IMP: Windows Vulnerability - WannaCry
Posted by Sumith K on 15 May 2017 05:19 PM
What is Ransomware?
Ransomware is malicious software that encrypts files and locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it. Recently, a dangerous ransomware strain named 'WannaCry' has been infecting computers worldwide in the biggest ransomware attack the world has ever seen. It has also affected computers in India.
What is WannaCry Ransomware?
WannaCry ransomware attacks Windows-based machines. It also goes by the names WannaCrypt, WannaCry, WanaCrypt0r, WCrypt and WCRY. It leverages an SMB exploit for Windows called EternalBlue to attack the machine and inject the malware. All versions of Windows before Windows 10 are vulnerable to this attack if they have not been patched for MS17-010. After a system is infected, it encrypts the files and shows a pop-up with a countdown and instructions on how to pay $300 in bitcoin to decrypt the files and get the originals back. If the ransom is not paid within 3 days, the amount increases to $600 and the malware threatens to wipe all the data. It also installs the DOUBLEPULSAR backdoor on the machine.
How does it spread?
It uses EternalBlue (MS17-010) to propagate. The ransomware also spreads when users click on links and download malicious files from the internet or email. It is capable of spreading itself automatically across a network by means of the vulnerability in Windows SMB: it scans the network for specific ports, checks each host for the vulnerability and then exploits it to inject the malware into the new machine, so it spreads widely across the network.
What can you do to prevent infection?
We are already applying Windows updates on all our shared hosting Windows servers. However, we need to reboot the servers in order to apply those security patches. We shall announce the schedule for the server reboots in this thread.
What do you need to do if you have one of our Windows dedicated servers?
You need to patch the Windows dedicated server immediately using the steps mentioned in the link 'PatchingWindowsOnADedicatedServer'. In addition to this, please block the IP addresses, domains and file names mentioned in this link: https://goo.gl/JsSo0v
You can also refer to the following links to apply the necessary fix.
Please feel free to contact our support desk if you have any questions.
Given below is the schedule for the Shared Server Reboot:
All shared servers have been rebooted according to the schedule above. In continuation of our efforts to safeguard our servers from the WannaCry ransomware, we will be patching the following MSSQL servers today as per the schedule provided below:
Please note that all websites using the above-mentioned servers as their database server will be affected.
Update: We have blocked port 445 across all our dedicated servers as a precautionary measure against the SMB attack, since this port is used by the attackers to deliver the exploit. Feel free to contact our support desk if you have any questions.
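As an added example (not part of this announcement or the provider's own tooling), the following PowerShell script audits one Windows dedicated server for the mitigations described above (MS17-010 patch applied, SMBv1 disabled) and adds the inbound port 445 block mentioned in the update only when the patch is still missing. The KB numbers in $Ms17010Kbs are an assumption for Windows 7 / Server 2008 R2 and must be confirmed against the MS17-010 bulletin for your OS; the firewall rule name is made up here.

```powershell
# Added example: audit a Windows server for the WannaCry mitigations named above.
# Run in an elevated PowerShell session on the server itself.
# ASSUMPTION: these KB ids are the MS17-010 updates for Win 7 / Server 2008 R2;
# replace them with the ids listed in the bulletin for your Windows version.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists installed updates; any one matching id means the patch is on.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Disabled {
    # SMBv1 is the protocol EternalBlue abuses. Get-SmbServerConfiguration exists
    # on Server 2012 / Windows 8 and later; on older hosts treat SMBv1 as unverified.
    try { $cfg = Get-SmbServerConfiguration -ErrorAction Stop }
    catch { return $false }
    return -not $cfg.EnableSMB1Protocol
}

function Block-Smb445Inbound {
    # netsh works on Server 2008 and later, even without the NetSecurity module.
    # Caveat: this also stops Windows file sharing to this host, so it suits
    # hosting servers that do not serve SMB to clients (as in the update above).
    netsh advfirewall firewall add rule name="Block SMB 445 inbound (WannaCry)" `
        dir=in action=block protocol=TCP localport=445 | Out-Null
}

$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs
$smb1Off = Test-Smb1Disabled

if (-not $patched) { Write-Warning "MS17-010 not found: apply the patch and reboot." }
if (-not $smb1Off) { Write-Warning "SMBv1 still enabled (or not verifiable): disable it after patching." }

# Interim mitigation while the patch and reboot are pending.
if (-not $patched) { Block-Smb445Inbound; Write-Warning "Inbound TCP 445 blocked." }
```

The script only reports and blocks; it does not remove the firewall rule again, so delete the rule by name once the server is patched and rebooted if SMB access to it is needed.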