Global cyber chaos is spreading Monday as companies boot up computers at work following the weekend’s worldwide cyberattack. Hackers have encrypted files on victims’ computers and demanded money in exchange for restoring them, an attack known as ‘ransomware’.
The extortion scheme has wreaked havoc in 150 countries and could get worse as more malicious variants appear. The initial attack, known as WannaCry or WannaCrypt, paralysed computers running Britain’s hospital network, Germany’s national railway and scores of other companies and government agencies around the world.
The Indian Computer Emergency Response Team (CERT-In), a government body, held a webcast this morning to explain the threats posed by WannaCry and what can be done to prevent or respond to an attack. We’ve summarized their report below.
The ransomware encrypts files of the following types:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi)
- Less common and nation-specific office formats (.sxw, .odt, .hwp)
- Archive and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
- Emails and email databases (.eml, .msg, .ost, .pst, .edb)
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd)
- Developers’ source code and project files (.php, .java, .cpp, .pas, .asm)
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes)
- Files used by graphic designers, artists and photographers (.vsd, .odg, .raw, .nef, .svg, .psd)
- Virtual machine files (.vmx, .vmdk, .vdi)
A WannaCry attack can be prevented by taking the following precautions:
1) Apply the Windows patches recommended by Microsoft Security Bulletin MS17-010, which closes the SMBv1 vulnerability the worm uses to spread.
2) Maintain updated antivirus software.
3) Keep regularly updated offline backups of important files. Backups should be kept on separate devices that are not permanently connected, since any writable share or drive the infected machine can reach will be encrypted too.
4) Organisations connecting to the Internet through Enterprise Edge or perimeter network devices should block the NetBIOS and SMB ports (UDP 137, 138 and TCP 139, 445) at the edge, and disable SMBv1 on their hosts.
5) Users and administrators of older Windows systems such as Windows XP, Vista, Server 2008, and Server 2003 should upgrade to a supported version. Microsoft has also released out-of-band MS17-010 fixes for otherwise unsupported systems such as Windows XP and Server 2003; these should be applied in the meantime.
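The prevention steps above, as a single host audit that an administrator can run and, with `-Remediate`, act on. This is an added example, not the advisory’s or Microsoft’s own script. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later (where `Get-SmbServerConfiguration` and `Disable-WindowsOptionalFeature` exist); the KB list is a subset of the ones MS17-010 names, and the firewall rule names are this example’s own.

```powershell
# Added example (not from CERT-In or Microsoft): audit one Windows host for the
# MS17-010 fix and for SMBv1 exposure, and remediate when -Remediate is given.
[CmdletBinding()]
param([switch]$Remediate)

# Subset of the KB numbers that MS17-010 lists per Windows version (assumption: your
# fleet is covered by these). Later cumulative updates supersede them, so "not found"
# means "check Windows Update", not "vulnerable".
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198',
                'KB4013429', 'KB4012598')

$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) {
    Write-Host "MS17-010 fix present: $(($found | ForEach-Object HotFixID) -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB found. Confirm that the March 2017 or a later cumulative update is installed.'
}

# 1. SMBv1: both the server-side protocol switch and the optional Windows feature behind it.
$smb     = Get-SmbServerConfiguration
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$featureState = if ($feature) { $feature.State } else { 'n/a' }
Write-Host "SMBv1 server protocol enabled: $($smb.EnableSMB1Protocol); SMB1Protocol feature: $featureState"

if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($Remediate -and $feature -and $feature.State -eq 'Enabled') {
    # Removal completes on reboot; -NoRestart leaves that for a change window.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. Host firewall: block inbound NetBIOS/SMB on the Private and Public profiles, where a
#    laptop meets untrusted networks. The Domain profile is left alone so domain file servers
#    keep working; the advisory's edge-device block covers the Internet side.
$rules = @(
    @{ Name = 'Block inbound NetBIOS (UDP 137,138)'; Protocol = 'UDP'; Port = 137, 138 },
    @{ Name = 'Block inbound SMB (TCP 139,445)';     Protocol = 'TCP'; Port = 139, 445 }
)
foreach ($r in $rules) {
    $exists = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if ($exists) {
        Write-Host "Firewall rule already present: $($r.Name)"
    } elseif ($Remediate) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Port -Action Block -Profile 'Private,Public' | Out-Null
        Write-Host "Added firewall rule: $($r.Name)"
    } else {
        Write-Warning "Firewall rule missing (run with -Remediate to add it): $($r.Name)"
    }
}
```

Run it once without `-Remediate` to see the host’s state, then with it. On Server 2012 R2 the feature is removed with `Remove-WindowsFeature FS-SMB1` instead of `Disable-WindowsOptionalFeature`. Disabling SMBv1 breaks access to very old devices (for example network printers or NAS boxes that only speak SMB1), so inventory those before rolling the change out.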
Programs such as the following have been designed specifically to guard against ransomware:
- Sophos HitmanPro
- Malwarebytes Anti-Ransomware (formerly CryptoMonitor)
- Trend Micro Ransomware Screen Unlocker
- Microsoft Enhanced Mitigation Experience Toolkit (EMET)
How to know if your system has been infected, and what to do if it has:
* If you notice that any of the files listed above, or other important files, have had their extensions changed to .WNCRY, then you are already infected. (The malware’s own support files carry the .wnry extension, and a ransom note named @Please_Read_Me@.txt is dropped alongside the encrypted files.)
* Do not pay the ransom, as this does not guarantee the files will be released. Report the incident to CERT-In and law enforcement agencies.
* Disconnect all network connections and external storage immediately, so the worm cannot spread to other machines and the encryption cannot reach further drives.
* Inform your organisation’s IT department and shut down the computer. If responders can reach the machine quickly, prefer leaving it powered on but isolated from the network: the contents of memory can help them and are lost on shutdown.
* Have your backups ready for when responders assist with recovery.
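The triage steps above as a script a first responder could run on a suspect Windows host. This is an added example, not the advisory’s own procedure. Besides the renamed files the advisory describes, it checks for the file, process and service names WannaCry is documented to use, and confirms encrypted files by the 8-byte "WANACRY!" marker they begin with. It assumes an elevated session on Windows 8 / Server 2012 or later (for `Get-NetAdapter`); the search paths and parameter names are this example’s own.

```powershell
# Added example (not from CERT-In): triage a host suspected of WannaCry infection and,
# with -Isolate, cut it off from the network without powering it down.
[CmdletBinding()]
param(
    [string[]]$Paths = @("$env:USERPROFILE", 'C:\Users', 'C:\ProgramData'),
    [switch]$Isolate
)

# Encrypted files start with the ASCII marker "WANACRY!", so a renamed file can be
# confirmed without trusting its extension.
function Test-WannaCryHeader {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 8
            $n = $fs.Read($buf, 0, 8)
            return ($n -eq 8 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq 'WANACRY!')
        } finally { $fs.Dispose() }
    } catch { return $false }
}

# File-name indicators: encrypted (.WNCRY), in-progress (.WNCRYT), malware support files
# (.wnry), the ransom note, the decryptor UI and the dropper/worm executables.
$nameIndicators = '*.WNCRY', '*.WNCRYT', '*.wnry', '@Please_Read_Me@.txt',
                  '@WanaDecryptor@.exe', 'tasksche.exe', 'mssecsvc.exe'

$files = foreach ($p in ($Paths | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $p -Recurse -File -Force -Include $nameIndicators -ErrorAction SilentlyContinue
}
$encrypted = @($files | Where-Object {
    $_.Extension -in '.WNCRY', '.WNCRYT' -and (Test-WannaCryHeader $_.FullName)
})
$artifacts = @($files | Where-Object { $_.Extension -notin '.WNCRY', '.WNCRYT' })

# Running malware: the worm/dropper processes and the service it registers.
$procs   = @(Get-Process -Name 'tasksche', 'mssecsvc', '@WanaDecryptor@' -ErrorAction SilentlyContinue)
$service = Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue

$infected = ($encrypted.Count -gt 0) -or ($artifacts.Count -gt 0) -or ($procs.Count -gt 0) -or ($null -ne $service)
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    Infected        = $infected
    EncryptedFiles  = $encrypted.Count
    MalwareArtifacts = $artifacts.Count
    Processes       = ($procs | ForEach-Object ProcessName) -join ', '
    ServicePresent  = ($null -ne $service)
}

if ($Infected -and $Isolate) {
    # Disable every active adapter rather than shutting down: the worm can no longer reach
    # other hosts, and memory (which may hold key material) stays available to responders.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    Write-Warning 'Network adapters disabled. Leave the machine on and hand it to IT/IR.'
}
```

Save the summary object (for example with `Export-Csv`) before isolating, since the host will be unreachable afterwards. The process and service names are the ones seen in the May 2017 samples; later variants may differ, so absence of those is weaker evidence than the presence of encrypted files.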
Some other computer programs and practices that will help keep your data safe:
* Establish an email validation system. These prevent spam and detect phishing emails, the most common delivery vector for ransomware. Systems along these lines include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Note that WannaCry itself spread as a worm over SMB rather than by email, so these controls complement patching and port blocking rather than replace them.
* Disable or block spam in your mailbox. Don’t open attachments in suspicious and unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in such an e-mail, even if the link seems benign. In cases of genuine URLs, close the e-mail and go to the organization’s website directly through your browser.
* Deploy web and email filters on your network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads with a reputable antivirus program both on the host and at the mail gateway.
* Disable macros in Microsoft Office products. Office 2016 and later can be configured through Group Policy to block macros in files that came from the Internet while still allowing macros in internally created documents, a hybrid approach for organisations that depend on legitimate macro use.
* Configure access controls including file, directory, and network share permissions with least privilege in mind.
* Block attachments of the following file types: exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, wsf
* Keep third party applications — Microsoft Office, browsers, browser plugins — up to date with the latest patches.
* Enable personal firewalls on individual workstations.
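The attachment-blocking rule above, as an added example of how a mail gateway or mailbox rule would apply it. This is not the advisory’s code. It uses the extension list from the page and covers the cases a naive "ends with .exe" check misses: upper case, trailing dots or spaces (which Windows ignores when it resolves the real extension), double extensions such as invoice.pdf.exe, a right-to-left override character that makes a name display with a harmless extension, and a blocked file hidden inside a .zip. The function names and the sample attachment names are this example’s own, and the zip is constructed on the fly; it assumes PowerShell 5.1 with .NET’s ZipFile class available.

```powershell
# Added example (not from CERT-In): attachment filter for the blocked-extension list above.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$BlockedExtensions = 'exe', 'pif', 'tmp', 'url', 'vb', 'vbe', 'scr', 'reg', 'cer', 'pst',
                     'cmd', 'com', 'bat', 'dll', 'dat', 'hlp', 'hta', 'js', 'wsf'
# Unicode bidirectional controls: "annex<U+202E>cod.exe" renders as "annexexe.doc".
$BidiControls = [char]0x202E, [char]0x202D, [char]0x200E, [char]0x200F

function Test-BlockedName {
    param([Parameter(Mandatory)][string]$FileName)
    foreach ($c in $BidiControls) {
        if ($FileName.IndexOf($c) -ge 0) { return 'bidi control character in name' }
    }
    # Trailing dots/spaces are dropped by Windows, so "payload.scr." runs as payload.scr.
    $clean = $FileName.TrimEnd('.', ' ').ToLowerInvariant()
    # GetExtension returns the last extension, which is what Windows executes: invoice.pdf.exe -> .exe
    $ext = [System.IO.Path]::GetExtension($clean).TrimStart('.')
    if ($ext -and $BlockedExtensions -contains $ext) { return "blocked extension .$ext" }
    return $null
}

function Test-BlockedAttachment {
    param([Parameter(Mandatory)][string]$Name, [string]$Path)
    $reason = Test-BlockedName $Name
    if ($reason) { return $reason }
    # Look inside zip archives; a .js or .exe wrapped in a zip is the classic phishing payload.
    if ($Path -and $Name.ToLowerInvariant().EndsWith('.zip') -and (Test-Path $Path)) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                if (-not $entry.Name) { continue }   # directory entries have an empty Name
                $r = Test-BlockedName $entry.Name
                if ($r) { return "archive member '$($entry.FullName)': $r" }
            }
        } finally { $zip.Dispose() }
    }
    return $null
}

# Constructed samples (not real messages) to exercise the checks.
$work = Join-Path ([System.IO.Path]::GetTempPath()) ("att-" + [guid]::NewGuid())
$content = Join-Path $work 'content'
New-Item -ItemType Directory -Path $content | Out-Null
Set-Content -Path (Join-Path $content 'order.js') -Value 'WScript.Echo("constructed sample")'
$zipPath = Join-Path $work 'order.zip'
[System.IO.Compression.ZipFile]::CreateFromDirectory($content, $zipPath)

$samples = 'report.docx', 'invoice.pdf.exe', 'PAYLOAD.SCR.', "annex$([char]0x202E)cod.exe"
foreach ($n in $samples) {
    $r = Test-BlockedAttachment -Name $n
    '{0,-22} -> {1}' -f $n, $(if ($r) { "BLOCK ($r)" } else { 'allow' })
}
'order.zip              -> BLOCK (' + (Test-BlockedAttachment -Name 'order.zip' -Path $zipPath) + ')'
Remove-Item -Recurse -Force $work
```

Only report.docx is allowed; the other four are blocked with the reason printed. Password-protected archives cannot be inspected this way and are best quarantined outright, and the list is a floor, not a ceiling: Office files with macros (.docm, .xlsm) and .lnk or .iso attachments are common ransomware carriers that this particular list does not cover.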
(With inputs from The Associated Press)