Sushobhan Mukherjee



Resolution for WannaCry ransomware

What has happened?

UK hospitals, Telefonica, FedEx, and other businesses were hit by a massive ransomware attack last Friday (12-05-2017). Around 75,000 computers in 99 countries were reported affected within the first day by malware known as “WannaCry”, which encrypts the files on a computer and demands a $300 ransom in Bitcoin before unlocking them. The malware was able to spread thanks to a flaw in older versions of Windows that the NSA had originally used to break into PCs, and which became public when the Shadow Brokers group leaked the exploit last month.

Among those infected were more than a dozen hospitals in England, a telecom in Spain, FedEx’s offices in the United Kingdom, and apparently, the Russian Interior Ministry. Within half a day, there were instances detected on six continents.

Several firms in Europe were the first to report having their mission-critical Windows systems locked, showing a ransom note. This quickly developed into one of the most widespread ransomware outbreaks currently affecting a large number of organizations around the world. Some affected organizations had to take their IT infrastructure offline, with victims in the healthcare industry experiencing delayed operations and forced to turn away patients until processes could be re-established.

Brief on WannaCry ransomware

Before this outbreak, WannaCry/Wcry was a relatively new ransomware family that had been seen distributing its components through the file-hosting service Dropbox. This came on the heels of a TorrentLocker variant that was using abused Dropbox accounts to spread its payload.

That earlier Wcry spread via email, a malicious website, or was dropped by other malware. Once it gained access to a user’s system, it dropped its prerequisite files and components, after which it prompted the user to download files from Dropbox URLs (Dropbox has been notified of these links, which have since been removed). These files included the Tor Browser Bundle and the executable “!WannaDecryptor!.exe”. If the user ran the executable, Wcry displayed its ransom note. The variant in the current outbreak no longer needs this user interaction: it spreads on its own over SMB, as described below.

Who are affected?

This variant of WannaCry attacks older, unpatched Windows systems and is leaving a trail of significant damage in its wake. Europe has the highest number of detections; the Middle East, Japan, and several countries in the Asia Pacific (APAC) region show substantial infection rates as well.

WannaCry infections were seen in various enterprises, including healthcare, manufacturing, energy (oil and gas), technology, food and beverage, education, media and communications, and government. Given the widespread nature of the campaign, it does not appear to target specific victims or industries.

What does WannaCry ransomware do?

WannaCry targets and encrypts 176 file types, including databases, multimedia and archive files, and Office documents. Its ransom note, available in 27 languages, initially demands US$300 worth of Bitcoin, an amount that rises after a set time limit. The victim is also given seven days before the affected files are deleted, a commonly used fear-mongering tactic.

WannaCry uses CVE-2017-0144, a remote code execution vulnerability in the Server Message Block (SMBv1) server, to infect systems. The flaw is attacked with the “EternalBlue” exploit leaked by the Shadow Brokers. Microsoft’s Security Response Center (MSRC) addressed the vulnerability in bulletin MS17-010, released on 14 March 2017, two months before the outbreak.

What makes WannaCry’s impact pervasive is its ability to propagate. Its worm-like behavior lets it spread across networks, infecting connected systems without any user interaction; a single infected host puts every unpatched Windows system reachable over SMB (TCP port 445) at risk. Its propagation is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several Cerber variants, all of which can infect systems and servers connected to the network.

Observations

The malware uses the MS17-010 (EternalBlue) exploit to distribute itself. This is an SMB vulnerability that allows remote code execution; details: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

With MS17-010, an attacker needs just one exploit to gain remote access with SYSTEM privileges, copy the payload onto the target, and transfer control to it.

Because control over the victim PC is gained remotely, with SYSTEM privileges and without any user action, an attacker who controls a single machine inside a local network can spray the malware across it: that one system infects every Windows host on the network that is still vulnerable, i.e. not patched with MS17-010.

Behavior:

Using the following command line, the Volume Shadow Copies and the backup catalog are removed and Windows startup recovery is disabled, so the victim cannot restore files locally:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

The file size of the ransomware is 3.4 MB (3,514,368 bytes).

The authors called the ransomware “WANNACRY”; the string is hardcoded in the samples.

The ransomware writes itself into a randomly named folder under C:\ProgramData with the file name “tasksche.exe”, or into the C:\Windows folder with the file names “mssecsvc.exe” and “tasksche.exe”.

Examples:

C:\ProgramData\lygekvkj256\tasksche.exe

C:\ProgramData\pepauehfflzjjtl340\tasksche.exe

C:\ProgramData\utehtftufqpkr106\tasksche.exe

C:\ProgramData\yeznwdibwunjq522\tasksche.exe

C:\ProgramData\uvlozcijuhd698\tasksche.exe

C:\ProgramData\pjnkzipwuf715\tasksche.exe

C:\ProgramData\qjrtialad472\tasksche.exe

C:\ProgramData\cpmliyxlejnh908\tasksche.exe

The ransomware then grants everyone full access to all files in its working directory with the command:

Icacls . /grant Everyone:F /T /C /Q

It uses a randomly named batch script for some of its operations, for example 176641494574290.bat.
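The behaviors above translate directly into hunt logic. The PowerShell below is an added example, not code from the original post: it turns the quoted command line, the icacls grant and the drop paths into regular expressions, tests them against constructed sample command lines (not real telemetry), and, on a Windows host, checks the drop locations and scans Security event 4688 for the same command lines. The function names are my own.

```powershell
# Added example (not from the original post): host-side hunt for the WannaCry
# behaviours quoted above. Sample command lines at the bottom are constructed.

# Regexes for the shadow-copy/backup destruction chain, the icacls grant, and
# the drop locations listed in the Behavior section. -match is case-insensitive.
$CommandLineIndicators = @(
    'vssadmin\s+delete\s+shadows',
    'wmic\s+shadowcopy\s+delete',
    'bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures',
    'bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no',
    'wbadmin\s+delete\s+catalog',
    'icacls\s+\.\s+/grant\s+Everyone:F'
)
$PathIndicators = @(
    '^[a-z]:\\programdata\\[a-z]+\d{3}\\tasksche\.exe$',   # C:\ProgramData\<letters><3 digits>\tasksche.exe
    '^[a-z]:\\windows\\(mssecsvc|tasksche)\.exe$'
)

function Test-WannaCryCommandLine {
    # Returns the indicator patterns matched by one process command line (empty = clean).
    param([Parameter(Mandatory)][string]$CommandLine)
    return @($CommandLineIndicators | Where-Object { $CommandLine -match $_ })
}

function Test-WannaCryPath {
    # Normalises slashes (the samples in the post use both) and matches the drop locations.
    param([Parameter(Mandatory)][string]$Path)
    $normalized = $Path -replace '/', '\'
    return [bool]($PathIndicators | Where-Object { $normalized -match $_ })
}

function Find-WannaCryDropFiles {
    # Live check (Windows only): look for the drop locations on this host.
    $candidates = @(
        Get-ChildItem -Path "$env:ProgramData\*\tasksche.exe" -File -ErrorAction SilentlyContinue
        Get-ChildItem -Path "$env:SystemRoot\mssecsvc.exe", "$env:SystemRoot\tasksche.exe" -File -ErrorAction SilentlyContinue
    )
    return @($candidates | Where-Object { Test-WannaCryPath $_.FullName })
}

function Find-WannaCryProcessEvents {
    # Live check: scan Security event 4688 (needs "Audit Process Creation" and
    # command-line logging enabled) and return the suspicious command lines.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd -and (Test-WannaCryCommandLine $cmd).Count -gt 0) {
                [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
            }
        }
}

# Constructed sample command lines to exercise the rule offline (not real telemetry)
$samples = @(
    'cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet',
    'icacls . /grant Everyone:F /T /C /Q',
    'vssadmin list shadows',                       # benign admin use: must not fire
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $hits = Test-WannaCryCommandLine $s
    '{0,-7} [{1} indicator(s)] {2}' -f ($(if ($hits.Count) { 'SUSPECT' } else { 'ok' }), $hits.Count, $s)
}
'{0} -> {1}' -f 'C:/ProgramData/utehtftufqpkr106/tasksche.exe', (Test-WannaCryPath 'C:/ProgramData/utehtftufqpkr106/tasksche.exe')
```

The command-line patterns are deliberately narrower than "any vssadmin" so that a routine `vssadmin list shadows` from an administrator does not fire; the destructive chain and the Everyone:F grant are what distinguish the ransomware. Event 4688 only carries the command line when "Include command line in process creation events" is enabled by policy, otherwise `Find-WannaCryProcessEvents` returns nothing even on an infected host.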

What can we do?

WannaCry highlights the real-life impact of ransomware: crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions—not to mention the cost of incident response and clean up.

Here are some of the solutions and best practices that organizations can adopt and implement to safeguard their systems from threats like WannaCry:

Patching

  • The ransomware exploits a vulnerability in the SMB server. Patching is critical for defending against attacks that exploit security flaws. A patch for this issue is available for Windows systems, including versions no longer supported by Microsoft; see the MS17-010 bulletin linked above for the details.
  • Additional patches for the older OSes not covered by the main MS17-010 bulletin (Windows XP, Windows 8 and Server 2003) are available from the Update Catalog under KB4012598: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  • Upgrade from obsolete Windows versions to a current, supported one. If licensing cost is a concern, migrating to a Linux environment is an option.
  • Where old hardware cannot run a current Windows version, desktop virtualization (thin client/zero client) is a better route, as it also simplifies future operations and management.
  • WannaCry attacks unpatched Windows systems; in practice the vast majority of infections were Windows 7 and Windows Server 2008 R2 machines, and Microsoft stated that Windows 10 was not targeted by this attack. That does not mean users of macOS or Linux should feel smug: they, too, should apply software patches regularly as they are issued.

Endpoint and Gateway Security

  • Ensure desktop, laptop and mobile devices are protected with antivirus, a personal firewall and anti-malware. Where possible, a complete endpoint protection suite from an established, independently benchmarked vendor is preferable to a patchwork of tools.
  • Deploying firewalls and intrusion detection/prevention systems can help reduce the spread of this threat. WannaCry reportedly also uses spam as an entry point, so identifying the red flags of socially engineered emails that carry exploits helps. IT and system administrators should deploy security mechanisms that protect endpoints from email-borne malware.
  • A security monitoring system and practice must be in place for continuous monitoring and management, so that potential attacks in the network can be acted on proactively.
  • WannaCry drops several malicious components on the system to carry out its encryption routine. Application control based on a whitelist can prevent unwanted and unknown applications from executing, and behavior monitoring can block unusual modifications to the system, such as the shadow-copy deletion shown above. Ransomware uses a number of techniques to infect a system; defenders should use as many layers to protect theirs.

Regular Backup

  • Ransomware targets the files and software on your system, so keep them backed up regularly. The best protection is an offline copy on an external hard disk kept out of reach of the network.
  • If the backup is taken to the cloud, the backup job should run at intervals and the backup storage should not remain permanently connected or mapped, otherwise the ransomware can encrypt the backup as well.
  • Ransomware infects at the system level, so a complete image backup of your Windows OS is also helpful.

Connectivity

  • Ransomware attacks arrive over the network, and WannaCry also scans for SMB exposed to the Internet, so it is essential to control the path between your computers and the Internet; inbound SMB (TCP 445) should never be reachable from outside.
  • WannaCry encrypts files stored on local systems and on network shares. Data categorization helps mitigate the damage from a breach or attack by protecting critical data in case it is exposed.
  • Network segmentation can also help prevent the spread of this threat internally. Good network design can contain the infection and reduce its impact on the organization.
  • Whenever connectivity is not needed, the path should be closed or the connection dropped.
  • When you use public Wi-Fi, make sure you tell Windows that you are on a public network (it asks whether the network is public or private/home). The operating system then applies its public firewall profile, which closes inbound access to file-sharing services such as SMB.
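The Patching and Connectivity items above can be checked and applied from an elevated PowerShell session. The script below is an added example, not code from the original post: it looks for the MS17-010 KB numbers via Get-HotFix, reports and disables SMBv1, and blocks inbound TCP/445 on the Public and Private firewall profiles. The KB list reflects the March 2017 bulletin as I know it; later cumulative updates supersede those numbers, so a missing KB is a prompt to check further, not proof of exposure. The function names and the firewall rule name are my own.

```powershell
# Added example (not from the original post): MS17-010 presence check, SMBv1
# shutdown and inbound-445 block for one Windows host. Run elevated.

# KB numbers published in MS17-010 (March 2017) per platform. Later monthly
# rollups / cumulative updates supersede these, so "absent" means "check
# further", not "vulnerable". Disabling SMBv1 closes the exposure regardless.
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 (security-only)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $present   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ AnyMs17010Kb = ($present.Count -gt 0); MatchedKbs = $present }
}

function Get-Smb1State {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # older hosts fall back to the LanmanServer registry value (KB2696547).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)   # SMB1 is on unless explicitly set to 0
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Remove the optional feature as well where it exists (Windows 8.1 / 10); takes effect after reboot.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Blocks TCP/445 on the Public and Private profiles. The Domain profile is
    # left alone so file/print sharing keeps working; segment the network there.
    $name = 'Block inbound SMB (TCP 445) - WannaCry containment'   # rule name is my own
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public, Private | Out-Null
    }
}

# Report first, then remediate.
$patch = Test-Ms17010Installed
'MS17-010 KB present: {0} ({1})' -f $patch.AnyMs17010Kb, ($patch.MatchedKbs -join ', ')
'SMBv1 enabled:       {0}' -f (Get-Smb1State)
if (Get-Smb1State) { Disable-Smb1 }
Block-InboundSmb
'SMBv1 enabled after: {0}' -f (Get-Smb1State)
```

Blocking 445 on the Private profile will also stop home or workgroup file sharing to that host; if that is needed, keep the block on Public only and rely on segmentation for the rest. The registry fallback and the optional-feature removal both require a reboot before the SMBv1 server actually stops listening, so re-verify the host afterwards rather than trusting the script's final line.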

Proactive Measures instead of Reactive

This is not the end of it; more destructive versions will pop up soon, so remediating the present threat alone will not resolve anything. Security is a journey, not a one-off resolution. The measures below should give us some breathing space:

  1. Network and application audits at regular intervals (vulnerability assessment and penetration testing)
  2. Third-party risk assessment and business continuity planning
  3. Adherence to information security processes as per international benchmarks, certification, compliance and regular governance
  4. Remediation on a continuous basis, driven by gap analysis
  5. Deployment of tools and technologies for proactive measures
  6. Close harmony between people, process and tools



Retrospection of Present Recruitment Problems – PART I

Of late, we have been observing huge problems in recruitment: getting resources, making them work, retaining them, keeping them motivated. Be it a start-up or a larger organization, the situation is the same everywhere. In this blog I will try to search for answers and retrospect on the root cause. All of it cannot be written in a single post, so I will try to document it in a few episodes.

No respect for work:

We have a gardener at home who comes in the morning and waters the plants in the garden every day on a monthly contract. He takes his weekly off on Friday. One week recently, he took leave on Thursday for a medical checkup of his wife and was reluctant to adjust it against his weekly off on Friday (which was just the next day). But he continued to be absent on the following Saturday and Sunday as well. Suddenly he appeared on Sunday afternoon to inform us that from tomorrow onwards he would continue as usual in the morning. His justification for his absence on Saturday made my blood boil. He said he did not turn up because he did not feel like working on Bengali New Year's Day (yes, Saturday 15th April 2017 was the start of the Bengali year 1424), so as to ward off hard work on every day of the year that follows.

The 2nd incident also took place today. Two aspiring drivers came to meet me, as I was searching for a new regular driver. One of them expressed all his expectations: he needs INR 12K as monthly salary for 12 hours' work 6 days a week; beyond 12 hours, overtime at INR 40 per hour; if he has to work on some Sunday, extra money as per the prevailing Driver Centre charges; Rs. 3 per km for outstation travel, with lodging/boarding etc. extra at actuals; and a bonus of one month's salary during Puja. In his final notes he concluded that driving is a very tedious job, as he is in the field all day, staying with the cab, and outstation trips are very tiring since he has to drive so long. What he meant was that, despite all these troubles, he was doing me a favour by charging so little; rather, he had accepted the hard work and suffering only to help me.

There are enough examples like this that I could write several books of similar real-life examples (I am actually documenting this in the “Fools’ Walk” series of books along with my co-author Pritam).

Both examples above clearly indicate the attitude of a job aspirant or an employee/worker towards a job that feeds him/her money for survival. Unless you love it, treat it as a priority, and feel from the heart that it is important for your family, the result can never be the best. The outcome will be a fraction of the potential output; there will always be distance and unhappiness with the employer, and in effect, most of the time, the wicket falls.

Lollipop Generation

The headline is quoted from a senior fellow entrepreneur. This is more applicable to the present generation of youth. In the present era, there are one or two kids in a nuclear family. Parents have always been protective, possessive and primitive. Social and economic standing demands the best schooling, branded clothes, gadgets, gaming consoles, and loads of extracurricular activities so the kids have a bright future. But the over-protective, pampered environment makes them relaxed, less hard-working, less competent to handle real-life situations, and inclined towards a struggle-free life.

There were situations where people declined to visit Arunachal (a north-eastern state of India) since their parents did not approve of them going that far, into a disturbed terrain like that (I really do not know why and how Arunachal becomes a disturbed terrain). There have even been instances where people preferred to resign instead of taking up out-of-location travel to Baharampur (in the district of Murshidabad, West Bengal).

You might have seen the latest “Parle” advertisement, where the teacher calls the mother to complain about the child's behaviour in class. The mother is questioned about the same and, surprisingly, she counters that even sir is unaware that the biscuits for parents and kids are manufactured by the same biscuit company. A useless advertisement, but it reveals a true reflection of a society where a teacher can be questioned in front of the student. That is the reason that even if a teacher slaps a student in class for wrong behaviour, it may lead to a police case, a media story and a threat to the teacher's personal life outside the school.

This philosophy, starting from the grassroots stage, will surely impact future professional life as well.

Entrepreneurship:

Nowadays the buzz of entrepreneurship is everywhere. Colleges, universities, associations, the government, even corporations are floating schemes, facilities, mentoring, funding and incubation to manufacture entrepreneurs, so that the youth become self-sufficient, independent and able to stand on their own feet without a job. But unfortunately that does not happen. Entrepreneurship is not only about popping out an idea, but about executing the idea, building teams, selling the product/service to customers and earning money, managing funds, handling statutory and legal matters, etc. More precisely, entrepreneurship is not about riding on someone else's money without any struggle or hard work. Rather, the reverse, rosy picture is being hallucinated: that entrepreneurship is a free-flowing life where you can earn a lot of glory, limelight, fame, name etc. without much struggle. Most people finally fail, but the mindset of a free-flowing, non-obligatory, hassle-free, non-accountable lifestyle gets injected, and in effect the youth are not comfortable in a job where they are answerable or bound by a KRA/appraisal system.

That is also applicable to experienced people. People are losing jobs every now and then. A few people leave jobs because of bosses, salaries, exploitation by employers, adjustment to the culture, location problems, office timings, salary disbursement delays and so many other things. But the very interesting thing is that most of them (those who have not lost their job) first leave the job and then search for options. Then, after some time, when they fail to get a suitable job, these people jump into business in a “Me Too” model. Finally, most of them either fail or spoil the market by low pricing, desperation for orders, quoting without understanding, and so on.

Finally, market dynamics gradually evolve and, in effect, the expectations of aspiring job seekers change in ways that do not fit industry needs. In effect, the gap between employer and employee expectations keeps widening. And yes, the end result, retrenchment, resignation, leaving, absconding etc., disrupts business dynamics.

Choosing Job Options

In seven years of my business, I have not found many people interested in field jobs, be it technical or sales. Everyone expressed an inability to do hard work on hot, humid, sunny days, in the rainy season, on out-of-location travel etc.

In a campus interview, we had selected 7 diploma engineers, 3 in technical and 4 in sales. All of them joined, and at that time we had tried to implement a full HR process. The initial 15 days were full in-house training before they would be placed in production. But after the 15-day induction, once the field visits started, the 4 sales guys disappeared within 7 days. Out of the 3 service guys, 2 also vanished within 15 days because of out-of-location travel (someone had to catch a 6.30am train for a 4-hour journey to a site survey).

I have plenty of incidents to explain the situation. In interviews with experienced candidates, I found the latest trend is to leave the job first and then search for a job. In effect almost every aspiring job seeker has a 3 to 6 month break in their career graph.

One of my friends referred Prakash to me two months back. Prakash's mother works as a cook in my friend's home. Prakash was born and brought up in Bihar, but now stays in Kolkata. He comes from a very needy family background. During the face-to-face discussion, I liked him and decided to offer him the job. I continued the discussion with him about the notice period in his present job (he had been working in a domestic call centre for the last 8 months). Interestingly, it was revealed that he could join immediately, as his notice period was about to be over in the next couple of days. I was wondering why he had left a job without getting a suitable change. However, he surprised me further with the fact that he already had a job in his bucket and was about to join there in the coming week. My curiosity took an interrogative tone: “Why are you further evaluating a job with us then?” He said he did not find the culture and atmosphere of that organization very fitting for him; rather, the organization seemed very fishy to him (something he discovered from a few of his friends who were already working there). “But why did you resign from your present job with this dilemma?” my curiosity continued. His answer was mind-boggling: “Sir, I worked for so many days, I thought of taking a break!” My reply was instantaneous: “What? You have been working there only for 8 months, and before that you took a 4-month break for your ear operation. Why do you need a break again?” He answered, “Sir, actually next month is my birthday. I thought of having a party and other enjoyment this month and then searching for a suitable job again.” I was speechless, and please note that not a single line of this dialogue is cultivated, nor a single iteration of it.

I will finish this section with one more story, the very latest (garden fresh).

After so many issues with the workforce, I thought of discarding B.Tech, diploma and MBA kinds of resources and pursued a campus at a government youth training centre, where they teach the very basics of computers to people who could not succeed much in their traditional career. Anyway, after one such campus interview, we selected one candidate for sales. He was good in communication, body language, attitude and approach. He had no problem with field visits. After selection on campus, we asked him to come to the office the next day for the final discussion. We discussed the job scope, opportunities and of course explained the field visits. He was extremely positive and excited to join from the very next day. More interestingly, on leaving the office he posted a Facebook update about his excitement at getting his first job. But unfortunately he neither joined nor informed us the next day. Once we investigated through the institute, we were apprised that his parents did not approve of a job where he had to spend time on field jobs in the hot, humid summer.

This is not the end of it; there are so many other factors. I will write about them another day.

(To be continued…..)