BtCIRT has learned from different sources that a new form of ransomware is spreading massively world wide already affecting Russia, Ukraine, Spain, France, UK and India.
Therefore, users and administrators are warned not to click on email attachment or links that you are not expecting and refer Ransomware for details on how to be at safer side .
Since the identity of Ransomware has not been confirmed yet, we will keep updating the advisory.
From the sources it is known to exploit SMB(Server Message Block) vulnerabilities, encrypting the master boot records of infected Windows Computer, thus making the machine unusable. For more details on SMB vulnerability, please visit microsoft’s Update and advisory Advisory on disabling SMBv1.
It is also found to be spreading through remote access to WMI(Windows Management Instrumentation) thus it is recommended to:
- Block remote access to WMI
- Block the execution of PSEXEC tool if not required.
According to Guardian and many other sources: “ it is known to check for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won’t run the encryption side of the software. Thus users could create the Vaccine, for easy to implement guide visit: Vaccine by bleepingcomputer. But this doesn’t actually prevent infection, and the malware will still use its foothold on your PC to try to spread to others on the same network.”
Use of Pirated/Unpatched or unsupported software has always been the platform for the cyber attackers to exploit systems and networks.
Therefore, users and administrators are recommended:
- To use software under support and keep them up to date.
- Not to click on links and attachments unless you are sure of the content, always verify.
- To Keep offline backup of the files.
Microsoft has a detailed guide, please refer Advisory 1 and Advisory 2
You might like to visit following sites for more details.