Ransomware has hit Spectranet and Smile Communications (Smile). Here is how it applies to you, how you can recover an affected router, and how to protect your router in the future.

What is ransomware and how does it apply here?

Ransomware is a financially motivated attack in which the victim's data, or access to a service, is locked (most often through encryption) behind a paywall. As in a typical kidnapping, a ransom is demanded before the captive is freed. In the cyber world, payment is usually required in a virtual currency such as bitcoin to protect the identity of the attackers.

Ransomware can be spread via various vectors (channels) like malicious email attachments, previously compromised websites, and infected applications & storage devices.

The ransomware used in the Spectranet and Smile attack is a lock-screen variant. Here, the user's data was not encrypted; the attackers only blocked access to the default homepage of the mobile hotspot device (router). This type of ransomware is easy to undo without paying the ransom.

Negligence from both users and the affected manufacturers is what allowed this attack to flourish

We believe this attack on multiple 4G LTE mobile hotspots was possible for two major reasons. One, many customers failed to change the default passwords on their routers, so the attackers were able to gain access to these internet-connected devices using the default credentials. Two, the affected OEMs[1] (Spectranet and Smile Communications) were negligent enough not to update the firmware on the affected devices, so the attacker(s) could have leveraged an existing vulnerability in the OEM firmware to perform this hack.

An example of an affected Spectranet router with SSID changed

Next, the attackers changed the device's DNS[2] settings to ensure that all traffic was redirected to their ransom paywall. They then reconfigured the WiFi SSID[3] to Jisatsu (自殺). It was smooth sailing from there on, as they further injected malicious code that let them show end users their ransom paywall pages.

How to reset an affected router

Affected users can use the reset button to restore the device to its factory default settings and then set a new admin password. Here are the steps:

  • Turn on your mobile Wi-Fi.
  • Remove the back cover of your device.
  • Reset the device by using a pin to press the reset button for 5 seconds. The mobile Wi-Fi will automatically restart and the default settings will be restored.
  • Log on to the device.
  • Open your web browser to access the admin web interface: this is often 192.168.1.1, 192.168.0.1 or 192.168.8.1 (check the package of your router). The login username and password will also have been reset to their defaults (username: admin; password: admin).
  • Go to the settings page and click on network settings.
  • Set the DNS[2] to Auto (or use one of the DNS servers we recommend below).
  • Go to the WiFi settings and configure your mobile hotspot with your previously configured WiFi SSID[3] and password.
  • Connect to your hotspot using the configured username and password.

Bonus: We believe the steps shared by this Twitter user on how to cleanse an affected device would be useful for some of our readers, so we are sharing a link to it here:

Moving on, curing an affected router is good, but prevention is better than cure. So, we compiled a list of seven ways to limit your exposure to a future ransomware attack.

Seven ways to limit exposure to ransomware attacks

Ransomware attacks are increasingly common among internet users and connected devices. Here are seven ways to limit your exposure.

  1. Change your admin (web interface) Password

    Out of the box, wireless routers (MiFi devices and routers) come with default passwords. For a majority of routers in Nigeria, the admin username and password are both admin, as shown above. Users should change their default passwords to something stronger. For a custom secure password, you can try a password generator such as the one LastPass offers.

  2. Hide your SSID

    This is less technical and more social. If you are tired of people asking you for your WiFi password, hide the SSID. Hiding it doesn't prevent your network from getting hacked; it just makes it one step more difficult for an attacker to target you. Think about it this way: it is easier to talk to someone when you already know their name, in the same way that you can easily navigate your own apartment in the dark. To do this, log in to the admin interface, visit "WiFi Settings" on your router and disable "SSID broadcast".

  3. Disable WPS[4]

    WPS is a popular feature on most routers that allows users to connect to the device at the press of a button or by entering a PIN code, skipping the longer process of entering a password. While WPS may seem like an easier way to connect to a WiFi network, it is a broken feature: the technology behind WPS is an 8-digit PIN whose last digit is a check digit used for validation, so effectively it is a 7-digit PIN that can be brute forced with even the most basic, freely available attack tools.

  4. Use a Different DNS server

    Internet Service Providers usually set the default DNS servers for their routers, but these DNS servers might have downtime whenever your ISP is updating them or if they are under a DDoS[5] attack. It is advisable to use a backup DNS server offered by a public DNS service provider such as Google or Cloudflare. Steps for configuring your router to use either of these DNS providers are here: Google / Cloudflare.

  5. Turn on MAC[6] Filtering

    Mobile hotspot devices let anyone connect to them provided they have the WiFi password. MAC (Media Access Control) filtering provides an extra layer of security for your internet-connected devices. You can either allow or deny devices based on their MAC addresses (you can find the MAC addresses of the devices on your network by checking the status page of your admin interface or by using a third-party app called Fing). Devices you set to deny will be unable to connect to your network even if they have your password.

    P.S:  MAC filtering isn't infallible as attackers can spoof MAC addresses to connect to your network.

  6. Add a VPN service

    Most modern 4G mobile hotspot devices come out of the box with firmware that allows for a VPN to be easily configured. Read our recommendation on top VPNs of 2019.

  7. Update your router firmware

    This is the most important step. Always update your firmware. Check with the device OEM for available updates, and ask your ISP for firmware updates. Updating your router firmware improves your home and/or office security at no cost, and yet it is the one step that a lot of users forget about. Many users of popular 4G modems in Nigeria have probably never updated their device's firmware.

    Note that updating your firmware could reset your device back to factory settings, so be sure to apply your settings again after the update completes.
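The reset procedure above ends with re-checking the DNS setting, and the seven items here are really a checklist for the same admin interface. The following script is an added example, not part of the original post or of any vendor's software; it audits a router's settings (the dict keys and the two sample configurations are constructed for this example) and flags the indicators described in this article: a DNS resolver that is neither the router itself nor a trusted public resolver, the admin/admin default credentials, the attack SSID, and WPS, SSID broadcast and MAC filtering left in their weak state.

```python
import ipaddress

# Constructed for this example: the public resolvers the article recommends (Google, Cloudflare)
# and the private ranges a hotspot's own LAN address falls in (192.168.x.x per the article).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_ADMIN = ("admin", "admin")            # default credentials named in the article
ATTACK_SSID = "Jisatsu"                        # SSID the attackers set, per the article

def dns_findings(resolvers):
    """Flag resolvers that are neither a LAN (router) address nor a trusted public resolver."""
    findings = []
    for entry in resolvers:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"unparseable DNS entry {entry!r}")
            continue
        if any(ip in net for net in LAN_RANGES) or str(ip) in TRUSTED_RESOLVERS:
            continue
        findings.append(f"DNS resolver {ip} is neither the router nor a trusted resolver (possible hijack)")
    return findings

def audit_router(cfg):
    """Return a list of findings for a router settings dict; the keys are assumed for this example."""
    findings = dns_findings(cfg.get("dns_servers", []))
    if (cfg.get("admin_user"), cfg.get("admin_password")) == DEFAULT_ADMIN:
        findings.append("admin web interface still uses the default admin/admin credentials")
    if cfg.get("ssid") == ATTACK_SSID:
        findings.append("SSID matches the name used in the Spectranet/Smile attack")
    if cfg.get("wps_enabled", True):
        findings.append("WPS is enabled; disable it")
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID is broadcast; hide it if unwanted connection requests are a problem")
    if not cfg.get("mac_filtering", False):
        findings.append("MAC filtering is off")
    return findings

# Constructed sample settings: one device as the attackers left it, one after the reset and hardening.
HIJACKED_CFG = {"admin_user": "admin", "admin_password": "admin", "ssid": "Jisatsu",
                "dns_servers": ["203.0.113.5", "8.8.8.8"], "wps_enabled": True,
                "ssid_broadcast": True, "mac_filtering": False}
HARDENED_CFG = {"admin_user": "admin", "admin_password": "c0rrect-horse-battery", "ssid": "HomeNet",
                "dns_servers": ["1.1.1.1", "1.0.0.1"], "wps_enabled": False,
                "ssid_broadcast": False, "mac_filtering": True}

if __name__ == "__main__":
    for name, cfg in (("hijacked", HIJACKED_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_router(cfg) or ["no findings"])
```

The 203.0.113.5 address in the hijacked sample is a documentation address standing in for an attacker-controlled resolver; on a real device you would read the values off the network settings page after the reset.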

Abbreviations
  1. OEM—Original Equipment Manufacturer
  2. DNS—Domain Name System
  3. SSID—Service Set Identifier
  4. WPS—WiFi Protected Setup
  5. DDoS—Distributed Denial of Service Attack
  6. MAC—Media Access Control

Updated, 9:06 PM: To reflect the suggestions from another Twitter user on how to cure an affected router.