
> Global WannaCry ransomware outbreak uses known NSA

perfectgrowwell
post May 13 2017, 06:46 PM

Getting Started
**
Group: Junior Member
Posts: 154

Joined: Nov 2015
From: Muar
A virus potentially derived from the CryptoLocker malware crippled NHS trusts across the UK today.

The NHS was left reeling from a ransomware cyber attack this afternoon that led to patients being turned away and emergency services being re-routed.

A statement from the NHS, acknowledging the attack on at least 16 Trusts around the country, pointed to a particular virus called Wanna Decryptor.

"The investigation is at an early stage but we believe the malware variant is Wanna Decryptor," explained a spokesperson.

"At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.
"NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations."

Wanna Decryptor first appeared around February 2017 and works by encrypting files on target computers before demanding a ransom be paid in the cryptocurrency Bitcoin.

How does Wanna Decryptor work?

The malware is delivered as a Trojan through a loaded hyperlink that can be accidentally opened by a victim through an email, advert on a webpage or a Dropbox link. Once it has been activated, the program spreads through the computer and locks all the files with the same encryption used for instant messages.

Once the files have been encrypted it deletes the originals and delivers a ransom note in the form of a readme file. It also changes the victim's wallpaper to a message demanding payment to return the files.

How can you remove it?

Not by paying the ransom.

Security experts point out that some antivirus software is capable of catching the Wanna Decryptor virus.

"This particular ransomware is correctly identified and blocked by 30% of the AV vendors using current virus definitions. It is correctly handled by both Kaspersky and BitDefender," said Phil Richards, the CISO at Ivanti.

...

source: What is 'Wanna Decryptor'? A look at the ransomware that brought down the NHS

perfectgrowwell
post May 13 2017, 07:00 PM, updated 2 months ago

Getting Started
**
Group: Junior Member
Posts: 154

Joined: Nov 2015
From: Muar
Following the emergence of the Jaff ransomware attack campaign earlier this week, another, even bigger outbreak is making headlines. The culprit? A new ransomware family called WannaCry or WCry.

Spotted earlier today, WCry caught the attention of the team due to it being spread via the recently exposed NSA shadow broker exploits. WCry took many businesses and public institutions by surprise, including telco giant Telefonica in Spain and the National Health Service in the United Kingdom, and has already infected tens of thousands of systems across the globe.

Security researcher MalwareTech created a map of overall infections and a real time map of infections to visualise the number of WCry infections, which has surpassed the 70,000 infection mark.

Meet WCry Ransomware
The WCry ransomware, also referred to as WNCry, WannaCry, WanaCrypt0r or Wana Decrypt0r, was originally spotted in campaigns in early February 2017, with more campaigns following in March. But it wasn’t until now that a global attack had been registered.

It has been written in C++ and no attempts have been made to hide the majority of the code. Like most ransomware families, WCry renames files it encrypts, adding the .WNCRY extension.

When infecting a system, it presents a ransom screen asking to pay $300 worth of bitcoins:
Unlike most ransomware campaigns, which usually target specific regions, WCry is targeting systems around the globe. So it comes as no surprise that the ransomware authors provide localised ransomware messages for more than 20 languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese
How do you get infected with WCry ransomware?
At the moment, WCry is primarily spreading via the leaked NSA exploits that the Shadow Brokers group released recently. More specifically, French researcher Kafeine was the first to suspect that WCry was being spread via the ETERNALBLUE exploit.

ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol, allowing an attacker to take control over systems which:

-have the SMBv1 protocol enabled
-are accessible from the internet and
-have not been patched by the MS17-010 fix released back in March 2017

Please visit the following website to know more details.
source: Global WannaCry ransomware outbreak uses known NSA exploits


gogoshop
post May 14 2017, 08:07 PM

New Member
*
Group: Junior Member
Posts: 38

Joined: May 2017
What precautionary action do we need to take? Update our Windows with the latest security patches?
flexus90
post May 14 2017, 11:48 PM

On my way
****
Group: Senior Member
Posts: 570

Joined: Jun 2009
From: North Pole oF Msia


Apply this update
https://technet.microsoft.com/en-us/library...y/ms17-010.aspx

Choose your Operating System correspondingly.

In addition you may use this method to secure your computer from this ransomware attack.

1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
3. Restart the system.

The attacker uses an exploit that exists in SMBv1 to perform the attack, so disabling SMBv1 would protect one from this attack.

This attack only affects Windows PCs. It is the first major and widespread ransomware attack in history. Luckily Malaysia is not the primary target.
perfectgrowwell
post May 15 2017, 08:10 AM

Getting Started
**
Group: Junior Member
Posts: 154

Joined: Nov 2015
From: Muar
QUOTE(gogoshop @ May 14 2017, 08:07 PM)
What precautionary action do we need to take? Update our Windows with the latest security patches?
*
Exactly.
horns
post May 15 2017, 04:08 PM

\m/
*******
Group: Senior Member
Posts: 2,667

Joined: Nov 2009
One-line administrative PowerShell command: disable-windowsoptionalfeature -online -featurename smb1protocol

Edit: you can watch it spread here, https://intel.malwaretech.com/WannaCrypt.html

This post has been edited by horns: May 15 2017, 04:49 PM
Gneko86
post May 15 2017, 09:06 PM

Getting Started
**
Group: Junior Member
Posts: 71

Joined: Jul 2011
My computer (Windows 7): SMB1 is not listed in my Windows features. Is my computer OK?
AlexisStarZ
post May 16 2017, 12:06 AM

Getting Started
**
Group: Junior Member
Posts: 178

Joined: Mar 2012
QUOTE(flexus90 @ May 14 2017, 11:48 PM)
Apply this update
https://technet.microsoft.com/en-us/library...y/ms17-010.aspx

Choose your Operating System correspondingly.

In addition you may use this method to secure your computer from this ransomware attack.

1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
3. Restart the system.

The attacker uses an exploit that exists in SMBv1 to perform the attack, so disabling SMBv1 would protect one from this attack.

This attack only affects Windows PCs. It is the first major and widespread ransomware attack in history. Luckily Malaysia is not the primary target.
*
Do Windows 10 users need to do this?
As I found, Wanna Decryptor only affects non-Windows 10 machines.
linuxscriptshub
post May 16 2017, 09:16 PM

New Member
*
Group: Newbie
Posts: 2

Joined: May 2017
https://linuxscriptshub.com/wanna-crytrue-3...ted-ransomware/

It wasn't over yet... crazy ransom.
perfectgrowwell
post May 17 2017, 07:46 AM

Getting Started
**
Group: Junior Member
Posts: 154

Joined: Nov 2015
From: Muar
Waiting for the second wave. Back up data and update Windows or security software.
horns
post May 17 2017, 04:08 PM

\m/
*******
Group: Senior Member
Posts: 2,667

Joined: Nov 2009
QUOTE(perfectgrowwell @ May 17 2017, 07:46 AM)
Waiting for the second wave. Back up data and update Windows or security software.
*
A tool set called PayBreak, announced a few hours ago, was reported to be able to break this, and maybe some other ransomware too (read the whitepaper); but you need to install it first BEFORE infection: https://eugenekolo.com/blog/paybreak-generi...uding-wannacry/ Source and everything at GitHub: https://github.com/BUseclab/paybreak
wh0cares
post May 19 2017, 04:22 PM

On my way
****
Group: Senior Member
Posts: 557

Joined: Jun 2008
Servers are updated with MS17-010.

If a desktop PC within the LAN is infected with ransomware, will it spread to the server as well through a shared folder, even if already patched?
horns
post May 19 2017, 07:53 PM

\m/
*******
Group: Senior Member
Posts: 2,667

Joined: Nov 2009
QUOTE(wh0cares @ May 19 2017, 04:22 PM)
Servers are updated with MS17-010.

If a desktop PC within the LAN is infected with ransomware, will it spread to the server as well through a shared folder, even if already patched?
*
If the server is patched then the risk is lower, because the hole used to carry out the automated attack on the server was closed.

To be sure, just disable the SMBv1 protocol on the server too.
digitalifelesss
post May 20 2017, 01:44 PM

New Member
*
Group: Junior Member
Posts: 17

Joined: May 2017
QUOTE(Gneko86 @ May 15 2017, 09:06 PM)
My computer (Windows 7): SMB1 is not listed in my Windows features. Is my computer OK?
*
Yea, I checked several W7 PCs and it isn't listed in the feature list. But that doesn't mean the feature isn't there.
A bit of looking found this guide to disable SMB1.0 on W7: https://support.microsoft.com/en-us/help/26...-windows-server

This post has been edited by digitalifelesss: May 20 2017, 01:44 PM
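The one-line PowerShell command posted above and the Windows 7 case (where SMB1 does not appear in the feature list) can be handled together from an elevated prompt. This script is an added example, not code from any poster or from Microsoft; the function names are mine, and it assumes the MS17-010 patch is applied separately. The registry value it sets is the method Microsoft documents for Windows 7 and Server 2008 R2.

```powershell
# Added example: audit and disable the SMBv1 server component on Windows 7 through
# Windows 10. Uses whichever mechanism the OS provides and always sets the
# LanmanServer registry value, which is how Windows 7 (no optional feature entry)
# is handled. Run as Administrator; a restart is needed for full effect.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Collects the SMBv1 state from every source present on this OS version.
    $status = @{
        OsVersion       = [Environment]::OSVersion.Version.ToString()
        OptionalFeature = 'n/a'                           # Windows 8.1 / 10 only
        ServerConfig    = 'n/a'                           # Windows 8 / Server 2012 and later
        RegistrySmb1    = 'not set (defaults to enabled)' # all versions
    }
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $status.OptionalFeature = [string]$f.State }
    }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $status.ServerConfig = if ($enabled) { 'Enabled' } else { 'Disabled' }
    }
    # Windows 7 / Server 2008 R2: SMB1 DWORD under LanmanServer\Parameters (0 = disabled)
    $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -ne $v) { $status.RegistrySmb1 = $v.SMB1 }
    New-Object -TypeName PSObject -Property $status
}

function Disable-Smb1Server {
    # Most specific mechanism first, then the registry value so Windows 7 hosts
    # without the optional-feature entry are covered as well.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Value 0 -Type DWord -Force
    Write-Output 'SMBv1 server disabled; restart the system for the change to take full effect.'
}

Get-Smb1Status | Format-List   # state before
Disable-Smb1Server
Get-Smb1Status | Format-List   # state after
```

On Windows 7 the first two checks report n/a and only the registry value changes, which is expected.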
horns
post May 20 2017, 03:06 PM

\m/
*******
Group: Senior Member
Posts: 2,667

Joined: Nov 2009
QUOTE(digitalifelesss @ May 20 2017, 01:44 PM)
Yea, I checked several W7 PCs and it isn't listed in the feature list. But that doesn't mean the feature isn't there.
A bit of looking found this guide to disable SMB1.0 on W7: https://support.microsoft.com/en-us/help/26...-windows-server
*
This is a good find. Now we know how to control this feature if threats affect these protocols.

Edit: good news - a decryptor is on the way; IF YOUR COMPUTER IS INFECTED DO NOT SHUT DOWN OR REBOOT!

source - https://blog.comae.io/wannacry-decrypting-f...mo-86bafb81112d

the decryptor, wanakiwi - https://github.com/gentilkiwi/wanakiwi/releases

Edit 2: Over 98% of All WannaCry Victims Were Using Windows 7, https://www.bleepingcomputer.com/news/secur...sing-windows-7/

This post has been edited by horns: May 23 2017, 01:13 AM
odnesse
post May 26 2017, 09:12 PM

New Member
*
Group: Newbie
Posts: 1

Joined: Jan 2017


Is it possible to decrypt files after a Jaff ransomware attack? Because I've used Recuva - https://www.piriform.com/recuva and this guide - http://manual-removal.com/jaff/, but they didn't help.
ahhann
post Jul 29 2017, 12:27 AM

On my way
****
Group: Senior Member
Posts: 500

Joined: Mar 2006
From: The Weirdo River O_o


QUOTE(odnesse @ May 26 2017, 09:12 PM)
Is it possible to decrypt files after a Jaff ransomware attack? Because I've used Recuva - https://www.piriform.com/recuva and this guide - http://manual-removal.com/jaff/, but they didn't help.
*
Unfortunately, without the actual master key, there is no way you can decrypt your files.
perfectgrowwell
post Jul 29 2017, 11:51 AM

Getting Started
**
Group: Junior Member
Posts: 154

Joined: Nov 2015
From: Muar
QUOTE(odnesse @ May 26 2017, 09:12 PM)
Is it possible to decrypt files after a Jaff ransomware attack? Because I've used Recuva - https://www.piriform.com/recuva and this guide - http://manual-removal.com/jaff/, but they didn't help.
*
Recuva Professional recovers your deleted files; Recuva is not a decryption tool.
Always back up your data and update your security software. Prevention is better than cure.