15 May 2017

Global ransomware attacks include Asia

  • WannaCrypt, also known as WannaCry and WCry, encrypts data files and ask users to pay a US$300 ransom in Bitcoin. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.
  • WannaCrypt has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows.

Microsoft discovered the WannaCrypt (also called WannaCry or WCry) ransomware attack fairly early on May 12, 2017 (US time), according to a blog post. As of the time of writing, the ransomware, a new variant of the Ransom.CryptXXX family, has been detected in over 100 countries including Singapore, Indonesia and India.

"We detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the malware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so," the blog post states.

The company has also taken the unprecedented step of issuing a patch for unsupported versions of Windows, as detailed in another blog post.

"Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today," stated the post.

"Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download."

Security firm Acronis has noted that many organisations are waking up to the fact that ransomware isn’t something that just happens to “other people”.

The threat, as demonstrated by this weekend’s attacks, prove that businesses worldwide needs to be protected against ransomware, the company said.

Acronis' VP of Engineering, Nikolay Grebennikov said, “People, and businesses hear ‘ransomware’ and think such an attack can’t happen to them. The fact is that it can...47% of businesses were under ransomware attacks last year and that’s growing."

Grebennikov noted that the real question businesses, hospitals and telcos should be asking is how they can protect themselves from a ransomware attack that is seemingly inevitable. "The answer – a reliable backup solution that includes active protection against ransomware attacks.

He also said that shutting down computers is a short-term solution that will not help. "Only an integrated solution, combining of backup (passive) and proactive security (active) technologies, working together in one product, provides data recovery in any situation. With such sophisticated ransomware, you can’t have limitations on size of the files, number of files.

Source: Symantec blog post. The Wcry display screen.
Source: Symantec blog post. The Wcry display screen.

Symantec has reassured customers that Symantec and Norton customers are protected from the WannaCrypt malware. "Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection - 20170512.009", the company shared in a blog post.

Nick Savvides, Security Advocate, Symantec Asia Pacific and Japan, has the following advice for users:

Once the encryption process starts, there is little the user can do, as it happens very quickly

"It is unlikely that the user will notice the ransomware is encrypting until it’s too late. If the user realises in the seconds after running the malware, they may attempt to power off the machine, then use an external boot disk to boot the machine and run a cleaner tool like Norton Power Eraser. This may prevent the ransomware from encrypting all the files," Savvides said.  

Any computer that has been infected should not be trusted

Security tools like Norton Power Eraser, or Norton Internet Security may be able to remove the infection but the files will still be encrypted. "It is always best to restore the computer either from a backup, or reset to factory using a recovery disk and then immediately update and apply all patches," Savvides advised.

"These are important steps, as we have seen ransomware, that not just ransoms the users’ files, but also installs banking Trojans to clean out the users’ bank accounts, typically capturing the users’ banking details when they log into their bank to pay the ransom. If the backups were not encrypted by the ransomware, it is unlikely that the files were infected."

Symantec recommends affected users not pay any ransom

"Paying criminals is never recommended, as it feeds them and rewards them for their crimes. There is also no guarantee that your files will be released back to you," Savvides said.

Other best practices for protecting against ransomware include: 
  • Always keeping security software up to date
  • Keeping the operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Organisations have to ensure that backups are appropriately protected or stored off-line so that attackers cannot delete them.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing subscribers to “roll back” their operations to the unencrypted form of their files.

In 2016, Singapore ranked 8th regionally for ransomware, the same position as in 2015. It is the 24th-most targeted country globally for ransomware in 2016, up from 42nd in 2015, accounting for 0.5% of ransomware infections on unique machines. According to the Symantec Internet Security Threat Report, Volume 22:
  • The average ransom per victim grew to US$1,077 in 2016, up from US$294 in 2015, a 266% increase.
  • Ransomware attacks grew to 463,841 in 2016, up from 340,665 attacks in 2015 (a 36% increase).
  • One in 131 emails contained a malicious link or attachment in 2016, the highest rate in five years.
  • There was a twofold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average device was attacked once every two minutes.


Download the patch for Windows XP, Windows 8, and Windows Server 2003

Read the Microsoft blog post about how the ransomware spread

Read the MalwareTech blog post on how registering a command and control domain name stopped the ransomware in its tracksEditor's note: While this was a very happy accident, there is no guarantee that future ransomware attacks can be stopped the same way. 

Read the TechTrade Asia blog post about Kaspersky Lab naming ransomware its security story of the year for 2016