New ransomware

Print Friendly, PDF & Email

BtCIRT has learned from different sources that a new form of ransomware is spreading massively world wide already  affecting Russia, Ukraine, Spain, France, UK and India.

Therefore, users and administrators are warned not to click on email attachment or links that you are not expecting and refer  Ransomware  for details on  how to be at safer side .

Since the identity of Ransomware has not been confirmed yet, we will keep updating the advisory.

From the sources it is known to exploit SMB(Server Message Block) vulnerabilities, encrypting the master boot records of infected Windows Computer, thus making the machine unusable.  For more details on SMB vulnerability, please visit microsoft’s  Update and advisory Advisory on disabling SMBv1.

It is also found to be spreading through remote access to  WMI(Windows Management Instrumentation)  thus it is recommended to:

  1. Block remote access to WMI
  2. Block the execution of  PSEXEC tool if not required.

According to Guardian and many other sources:  “ it is known to  check for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won’t run the encryption side of the software. Thus users could create the Vaccine, for easy to implement guide visit: Vaccine by bleepingcomputer. But this doesn’t actually prevent infection, and the malware will still use its foothold on your PC to try to spread to others on the same network.”

Use of Pirated/Unpatched or  unsupported software has always been the platform for the cyber attackers to exploit  systems and networks.

Therefore, users and administrators are recommended:

  1. To use software under support  and keep them up to date.
  2. Not to click on links and attachments unless you are sure of the content, always verify.
  3. To Keep offline  backup of the files.

Microsoft has a detailed guide,  please refer  Advisory 1 and  Advisory 2

You might like to visit following sites for more details.