these operating systems no longer receive updates and security patches. As a special case, Microsoft has pushed updates for older operating systems and promised more. Refer to the CVEs listed in IOCs – WANNACRY RANSOMWARE.xlsx.

How does it impact you?

Once the initial worm module is introduced to a system, it creates two threads: one that scans hosts on the LAN, and another that is spawned 128 times and scans hosts on the wider Internet. The LAN-based scanning uses port 445 and attempts to exploit the discovered systems using MS17-010/ETERNALBLUE.

The second thread scans the Internet by generating random IP addresses. If a connection to port 445 on that random IP address succeeds, the entire /24 range is scanned, and wherever port 445 is found open, exploit attempts are made. So if the target network has the vulnerability unpatched, there is a high chance it will be affected.
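As an added example (not part of the original article), the following Python detection sketch flags hosts whose outbound TCP/445 fan-out matches the LAN and /24 sweeping behaviour described above. The flow records are constructed, and the distinct-destination threshold and sweep fraction are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
import ipaddress

# Constructed flow records (src_ip, dst_ip, dst_port), not real telemetry.
NORMAL_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445),       # ordinary file-server access
    ("10.0.0.5", "10.0.0.20", 445),
    ("10.0.0.7", "10.0.0.20", 445),
    ("10.0.0.7", "10.0.0.21", 445),
    ("10.0.0.5", "198.51.100.10", 443),   # HTTPS, irrelevant to the SMB check
]
# One infected host sweeping its own /24, then a remote /24 after a random hit.
WORM_FLOWS = [("10.0.0.9", f"10.0.0.{i}", 445) for i in range(1, 255)]
WORM_FLOWS += [("10.0.0.9", "203.0.113.77", 445)]            # random Internet probe
WORM_FLOWS += [("10.0.0.9", f"203.0.113.{i}", 445) for i in range(1, 255)]


def smb_sweep_suspects(flows, distinct_threshold=20, sweep_fraction=0.5):
    """Return {src: {"distinct_dsts": n, "swept_subnets": [...]}} for sources whose
    TCP/445 fan-out reaches distinct_threshold. A /24 counts as swept when the
    source contacted at least sweep_fraction of its 254 host addresses.
    Thresholds are assumed values, not derived from the article."""
    dsts = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445:                  # only SMB traffic is relevant here
            dsts[src].add(dst)
    suspects = {}
    for src, targets in dsts.items():
        if len(targets) < distinct_threshold:
            continue
        per_net = defaultdict(int)
        for ip in targets:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            per_net[str(net)] += 1
        swept = sorted(n for n, c in per_net.items() if c >= sweep_fraction * 254)
        suspects[src] = {"distinct_dsts": len(targets), "swept_subnets": swept}
    return suspects


if __name__ == "__main__":
    for src, info in smb_sweep_suspects(NORMAL_FLOWS + WORM_FLOWS).items():
        print(f"{src}: {info['distinct_dsts']} distinct TCP/445 peers, "
              f"swept /24s: {', '.join(info['swept_subnets']) or 'none'}")
```

A legitimate file server's clients touch a handful of SMB peers, while a propagating worm host touches hundreds across whole /24 ranges; the same logic maps onto firewall or NetFlow exports by replacing the constructed tuples.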

