The WannaCry ransomware struck across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks.
By Symantec Security Response
UPDATE as of May 15, 2017 23:24:21 GMT:
Symantec has uncovered two possible links that loosely tie the WannaCry ransomware attack and the Lazarus group:
- Co-occurrence of known Lazarus tools and WannaCry ransomware: Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as a method of propagating WannaCry, but this is unconfirmed.
- Shared code: As tweeted by Google’s Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants.
While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds.
A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization’s network by exploiting a critical vulnerability in Windows computers, which was patched by Microsoft in March 2017 (MS17-010). The exploit, known as “Eternal Blue,” was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, which claimed that it had stolen the data from the Equation cyber espionage group.
Am I protected from the WannaCry ransomware?
Symantec Endpoint Protection (SEP) and Norton have proactively blocked any attempt to exploit the vulnerability used by WannaCry, meaning customers were fully protected before WannaCry first appeared.
The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.
Symantec and Norton customers are automatically protected against WannaCry using a combination of technologies.
Proactive protection was provided by:
- IPS network-based protection
- SONAR behavior detection technology
- Advanced Machine Learning
- Intelligent Threat Cloud
Customers should have these technologies enabled for full proactive protection. SEP customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by Machine Learning signatures.
Network based protection
Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:
- OS Attack: Microsoft SMB MS17-010 Disclosure Attempt (released May 2, 2017)
- Attack: Shellcode Download Activity (released April 24, 2017)
SONAR behavior detection technology
Sapient Machine Learning
For expanded protection and identification purposes the following Antivirus signatures have been updated:
Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:
Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010, to prevent WannaCry from spreading.
What is the WannaCry ransomware?
WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.
Can I recover the encrypted files or should I pay the ransom?
Decryption of encrypted files is not possible at present. If you have backup copies of affected files, you may be able to restore them. Symantec does not recommend paying the ransom.
In some cases, files may be recovered without backups. Files saved on the Desktop, My Documents, or on a removable drive are encrypted and their original copies are wiped. These are not recoverable. Files stored elsewhere on a computer are encrypted and their original copies are simply deleted. This means they could be recovered using an undelete tool.
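A triage sketch for the recovery rule above, added here as an example (not Symantec's code): it sorts a listing of `.WCRY` files into those whose originals were wiped and those worth passing to an undelete tool. The profile folder layout, the inclusion of `Documents` as the later name for My Documents, and the caller-supplied removable drive letters are assumptions.

```python
from pathlib import PureWindowsPath

# Assumption: profile roots and folder names for Windows XP and later.
# "documents" is included as the post-XP name of "My Documents".
PROFILE_ROOTS = {"users", "documents and settings"}
WIPED_FOLDERS = {"desktop", "my documents", "documents"}


def classify(path, removable_drives=()):
    """Return 'not_encrypted', 'wiped' or 'undelete_candidate' for one path."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".wcry":
        return "not_encrypted"
    # Removable drives: per the article, originals there are wiped.
    if p.drive.upper() in {d.upper() for d in removable_drives}:
        return "wiped"
    parts = [part.lower() for part in p.parts]
    # Expected layout: <drive>\<profile root>\<user>\<folder>\...\<file>
    if len(parts) >= 5 and parts[1] in PROFILE_ROOTS and parts[3] in WIPED_FOLDERS:
        return "wiped"
    # Everything else: originals were only deleted, so undelete may work.
    return "undelete_candidate"


def triage(paths, removable_drives=()):
    """Group original file names (without .WCRY) by recovery outlook."""
    report = {"wiped": [], "undelete_candidate": []}
    for path in paths:
        verdict = classify(path, removable_drives)
        if verdict != "not_encrypted":
            # Strip the appended extension to get the name to search for.
            original = str(PureWindowsPath(path).with_suffix(""))
            report[verdict].append(original)
    return report


# Constructed sample listing (not taken from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\budget.xlsx.WCRY",
    r"C:\Documents and Settings\bob\My Documents\cv.doc.WCRY",
    r"C:\Projects\site\index.html.WCRY",
    r"D:\Archive\2016\scan.pdf.wcry",
    r"E:\photos\trip.jpg.WCRY",
    r"C:\Users\alice\Desktop\readme.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING, removable_drives={"E:"})
    for verdict, names in result.items():
        print(verdict)
        for name in names:
            print("   ", name)
```

Run the undelete attempt against an image of the disk rather than the live volume, since continued writes can overwrite the deleted originals.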
When did WannaCry appear and how quickly did it spread?
WannaCry first appeared on Friday May 12. Symantec saw a dramatic upsurge in the number of attempts to exploit the Windows vulnerability used by WannaCry from approximately 8:00 GMT onwards. The number of exploit attempts blocked by Symantec dropped slightly on Saturday and Sunday but remained quite high.
Figure 1. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per hour
Figure 2. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per day
Figure 3. Heatmap showing Symantec detections for WannaCry, May 11 to May 15
Who is impacted?
Any unpatched Windows computer is potentially susceptible to WannaCry. Organizations are particularly at risk because of its ability to spread across networks and a number of organizations globally have been affected, the majority of which are in Europe. However, individuals can also be infected.
Is this a targeted attack?
No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.
Why is it causing so many problems for organizations?
WannaCry has the ability to spread itself within corporate networks without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.
How is WannaCry spread?
While WannaCry can spread itself across an organization’s networks by exploiting a vulnerability, the initial means of infection (how the first computer in an organization is infected) remains unconfirmed. Symantec has seen some cases of WannaCry being hosted on malicious websites, but these appear to be copycat attacks, unrelated to the original attacks.
Have many people paid the ransom?
Analysis of the three Bitcoin addresses provided by the attackers for ransom payment indicates that, at the time of writing, a total of 31.21 bitcoin ($53,845) had been paid in 207 separate transactions.
What are best practices for protecting against ransomware?
- New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
- Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
- Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that backups are appropriately protected or stored offline so that attackers can’t delete them.
- Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.
Signal Interference: A Beginner’s Guide
One of the great issues with any networking technology is always going to be interference. Copper cables had to deal with it, particularly around any strong electrical current. Fiber optics are harder to interrupt, but can still encounter interference in certain situations. Wireless signals can also be disrupted in this manner, sometimes even rendering them useless as nothing can get through whatever is interfering with the bandwidth.
So, now that we have an understanding that interference is bad for pretty much any OTS cable, what can we do about it? To get an idea of how to make this issue not something that crops up regularly, we should first understand what interference is. From there, we’ll figure out what we can do to keep it away.
What is Signal Interference?
Signal interference is anything that can disrupt the transmission of information along the cable. In copper wires, it could be electrical current or electromagnetic fields. For fiber optics, it will be anything that gets in the way of the light stream being reflected properly.
The result is that you lose strength and consistency, perhaps even losing the data entirely. In the best of cases, you only get a mild blip, a minor interruption. At the worst, the cable is made incapable of getting the signal through. This dip or even loss of performance will only go away if the source of the signal interference is removed, which might be more difficult in some instances than others.
Common Types of Interference
Now, let’s look at the most common types of interference you will find. According to industry standards, there are basically four categories. You have static, common mode, magnetic, and crosstalk.
Crosstalk is an old issue, one that was a prevalent concern for telecommunications. It is defined by the superimposition of pulsed DC signals between two or more means of transmission. It can also be caused by standard AC signals. The signal crosses from one wire to the other, garbling up the information in the transmission. The result can make the other end sound choppy or, in some cases, be sent to the wrong receiver.
The typical solution is to use twisted pairs of cable, which reduces the odds of crosstalk. If each wire is individually shielded, this further mitigates the problem. Since it runs on electrical currents, this is only an issue for copper cables and is not a prevalent issue in fiber optics. Sometimes, it can crop up in wireless signals, though this isn’t typical.
Static noise is also something that comes from electrical currents. In this instance, the field doesn’t jump wires but instead distorts the existing signal. The transmission may gain a great deal of noise, losing clarity. In extreme cases, the data may no longer be readable by the device receiving the information. This is typically an issue with older copper cables.
The common solutions are twofold. The first is to use foil shields, providing efficient protection against outside current and static. The second is to ground the cables properly, maintaining the integrity of their electrical signal in relation to interruptions from outside fields.
Magnetic fields are also potential issues. Knife switches, power transformers, sufficiently large AC equipment, and sources of electrical current can all generate an electromagnetic field. This field then creates noise in the signal that can disrupt it in the same way electrical sources do. This is the reason it is advised not to run ethernet cables parallel to electrical wiring, but instead to line them perpendicular to each other.
Eliminating magnetic noise works the same way as eliminating electrical noise. You use twisted pairs to deliver the signal. Padding is less helpful here, other than as an additional layer of insulation if the source of interference is electromagnetic in nature.
Common Mode Noise
The term common mode noise refers to the result of different electrical grounds at various points. As the current flows through these points, the signal becomes distorted or degraded due to the changes in grounding. The best preventative measure here is to simply ground the system properly, usually requiring the aid of an electrical engineer. You also want to install a power system that can regulate this issue.
If your cables are fiber optic, external light is also an issue if there is any damage on the protective jacket. The internal components of optical fiber are designed to reflect light as a means of transmitting the data. Anything that causes that light to be lost or causes external light to enter can cause noise. However, this requires extensive damage to the physical coating of the cable, which would be immediately visible.
Another way to protect cables from interference is shielding. The least you can get is foil shielding, which is low cost and protects the core conductors. If you need electromagnetic interference protection, braid shielding is a better choice. However, it is also more expensive. Multi-shield, which consists of both foil and braid shielding, is the best choice because of the comprehensive protection. It is also the priciest of the three.
Signal interference can ruin a network before it gets set up. Understanding where it comes from and what you can do to reduce or avoid it is critical. Fortunately, it’s not that hard to do. A little forethought can go a long way in avoiding interference.
Putting Up Cell Sites in Philippines is Telecom Industry’s Single Biggest Challenge
Being one of the Asian countries with the lowest cell site density, the Philippines is forced to serve more internet users per cell site compared to most of its neighbors. Setting up more telecommunications infrastructure continues to be challenging in the country, hampered by lengthy permit applications and some uncooperative stakeholders.
Latest data from TowerXchange and We Are Social showed that user-per-cell site density in the Philippines is now about 4,036, based on estimates of 16,600 total cell sites against around 67 million internet users as of the first quarter of the year. This shows a stark difference when compared to some of its neighboring countries like India, Indonesia, China, and Vietnam.
India, with 1.459 million cell sites against 462 million internet users, has a user-per-site density of 316. Indonesia, with over 91,700 cell sites against 132.7 million internet users, has a user-per-site density of 1,446. China, with 1.95 million cell sites against 751 million internet users, has a user-per-site density of 384. While Vietnam, with 70,000 cell sites against 64 million internet users, has a user-per-site density of 914.
The disproportionate number of cell sites versus internet users in the Philippines is mainly attributed to difficulties in securing permits from various local government units (LGUs), homeowner associations (HOAs), and other stakeholders, causing considerable delay in the construction of such facilities, Globe Chief Technology and Information Officer Gil Genio said.
For Globe Telecom, more cell sites are needed as its network saw mobile data traffic soar by 49 percent to 641 Petabytes during the first nine months of 2018, from 430 Petabytes recorded in the same period in 2017. As of end September 2018, Globe clocked in 65.4 million mobile customers, the majority of which are internet users. For instance, around 246,700 Globe active customers in Cotabato City in Maguindanao are forced to share only 13 cell sites. This shows the urgent need to build more towers in order to serve data traffic that has continued to grow exponentially over the past months.
“Consumer demand for mobile data is growing at an explosive rate. This means more and more cellular towers have to be deployed to keep up with the demand. But deployment is only the final step to a potentially long, costly site acquisition process,” Genio said.
To cater to the rising demand for data, Globe has been accelerating the deployment of cell sites across the Philippines. This is part of its initiative to continue building on its network capacities for better quality of internet experience. But in the absence of regulations on the construction of passive telecommunications infrastructure, LGUs impose their own requirements, slowing down the deployment of cell sites.
Aside from LGU permits, HOAs, exclusive subdivisions, and building administrators also impose certain guidelines and requirements based on Housing and Land Use Regulatory Board (HLURB) Resolution No. R-626 issued in 1998. From negotiations and documentation of prospective cell site location to securing structural permits and approvals, Globe estimates an average of eight months and over 25 permits before it can build one cellular tower.
Non-present health risks
Several exclusive villages and HOAs in the Philippines also refuse to have network-boosting cell sites deployed in their vicinity because of unfounded health risks linked with exposure to radiation emitted from cell sites.
Global authorities in radiation safety, like the Environmental Protection Agency (EPA) and the World Health Organization (WHO), have affirmed that proximity to cell sites does not cause any known health risks, contrary to what many HOAs and exclusive villages in the country believe. Even the Department of Health has taken all the necessary precautions in ensuring that the Philippine standard of thermal emissions from local cell sites is at least four times lower than what has been approved globally.
In a bid to bring the Philippines closer to first-world internet connectivity, Globe continues to push for cooperation among all stakeholders, from the public sector, down to the barangay level, property developers, and homeowners.
Snapcart Offline Shopper funding of US10 Million Dollars
Snapcart, the real-time offline shopper and consumer insights startup, late last month closed a USD10 million series A funding from several investors, which include Kickstart Ventures, the wholly-owned venture capital company of Globe Telecom.
The amount, which is significant for a data B2B startup, would be used to advance further Snapcart’s AI-based OCR technology, as well as expand its operations and teams in the Philippines and Indonesia, where it currently operates. Snapcart is pushing to widen its market to include other Southeast Asian countries.
“A sizable amount of the fund will be used to further enhance our product’s proposition. Given our unique organization structure, where our Data Science team is based in Manila, we would ultimately ramp up the Philippines organization,” says Teresa Condicion, co-founder and chief data & operations officer of Snapcart.
Condicion added: “The participation of Kickstart in our Series A fund-raising will definitely boost our business development efforts in the country as well, given their vast network.”
Snapcart is the 34th firm to receive funding from Kickstart, which invests in digital startups globally. It is Kickstart’s second portfolio company from Indonesia.
“Kickstart supports entrepreneurs and accelerates the growth of new businesses in the digital technology space. It is co-creating a dynamic innovation ecosystem in the Southeast Asian region, and helping to promote partnerships between startups and large enterprises. Snapcart has an excellent founding team, possibly the most diverse we’ve seen at this stage. The product is innovative and robust, and the business model demonstrates good traction as can be seen from its A-list corporate clients. We believe in what Snapcart offers and we’re thrilled to support its growth,” said Minette Navarrete, Kickstart President.
The Series A round was led by Vickers Ventures Partners, with participation from Social Capital and Endeavor Catalyst. Existing investors such as Wavemaker Partners and SPH Ventures also followed on.
Snapcart previously closed a USD3 million pre-series A round in early 2017.
Launched in September 2015, the app has over 700,000 users and is collaborating with more than 75 FMCG brands across the region such as Unilever, L’Oreal, Unilab, and Nestlé.