On May 12, 2017, a new strain of the Ransom.CryptXXX ransomware family, detected as WannaCry ransomware, began to spread widely to a large number of companies around the world, including in Indonesia.
The attack was first reported by several companies in Europe that lost access to their mission-critical Windows systems, which had been locked, followed by a warning message demanding a ransom.
The incident developed rapidly into a WannaCry ransomware outbreak that is still ongoing in many organizations around the world. Affected organizations have been forced to shut down and keep their IT infrastructure offline for a while. Quite a few affected healthcare organizations have experienced operational disruption, and some have even had to turn away patients until the recovery process is complete.
The WannaCry ransomware variant attacks outdated Windows-based systems, leaving behind a trail of fairly severe damage. Based on initial telemetry gathered by Trend Micro, the region with the most detections in the WannaCry ransomware outbreak is Europe. Nevertheless, the Middle East, Japan and some countries in the Asia-Pacific region also showed a high rate of infection.
WannaCry ransomware infections are known to have struck and had a major impact on a wide range of industries, such as healthcare, manufacturing, energy (oil and gas), technology, food and beverage, education, media and communications, and government. Given how widespread the infection is, it does not appear to be aimed at specific targets or industries.
WannaCry ransomware encrypts data files and asks users to pay a ransom of USD 300, or approximately IDR 4 million, in bitcoin. The ransom message also states that the amount will double after three days. If payment is not made within seven days, the encrypted files will be deleted.
Data security company Trend Micro has revealed that it has been tracking WannaCry ransomware since it first appeared in the wild in April 2017. Trend Micro XGen security managed to protect users from these threats, as well as others, using behavioral analysis techniques and high-fidelity machine learning.
Meanwhile, Symantec has also found two links suggesting a connection between the WannaCry ransomware attacks and the Lazarus hacker group.
- Co-occurrence of Lazarus and WannaCry tools: Symantec identified tools used exclusively by Lazarus on machines that had been infected with earlier WannaCry variants. These earlier WannaCry variants lacked the ability to spread through SMB. The Lazarus tools may have been used as a method to deploy WannaCry, but this has not yet been confirmed.
- Shared code: As pointed out in a tweet by Neel Mehta, a member of Google’s staff, there is some code shared between Lazarus tools and WannaCry ransomware. Symantec has determined that this shared code is an SSL implementation. This SSL implementation uses a specific sequence of 75 ciphers that has until now only been seen in Lazarus tools (including Contopee and Brambul) and WannaCry variants.
So, what are the best steps to protect against this WannaCry ransomware attack? Symantec offers the following suggestions:
- New types of ransomware appear regularly. Always update your security software to protect yourself against their attacks.
- Make sure your operating system and software are updated. Software updates often include patches for newly discovered security vulnerabilities that attackers can exploit.
- Email is one of the main infection methods. Watch out for suspicious emails, especially those containing links and/or attachments.
- Be very careful with Microsoft Office email attachments that suggest you enable macros to view their contents. Unless you are absolutely sure that the email is genuine and from a trusted source, do not enable the macros and delete the email immediately.
- Backing up important data is the most effective way to combat this ransomware infection. The attackers exploit victims by encrypting valuable files and making them inaccessible. If the victim has a backup, they can restore their files after the infection has been cleaned up. However, companies should ensure that backup files are also protected or stored properly offline so that attackers cannot remove them.
- Using cloud services can help mitigate ransomware infections, as many keep previous versions of files, allowing you to roll back to unencrypted data.