New Ransomware Breaks Out Globally, Antiy Releases Emergency Analysis and Solutions

On May 12, 2017, at about 8:00 p.m. (Beijing time), a large-scale ransomware outbreak began worldwide. According to BBC News, the ransomware appeared in many parts of the world that day, demanding a high ransom (paid in Bitcoin) to decrypt data; a number of hospitals in the UK were infected and patient information was leaked. Russia, Italy and the rest of Europe were also hit, as were many colleges and universities in China.

A number of public medical institutions in the UK suffered the attack, and many enterprises were infected by the same malware. The education network was hit especially hard: by 8:00 a.m. on May 13, about 50 universities had been infected, paralysing teaching systems, including campus card systems. Many other enterprises were attacked as well.

On the morning of May 13, many Chinese Internet security vendors responded quickly to the incident, and Antiy released the first report on the outbreak of the ransomware, titled “New Worm-like Ransomware ‘WannaCry’ Breaks Out Globally, Antiy Releases Emergency Analysis and Solutions”. The report’s main findings:

  1. It is a new ransomware family called “WannaCry”, and there is no known method to decrypt the files it encrypts.
  2. It spreads by exploiting the SMB vulnerability MS17-010 over port 445 (Microsoft released the patch in March this year), which allowed it to infect a large number of hosts worldwide in a short time.
  3. A global mass attack has been confirmed. On April 14, 2017, the Shadow Brokers released the “network arms” used by the Equation Group, which contained the program that exploits this vulnerability.
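As an added defender-side example (not from Antiy's report), the worm-like spread over TCP/445 described in point 2 has a simple network signature: one host initiating SMB connections to many distinct peers within seconds. The Python script below flags such fan-out over constructed firewall-style log lines; the log format, the 5-peer threshold and the 60-second window are assumptions.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall/netflow-style lines: "<ISO time> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2017-05-12T20:01:05 10.0.1.20 -> 10.0.1.21:445
2017-05-12T20:01:05 10.0.1.20 -> 10.0.1.22:445
2017-05-12T20:01:06 10.0.1.20 -> 10.0.1.23:445
2017-05-12T20:01:06 10.0.1.20 -> 10.0.1.24:445
2017-05-12T20:01:07 10.0.1.20 -> 10.0.1.25:445
2017-05-12T20:01:07 10.0.1.20 -> 10.0.1.26:445
2017-05-12T20:01:30 10.0.1.50 -> 10.0.1.5:445
2017-05-12T20:01:31 10.0.1.50 -> 10.0.1.5:445
2017-05-12T20:02:00 10.0.1.60 -> 93.184.216.34:443
2017-05-12T20:02:00 10.0.1.60 -> 10.0.1.7:445
"""

def parse_line(line):
    """Return (timestamp, src, dst, port) for one log line of the assumed format."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_fanout(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peer_count} for sources that reached >= threshold distinct
    hosts on TCP/445 inside any sliding window of the given length."""
    events = defaultdict(list)                      # src -> [(ts, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 445:                             # only SMB connection attempts
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide window start
                start += 1
            peers = {dst for _, dst in hits[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} contacted {n} distinct hosts on TCP/445 within 60s")
```

A repeat-connection host (10.0.1.50) and a single SMB connection (10.0.1.60) are not flagged, only the host that reached six peers in two seconds.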

In recent years, ransomware has become the fastest-growing and most damaging class of computer virus. You can check whether you are infected by looking for the following signs:

  1. The computer or mobile device screen is locked.
  2. Fake security warnings are displayed under the name of anti-virus software to trick users into buying so-called “anti-virus software”.
  3. Pop-up messages on the computer screen state that the user’s files have been encrypted and demand a ransom.

The main impact of ransomware is that it disrupts normal use of the user’s system and holds the user’s data hostage, forcing users to pay to regain normal use of the system.

According to the full analysis, domestic security vendors such as Antiy, 360 Enterprise Security Group and other leading network security companies have upgraded their products, taken action against the ransomware and provided effective advice for users.

Xiao Xinguang, vice president of the Cyber Security Association of China (CSAC) and chief technical architect of Antiy, pointed out that it is imperative to improve the in-depth defense system and capability within the network.

From the leak of the NSA’s XXX exploit tools (the “network arms”) to the outbreak of ransomware exploiting the related vulnerabilities, this is the first time this year that Antiy has issued an A-level risk warning for a large-scale security emergency, and the second A-level warning since Heartbleed and Mirai. This time the situation has escalated from an A-level security risk to a large-scale A-level security disaster. In past years, large-scale worm infections such as CodeRed, Sasser and Blaster caused network congestion; since then, events that corrupt large numbers of systems have declined. Concern about large-scale botnets built on PC nodes has also declined, while Mirai and other IoT botnets have become the focus of attention. This created a false sense of “calm”. With improvements to DEP, ASLR and other mitigations in Windows itself, vulnerabilities that can take down the system in a single blow have indeed become rarer, and the mainstream attack surface has shifted to applications.

Beneath this calm surface, APT attacks aimed at stealing secrets and pre-positioning implants have not received enough attention; because they are highly covert, IT managers find them difficult to perceive. With a long kill chain and targeted features, black-market crime no longer depends on an extremely wide distribution but still obtains a stable illegal income. Thus, in the past few years, network security risk has centred on highly concealed, targeted attacks whose defining characteristic is that they are hard to perceive, so internal network security has not received effective investment or attention. A major feature of this incident is that its effect is directly visible. It also shows that our long-standing reliance on simple perimeter protection and physical isolation leaves internal security vulnerable and liable to collapse at the first blow.

At present, there are defects in security capability within China’s network security systems. On the one hand, products cannot be fully deployed and effectively used; on the other hand, planning and construction have not implemented the “three synchronization” principle, and basic security architecture is lacking. The Sliding Scale of Cyber Security model is recognized by Antiy, 360 and other security vendors, who agree with its theme: architecture, passive defense, active defense, threat intelligence and so on. All phases form a whole; each phase on the sliding scale depends on the one to its left. Each phase has its own duty and value. From left to right, the investment gradually increases, so the phases on the left solve the basic problems. From the point of view of network security investment, laying the foundation deserves more attention and effort; the more valuable the assets to be protected, the more active defense and threat intelligence are needed.

At the “4·19” Network Security and Informatization Work Forum, President Xi Jinping warned that “the sources and means of threats to cyber security are evolving; it is not right to rely on just a few pieces of security equipment and software to keep your network safe. It is necessary to establish a dynamic and comprehensive protection concept.” He specifically pointed out that “physical isolation” carries the security risk of cross-network intrusion, and that comprehensive, 7*24 situational awareness should be achieved. At the National Security Work Forum on February 17, President Xi further stressed the need “to achieve comprehensive and 7*24 situational awareness and effective protection.” The effectiveness of protection will ultimately be tested in confrontation with the attacker. Although the losses from this incident are grievous, we must remain alert to deeper, more hidden attacks against critical information infrastructure; their consequences could amount to a large-scale disaster, and that risk remains obvious. It is therefore necessary to effectively improve the in-depth defense system and capability.