Kaspersky Lab has analyzed the data and found at least 45,000 attacks in 74 countries, the majority of them in Russia.
The malicious code infects the computer and extorts the victim by exploiting the Microsoft Windows vulnerability described in Microsoft Security Bulletin MS17-010 and fixed by its patch. The exploit it uses, "EternalBlue", was published in the Shadow Brokers dump on April 14, 2017.
Before the news about this malicious code broke in the press, Kaspersky Lab's products had already detected and blocked a large number of ransomware attacks around the world. In this attack, the data is encrypted and the extension ".WCRY" is appended to the file name.
How does Kaspersky Lab block WannaCry?
Kaspersky Lab's security solutions detect the ransomware associated with WannaCry, keeping individual and business users safe from this dangerous outbreak.
The System Watcher component (System Monitor) in Kaspersky Internet Security for home users and Kaspersky Security for Business is critical for shielding user data from WannaCry or any other ransomware. System Watcher can roll back the changes made by ransomware in case a malicious sample has gotten past the other defensive layers.
In addition, the Intrusion Detection technology in Kaspersky Lab's solutions can stop WannaCry infection at the network level.
Kaspersky Lab's findings on WannaCry are as follows:
The malware targets files with the following groups of extensions for encryption:
- Common Office files (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and country-specific Office formats (.sxw, .odt, .hwp).
- Archive and media files (.zip, .rar, .tar, .bz2, …, .mkv, .mp4).
- Emails and email databases (.eml, .msg, .pst, .ost, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb).
- Developer source code and project files (.php, .java, .cpp, …, .asm).
- Encryption keys and certificates (.pfx, .key, .pem, .p12, .csr, .gpg, .aes).
- Graphic design files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
Kaspersky Lab's experts are currently investigating whether a decryption tool can be created to help the victims. Users can monitor the website www.nomoreransom.org for a suitable decryptor.
How to fight the WannaCry malicious code?
- Ensure that all computers have security software installed and that its anti-ransomware component is turned on.
- Install the official patch (MS17-010) from Microsoft, which fixes the SMB Server vulnerability exploited in this attack.
- Ensure that the System Watcher component of Kaspersky Lab's products is enabled (status: Enable).
- Run a Critical Area Scan in Kaspersky Lab's solutions to detect the infection as quickly as possible (otherwise the infection will still be detected automatically, but only within the next 24 hours).
- If an attack by malware detected as MEM:Trojan.Win64.EquationDrug.gen is found, reboot the system.
- Once again, make sure the MS17-010 patch is installed.
- Back up data regularly to a host that is not connected to the Internet.
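The following PowerShell script is an added example for checking the patch and SMB items of the list above on a single Windows host; it is not Kaspersky Lab's code and is not taken from the original article. It assumes that the KB numbers listed in it are the ones Microsoft's MS17-010 bulletin assigns to each Windows version (confirm them for your exact build), and it uses only standard cmdlets (Get-HotFix, Get-SmbServerConfiguration, Get-ItemProperty, Get-NetTCPConnection); the function names are this example's own.

```powershell
# Added example (not Kaspersky Lab's code): local checklist for the MS17-010 / SMB mitigations.
# Assumption: the KB numbers below are the MS17-010 updates per Windows version as listed in
# Microsoft's bulletin; verify them against the bulletin for your exact build.
# Run in an elevated PowerShell on the host being checked.

$Ms17010Kbs = @(
    'KB4012598',                             # Vista / Server 2008, and the out-of-band XP / 2003 / 8 update
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Hotfix {
    # Returns the installed hotfixes whose ID is on the MS17-010 list (nothing if none).
    Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
}

function Test-Smb1ServerEnabled {
    # EternalBlue abuses the SMBv1 server; disabling SMBv1 is defence in depth on top of the patch.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; on older systems
    # fall back to the LanmanServer\Parameters\SMB1 registry value (absent means enabled).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -eq $reg) { return $true }
    return ($reg.SMB1 -ne 0)
}

function Test-Smb445Listening {
    # True if the SMB port is open on any interface; such hosts must not be reachable from the Internet.
    $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}

$hotfix = @(Get-Ms17010Hotfix)
if ($hotfix.Count -gt 0) {
    "MS17-010 hotfix installed: $($hotfix.HotFixID -join ', ')"
} else {
    # On Windows 10 a later cumulative update supersedes these KBs, so absence is not proof of
    # exposure there; on Windows 7 / 8.1 / Server it means the host is still vulnerable.
    "No MS17-010 hotfix found by KB number; verify the OS build level or patch now."
}

if (Test-Smb1ServerEnabled) {
    "SMBv1 server is ENABLED; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
} else {
    "SMBv1 server is disabled."
}

if (Test-Smb445Listening) {
    "TCP 445 is listening; make sure it is blocked at the perimeter firewall."
}
```

The KB check is deliberately conservative: it reports what it can prove is installed, and where nothing matches it tells you to verify rather than declaring the host safe, because a cumulative update that contains the fix will not carry any of these KB numbers.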
The manner and scale of attack
Kaspersky Lab's analysis shows that "WannaCry" was launched through a remote code execution exploit against SMBv2 in Microsoft Windows. This exploit (code-named "EternalBlue") was made available on the Internet through the Shadow Brokers dump on April 14, 2017, and had been patched by Microsoft on March 14. Unfortunately, many organizations and users had apparently not installed this patch.
The worrying thing is not only that unpatched Windows computers exposing their SMB services can be attacked remotely with the "EternalBlue" exploit and infected by WannaCry: even a computer without this flaw can still be hit easily, because the ransomware component itself does not depend on it. Nevertheless, this vulnerability is considered the main factor behind the WannaCry outbreak.
Note that the ransom note says "the required payment will be increased" after a countdown, alongside other displays that heighten the urgency to pay, including the threat that users will lose their files completely once the notice period ends. Not every ransomware family has a timer like WannaCry's.
To make sure the user does not miss the alert, the tool changes the user's desktop background image to one with instructions on how to find the decryptor.
For payment in bitcoin, the malware directs the victim to a page with a QR code at btcfrog, linked to the wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. The image metadata provides no additional information.
WannaCry's designers prepared a Q&A section in different languages, including English, Chinese, Danish, Dutch, Vietnamese, Filipino, French, Japanese, etc. These "FAQs" include questions such as: Can I recover my files? How do I pay? How do I contact you? etc.