A widespread ransomware campaign is affecting enterprises globally with reports of tens of thousands of infections spreading rapidly. Tata Consultancy Services (TCS) is aware of the outbreak of “WannaCry” ransomware and proactively taking all necessary measures including working with our customers globally to address this outbreak on their systems. A ransomware is a malicious code that encrypts files and locks devices like computer, tablet or smartphone and subsequently demands a ransom to unlock it. Understanding the consequences of this malware attack, TCS has proactively communicated information related to this outbreak and implementing various necessary measures to protect its customers and itself across the globe.
We are advising all our customers and partners globally to exercise caution in their online activities. We are also ensuring that our customers keep their systems updated and take a proactive approach to security rather than a reactive one.
It is learned that more than 230,000 computers across 150 countries have been impacted with the ransomware demanding ransom payments in crypto-currency bitcoin. The self-spreading ransomware, exploits a vulnerability in Microsoft’s Windows operating systems called EternalBlue to attack and inject the malware. It goes by the names WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY and is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability which is not patched for MS-17-010. A patch to remove the underlying vulnerability for supported systems (Windows Vista and later versions of Windows OS) had been issued by Microsoft on 14 March 2017. The ransomware scans the network for specific ports, searches for the vulnerability and then exploits it to inject the malware in the new machine and thus it spreads widely across the network. If the ransom is not paid in three days, the ransom amount increases upto 600$ and threatens the user to wipe off all the data. It also installs Doublepulsar backdoor in the machine. Presently, researchers have found an effective kill switch, which has prevented further infections and allowed time to patch machines. Experts are warning of a second wave of the attack from new variants of this WannaCry ransomware without the kill switch.
Advisory & Prevention
- Microsoft has released a Windows security patch MS17-010 for Windows machines. This needs to be applied immediately.
- Block ports 139, 445 and 3389 on production systems.
- Remove old Windows Operating Systems NT4, Windows 2000 and Windows XP-2003 from all production environments.
- Do not click on suspicious links or attachments or emails from people you don't know. Disable SMB service, which is enabled by default on Windows by going to Settings > uncheck the settings > OK
- Keep your files backed up regularly and periodically.
- Use trusted antivirus.
- Be wary of visiting unsafe or unreliable sites.
- Preventing the creation of registry keys (HKLM/Software/wanacrypt0r).
- Identify and remove suspicious files such as “taskdl.exe, taskse.exe, taskche.exe, mssecsvc.exe, @WanaDecryptor@.exe etc in folders like C:\ProgramData, C:\Windows.
- Identify and remove suspicious files batch files such as “131181494299235.bat, 176641494574290.bat, 217201494590800.bat” etc.
- Identification and blocking of the IP addresses already reported.
- Use behavior blocker tools to identify and block suspicious behavior of the programs.
- Institute and practice employee education programs for identifying such scams, malicious links, and attempted social engineering.
- Implement security incident response and business continuity plan. Ideally, enterprises should ensure they have appropriate backups.
TCS Cyber Security