This topic contains 19 replies, has 6 voices, and was last updated by Luc FULLENWARTH 1 week ago.

  • #138353 Paolo Maffezzoli (Participant)

    In this topic I collected some info and updates mainly coming from Microsoft about the recent cyberattack by WannaCry Ransomware (detected as WannaCrypt or WanaCrypt0r 2.0 or Ransom:Win32/WannaCrypt).

    Customer Guidance for WannaCrypt attacks

    Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

    WannaCrypt ransomware worm targets out-of-date systems

    Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016 have already received the security update MS17-010 in March.

    Security patches are available for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64 at this link: Microsoft Catalog Update – KB4012598

    Other information:

    What you need to know about the WannaCry Ransomware (Symantec)

    WannaCry: Are you safe? (Kaspersky)

    Bitdefender blocks world’s most aggressive piece of ransomware with next-generation detection technologies (BitDefender)

    Add your comments for any other helpful information.

    1+
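The post above lists which systems received MS17-010 in March and which need the KB4012598 catalogue package. The script below is an added example, not code from the thread or from Microsoft: it reports whether a host has one of the MS17-010 packages installed. KB4012598 is the only ID taken from the post; the other KB IDs are the per-OS MS17-010 packages as I know them from the bulletin and should be treated as an assumption to confirm against the MS17-010 page before relying on them.

```powershell
# Added example, not from the thread: report whether a host has an MS17-010 package installed.
# KB4012598 comes from the post (XP, Server 2003, Windows 8). The remaining IDs are the
# per-OS MS17-010 packages as I know them from the bulletin; confirm them before relying on this.
$Ms17010Kbs = @(
    'KB4012598',                           # Windows XP, Server 2003, Windows 8 (from the thread)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering over WMI/DCOM, so it also works
            # against Windows XP / Server 2003 hosts that have no WinRM listener.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $Ms17010Kbs -contains $_.HotFixID }
            $os = (Get-WmiObject Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop).Caption
        } catch {
            Write-Warning "$computer : hotfix query failed ($($_.Exception.Message))"
            continue
        }
        [pscustomobject]@{
            ComputerName = $computer
            OS           = $os
            Ms17010Found = [bool]$installed
            HotFixIDs    = ($installed | Select-Object -ExpandProperty HotFixID) -join ','
        }
    }
}

# Local host by default; pass a list of names to sweep several machines.
Test-Ms17010 | Format-Table -AutoSize
```

One caveat when reading the output: Win32_QuickFixEngineering lists packages by their own KB number, so a host that received a later cumulative update superseding MS17-010 shows `Ms17010Found False` even though it is protected. Treat a negative result as "check further" (Windows Update history or the srv.sys file version), not as proof that the host is unpatched.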

  • #138359 Jason Coltrin (Moderator)

    Here’s Sophos info:

    https://community.sophos.com/kb/en-us/126733

    2+

  • #139604 Paolo Maffezzoli (Participant)
    • #140774 Michael Pietroforte (Keymaster)

      Fascinating analysis. I suppose this is one of the reasons why you want a file auditing solution these days. All the alarm bells must go off if such a large number of files is accessed.

      0
      • #141986 Paolo Maffezzoli (Participant)

        The article is really interesting, a detailed description of how WanaCry Ransomware works. In any case the conclusion is the same: keep Windows systems regularly patched. This is the best way to prevent virus attacks. We can also consider disabling SMB, to reduce the attack surface.

        0
      • #164792 Mauro (Participant)

        Thanks, really interesting

        Just my 2 cents:
        Since those vulnerabilities exploit SMB v1, can’t you simply disable it?

        Stop using SMB1

        0
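Mauro's question ("can't you simply disable it?") has a concrete answer in Microsoft's "How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server" article. The script below is an added example, not code from the thread or from Microsoft: it audits the server and client side of SMB1 on the local host and, unless run with -Audit, disables both using the settings that article documents. It assumes an elevated PowerShell session; the function and variable names are my own.

```powershell
# Added example, not from the thread: audit and (without -Audit) disable SMBv1 on the local host,
# using the settings from Microsoft's "How to enable and disable SMBv1, SMBv2, and SMBv3" article.
# Run elevated. On Windows 7 / Server 2008 R2 the client-side change completes after a reboot.
param([switch]$Audit)

$lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$mrxsmb10     = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Server side: the SMB cmdlets exist on Windows 8 / Server 2012 and later; on
    # Windows 7 / Server 2008 R2 fall back to the LanmanServer\Parameters\SMB1 value.
    # An absent value means SMB1 is enabled, which is the default on those systems.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $value  = (Get-ItemProperty -Path $lanmanServer -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $server = ($null -eq $value) -or ($value -ne 0)
    }
    # Client side: mrxsmb10 is the SMB1 redirector driver. Start = 4 means disabled;
    # a missing key means the SMB1 feature has been removed from the system entirely.
    $start  = (Get-ItemProperty -Path $mrxsmb10 -Name Start -ErrorAction SilentlyContinue).Start
    $client = ($null -ne $start) -and ($start -ne 4)
    [pscustomobject]@{ ServerSmb1Enabled = [bool]$server; ClientSmb1Enabled = $client }
}

function Disable-Smb1 {
    # Server side.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanServer -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop mrxsmb10 from the workstation service's dependencies and keep
    # the driver from loading at boot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$before = Get-Smb1Status
Write-Host ("Before: server SMB1 = {0}, client SMB1 = {1}" -f $before.ServerSmb1Enabled, $before.ClientSmb1Enabled)
if ($Audit) { return }
if ($before.ServerSmb1Enabled -or $before.ClientSmb1Enabled) {
    Disable-Smb1
    $after = Get-Smb1Status
    Write-Host ("After:  server SMB1 = {0}, client SMB1 = {1} (reboot to complete)" -f $after.ServerSmb1Enabled, $after.ClientSmb1Enabled)
}
```

Run it with -Audit first, across the estate if you like (it is a plain script, so Invoke-Command can push it to a list of hosts), and only disable once the audit shows nothing still depends on SMB1. On Windows 8.1 / 10 and Server 2012 R2 / 2016 the cleaner route that the same Microsoft article describes is removing the SMB1 feature altogether (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on clients, Remove-WindowsFeature FS-SMB1 on servers), which leaves neither the driver nor the service side behind.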
        • #164813 Luc FULLENWARTH (Moderator)

          Mauro, that would be too easy!

          We are all dreaming about…

          0
        • #166066 Paolo Maffezzoli (Participant)

          Hi Mauro, I agree, smb1 is really an old protocol (30 years!). The main problem is about many exceptions in organizations that are running for example Windows 2003 servers or other apps that still need smb1.
          Btw, nice to read in the article the recommendation… Stop using SMB1. Stop using SMB1. STOP USING SMB1!

          1+
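The "exceptions" Paolo mentions are the real obstacle: before SMB1 can be switched off on a file server you need to know which clients still negotiate it. The script below is an added example, not code from the thread: it lists live sessions that negotiated an SMB1 dialect, switches on the SMB1 access audit that newer servers offer (the -AuditSmb1Access setting, Windows Server 2016 / Windows 10 1511 and later), and rolls the resulting events up per client. The 30-day window, the function names, and the assumption that the audit event message carries the peer as "Client Address: <ip>" are mine.

```powershell
# Added example, not from the thread: find out which clients still use SMB1 against this file
# server before turning it off. Needs the SMB cmdlets (Windows Server 2012 or later); the audit
# switch exists on Windows Server 2016 / Windows 10 1511 and later. 30-day window is an assumption.

# 1. Live sessions whose negotiated dialect is not 2.x or 3.x, i.e. SMB1. This is only a
#    snapshot of the moment you run it; the audit log below gives coverage over time.
function Get-Smb1Sessions {
    Get-SmbSession | Where-Object {
        -not ($_.Dialect -match '^(\d+)' -and [int]$Matches[1] -ge 2)
    } | Select-Object ClientComputerName, ClientUserName, Dialect
}

# 2. Switch on SMB1 access auditing. From then on every SMB1 connection attempt is logged
#    as event ID 3000 in the Microsoft-Windows-SMBServer/Audit channel.
function Enable-Smb1Audit {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# 3. Roll the audit events up to one row per client: attempts, first and last seen.
function Get-Smb1AuditSummary {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the message text carries the peer as "Client Address: <ip>".
            if ($_.Message -match 'Client Address:\s*(\S+)') {
                [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
            }
        } |
        Group-Object -Property Client |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object -Property Time
            [pscustomobject]@{
                Client    = $_.Name
                Attempts  = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        } | Sort-Object -Property Attempts -Descending
}

# Typical run on the file server: snapshot now, enable auditing, come back after a few weeks.
Get-Smb1Sessions     | Format-Table -AutoSize
Enable-Smb1Audit
Get-Smb1AuditSummary | Format-Table -AutoSize
```

The audit summary is what turns "some apps still need SMB1" into a short list of addresses with a last-seen date; anything that has not connected in the whole window is not an exception any more, and what remains can be matched against the vendor statements in the SMB1 product clearinghouse that Luc links further down.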

        • #166069 Michael Pietroforte (Keymaster)

          I’d like to add this: STOP USING APPLICATIONS THAT STILL REQUIRE SMB1, STOP USING APPLICATIONS THAT… 😉

          2+

        • #166095 Mauro (Participant)

          Yep, it's funny 🙂

          Ciao,
          Mauro

          0
    • #140803 Karim Buzdar (Moderator)

      Hi Paolo,

      Could you please mark the status (resolved/not a support question) from top left corner of this topic?

      Thank you,

      Karim

      0
      • #141983 Paolo Maffezzoli (Participant)

        Hi Karim,

        I marked the status as not a support question.

        Thanks

        Paolo

        0
  • #142003 Paolo Maffezzoli (Participant)

    On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to discover vulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the ransomware known as WannaCry.

    Over the subsequent weekend, however, we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz.

    The Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.

    WannaCry stopped by Adylkuzz attack?
    Ref.: https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

    0
  • #143262 Paolo Maffezzoli (Participant)

    If confirmed, this is good news …

    Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday.  Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren’t affected by last week’s major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns.  “This software has only been tested and known to work under Windows XP,” he wrote in a readme note accompanying his app, which he calls Wannakey. “In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”

    Reference: Windows XP PCs infected by WCry can be decrypted without paying ransom

    0
  • #145738 Paolo Maffezzoli (Participant)

    [Wannacry decryptor tool]

    Some news about the WannaCry decryptor tool.

    Reference: WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom

    To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving no choice for the victims to retrieve the decryption key except paying the ransom to the attacker.

    But here’s the kicker: WannaCry “does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

    Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve the two prime numbers, used in the formula to generate encryption keys from memory, and works on Windows XP only.

    Here is some info in case WannaCry infects your computer:

    Note: WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008

    1+

  • #164818 Luc FULLENWARTH (Moderator)

    I’ve published it in the news section, but I think it has its place here.

    This blog post contains all products requiring SMB1, where the vendor explicitly states this in their own documentation or communications. This list is not complete and you should never treat it as complete; check back often.

    https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

    • This reply was modified 1 week, 2 days ago by Luc FULLENWARTH. Reason: language improvement
    1+

  • #166088 Paolo Maffezzoli (Participant)

    This vulnerability attacks not only Windows systems but Linux systems as well. More details available here: SambaCry is coming – Securelist

    At the moment we don’t have any information about the actual scale of the attack. However, this is a great reason for system administrators and ordinary Linux users to update their Samba software to the latest version immediately to prevent future problems.

    1+

    • #166102 Luc FULLENWARTH (Moderator)

      I have a solution for them: migrate to Windows 😀

      0
      • #166110 Paolo Maffezzoli (Participant)

        Or disable Samba and say hello to Windows world! 🙂

        1+

  • #167342 Luc FULLENWARTH (Moderator)

    While most of us have probably used the official document How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server, Microsoft has published today a new post specifically dedicated to Disabling SMBv1 through Group Policy.

    0
