At the time of writing this is an ongoing cyber-attack by the WannaCry ransomware computer worm, which targets the Microsoft Windows operating system.
The attack started on Friday, 12 May 2017, and within days had infected more than 230,000 computers in 150 countries, with the software demanding ransom payments in the cryptocurrency Bitcoin in 28 languages. Europol has described the attack as unprecedented in scale.
Basically what happens is that the user's data is locked, encrypted or even stolen, and then held for ransom. The attacker asks for payment in various forms, mostly in Bitcoin (it is hard to trace or claw the money back), and once paid they are supposed to hand over the decryption key or send back your data. That part is not guaranteed at all.
Rapid7 reports that it found over a million internet-connected devices that expose SMB on port 445. Of those, more than 800,000 run Windows, and given that these are nodes on the internet exposing SMB, it is likely that a large percentage of them run vulnerable versions of Windows with SMBv1 still enabled.
"While scanning for devices that expose port 445 has been observed for quite some time, the volume of scans on port 445 has increased since 2017-05-12 (Friday), and a majority of those scans are specifically looking to exploit MS17-010, the SMB vulnerability that the WannaCry[pt] malware looks to exploit," Rapid7 reports.
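The Rapid7 observation is something you can check on your own perimeter. Here is an added example (mine, not Rapid7's and not code from the original post) in PowerShell that reads Windows Firewall log lines and lists sources sweeping TCP/445. The log lines are constructed for the example and follow the field layout the firewall log declares in its `#Fields:` header; the thresholds and the internal-address prefixes that get ignored are assumptions for the example.

```powershell
# Added example: find sources hammering TCP/445 in a Windows Firewall log
# (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log). The lines below are
# constructed sample data in the log's own "#Fields:" layout.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-13 09:01:10 DROP TCP 198.51.100.7 192.0.2.10 51324 445 52 S 0 0 8192 - - - RECEIVE
2017-05-13 09:01:10 DROP TCP 198.51.100.7 192.0.2.11 51325 445 52 S 0 0 8192 - - - RECEIVE
2017-05-13 09:01:11 DROP TCP 198.51.100.7 192.0.2.12 51326 445 52 S 0 0 8192 - - - RECEIVE
2017-05-13 09:01:11 DROP TCP 198.51.100.7 192.0.2.13 51327 445 52 S 0 0 8192 - - - RECEIVE
2017-05-13 09:02:30 ALLOW TCP 10.0.0.5 192.0.2.10 49200 445 52 S 0 0 8192 - - - RECEIVE
2017-05-13 09:03:00 DROP TCP 203.0.113.9 192.0.2.10 44444 3389 52 S 0 0 8192 - - - RECEIVE
2017-05-13 09:03:05 DROP TCP 203.0.113.9 192.0.2.10 44445 445 52 S 0 0 8192 - - - RECEIVE
'@ -split "`r?`n"

function Find-Smb445Scanners {
    param(
        [string[]]$Lines,
        [int]$MinDistinctTargets = 3,   # assumption: 3+ distinct hosts hit on 445 = a sweep
        [int]$MinAttempts = 10,         # assumption: 10+ attempts from one source = a sweep
        # assumption: internal ranges that may legitimately talk SMB to this host
        [string[]]$IgnoreSourcePrefixes = @('10.', '192.168.')
    )
    # Keep only inbound TCP connections to port 445, regardless of ALLOW/DROP.
    $hits = foreach ($line in $Lines) {
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }                      # not the 17-field layout
        if ($f[3] -ne 'TCP' -or $f[7] -ne '445' -or $f[16] -ne 'RECEIVE') { continue }
        $src = $f[4]
        if ($IgnoreSourcePrefixes | Where-Object { $src.StartsWith($_) }) { continue }
        [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Action = $f[2]; Src = $src; Dst = $f[5] }
    }
    # One row per source: how many attempts, against how many distinct hosts.
    $hits | Group-Object Src | ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique)
        $times   = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Source          = $_.Name
            Attempts        = $_.Count
            DistinctTargets = $targets.Count
            FirstSeen       = $times[0]
            LastSeen        = $times[-1]
        }
    } | Where-Object { $_.DistinctTargets -ge $MinDistinctTargets -or $_.Attempts -ge $MinAttempts } |
        Sort-Object DistinctTargets, Attempts -Descending
}

# On the sample data only 198.51.100.7 is reported (4 attempts, 4 targets);
# 203.0.113.9 touched 445 once and 10.0.0.5 is an ignored internal source.
Find-Smb445Scanners -Lines $sampleLog | Format-Table -AutoSize
```

Against a real log, pass `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` as `-Lines`, after turning logging on with `Set-NetFirewallProfile -All -LogBlocked True -LogAllowed True`. One host's own log only ever shows that host's addresses as destinations, so the distinct-target count becomes useful when you concatenate logs collected from several machines (or read a gateway's log); on a single host the attempt count is the signal.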
The attack has affected many large organisations, including FedEx, Britain's National Health Service and LATAM Airlines. Russia was among the worst hit, but analysts say the attackers may not be Russian, as the country has very strict laws on this and anyone found guilty would face a very long jail term.
A second campaign rode in on the same vulnerability, but instead of encrypting files it uses the compromised machines to mine the Monero cryptocurrency. Monero is an alternative to Bitcoin recently adopted by the AlphaBay darknet market to trade in drugs, stolen credit cards and counterfeit goods.
Previously the attackers would infect the victim's machine with malware that gave them the ability to take it over, or to use its resources for cryptocurrency mining, which consequently made the user's machine slow. This campaign does the same thing, but gets in the same way WannaCry does.
"Once infected through use of the EternalBlue exploit, the cryptocurrency miner Adylkuzz is installed and used to generate cybercash for the attackers," said Robert Holmes, vice president of products at Proofpoint.
Handling the attacks
What happens if you are already under attack? Is there a solution? Can I get my data back?
These are the questions that run through a victim's mind once the ransom note appears. Speaking as an expert, getting the data back is a 50/50 situation at best.
First, take the attacked machine offline: pull the network cable or disable the adapter. WannaCry is a worm, so this stops it spreading to the rest of your network and stops it encrypting anything else it can reach. Secondly, do not pay the attacker under any circumstances. Thirdly, do not try to recover the data yourself; you may end up making everything worse.
Lastly, contact a cyber-security expert (definitely not your ISP or the computer repair technician). They can tell you whether the data is recoverable, preserve the evidence and may even be able to track the attacker.
This will definitely be expensive, but if the data is sensitive (servers and the like) you basically have no option.
Prevention
First, to all system administrators: for the love of Moses, patch and update your servers, whatever operating system they run. Attackers take advantage of these loopholes in your servers to gain access, and in this case the hole is MS17-010, which Microsoft had already patched in March 2017, two months before the outbreak. Remember also to close the open ports that you don't use (SMB on TCP 445 should never face the internet) and to disable SMBv1 wherever nothing still depends on it. For more, contact me.....
Secondly, dear users, what's up with clicking links and opening suspicious attachments? If you get an attachment you did not expect, contact your system administrator (those people are employed to handle that, not to diagnose your personal cell phone).
Thirdly, let's update our antivirus and renew the expired ones. It might seem lame, but it goes a long way. Don't disable it either. Let it run in the background; trust me, it does a lot that you do not see.
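Steps one and three above, done on a Windows host, as an added example (not code from the original post, nor anything published by Microsoft): a PowerShell script that checks for the MS17-010 patch, disables SMBv1, closes TCP/445 to the outside and reports the antivirus state. The KB list, the function names, the "serves files" switch and the LocalSubnet scope are assumptions for the example, explained in the comments.

```powershell
# Added example: audit and harden one Windows host against the SMBv1 / MS17-010
# exposure WannaCry used. Run from an elevated PowerShell prompt on Windows 8.1 /
# Server 2012 R2 or later (the Smb* and NetFirewall* cmdlets are not on Windows 7).

# KB numbers from Microsoft's MS17-010 bulletin, by OS family. Later cumulative
# updates supersede these, so "not found" on an up-to-date Windows 10 host is
# normal; the SMBv1 state checked below is the test that really matters.
$Ms17010Kbs = @(
    'KB4012598'                            # XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215'               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217'               # Server 2012
    'KB4012213', 'KB4012216'               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patch {
    # Returns the MS17-010 hotfix IDs installed on this host (empty if none).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    @($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1Enabled {
    # Server-side SMBv1 is the part EternalBlue attacks.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Switch the protocol off now, then remove the feature so it stays off
    # (the removal completes at the next reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Limit-InboundSmb {
    # Close TCP/445 to the outside. Windows Firewall evaluates Block rules
    # before Allow rules, so a blanket Block cannot be punched through with an
    # Allow for trusted ranges: a host that must serve files keeps the built-in
    # SMB rules and narrows them to the local subnet instead of adding a Block.
    param([switch]$ServesFiles)   # assumption: caller knows whether the host shares files
    if ($ServesFiles) {
        Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress LocalSubnet
    } else {
        $name = 'Block inbound SMB (TCP 445)'
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    }
}

function Get-AntivirusState {
    # Step three of the post, for hosts running Windows Defender: is it on,
    # is real-time protection on, and how old are the signatures?
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeInDays = ((Get-Date) - $s.AntivirusSignatureLastUpdated).Days
    }
}

# --- usage ---
$kbs = Test-Ms17010Patch
if ($kbs.Count -eq 0) { Write-Warning 'No MS17-010 KB found; confirm the patch level via Windows Update or WSUS.' }
else { "MS17-010 present: $($kbs -join ', ')" }

if (Get-Smb1Enabled) { Write-Warning 'SMBv1 is enabled; disabling it.'; Disable-Smb1 }
else { 'SMBv1 already disabled.' }

Limit-InboundSmb          # add -ServesFiles on a file server
Get-AntivirusState
```

Run it on one machine first and read the warnings before pushing it out through Group Policy or your configuration management. Disabling SMBv1 breaks anything that only speaks SMB1 (very old NAS boxes, some printers and scanners), so check what still talks to your servers on 445 before you turn it off everywhere.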
In a nutshell, prevention is better than cure. In Kenya we are not vastly affected, but that does not mean we are safe. Let's keep our eyes open and our servers guarded.