The Department of Information and Communications Technology (DICT) confirms that a global ransomware attack is currently in progress. The malicious software, known as “WannaCry” or “Wanna Decryptor,” infects computers running older versions of Microsoft Windows, such as XP.
According to DICT, the said malware is “designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.”
How does it work?
WannaCry first appeared around February 2017 and works by encrypting files on target computers. The malware is delivered through a hyperlink that a user can accidentally open from an email, an advert on a website, or another suspicious link. Once activated, the program spreads through the computer and encrypts the files on the system.
Once the files have been encrypted, it deletes the originals and leaves a ransom note in the form of a readme file. It also changes the victim's wallpaper to a message demanding payment for the return of the files.
How can you remove it?
DICT advises that, whatever happens, you should not pay the ransom, and that you do the following instead:
1) Contact the Philippines National Computer Emergency Response Team (NCERT) of the DICT and CICC for law enforcement escalation by sending an email to: firstname.lastname@example.org. Maintain and provide relevant logs.
2) Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.
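Step 1 asks affected organizations to "maintain and provide relevant logs." The script below is an added example of how an administrator could preserve those logs on a suspect Windows host before handing them to NCERT; it is not DICT's or NCERT's tooling. It assumes Windows Vista or later with PowerShell 5.1 (wevtutil and the SMB event channels do not exist on XP), an elevated session, and a writable output folder; the channel list, the seven-day window and the C:\IR path are assumptions to adjust.

```powershell
# Added example (not from the DICT advisory): export Windows event logs and a
# snapshot of volatile state for incident response, with SHA-256 hashes so the
# evidence can be verified after transfer. Assumes Vista+/PowerShell 5.1, elevated.

function Export-IncidentLogs {
    param(
        [string]$OutputDir = "C:\IR\logs",                 # assumed evidence folder
        [datetime]$Since = (Get-Date).AddDays(-7)          # assumed collection window
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
    $machine = $env:COMPUTERNAME

    # Channels that matter for a worm abusing SMB shares and for later timeline work.
    # Channels that do not exist on an older OS are simply skipped.
    $channels = @(
        'Security',
        'System',
        'Application',
        'Microsoft-Windows-SMBServer/Security',
        'Microsoft-Windows-SMBServer/Audit',
        'Microsoft-Windows-SMBClient/Connectivity',
        'Microsoft-Windows-Windows Defender/Operational'
    )

    # XPath filter accepted by wevtutil: events created within the window, in ms.
    $ms    = [int64]((Get-Date) - $Since).TotalMilliseconds
    $query = "*[System[TimeCreated[timediff(@SystemTime) <= $ms]]]"

    $manifest = @()
    foreach ($channel in $channels) {
        $safe = $channel -replace '[\\/ ]', '_'
        $file = Join-Path $OutputDir "$machine-$safe-$stamp.evtx"
        # 'epl' exports the channel to a native .evtx file, preserving the original records.
        & wevtutil.exe epl $channel $file "/q:$query" 2>$null
        if (Test-Path $file) {
            $manifest += [pscustomobject]@{
                Channel = $channel
                File    = $file
                SHA256  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            }
        }
    }

    # Volatile state that is lost on reboot: processes, listening/established sockets, SMB sessions.
    $volatile = Join-Path $OutputDir "$machine-volatile-$stamp.txt"
    @(
        "=== Processes ==="; Get-Process | Select-Object Id, ProcessName, Path | Format-Table -AutoSize | Out-String
        "=== TCP connections ==="; Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | Format-Table -AutoSize | Out-String
        "=== SMB sessions ==="; Get-SmbSession -ErrorAction SilentlyContinue | Format-Table -AutoSize | Out-String
    ) | Set-Content -Path $volatile
    $manifest += [pscustomobject]@{
        Channel = 'volatile-state'
        File    = $volatile
        SHA256  = (Get-FileHash -Path $volatile -Algorithm SHA256).Hash
    }

    # The manifest travels with the evidence so the receiving team can re-hash and compare.
    $manifest | Export-Csv -Path (Join-Path $OutputDir "manifest-$stamp.csv") -NoTypeInformation
    return $manifest
}

Export-IncidentLogs | Format-Table -AutoSize
```

Run it once, as early as possible, and do not clean or reboot the host before the export completes; the manifest CSV plus the .evtx files are what the responding team can actually use.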
How do you prevent it?
DICT suggests you do the following ASAP:
1) Immediately deploy the security update associated with Microsoft Security Bulletin MS17-010. “Those that have automatic updates enabled or have deployed this update are already protected from the vulnerability these attacks are trying to exploit.”
2) Manage the use of privileged accounts. “Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.”
3) Configure access controls including file, directory, and network share permissions with least privilege in mind. “If a user only needs to read specific files, they should not have write access to those files, directories, or shares.”
4) Disable macro scripts from Microsoft Office files transmitted via e-mail. “Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications. Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.”
5) Enable strong spam filters to prevent phishing e-mails from reaching the end users. “Also, authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.”
6) Have regular penetration tests run against the network. “No less than once a year. Ideally, as often as possible/practical.”
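The first four prevention steps above are host settings that can be checked rather than assumed. The following script is an added example of such an audit written for this article; it is not a DICT tool. It assumes Windows 7 or later with PowerShell 5.1 and an elevated session (the SMB cmdlets need Windows 8/Server 2012 or later). The KB numbers are the MS17-010 package identifiers the editor recalls from Microsoft's bulletin for the March 2017 and May 2017 releases; verify the exact identifier for your OS build against the bulletin, and note that later cumulative updates supersede these packages, so a host patched through a newer rollup can be protected without any of these KBs appearing. The Office policy path shown is for Office 2016 and later (16.0); older suites use 15.0 or 14.0.

```powershell
# Added example (not DICT's own tooling): audit a Windows host against the
# MS17-010 / SMBv1 / least-privilege share / Office macro advice above.
# Assumes Windows 7+ with PowerShell 5.1, run elevated.

function Test-MS17010Patch {
    # MS17-010 package ids as recalled from the Microsoft bulletin (verify for your build).
    # Later monthly rollups supersede these, so "no KB found" is a prompt to check, not proof of exposure.
    $kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
           'KB4012598','KB4012606','KB4013198','KB4013429'
    $found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Check  = 'MS17-010 package installed'
        Pass   = [bool]$found
        Detail = if ($found) { $found.HotFixID -join ', ' }
                 else { 'no known MS17-010 package found; confirm a superseding rollup is installed' }
    }
}

function Test-SMB1Disabled {
    # SMBv1 is the protocol the worm's exploit uses; disabling it removes the attack surface
    # even on hosts that cannot take the patch immediately.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $enabled = if ($cfg) { $cfg.EnableSMB1Protocol } else { $null }
    [pscustomobject]@{
        Check  = 'SMBv1 server disabled'
        Pass   = ($enabled -eq $false)
        Detail = if ($null -eq $enabled) { 'Get-SmbServerConfiguration unavailable on this OS' }
                 else { "EnableSMB1Protocol=$enabled" }
    }
}

function Get-BroadShareGrants {
    # Least privilege on shares (step 3): every non-administrative share where a broad
    # principal holds Change or Full access is a place the worm can write to.
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Special } |                       # skip IPC$, C$, ADMIN$
        ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
        Where-Object {
            $broad -contains $_.AccountName -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in 'Change', 'Full'
        }
}

function Test-OfficeMacrosBlocked {
    # Step 4: VBAWarnings=4 is the Group Policy value "disable all macros without notification".
    # 1 = enable all, 2 = disable with notification, 3 = disable except digitally signed.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # Office 2016+; assumption
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Check  = "$app macros disabled by policy"
            Pass   = ($v -eq 4)
            Detail = if ($null -eq $v) { 'no policy set; the user can enable macros' } else { "VBAWarnings=$v" }
        }
    }
}

function Invoke-WannaCryHardeningAudit {
    $results = @(Test-MS17010Patch; Test-SMB1Disabled) + @(Test-OfficeMacrosBlocked)
    $grants  = @(Get-BroadShareGrants)
    $results += [pscustomobject]@{
        Check  = 'No broad Change/Full share grants'
        Pass   = ($grants.Count -eq 0)
        Detail = if ($grants) { ($grants | ForEach-Object { "$($_.Name): $($_.AccountName) $($_.AccessRight)" }) -join '; ' }
                 else { 'none found' }
    }
    $results
}

Invoke-WannaCryHardeningAudit | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

Each row reports Pass as $true or $false with the evidence behind it, so the output can be pasted into a ticket. The SMBv1 row is the one to act on first: it holds regardless of which KB a given build expects, and it is the control that still applies to machines that cannot be patched promptly.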
Additional precautions include:
1) Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
2) Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
3) Test your backups to ensure they work correctly upon use.
For further information, please contact DICT at 920-0101 LOC 1200; email at email@example.com or visit https://www.facebook.com/CICC.PH. Future updates will be provided as more information becomes available.