WannaCry ransomware attacks Windows-based machines. It also goes by the names WannaCrypt, WanaCrypt0r, WCrypt and WCRY.
It leverages an SMB exploit for Windows machines called EternalBlue to attack and inject the malware.
All versions of Windows before Windows 10 are vulnerable to this attack if not patched for MS17-010.
After a system is affected, it encrypts files and shows a pop-up with a countdown and instructions on how to pay $300 in bitcoins to decrypt and get back the original files. If the ransom is not paid in 3 days, the ransom amount increases to $600 and the ransomware threatens to wipe all the data.
It also installs the DOUBLEPULSAR backdoor on the machine.


How does it spread?

It uses EternalBlue (MS17-010) to propagate. The ransomware spreads when users click on links and download malicious files over the internet and email. It is also capable of spreading itself automatically across a network by means of a vulnerability in Windows SMB: it scans the network for specific ports, searches for the vulnerability and then exploits it to inject the malware into the new machine, and so spreads widely across the network.


What can you do to prevent infection?

  • Microsoft has released a Windows security patch MS17-010 for Windows machines. This needs to be applied immediately and urgently.

  • Remove Windows NT4, Windows 2000 and Windows XP-2003 from production environments.

  • Block ports 139, 445 and 3389 in the firewall.

  • Avoid clicking on links or opening attachments or emails from people you don't know or companies you don't do business with.

  • SMB is enabled by default on Windows. Disable the SMB service on the machine by going to Settings > uncheck the settings > OK

  • Make sure your software is up-to-date.

  • Have a pop-up blocker running on your web browser.

  • Regularly back up your files.

  • Install a good antivirus and a good anti-ransomware product for better security.
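
An added example (not part of the original article): a PowerShell audit of one machine against the port-blocking and SMB items in the list above. The helper name Test-PortSpec and the rule display name are hypothetical, and treating SMBv1 as the component to disable is an assumption; it requires an elevated session on Windows 8 / Server 2012 or later with the built-in NetTCPIP, NetSecurity and SmbShare modules.

```powershell
# Added example, not from the original article. Run in an elevated session.
$ports = 139, 445, 3389          # ports named in the list above

function Test-PortSpec {
    # True when a firewall LocalPort value ('445', '135-139', 'Any') covers $Port.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and
            $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# Enabled inbound TCP rules with the ports each covers.
# Rules whose protocol is 'Any' are not returned by this query.
$rules = Get-NetFirewallPortFilter -Protocol TCP | ForEach-Object {
    $rule = $_ | Get-NetFirewallRule
    if ($rule.Direction -eq 'Inbound' -and $rule.Enabled -eq 'True') {
        [pscustomobject]@{ Name = $rule.DisplayName; Action = "$($rule.Action)"; Ports = $_.LocalPort }
    }
}

# Local ports this machine is actually listening on.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique

$report = foreach ($p in $ports) {
    $hit = @($rules | Where-Object { Test-PortSpec $_.Ports $p })
    [pscustomobject]@{
        Port       = $p
        Listening  = $listening -contains $p
        AllowRules = @($hit | Where-Object { $_.Action -eq 'Allow' }).Count
        BlockRules = @($hit | Where-Object { $_.Action -eq 'Block' }).Count
    }
}
$report | Format-Table -AutoSize

# EternalBlue targets the SMBv1 server component; report whether it is enabled.
"SMBv1 server enabled: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"

# Remediation matching the list above (uncomment to apply). Blocking 3389 cuts
# off Remote Desktop, so keep another way in before using it on a remote server.
# New-NetFirewallRule -DisplayName 'Block SMB and RDP inbound' -Direction Inbound `
#     -Protocol TCP -LocalPort 139,445,3389 -Action Block
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

A port that shows Listening with one or more AllowRules and no BlockRules is reachable through the local firewall; a perimeter firewall in front of the server is not visible to this check.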



What are we doing on our Windows shared servers?

We are already in the phase of applying Windows updates on all our shared hosting Windows servers.



What do you need to do in the case of Windows dedicated servers?

You need to patch the Windows dedicated server immediately.

In addition to this, block the IP addresses, domains and file names mentioned in this link: https://goo.gl/JsSo0v

You can also refer to the following links to apply the necessary fix.

https://technet.microsoft.com/library/security/MS17-010

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://support.microsoft.com/en-in/help/4013389/title

For dedicated servers, once you have applied the necessary changes, you need to reboot the server.

 
