WannaCry attack in 5 questions
NEWS CENTER - The ILKHA ARGE Unit investigated the WannaCry attack, which spread across more than 100 countries around the world, in 5 questions.
The Ilke News Agency (ILKHA) ARGE Unit has investigated the method, the damage and the protective reflexes of this attack in 5 questions. In recent days, the WannaCry cyber-attack has affected more than 100 countries.
The WannaCry cyber-attack, carried out with the harmful software known as ransomware, has deeply affected more than 100 countries around the world, especially those that are fully integrated into computing technology. Countries that were not under the full influence of this technology were not affected on the same large scale.
While the UK was the most vulnerable to the attack, many banks and the health sector there suffered a major collapse. Russian banks and European automobile factories were also affected. ICTA [Information and Communication Technologies Authority] President Ömer Fatih Sayan explained that 74 countries, including Turkiye, were affected by the attack.
It is reported that the ransomware used in the WannaCry attack has captured and encrypted important data at many official institutions, including banks, in many countries.
Although ransomware has not been used for attacks on this full scale until now, it is known that money was demanded in exchange for the data encrypted by this software.
1-What is WannaCry (WCRY), what are the damages, and what kind of damage does it do to systems?
In April, an exploit kit called FUZZBUNCH was leaked from the National Security Agency (NSA). When this exploit is used together with the DOUBLEPULSAR payload contained in another exploit, the vulnerability in the SMB service of Windows operating systems makes it possible to run a command line as administrator without an administrator login on the affected system.
This method encrypts the important data found on the infected computers and demands a ransom for the recovery of this information. If the demanded 300 dollars is not paid within the specified time, the ransom is increased for each day.
If the ransom is paid, the payment passes through a complicated structure that also eliminates the possibility of determining who receives the paid money. The reason for this is considered to be the use of 'Bitcoin', the so-called virtual money.
Even if payment is made, it is not known whether the encrypted information will be decrypted again.
2-How does the ransomware spread, and what is its origin?
Using the information leaked from the NSA, the worm used in the WannaCry attack was able to exploit the vulnerability and infiltrate Windows operating systems through the Windows SMB protocol. Ransomware that exploits this vulnerability has also begun to be developed.
3-What are the affected operating systems?
All active Windows operating systems are affected by this weakness.
- Microsoft Windows Vista SP2
- Windows 8.1
- Windows RT 8.1
- Windows Server 2008 SP2 / R2 SP1
- Windows Server 2016 / R2
- Windows Server 2016
4-How to update the operating system and how to harden it?
It had been announced that Microsoft would no longer support operating systems older than Windows 8.1. However, after this vulnerability emerged, it was said that a fix removing this vulnerability would also be provided for Windows 8 and Windows 7, and even Windows XP.
To close the vulnerability, it is necessary to enable updates and install the update for SMB. Microsoft has begun offering users this update via its official website in order to remove the vulnerability.
5-How do you protect against the virus used in the WannaCry attack?
According to reports from leading technology and security companies worldwide, the virus used in the WannaCry attack generally infects a computer as malware downloaded after clicking on links sent by e-mail.
Recommendations to institutions
The following suggestions and recommendations should be taken into consideration, given that official and private organizations are the ones most affected by such attacks:
- Close port 445/TCP on the Windows operating systems in use.
- User authorizations in the operating systems should be minimized; shared accounts should be avoided and separate accounts specific to each system should be opened.
- Investigate the security weaknesses in your network and perform penetration tests for them.
- Train your employees not only about such attacks, but also through training programs on phishing and social engineering concepts.
- Do not forget to back up regularly, and keep the backups on a computer that has no internet connection.
- DKIM, DMARC and SPF checks should be performed, taking the anti-spam services into account.
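As an added example that is not part of the ILKHA article, the following Python script shows what the SPF and DMARC parts of the "DKIM, DMARC, SPF checks" recommendation above (and the glossary entries at the end) amount to in practice: it parses the TXT records a domain publishes and flags the settings that let spoofed e-mail, the delivery vector described in question 5, through. The domain names and records are constructed assumptions; in production they would come from DNS TXT lookups of the domain and of _dmarc.<domain>, and DKIM would additionally need the per-selector key records, which this script does not cover.

```python
# Constructed sample TXT records for fictional .test domains (assumption, not real data).
SAMPLE_TXT = {
    "strong.test": ["v=spf1 include:_spf.mail.test ip4:192.0.2.10 -all"],
    "_dmarc.strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.test"],
    "weak.test": ["v=spf1 ip4:192.0.2.20 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "partial.test": ["v=spf1 ~all"],
}

def spf_status(records):
    """Classify an SPF record by the qualifier on its 'all' mechanism."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none, or several (RFC 7208 treats more than one as an error)
        return "missing"
    terms = spf[0].split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return "neutral"  # no 'all' mechanism: unlisted senders get a neutral result
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "open"}[qualifier]

def dmarc_policy(records):
    """Return the DMARC p= policy, or None if no valid v=DMARC1 record exists."""
    for r in records:
        tags = {}
        for part in r.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip().lower()
        if tags.get("v") == "dmarc1" and "p" in tags:
            return tags["p"]
    return None

def assess(domain, txt=SAMPLE_TXT):
    """Return the findings a mail administrator would act on for one domain."""
    findings = []
    spf = spf_status(txt.get(domain, []))
    if spf in ("missing", "open", "neutral"):
        findings.append(f"SPF {spf}: anyone can send mail as @{domain}")
    elif spf == "softfail":
        findings.append("SPF softfail: spoofed mail is only marked, not rejected")
    policy = dmarc_policy(txt.get("_dmarc." + domain, []))
    if policy is None:
        findings.append("DMARC missing: receivers cannot enforce SPF/DKIM alignment")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    return findings
```

Calling assess("strong.test") returns no findings, while assess("weak.test") reports both the permissive +all and the monitoring-only DMARC policy.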
Individual suggestions and recommendations
- Remember to back up your important information, and keep the backups on an external hard drive attached to a computer that has no internet connection.
- To protect your computer from this vulnerability, remember to update; in particular, check that the update named SMB has been installed.
- Do not open unknown or unidentified e-mails, do not click on links in them, and do not download files at random.
- Avoid using programs from websites such as Crack and Warez sites.
- Do not forget that viruses can hide inside files such as PDF, Word and Excel documents.
- By using open source Linux operating systems instead of Windows operating systems, you can be 80 percent more secure than on Windows operating systems.
- Do not click on shortened URLs you do not recognize on social media, just as you would not click on unknown links from e-mail. Do not forget that people who distribute malware can use social engineering concepts such as link shortening to harm users.
Worm: small viruses, described as harmful worms on the Internet. These viruses have the ability to copy themselves on the infected computer, and they also have the ability to spread across the network.
Exploit: code written to take advantage of a security hole in a system.
Payload: a piece of harmful software, such as a virus or worm, that performs malicious actions. It is used for wiping data, sending spam or encryption.
DKIM: an e-mail authentication method specified by the RFC 4871 standard.
DMARC: "Domain-based Message Authentication, Reporting, and Conformance" is a method used against e-mails that appear to come from someone you know.
SPF: a protocol based on the relationship between the sending server and the mail server. (Ömer Özbey - ILKHA)