As of May 16, 2017, a ransomware called WannaCry has infected at least 300,000 computer systems worldwide. This attack on cybersystems is unprecedented and together with its speed of transmission, it is expected to result in more infections and the spread of the cyber contagion.
This ransomware attacks computers by freezing the computer and demanding a “ransom” of US$300.00 payable in Bitcoin so the user gets to regain control of his computer. If payment has not been immediately made, then the price escalates and after 3 days, the files will be deleted.
The attack spanned more than 100 countries and has wreaked destruction on industries as diverse as the National Health System hospitals in the UK, telecoms such as Telefonica in Spain, FedEx in the US Banks in Russia, Universities in China and train systems in Germany.
The ransomware attacks continued all throughout the weekend and more was expected upon resumption work last May, 15, 2017.
“It was essentially an indiscriminate attack across the world,” Europol director Rob Wainwright said. “It’s a massive reminder to sectors right across the world cyber security should be a topline strategic priority.”
It was also reported that the rasomware is a weaponized version of what was kept in the US National Security Agency an discovered by the perpetrators during data dump from the NSA.
In the Philippines, the Department of Justice (DOJ) instructed the National Bureau of Investigation (NBI) to tighten Philippine Cyber Security.
A large Philippine Unibank immediately rolled out a “Fix” during the weekend and is awaiting further developments. According to a source that wants to be unrevealed, the problem starts from operating systems that have not been updated with the Windows patch last March. The ransomware appears to infect unupdated operingb systems and older versions of Microsoft Windows.
There has been a “kill switch” discovered by a researcher in UK that seems to have stemmed the attacks somewhat.
Local IT experts interviewed by TechBlade gave recommendations that OS must be updated or editing the registry of the OS be undertaken as stated below:
disable SMBv1 on windows: Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1 REG_DWORD: 0 = Disabled REG_DWORD: 1 = Enabled Default: 1 = Enabled
The IT experts also added that the malware has no site so it is difficult to trace. H lso described how it functions.
"The crucial web address is found in a small section of code, the purpose of which is still unclear. When the program is infecting a new computer, it first checks an obscure web address — iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — to see if the domain is registered. As long as the domain is unoccupied, the infection proceeds, encrypting the computer’s hard drive and locking it down until the ransom is paid.if unoccupied, the system will just return an error 404, meaning the website does not exist."
Last May 16, 2017, cybersecurity firms hava already attributed the attack as coming from North Korea. “We believe this might hold the key to solve some of the mysteries around this attack,” said researchers at the Russian-based security firm Kaspersky, adding that further research was needed.
Israeli-based security firm Intezer Labs said it agreed with the North Korea attribution.
A second wave of attacks is also expected.
0 Comments