Ransomware can reach a computer through a number of vectors and evade detection once there. How readily these vectors are detected depends on how often the attacker returns to the compromised machines to infect them (if you are unsure what ransomware is, a good definition is easy to find online). For example, detection on your computer can be improved by setting up a firewall in your environment, or by setting up an alert or flag system maintained by your host, which lets the administrator respond when attacks are detected. These mechanisms are laborious, however, and are typically used only when a serious threat is detected on the user’s machine.
WannaCry is the ransomware variant that has attracted the most attention. It used a drive-by download technique, and its authors found and exploited multiple weaknesses in Windows’ protection mechanisms. It could inject itself into any process on the system and abused a large number of other vulnerabilities. The ransomware also targeted China and Europe and caused significant outages for businesses, as well as total loss of data. Many earlier attacks exploited these same vulnerabilities, but their number of victims and cost-effectiveness were limited.
The newer variants of WannaCry are much more sophisticated and can block most security tools, and attackers can install them without being detected.
Who is Involved in this Business?
WannaCry’s malicious code and design appear to have been developed by a cybercriminal gang with a long history of attacks on government organizations and related organizations.
The initial WannaCry code was spread through spam and spear-phishing emails. The authors likely used a Russian cybercriminal group, APT28, which has been associated with other attacks such as the 2013 Sony Pictures hack. In the original WannaCry attack the hackers used a Windows-specific exploit called EternalBlue. The new version of WannaCry, however, spreads through an injection process that takes advantage of the latest Windows patches and remote desktop (RDP) vulnerabilities to infect machines.
This new version of WannaCry is mostly targeted at users in China and other countries in the Asia-Pacific region, but it is starting to hit Western markets as well. In countries like the United States and Japan the ransomware has received some attention, but the attackers seem to have opted for a generic brand name and to target only individual users.
This attack is not based on a virus. Instead, it’s a new threat that has been developing and spreading across the internet for a while.
The ransomware creators are extremely sophisticated and know how to tailor their malware to evade detection. For the last 3-4 months they have been actively distributing the Ransom:Win32/WanaCrypt0r 2.0 ransomware through underground channels and using associated web exploits. As a result, organizations are now being hit by an even more sophisticated ransomware that has almost no noticeable impact on your network.
What Security Response Are You Receiving?
We continuously see different ransomware variants appear as ransomware worms. More than ever before, organizations have started to patch their systems, or to use an add-on that patches their security with the latest software versions.
The researchers at Sophos recommend patching with the latest available updates, depending on the target:
1) Always download the latest security updates for any system or application you use, and apply them immediately.
2) Download and install the latest security patches for all versions of Microsoft Office, Adobe Flash and any other software that you use.
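The patching advice above is only useful if you can verify it was actually carried out on each host. The script below is an added example (not Sophos’ or the article’s own code) that reports installed Windows updates, flags missing ones, and checks two settings relevant to the attack vectors the article mentions (SMB, which EternalBlue targets, and RDP). The KB identifiers in `$RequiredKBs` are placeholders: replace them with the KB numbers your own patch baseline requires for each OS build.

```powershell
# Added example: patch-status check for a Windows host. Run in an elevated PowerShell session.
# $RequiredKBs holds PLACEHOLDER identifiers, not real KB numbers; substitute your baseline.
$RequiredKBs = @('KB0000000', 'KB0000001')

# Installed hotfix IDs on this machine
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $_ -notin $installed }

if ($missing) {
    Write-Output "Missing required updates: $($missing -join ', ')"
} else {
    Write-Output "All required updates are installed."
}

# Most recent updates, to confirm the host is being kept current
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# SMBv1 is the protocol EternalBlue targets; it should be Disabled.
# (Client SKUs expose it as an optional feature; on Windows Server use
#  Get-WindowsFeature FS-SMB1 instead.)
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Output "SMB1Protocol state: $($smb1.State)"

# Remote Desktop exposure: fDenyTSConnections = 1 means RDP connections are refused
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                        -Name fDenyTSConnections
Write-Output "RDP connections denied: $($rdp.fDenyTSConnections -eq 1)"
```

Feed the "Missing required updates" line into whatever alert or flag system your host maintains, so an unpatched machine is raised to the administrator rather than discovered only after an infection.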