This topic contains 21 replies, has 6 voices, and was last updated by  Paolo Maffezzoli 3 days, 20 hours ago.

  • #138353
     Paolo Maffezzoli 
    Participant

    In this topic I collected some info and updates mainly coming from Microsoft about the recent cyberattack by WannaCry Ransomware (detected as WannaCrypt or WanaCrypt0r 2.0 or Ransom:Win32/WannaCrypt).

    Customer Guidance for WannaCrypt attacks

    Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

    WannaCrypt ransomware worm targets out-of-date systems

    Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016 have already received the security update MS17-010 in March.

    Security patches are available for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64 at this link: Microsoft Catalog Update – KB4012598

    Other information:

    What you need to know about the WannaCry Ransomware (Symantec)

    WannaCry: Are you safe? (Kaspersky)

    Bitdefender blocks world’s most aggressive piece of ransomware with next-generation detection technologies (BitDefender)

    Add your comments for any other helpful information.

  • #138359
     Jason Coltrin 
    Moderator

    Here’s Sophos info:

    https://community.sophos.com/kb/en-us/126733

  • #139604
     Paolo Maffezzoli 
    Participant
    • #140774
       Michael Pietroforte 
      Keymaster

      Fascinating analysis. I suppose this is one of the reasons why you want a file auditing solution these days. All the alarm bells must go off if such a large number of files is accessed.

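      To illustrate the kind of alert Michael is describing, here is an added PowerShell example; it is not from the thread and not from any file-auditing product. It assumes records with the fields of Windows Security event 4663 (time, user, process, object name); the sample records, the share name and the process paths are constructed placeholders.

```powershell
# Added example (not from the thread): flag a process that touches an unusually
# large number of distinct files in a short window, the pattern a file-auditing
# solution should alert on during a ransomware encryption run.
# Record fields follow Windows Security event 4663 (object access); in
# production you would build them from Get-WinEvent -FilterHashtable
# @{ LogName = 'Security'; Id = 4663 } instead of the constructed sample below.

function Find-FileAccessBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, User, Process, Object
        [int] $WindowSeconds = 60,                   # fixed window size
        [int] $Threshold = 100                       # distinct files per window that trips the alert
    )
    $ticksPerWindow = [timespan]::TicksPerSecond * $WindowSeconds
    $Events |
        Group-Object -Property {
            # one bucket per user, process and fixed time window
            '{0}|{1}|{2}' -f $_.User, $_.Process, [math]::Floor($_.Time.ToUniversalTime().Ticks / $ticksPerWindow)
        } |
        ForEach-Object {
            $distinct = @($_.Group.Object | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    User          = $_.Group[0].User
                    Process       = $_.Group[0].Process
                    WindowStart   = ($_.Group.Time | Sort-Object)[0]
                    DistinctFiles = $distinct
                }
            }
        }
}

# --- constructed sample: nothing below comes from a real log ---
$base   = Get-Date '2017-05-12T10:00:00'
$sample = New-Object System.Collections.Generic.List[object]

# benign: a user opening a few documents over ten minutes
foreach ($i in 1..5) {
    $sample.Add([pscustomobject]@{
        Time    = $base.AddMinutes(2 * $i)
        User    = 'ACME\alice'
        Process = 'C:\Program Files\Microsoft Office\WINWORD.EXE'
        Object  = "\\fs01\docs\report$i.docx"
    })
}
# suspicious: an unknown binary touching 150 distinct files within 30 seconds
foreach ($i in 1..150) {
    $sample.Add([pscustomobject]@{
        Time    = $base.AddSeconds(300 + 0.2 * $i)
        User    = 'ACME\alice'
        Process = 'C:\Users\alice\AppData\Local\Temp\unknown.exe'   # placeholder path
        Object  = "\\fs01\docs\sheet$i.xlsx"
    })
}

Find-FileAccessBursts -Events $sample.ToArray() | Format-Table -AutoSize
```

      On the constructed sample only the unknown.exe bucket is reported (150 distinct files in one 60-second window); WINWORD.EXE opens one file every two minutes and never crosses the threshold. To run this against real data, map SubjectUserName, ProcessName and ObjectName from the 4663 event XML onto the Time/User/Process/Object fields (assumed names) and tune WindowSeconds and Threshold to the share's normal load. The fixed window is deliberately simple: a burst that straddles a minute boundary is split in two, so keep the threshold well below half of what an encryption run produces.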
      • #141986
         Paolo Maffezzoli 
        Participant

        The article is really interesting, a detailed description of how WanaCry Ransomware works. In any case the conclusion is the same: maintain Windows systems regularly patched. This is the best way to prevent virus attacks. We can also consider disabling SMB, to reduce the attack surface.

      • #164792
         Mauro 
        Participant

        Thanks, really interesting

        Just my 2 cents:
        Since those vulnerabilities exploit SMB v1, can’t you simply disable it?

        Stop using SMB1

        • #164813
           Luc Fullenwarth 
          Moderator

          Mauro, that would be too easy!

          We are all dreaming about…

        • #166066
           Paolo Maffezzoli 
          Participant

          Hi Mauro, I agree, SMB1 is really an old protocol (30 years!). The main problem is the many exceptions in organizations that are running, for example, Windows 2003 servers or other apps that still need SMB1.
          Btw, nice to read in the article the recommendation… Stop using SMB1. Stop using SMB1. STOP USING SMB1!

        • #166069
           Michael Pietroforte 
          Keymaster

          I’d like to add this: STOP USING APPLICATIONS THAT STILL REQUIRE SMB1, STOP USING APPLICATIONS THAT… 😉

        • #166095
           Mauro 
          Participant

          yep, it’s funny 🙂

          Ciao,
          Mauro

    • #140803
       Karim Buzdar 
      Moderator

      Hi Paolo,

      Could you please mark the status (resolved/not a support question) from top left corner of this topic?

      Thank you,

      Karim

      • #141983
         Paolo Maffezzoli 
        Participant

        Hi Karim,

        I marked the status as not a support question.

        Thanks

        Paolo

  • #142003
     Paolo Maffezzoli 
    Participant

    On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to discover vulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the ransomware known as WannaCry.

    Over the subsequent weekend, however, we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz.

    The Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.

    WannaCry stopped by Adylkuzz attack ?
    Ref. : https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

  • #143262
     Paolo Maffezzoli 
    Participant

    If confirmed, this is good news…

    Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday.  Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren’t affected by last week’s major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns.  “This software has only been tested and known to work under Windows XP,” he wrote in a readme note accompanying his app, which he calls Wannakey. “In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”

    Reference: Windows XP PCs infected by WCry can be decrypted without paying ransom

  • #145738
     Paolo Maffezzoli 
    Participant

    [Wannacry decryptor tool]

    Some news about the WannaCry decryptor tool.

    Reference: WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom

    To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving no choice for the victims to retrieve the decryption key except paying the ransom to the attacker.

    But here’s the kicker: WannaCry “does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

    Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve the two prime numbers, used in the formula to generate encryption keys from memory, and works on Windows XP only.

    Here is some info in case WannaCry infects your computer:

    Note: WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008

  • #164818
     Luc Fullenwarth 
    Moderator

    I’ve published it in the news section, but I think it has its place here.

    This blog post contains all products requiring SMB1, where the vendor explicitly states this in their own documentation or communications. This list is not complete and you should never treat it as complete; check back often.

    https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

  • #166088
     Paolo Maffezzoli 
    Participant

    This vulnerability affects not only Windows systems but Linux systems as well. More details available here: SambaCry is coming – Securelist

    At the moment we don’t have any information about the actual scale of the attack. However, this is a great reason for system administrators and ordinary Linux users to update their Samba software to the latest version immediately to prevent future problems.

    • #166102
       Luc Fullenwarth 
      Moderator

      I have a solution for them: migrate to Windows 😀

      • #166110
         Paolo Maffezzoli 
        Participant

        Or disable Samba and say hello to Windows world! 🙂

  • #167342
     Luc Fullenwarth 
    Moderator

    While most of us have probably used the official document “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server”, Microsoft has published today a new post specifically dedicated to “Disabling SMBv1 through Group Policy”.

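    As an added example covering both Mauro’s question above (“can’t you simply disable it?”) and this Group Policy post, here is a PowerShell sequence that first looks for clients still negotiating SMB1 and only then turns the protocol off; it is my code, not Microsoft’s script and not from the thread. It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and DISM cmdlets), an elevated session, and that the AuditSmb1Access switch exists only on Windows 10 / Server 2016, which the code checks before using it.

```powershell
# Added example, not from the thread and not Microsoft's own script.
# Assumes Windows 8.1 / Server 2012 R2 or later; run from an elevated session.

function Get-Smb1Status {
    # Server side: EnableSMB1Protocol maps to the same registry value
    # (HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, SMB1 = 0)
    # that the Group Policy preference in Microsoft's post writes.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Whole SMB1 stack (client redirector plus server) as an optional feature (client OS)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Sessions negotiated below SMB 2.0 are the "exceptions" that break when SMB1 goes away
    $legacy  = @(Get-SmbSession -ErrorAction SilentlyContinue |
                 Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
                 Select-Object ClientComputerName, ClientUserName, Dialect)
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
        LegacySessions    = $legacy
    }
}

function Enable-Smb1Audit {
    # Windows 10 / Server 2016+: log every SMB1 connection (event 3000 in
    # Microsoft-Windows-SMBServer/Audit) so stragglers show up before the cut-over.
    $cmd = Get-Command Set-SmbServerConfiguration
    if ($cmd.Parameters.ContainsKey('AuditSmb1Access')) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                     -MaxEvents 50 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Message
    } else {
        Write-Warning 'SMB1 access auditing is not available on this OS; rely on Get-Smb1Status instead.'
    }
}

function Disable-Smb1 {
    param([switch] $Force)   # -Force: proceed even if SMB1 sessions are still open
    $status = Get-Smb1Status
    if ($status.LegacySessions.Count -gt 0 -and -not $Force) {
        Write-Warning ("{0} client(s) still speak SMB1; migrate them first or rerun with -Force." -f $status.LegacySessions.Count)
        $status.LegacySessions | Format-Table -AutoSize | Out-String | Write-Warning
        return
    }
    # 1. Stop accepting SMB1 on the server side; effective immediately, no reboot
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 2. Remove the SMB1 client and server components; effective after the next reboot
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null                                    # Windows Server
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null   # client OS
    }
    Get-Smb1Status
}

# Typical order: audit, review, then disable.
Enable-Smb1Audit
Get-Smb1Status
# Disable-Smb1            # uncomment once LegacySessions is empty
```

    The audit step is what turns Paolo’s “many exceptions” from a guess into a list: run Enable-Smb1Audit for a few days on a file server, collect the event 3000 client names, fix or retire those hosts, and only then call Disable-Smb1. The two-stage disable mirrors Microsoft’s guidance: the server-side switch is reversible and immediate, while removing the feature needs a reboot and is the state you want Group Policy to enforce afterwards.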
  • #200527
     Paolo Maffezzoli 
    Participant

    In case you need it, here is the Eternal Blues ransomware scanner for WannaCry and NotPetya, link: Security Tools Eternal Blues

  • #289896
     Paolo Maffezzoli 
    Participant

    I found an interesting PDF manual that describes how to prevent infections, and what to do when you are hit with ransomware.

    Link: Ransomware Hostage Rescue Manual

    Hope it helps.

