WannaCry Ransomware Strikes Worldwide

Computers and networks around the world fell victim to WannaCry ransomware over the past two days. The attack successfully shut down hospitals, transit systems, and businesses in every corner of the globe, with the United Kingdom, Taiwan, Chile and Japan significantly affected.

Last year, hackers announced that they had breached the NSA and downloaded its tools. One of the tools acquired, code-named EternalBlue, exploits a vulnerability to attack systems.

The exploit drops a file on the vulnerable system which executes as a service. The service then drops the actual ransomware file onto the affected system, which encrypts files and appends the .WNCRY extension. A separate component file that displays the ransom note is also dropped.

The ransomware encrypts files with a total of 166 extensions, including those commonly used by Microsoft Office, databases, file archives, multimedia files, and various programming languages.

To spread to other systems, it uses the file that was dropped and runs as a service. The service uses the name "Microsoft Security Center (2.0)". This service scans for other SMB shares on the network and uses the EternalBlue vulnerability to spread to those systems.

Figure 3. Added service

In March, Microsoft already patched supported Windows operating systems to address the SMBv1 vulnerability used in this attack. Even before that, in September 2016, Microsoft strongly urged users to migrate away from SMBv1, which dates back to the early 1990s. US-CERT issued similarly strong recommendations as well. Organizations that had followed best practices—both in patching and in proper configuration of SMB services—would not be affected by this attack.

The infected machines either do not have the patch installed or still run the Windows XP, Vista, or Windows 8 operating systems.

In the wake of the largest ransomware attack in history, which has already infected over 114,000 Windows systems worldwide in the last twenty-four hours, Microsoft has taken the unusual step of protecting customers with out-of-date computers. Microsoft just released an emergency security patch for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, and the Server 2003 and 2008 editions.
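The following PowerShell script is an added example, not code from the original article or from Microsoft; it performs the read-only checks a defender would run on a Windows host against what the article describes: whether SMBv1 is still enabled, whether the propagation service name is present, and whether any .WNCRY files exist. It assumes Windows 8 / Server 2012 or later with the SmbShare module; older systems such as Windows XP lack these cmdlets.

```powershell
# Added example (not from the original article): read-only exposure check for
# the mitigations and indicators the article mentions. Assumes a supported
# Windows version (8 / Server 2012 or later) with the SmbShare cmdlets.
function Test-WannaCryExposure {
    $findings = @()

    # 1. Is SMBv1 still enabled on the server side? The article notes Microsoft
    #    urged migration away from SMBv1; EternalBlue targets that protocol.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += "SMBv1 is ENABLED on the server side (EnableSMB1Protocol = True)."
    }

    # 2. Is the SMB1 optional feature installed at all? (Windows 8.1 / 10, Server 2012 R2+;
    #    requires an elevated shell, so failures are suppressed rather than fatal)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings += "SMB1Protocol optional feature is installed."
    }

    # 3. Is the propagation service the article names registered on this host?
    $svc = Get-Service | Where-Object { $_.DisplayName -eq 'Microsoft Security Center (2.0)' }
    if ($svc) {
        $findings += "Service '$($svc.DisplayName)' (service name: $($svc.Name)) is present; isolate this host and investigate."
    }

    # 4. Any encrypted files carrying the .WNCRY extension under user profiles?
    $hits = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Filter '*.WNCRY' -ErrorAction SilentlyContinue |
            Select-Object -First 5
    if ($hits) {
        $findings += "Found .WNCRY files, e.g. $($hits[0].FullName)"
    }

    return $findings
}

$results = Test-WannaCryExposure
if ($results.Count -eq 0) {
    Write-Output "No findings: SMBv1 disabled and no WannaCry indicators observed."
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}

# Remediation, once you have confirmed nothing on the network still depends on SMBv1:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Install the vendor patch for the SMBv1 vulnerability as well; disabling the protocol reduces exposure but does not replace patching.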

Digital Age Solution customers with DAS Safe & Secure contracts do not have to worry!

Our security software identifies and blocks this threat and file encryption regardless of your operating system.

DAS Sync protects against ransomware by keeping file history back-ups on our cloud servers. We can easily recover files for customers.

DAS Remote Monitoring and Management also applies patches to protect our customers' computers. For outdated systems, we have already pushed the new update to computers.

If you want to be sure your systems are protected with DAS Safe & Secure, contact us to get Safe and Secure.

Google Phishing Attack

If someone invites you to edit a file in Google Docs today, don’t open it — it may be spam from a phishing scheme that’s been spreading quickly this afternoon. As detailed on Reddit, the attack sends targets an emailed invitation from someone they may know, takes them to a real Google sign-in screen, then asks them to “continue to Google Docs.” But this grants permissions to a (malicious) third-party web app that’s simply been named “Google Docs,” which gives phishers access to your email and address book.

The key difference between this and a very simple email phishing scheme is that this doesn’t just take you to a bogus Google page and collect your password — something you could detect by checking the page URL. It works within Google’s system, but takes advantage of the fact that you can create a non-Google web app with a misleading name. Here’s what the permissions screen looks like, for example:

Google Docs phishing screen

If you check the title for developer information, though, you’ll get something like this:

Google Docs phishing attempt

If you’ve clicked the link, your account may have already sent spam messages to the people in your address book. But you can revoke future access through Google’s “Connected Apps and Sites” page, where it will appear as “Google Docs.”

Google Docs phishing access