
WannaCry, The Most Severe Malware Attack of 2017… so far.

WannaCry is a new strain of ransomware (a Trojan-type malware) that has swept across the globe by force this past week. Security researchers estimated that about 57,000 computers in more than 150 countries had been infected by the end of the day on Friday.

As of this morning (Monday May 15th) the WannaCry virus has infected more than 200,000 systems around the world, and it doesn’t look to be stopping anytime soon.

Our security team has been tracking the development of this malware and hopes that a solution will emerge very shortly. We put together the top five things you need to know about the WannaCry ransomware and why our DataVault backup solution will help prevent you from becoming a victim. Sign up today for a 30-day complimentary, risk-free DataVault solution trial to protect your business from ransomware.

  1. Ransomware is a type of Trojan virus that holds your computer’s files hostage and can wipe out all of your data at a moment’s notice.

There are many types of malware that can cause severe damage to your computer system. One type that can negatively affect your computer is ransomware. This kind of virus, like WannaCry, will encrypt most or even all of the files on a user’s computer. The software will then demand that a ransom be paid in order to have the files decrypted. If the ransom is not paid, the software can delete all of the encrypted files on the computer.

  2. WannaCry will increase the ransom amount if it isn’t paid within 3 days.

The WannaCry ransomware will demand that the victim pay $300 in bitcoins at the time of infection in order to decrypt the files. If the victim does not comply within three days, the amount will double to $600. After seven days without payment, WannaCry will delete all of the encrypted files and all data will be lost.

  3. The malware will install a text file on the user’s desktop with the following ransom note.

  4. There is NO cure for an infected computer; the user will need to pay the ransom to decrypt their files.

Antivirus companies and cybersecurity experts are hard at work looking for ways to decrypt the files on infected computers. As of today there is no way of decrypting an infected user’s files besides complying with the malware’s instructions. It is highly advised to install any and all available security updates immediately, especially for users running Windows XP or Windows 8. If you are unsure what immediate steps you should take to protect yourself, please reach out to our team to walk you through the proper precautions.

  5. If your data is backed up on a regular basis, you can revert your files to the latest backup on your computer instead of paying the ransom.

It is safe to say that every business, small, medium or large, should have a backup solution in place so that its data and files are protected. A business without a backup can become a victim not only of WannaCry but of any other ransomware that appears in the future.

This troubling malware is still running rampant across the entire world wide web, and it is our job to help keep our clients and potential clients safe. Our team of system security experts has developed a DataVault solution that backs up your data in a safe and secure way, so that a ransomware attack cannot keep your business from succeeding. Click HERE to gain access to our free DataVault solution trial that will protect you from the likes of WannaCry.

Vulnerable Joomla! Installation under active attack

A Core Remote Code Execution Vulnerability (CVE-2015-8562) in the popular content management system (CMS) Joomla! was recently discovered. The vulnerability affects all versions of Joomla! prior to 3.4.6, and while updating the CMS to the latest version will patch the bug, there are still plenty of unpatched targets out there and Symantec has observed attackers actively scanning for and attacking vulnerable servers.

With over 50 million downloads, Joomla! is one of the most widely used content management platforms and is used by some very popular websites, meaning the vulnerability potentially puts millions of users at risk. In an attack scenario, an attacker can use this vulnerability to execute commands on the server, tamper with the website or database contents, host malware on the server, or even redirect visitors to other malicious websites.

How attackers find and exploit vulnerable servers
The exploit code is relatively easy to deploy and doesn’t require much skill; all that is needed is a single HTTP request. According to our telemetry, the methods attackers are using to scan for vulnerable versions of Joomla! are similar to the methods we covered in a recent blog on an RCE vulnerability in the vBulletin platform. Attackers are scanning for servers running vulnerable versions of Joomla! by attempting to call the phpinfo() function or by printing out the MD5 hash of a predetermined value. As with the vBulletin RCE exploit attacks, it is likely that attackers are scanning and documenting vulnerable web servers for exploitation at a later time.

Let’s take a look at how attackers are doing this.

In one method used by attackers, if the targeted server is vulnerable, the MD5 hash for the value 233333 is printed in the response sent by the server.

Figure 1. MD5 hash printed in the server response

Another method involves the attacker attempting to execute the eval(char()) function and waiting for any output from the die(pi()); call in the response. If this response is received, it tells the attacker that the server is vulnerable.

Figure 2. Server response from eval(char()) function

System administrators can look for the methods described previously as possible indicators of attack (IoA) or indicators of compromise (IoC). By examining web access logs, administrators can look for the requests and, if found, compare the time they were made to the time the server was patched to determine if the system was likely to have been breached.
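The log review described above, written out as a small script. This is an added example and not Symantec's code: it scans Apache combined-format access log lines for the probe strings the article names (phpinfo(), md5(233333), eval(char()), die(pi())), and flags any hit whose timestamp predates the moment the server was patched as a possible compromise. The combined format is assumed because, for this vulnerability, the injected code arrives in HTTP request headers; a log format that records only the request line would not show these probes. The log lines, the IP addresses and the patch time are all constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Probe strings named in the article. Matching is done on the whole log line,
# so it does not matter which request field the attacker placed them in.
INDICATORS = {
    "phpinfo_probe": re.compile(r"phpinfo\s*\(", re.IGNORECASE),
    "md5_233333_probe": re.compile(r"md5\s*\(\s*['\"]?233333", re.IGNORECASE),
    "eval_char_probe": re.compile(r"eval\s*\(\s*char\s*\(", re.IGNORECASE),
    "die_pi_probe": re.compile(r"die\s*\(\s*pi\s*\(\s*\)", re.IGNORECASE),
}

# Apache "combined" log format. The last field is the User-Agent header, which
# is why this format (and not the bare "common" format) is assumed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)


def parse_apache_ts(text):
    """'14/Dec/2015:10:22:31 +0000' -> timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def md5_marker():
    """Hex MD5 of the literal 233333. If a captured response body contains this
    string, the probe succeeded, i.e. the server executed the injected code."""
    return hashlib.md5(b"233333").hexdigest()


def scan_access_log(lines, patched_at):
    """Return one finding per log line containing a probe string. Requests made
    before the patch was applied are marked as a possible compromise; requests
    after it are noted but were not able to exploit the bug."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if not hits:
            continue
        ts = parse_apache_ts(m.group("ts"))
        findings.append({
            "line": lineno,
            "src_ip": m.group("ip"),
            "time": ts,
            "indicators": hits,
            "verdict": "possible_compromise" if ts < patched_at else "blocked_by_patch",
        })
    return findings


# Constructed patch time and sample log lines (not real traffic). The probe text
# in the User-Agent field is a placeholder, not a working payload.
PATCHED_AT = datetime(2015, 12, 14, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2015:10:22:31 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2015:11:05:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "probe: phpinfo();"',
    '198.51.100.7 - - [14/Dec/2015:13:40:19 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "probe: print(md5(233333));"',
    '198.51.100.9 - - [14/Dec/2015:15:12:44 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "probe: eval(char(...)); die(pi());"',
    'this line is not in combined format and is ignored',
]

if __name__ == "__main__":
    print("response marker for a successful md5 probe:", md5_marker())
    for f in scan_access_log(SAMPLE_LOG, PATCHED_AT):
        print(f"line {f['line']}: {f['src_ip']} at {f['time'].isoformat()} "
              f"-> {', '.join(f['indicators'])} [{f['verdict']}]")
```

The pre-patch hit is the one that matters: it shows a probe reached the server while it was still vulnerable, so that host should be treated as possibly compromised and examined for the back door described in the next section, rather than assumed clean because it has since been updated.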

Malicious script injection
Once a system is found to be vulnerable, the attackers can then proceed to the main attack. This usually involves the installation of a back door to enable the attackers to gain full access to the compromised computer.

The section of code shown in Figure 3 is part of an encoded PHP back door which is used against vulnerable Joomla! servers. Once the back door is established on the server, the attacker can execute commands, tamper with websites hosted on the server, or upload and download files at will.

Figure 3. Section of the encoded PHP back door used against vulnerable Joomla! servers

Read the full article at Symantec