What is Ransomware? What is WannaCry Ransomware? How does it spread? What can you do to prevent infection?

What is Ransomware?

Ransomware is malicious software that encrypts files and locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it. Recently, a dangerous ransomware named ‘WannaCry’ has been affecting computers worldwide, creating the biggest ransomware attack the world has ever seen. It has also affected computers in India.

What is WannaCry Ransomware?

WannaCry ransomware attacks Windows-based machines. It also goes by the names WannaCrypt, WanaCrypt0r, WCrypt and WCRY. It leverages an SMB exploit for Windows called EternalBlue to attack machines and inject the malware. All versions of Windows before Windows 10 are vulnerable to this attack if not patched for MS17-010. After a system is infected, the malware encrypts the files and shows a pop-up with a countdown and instructions on how to pay $300 in bitcoin to decrypt and get back the original files. If the ransom is not paid within 3 days, the amount increases to $600, and the malware threatens to wipe all the data. It also installs the DOUBLEPULSAR backdoor on the machine.

How does it spread?

It uses the EternalBlue exploit for MS17-010 to propagate. The ransomware spreads when users click on links and download malicious files over the internet and email. It is also capable of spreading itself automatically across a network by means of a vulnerability in Windows SMB: it scans the network for specific ports, checks for the vulnerability and then exploits it to inject the malware into the new machine, and so it spreads widely across the network.

What can you do to prevent infection?

  • Microsoft has released a Windows security patch, MS17-010, for Windows machines. It needs to be applied immediately.
  • Remove Windows NT4, Windows 2000 and Windows XP and 2003 from production environments.
  • Block ports 139, 445 and 3389 in a firewall.
  • Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.
  • SMB is enabled by default on Windows. Disable the SMB service on the machine by going to Settings > uncheck the SMB setting > OK.
  • Make sure your software is up to date.
  • Have a pop-up blocker running on your web browser.
  • Back up your files regularly.
  • Install a good antivirus and a good anti-ransomware product for better security.
  • Below is a consolidated list of indicators to block on your firewall/antivirus.

File Names:

• @Please_Read_Me@.txt
• @WanaDecryptor@.exe
• @WanaDecryptor@.exe.lnk
• Please Read Me!.txt (older variant)
• C:\WINDOWS\tasksche.exe
• C:\WINDOWS\qeriuwjhrf
• 131181494299235.bat
• 176641494574290.bat
• 217201494590800.bat
• [0-9]{15}.bat (regex)
• !WannaDecryptor!.exe.lnk
• 00000000.pky
• 00000000.eky
• 00000000.res
• C:\WINDOWS\system32\taskdl.exe
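As an added example (not part of the original advisory or of Kerala Police Cyberdome's material), the following Python script shows how a defender could look for two of the signs described above in logs: one host fanning out to many neighbours on the SMB ports, and files created with the indicator names listed, including the advisory's 15-digit .bat regex. The key=value firewall log format and the sample log lines and paths are constructed for the demonstration.

```python
import re
from collections import defaultdict

# File-name indicators taken from the advisory's list above; the .bat entry is
# the advisory's own regex for the 15-digit batch files.
FILENAME_INDICATORS = [
    r"@Please_Read_Me@\.txt",
    r"@WanaDecryptor@\.exe(?:\.lnk)?",
    r"!WannaDecryptor!\.exe\.lnk",
    r"Please Read Me!\.txt",
    r"tasksche\.exe",
    r"qeriuwjhrf",
    r"taskdl\.exe",
    r"[0-9]{15}\.bat",
    r"00000000\.(?:pky|eky|res)",
]
# Match only the last path component, so "notes.bat" or "mytasksche.exe" do not fire.
INDICATOR_RE = re.compile(
    r"(?:^|[\\/])(?:" + "|".join(FILENAME_INDICATORS) + r")$", re.IGNORECASE
)

# Hypothetical key=value firewall log format used by the constructed sample below.
FW_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")

# The SMB ports the advisory says to block; the worm's own scanning, as
# described above, targets SMB, so 3389 (RDP) is not part of this check.
SMB_PORTS = {139, 445}


def find_smb_scanners(fw_lines, threshold=10):
    """Return {src: number of distinct hosts} for every source that contacted at
    least `threshold` distinct hosts on an SMB port: the fan-out that the
    'How does it spread?' section describes."""
    targets = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.search(line)
        if m and int(m.group("dport")) in SMB_PORTS:
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_indicator_files(paths):
    """Return the paths whose file name matches one of the advisory's indicators."""
    return [p for p in paths if INDICATOR_RE.search(p)]


# Constructed sample data: 10.0.0.5 sweeps twelve neighbours on 445 within a
# minute, while 10.0.0.9 is an ordinary client talking to one file server.
SAMPLE_FW_LOG = [
    f"2017-05-12T10:00:{i:02d}Z src=10.0.0.5 dst=10.0.0.{20 + i} dport=445 proto=tcp"
    for i in range(12)
] + [
    "2017-05-12T10:01:00Z src=10.0.0.9 dst=10.0.0.30 dport=445 proto=tcp",
    "2017-05-12T10:01:05Z src=10.0.0.9 dst=10.0.0.30 dport=445 proto=tcp",
    "2017-05-12T10:01:07Z src=10.0.0.9 dst=10.0.0.31 dport=80 proto=tcp",
]

SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\@Please_Read_Me@.txt",
    r"C:\WINDOWS\tasksche.exe",
    r"C:\ProgramData\131181494299235.bat",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\notes.bat",
    r"C:\Users\alice\Desktop\00000000.pky",
]

if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_FW_LOG).items():
        print(f"possible SMB sweep from {src}: {count} distinct hosts")
    for path in find_indicator_files(SAMPLE_FILES):
        print(f"indicator file name: {path}")
```

The fan-out threshold is a tuning knob: a backup server or vulnerability scanner legitimately touches many hosts on 445, so such sources need an allow-list rather than a lower threshold.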

Source: Kerala Police Cyberdome


Hacker gets $15000 reward for finding bug in Facebook

Bengaluru-based Anand Prakash found a vulnerability on Facebook which could have been used to hack into any user account easily without any user interaction. This could give full access to view messages, credit/debit cards stored under payment section, personal photos and much more.

According to a post on Prakash’s blog, “Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address and Facebook will then send a 6 digit code on his phone number/email address, which can be used in order to set a new password.” He added that he tried to brute-force the 6-digit code on Facebook and was blocked after 10-12 invalid attempts.

Prakash looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com and found that rate limiting was missing on the ‘forgot password’ endpoints there. He tried to take over his own account and succeeded in setting a new password for it. With this method, he could then use the new password to log in to the account.

Facebook, on its part, acknowledged the issue promptly and fixed it. The hacker was rewarded $15,000 (approximately Rs 10 lakh) considering the severity and impact of the vulnerability.
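The lesson of the bug above is that the attempt limit has to live in the shared backend, keyed by account, rather than in one front end. As an added example (not Facebook's code or Prakash's), the following Python sketch shows a reset-code store that locks the account after 10 wrong guesses no matter which front-end host the guesses arrive through, and discards the outstanding code so it cannot be tried again after the lockout. The host names, lockout window and code lifetime are hypothetical.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 10           # about the limit the article reports on www.facebook.com
LOCKOUT_SECONDS = 15 * 60   # hypothetical lockout after too many wrong codes
CODE_TTL_SECONDS = 10 * 60  # hypothetical lifetime of a reset code

# Hypothetical front-end hosts; every one of them must go through the same store.
FRONTENDS = {"www.example.com", "beta.example.com", "mbasic.beta.example.com"}


class ResetCodeStore:
    """Shared backend for password-reset codes.

    The attempt counter is keyed by account and kept here, not in the front end,
    so a client cannot escape the limit by switching to another host.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}          # account -> [code, issued_at, attempts]
        self._locked_until = {}   # account -> timestamp

    def issue(self, account):
        """Issue a fresh 6-digit code; a locked account gets none."""
        if self._clock() < self._locked_until.get(account, 0.0):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"   # 000000..999999
        self._codes[account] = [code, self._clock(), 0]
        return code

    def verify(self, account, submitted):
        now = self._clock()
        if now < self._locked_until.get(account, 0.0):
            return "locked"
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, issued_at, attempts = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]
            return "expired"
        entry[2] = attempts + 1
        if hmac.compare_digest(code, submitted):
            del self._codes[account]          # single use
            return "ok"
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[account]          # discard the code so it cannot be guessed later
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def handle_reset(store, host, account, submitted):
    """What every front end does: validate the host, then defer to the shared store."""
    if host not in FRONTENDS:
        return "unknown_host"
    return store.verify(account, submitted)


def demo():
    """Constructed run: wrong guesses spread over several hosts lock the account,
    and the correct code is then refused until it has been reissued."""
    fake_now = [1_000_000.0]
    store = ResetCodeStore(clock=lambda: fake_now[0])
    code = store.issue("alice")
    hosts = sorted(FRONTENDS)
    outcomes = []
    for i in range(MAX_ATTEMPTS + 1):
        guess = f"{(int(code) + 1 + i) % 1_000_000:06d}"   # always a wrong code
        outcomes.append(handle_reset(store, hosts[i % len(hosts)], "alice", guess))
    outcomes.append(handle_reset(store, hosts[0], "alice", code))   # right code, but locked
    fake_now[0] += LOCKOUT_SECONDS + 1
    outcomes.append(handle_reset(store, hosts[0], "alice", code))   # old code was discarded
    return outcomes
```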

YouTube’s release of ‘The Interview’ a chance to show off paid video chops

Google’s decision to screen Sony Pictures’ film “The Interview” may help legitimize its YouTube platform as a serious rival to paid video streaming services such as Netflix and Amazon.com. Sony Pictures made the controversial film available online on Wednesday, expanding distribution of a comedy that triggered a destructive cyberattack against the company that has been blamed on North Korea. The studio reversed its decision to halt the movie’s release after it was criticized for self-censorship.

“This is a huge opportunity for YouTube to show the world that it can be used to release professional content and content that is paid for as most people think YouTube is for free content,” said James McQuivey, an analyst who covers the disruption of digital platforms at Forrester Research.

“The message from YouTube is really to other studios, that ‘Look, we’re in the big time now, we can do this, we’re not afraid (of hacks) and we have a massive audience.’”

The release of “The Interview,” one of the highest-profile films to be released digitally on demand so far, comes at a pivotal time for the Internet search company.

In recent years, YouTube has tried to leaven its image as an Internet repository of home-made videos and move toward more professionally produced content to expand its business. Last month, it launched YouTube Music Key, a paid ad-free service.

YouTube does not disclose its content sales, but despite being one of the most heavily visited destinations for video on the Internet with over 1 billion viewers each month, analysts say YouTube has lagged the likes of Amazon, Netflix and Apple in paid content offerings.

One risk for Google is that YouTube could become the target of Sony’s hackers, though security analysts said the company is viewed to have strong cyber defenses. Google has an “enormous” infrastructure that is well-tested in fighting off denial of service attacks and other threats, said Barrett Lyon, principal strategist with F5 Networks and an expert in Internet network security.

“I wouldn’t imagine seeing ‘lights-out’ out at YouTube.”

The movie starring Seth Rogen and James Franco in a fictional plot to assassinate North Korean leader Kim Jong Un spurred the cyberattack against Sony Pictures.

In addition to YouTube Movies, Google Play, and Microsoft’s Xbox Video, the comedy will be available on a dedicated website, www.seetheinterview.com, to rent for $5.99 or buy for $14.99, Sony Pictures said on Wednesday, a day after agreeing to release it at some 200 independent theaters. No cable or satellite TV operator has yet agreed to make “The Interview” available through video on demand (VOD).

Apple’s iTunes store was noticeably not on Sony’s list.

“If I were at Apple, I would think twice about re-inviting hacking troubles, which is so embarrassing especially when you’re about to get into personal health and Apple Pay. You really want to show people you can preserve their information,” McQuivey said.

“In the case of Google, they have probably been attacked so many times that the threat of being attacked again is so modest or minor in their consideration that they didn’t think twice about this.”

ICANN is the latest organisation to be hacked, claims critical data was protected

The Internet Corporation for Assigned Names and Numbers (ICANN), the global authority for assigning unique web addresses across the world, was breached by hackers. According to a blog post by ICANN, the hackers used ‘spear phishing’ to break into its systems in late November.

Email messages were sent to ICANN staff members which appeared to be coming from ICANN’s own domain. As a result several ICANN employees’ emails were compromised.

According to the post, the hackers accessed internal emails and gained administrative privileges to the Centralised Zone Data Service, which they used to gather information such as names, postal addresses, emails and phone numbers. ICANN says the passwords were encrypted, but it has deactivated them as a precautionary measure. A members-only ICANN GAC wiki page was also accessed.

Hackers also accessed the ICANN Blog and ICANN WHOIS, an information portal. However, ICANN says that these two sites were not significantly affected.

“Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems,” says the post. IANA refers to Internet Assigned Numbers Authority, which is an important section of ICANN responsible for coordinating some of the key elements that keep the internet running smoothly.

ICANN has stated that it has already put into force a slew of security measures to limit unauthorised access. Since the attack, there have been more additions to these security parameters.

“We are providing information about this incident publicly, not just because of our commitment to openness and transparency, but also because sharing of cybersecurity information helps all involved assess threats to their systems,” said ICANN in the blog post.

North Korea terms Sony hack accusations as ‘groundless slander,’ seeks joint investigation

North Korea said US accusations that it was involved in a cyberattack on Sony Pictures were “groundless slander,” and that it wanted a joint investigation into the incident with the United States.

An unnamed spokesman of North Korea’s foreign ministry said there would be serious consequences if Washington refused to agree to the probe and continued to accuse Pyongyang, according to the North Korean UN mission and its official KCNA news agency.

The United States stands by its assertion that North Korea was to blame, a White House National Security Council (NSC) spokesman said on Saturday, in response to the remarks.

On Friday, US President Barack Obama blamed North Korea for the devastating cyberattack, which had led to the Hollywood studio cancelling the imminent release of “The Interview,” a comedy on the fictional assassination of North Korean leader Kim Jong Un.

In its first substantive response, the isolated North Korea said it could prove it had nothing to do with the hacking attack.

“We propose to conduct a joint investigation with the US in response to groundless slander being perpetrated by the U.S. by mobilizing public opinion,” the North Korean spokesman was cited as saying by KCNA.

“If the U.S. refuses to accept our proposal for a joint investigation and continues to talk about some kind of response by dragging us into the case, it must remember there will be grave consequences,” the spokesman said.

The North Korean spokesman was quoted as making similar remarks in a statement issued later by North Korea’s U.N. mission.

NSC spokesman Mark Stroh dismissed this, saying: “We are confident the North Korean government is responsible for this destructive attack. We stand by this conclusion.”

“The government of North Korea has a long history of denying responsibility for destructive and provocative actions,” he added.

The US Federal Bureau of Investigation said on Friday it had determined that North Korea was behind the hacking of Sony, saying Pyongyang’s actions fell “outside the bounds of acceptable state behavior.”

Obama said North Korea appeared to have acted alone. Washington began consultations with Japan, China, South Korea, Russia, Australia, New Zealand, and the UK seeking their assistance in reining in North Korea.

Japan and South Korea said they would cooperate. China, North Korea’s only major ally, has yet to respond, but a Beijing-run newspaper said “The Interview” was not a movie for Hollywood or U.S. society to be proud of.

An Obama administration official said on Saturday: “In our cybersecurity discussions, both China and the United States have expressed the view that conducting destructive attacks in cyberspace is outside the norms of appropriate cyber behavior.”

It was the first time the United States had directly accused another country of a cyberattack of such magnitude on American soil and set up a possible new confrontation between longtime foes Washington and Pyongyang.

Obama said he wished that Sony had spoken to him first before yanking the movie, suggesting it could set a bad precedent. “I think they made a mistake,” he said.

“Not Caved In”

Sony Pictures Entertainment Chief Executive Michael Lynton insisted the company did not capitulate to hackers and said it was still looking for alternative platforms to release “The Interview.” This week, a spokeswoman for Sony had said the company did not have further release plans for the $44 million film starring Seth Rogen and James Franco.

Despite Obama’s stern warning to North Korea, his options for responding to the attack by the impoverished state appeared limited. The president declined to be specific about any actions under consideration.

North Korea has been subject to US sanctions for more than 50 years, but they have had little effect on its human rights policies or its development of nuclear weapons. It has become expert in hiding its often criminal money-raising activities, largely avoiding traditional banks.

In a separate statement on Saturday in response to criticism of its rights record, North Korea vowed to boost its “nuclear power” to counter Washington’s hostile policy, saying it had become apparent the United States aimed to invade the North under the guise of human rights abuses.

The FBI said technical analysis of malicious software used in the Sony attack found links to malware that “North Korean actors” had developed and found a “significant overlap” with “other malicious cyber activity” previously tied to Pyongyang.

But it otherwise gave scant details on how it concluded that North Korea was behind the attack.

US experts say Obama’s options could include cyber retaliation, financial sanctions, criminal indictments against individuals implicated in the attack or even a boost in US military support to South Korea, still technically at war with the North.

But the effect of any response would be limited given North Korea’s isolation and the fact that it is already heavily sanctioned for its nuclear program.

There is also the risk that an overly harsh US response could provoke Pyongyang to escalate any cyber warfare.

Non-conventional capabilities such as cyber warfare and nuclear technology are the weapons of choice for the impoverished North, defectors said in Seoul.

Online Identity Theft is rising: Here’s how to protect yourself against it

Criminals stole personal information from tens of millions of Americans in data breaches this past year. Of those affected, one in three may become victims of identity theft, according to research firm Javelin. Whether shopping, banking or going to the hospital, Americans are mostly at the mercy of companies to keep their sensitive details safe. But there are steps you can take to protect yourself against the financial, legal and emotional impact of identity theft — and most of them are free:

AS A RULE:

— Closely guard your social security numbers — and those of your children — as well as credit and debit card information and account passwords.

— Shred unneeded financial records and credit offers.

DETECTIVE WORK:

— Examine credit card bills for irregularities each month.

— Get a free credit report once a year from at least one of the major reporting agencies (Equifax, Experian, TransUnion), and review it for unauthorized accounts. Ignore services that charge a fee for credit reports. You can order them without charge at www.annualcreditreport.com. If you order from each agency once a year, you could effectively check your history every four months.

DO PAID SERVICES WORK?

— Some experts say there’s not much to be gained from a paid credit monitoring service. But if a business sends you a notice of a data breach, it can’t hurt to sign up for any monitoring they offer for free. These services will tell you if a new account is opened in your name, but they won’t prevent it, and many don’t check for things like bogus cellphone accounts or fraudulent applications for government benefits. Some do offer limited insurance or help from a staffer trained to work with credit issuers and reporting agencies.

SOMEONE STOLE MY IDENTITY, WHAT DO I DO?

— The Federal Trade Commission recommends immediately notifying one of the credit agencies and requesting a 90-day credit alert. (Each reporting agency is supposed to notify the others, but you may want to contact all three yourself.) The alert tells businesses to contact you before opening any new accounts in your name. You can renew the alert every 90 days, or you’re entitled to keep it in effect for seven years if you’ve filed an identity theft report with police.

— Contact the credit issuer to dispute fraudulent charges and have the bogus account closed.

— Request your credit report and ask the reporting agencies to remove bogus accounts or any incorrect information from your record. Consider asking the reporting agencies to place a full freeze on your credit. This blocks any business from checking your credit to open a new account, so it’s a stronger measure than a credit alert. But you should weigh that against the hassle of notifying credit agencies to lift the freeze — which can take a few days — every time you apply for a loan, open a new account or even sign up for utility service.

— Submit a report through the FTC website: www.consumer.ftc.gov. Click the “privacy & identity” tab, which will walk you through creating an affidavit you can show to creditors.

— Keep copies of all reports and correspondence. Use certified mail to get delivery receipts, and keep notes on every phone call.

Sony hacking: Company warns employees that fraudsters could misuse stolen data

Sony Pictures Entertainment advised its current and former employees to be on the alert for fraudsters looking to use their stolen data, which included detailed personal information.

In what is Sony’s most detailed description on the types of data stolen, the company listed information such as social security numbers, credit card details, bank account information, healthcare information and compensation and other employment-related information.

Hackers attacked Sony’s computer network last month and released sensitive data over the Internet. A group calling itself Guardians of Peace claimed responsibility for the cyber attack that shut down most of the studio’s network for more than a week.

Sony, in a memo to staff seen by Reuters on Dec. 2, acknowledged that a large amount of data was stolen by the hackers but had declined to confirm specific documents.

The company is in the process of investigating the scope of the cyber attack and is notifying employees that it would be providing identity theft protection services, Sony Pictures said on late Monday.

Sony Pictures also provided a toll-free number for potentially affected individuals to call to receive information about the identity protection services.

In North Korea, hackers are a handpicked, pampered elite

Despite its poverty and isolation, North Korea has poured resources into a sophisticated cyber-warfare cell called Bureau 121, defectors from the secretive state said as Pyongyang came under the microscope for a crippling hack into computers at Sony Pictures Entertainment.

A North Korean diplomat has denied Pyongyang was behind the attack that was launched last month but a U.S. national security source said it was a suspect.

Defectors from the North have said Bureau 121, staffed by some of the most talented computer experts in the insular state, is part of the General Bureau of Reconnaissance, an elite spy agency run by the military. They have said it is involved in state-sponsored hacking, used by the Pyongyang government to spy on or sabotage its enemies.

Pyongyang has active cyber-warfare capabilities, military and software security experts have said. Much of it is targeted at the South, technically still in a state of war with North Korea. But Pyongyang has made no secret of its hatred of the United States, which was on the South’s side in the 1950-53 Korean War.

Military hackers are among the most talented, and rewarded, people in North Korea, handpicked and trained from as young as 17, said Jang Se-yul, who studied with them at North Korea’s military college for computer science, or the University of Automation, before defecting to the South six years ago.

Speaking to Reuters in Seoul, he said the Bureau 121 unit comprises about 1,800 cyber-warriors, and is considered the elite of the military.

“For them, the strongest weapon is cyber. In North Korea, it’s called the Secret War,” Jang said.

One of his friends works in an overseas team of the unit, and is ostensibly an employee of a North Korean trading firm, Jang said. Back home, the friend and his family have been given a large state-allocated apartment in an upscale part of Pyongyang, Jang said.

“No one knows … his company runs business as usual. That’s why what he does is scarier,” Jang said. “My friend, who belongs to a rural area, could bring all of his family to Pyongyang. Incentives for North Korea’s cyber experts are very strong … they are rich people in Pyongyang.”

He said the hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.

“They are handpicked,” said Kim Heung-kwang, a former computer science professor in North Korea who defected to the South in 2004, referring to the state hackers. “It is a great honor for them. It is a white-collar job there and people have fantasies about it.”

SIMILAR TOOLS

The technology news site Re/code reported on Wednesday that Sony intends to name North Korea as the source of the attack. But when asked about the Re/code report, a Sony spokeswoman said no announcement from the studio was coming. The company declined comment on Thursday.

Sony Pictures, a unit of Japan’s Sony Corp, is the distributor of “The Interview,” a forthcoming comedy featuring a plot to assassinate North Korean leader Kim Jong Un. North Korea has described the film as an “act of war”.

Last year, more than 30,000 PCs at South Korean banks and broadcasting companies were hit by a similar attack that cybersecurity researchers widely believe was launched from North Korea.

Months later, the South Korean government’s online presence was targeted, with the president’s website defaced with a banner reading “Long live General Kim Jong Un, president of reunification!”

Neither attack was particularly sophisticated, but South Korean authorities said North Korea was to blame, even though ‘hacktivist’ groups – online activists who hack high-profile targets in order to spread political messages – first appeared to claim responsibility.

Those attacks used rudimentary but effective malware which security researchers later dubbed DarkSeoul.

Also known as the DarkSeoul Gang, the hackers have been involved in a five-year spree against South Korean targets, according to a report last year by computer security firm Symantec, which estimated the group included 10 to 50 hackers and described it as “unique” in its ability to carry out high-profile and damaging attacks over several years.

Some security experts have cast doubt on North Korean involvement in the attack on Sony, citing the publicity-seeking hacktivist style of the attacks. However, the use of an unknown name by the group behind the Sony attacks, “Guardians of Peace”, is similar to previous attacks by the DarkSeoul gang.

It remains unclear if the DarkSeoul gang are outsiders working on behalf of North Korea, or some of Pyongyang’s troops in the isolated country’s own ‘cyber army’.

FBI warns firms of destructive malware use by hackers

The US Federal Bureau of Investigation (FBI) has warned that cyber-hackers have used malicious software to launch destructive attacks in the US.

A five-page confidential warning was issued to US businesses on Monday, according to Reuters news agency.

The software would make it impossible to recover any lost data, the FBI said.

The warning follows a confirmation from the FBI that it is investigating last week’s hack into Sony Pictures Entertainment’s network.

Sony Pictures was forced to shut down its corporate network in the attack and some of its unreleased films have also been leaked online.

But the warning from the US authorities did not name any victims that have been targeted.

Instead, it provided some technical details about the malicious software and advice on how to handle such an attack.

North Korea in the spotlight

There have been accusations that North Korea may have been responsible for the attack on Sony Pictures after the country’s government described a film due to be released by the studio on Christmas Day as an “undisguised sponsoring of terrorism as well as an act of war”.

The Interview, starring Seth Rogen and James Franco, tells the story of a CIA plot to assassinate the North Korean leader.

Pyongyang has written letters to the UN Secretary General and President Barack Obama asking for the film to be blocked, but when asked if it was involved in the cyber-attack on Sony, a spokesman only said “wait and see”.

Sony has not accused North Korea of involvement and said it was investigating the source of the hacking.