• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Any victims of Wanacry here?

Sean Kyle

Senior member
Aug 22, 2016
255
20
51
Have to got the patch installed on your systems already? And how many of you are affected from this? any other tips to prevent it?
 

[DHT]Osiris

Diamond Member
Dec 15, 2015
9,409
5,558
146
Patch, disable SMB, or block TCP/445 inbound. Also don't open malicious email attachments :p
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Idk man the headlines are scaring people but it seems kind of overblown. Great for job security IN security however :p
 

John Connor

Lifer
Nov 30, 2012
22,840
613
121
A) Never trust E-mail attachments. I reckon 98% of all ransomware and malware enter a system via E-mail. The rest being XSS, scripts, iframes, infected ADs, etc.

B) Do a clone of your computer every now and then to an external HDD and store that external HDD in a fireproof safe.

I do exactly this. BS malware can try, but fail miserably to infect me and if it even does I can clone back a good image.

sudo checkmate
 

Gryz

Golden Member
Aug 28, 2010
1,551
203
106
I don't think it is overblown.

I work for a large tech-company. On Friday I heard that a 100 windows-boxes in our Canadian lab were affected. (We run windows-7 everywhere, on corporate-managed laptops, but also in other places (in labs, privately managed desktops, etc)). No idea if there were more in the company, but I wouldn't be surprised if lots more people in my company got hit. (On the other hand, most people have Win7-laptops, which are managed by IT. Which does do regular updates. So maybe all the corporate users were safe). Of course nobody is gonna release a statement to the outside world about this.

People think it is over. It is not. The variant with the "kill-switch" has been stopped. But there are already variants that do not have a kill-switch.

I think it spreads through firewalls via the old fashioned way (fake emails, etc). But once it is inside a network, all un-patched windows machine are infected in no time. I think consumers at home have a smaller chance of being hit. But for companies it is much more dangerous. If it gets in, it can spread to loads and loads of machines easily.

People seem interested in which companies are targeted. I don't think anyone is targeted specifically. This is a worm. Worms spread around as far as possible, without looking at who they attack next. That makes them so dangerous on a world scale. If anyone is interested in the history of worms, start reading about the Morris worm. That was almost 40 years ago, but the mechanism is exactly the same as today's worms.
 
Last edited:

Crumpet

Senior member
Jan 15, 2017
745
539
96
NSA ransomware.

3/4 targets were in Russia.

Other main targets were telephone companies and oil companies.

This could get nasty real quick.
 

allisolm

Elite Member
Administrator
Jan 2, 2001
24,015
2,264
136
NSA ransomware.

3/4 targets were in Russia.
And it looks like Russians had a hand in its making . "...the ransomware was able to offer "how to pay" documents in dozens of languages, the only language whose writing was perfect was Russian, with the others showing distinct signs that a non-native speaker had written them" according to Kurt Baumgartner, a principal security researcher with Kaspersky Lab in Moscow. https://www.usatoday.com/story/news/2017/05/13/european-cyber-police-battle-unprecedented-global-hacking/101633374/
 

Red Squirrel

No Lifer
May 24, 2003
61,181
9,202
126
www.uovalor.com
I run mostly a Linux environment and Linux is unaffected (even Samba). From sounds of it this enters via an email so I don't open crap like that so at no risk to me. As far as work goes, I work in telecom and not IT. In telecom we don't care what's on the network, we just care that the traffic is flowing. :p

But reality is, we kinda all are affected because the organizations that got hit more than likely have all our personal info. Ex: Medical records.

It's been about 17 years since computers are fairly mainstream. 2000 was kinda the golden age where lot of stuff started to go digital, the internet came out (as being a mainstream thing in many homes), etc. You'd think people would have learned by now to not open suspicious email attachments.
 

sciff

Member
Mar 6, 2017
136
52
71
And it looks like Russians had a hand in its making . "...the ransomware was able to offer "how to pay" documents in dozens of languages, the only language whose writing was perfect was Russian, with the others showing distinct signs that a non-native speaker had written them" according to Kurt Baumgartner, a principal security researcher with Kaspersky Lab in Moscow. https://www.usatoday.com/story/news/2017/05/13/european-cyber-police-battle-unprecedented-global-hacking/101633374/
It may look that way, if you don't know that the Russian language is being widely spoken as a first and second language and taught in schools in countries like Belarus, Kazakhstan and Ukraine (and taught very well). The former two have Russian as their second official language. So it's not that simple.

Also, there are enough ethnic Russians in Russia itself and around the world who hate Russia or just don't care about it or its citizens. Remember Matt Farrell from "Live Free or Die Hard" hollywood movie? He thought it would be 'fun' to disable his own country. That's what kind of psychology we are probably talking here.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
I don't think it is overblown.

I work for a large tech-company. On Friday I heard that a 100 windows-boxes in our Canadian lab were affected. (We run windows-7 everywhere, on corporate-managed laptops, but also in other places (in labs, privately managed desktops, etc)). No idea if there were more in the company, but I wouldn't be surprised if lots more people in my company got hit. (On the other hand, most people have Win7-laptops, which are managed by IT. Which does do regular updates. So maybe all the corporate users were safe). Of course nobody is gonna release a statement to the outside world about this.
MS released the patch to fix this worm's exploit of SMB (the way it spreads) back in March.
If you are saying your machines still got infected, then, smack your IT admin upside the head.
People think it is over. It is not. The variant with the "kill-switch" has been stopped. But there are already variants that do not have a kill-switch.

I think it spreads through firewalls via the old fashioned way (fake emails, etc). But once it is inside a network, all un-patched windows machine are infected in no time. I think consumers at home have a smaller chance of being hit. But for companies it is much more dangerous. If it gets in, it can spread to loads and loads of machines easily.
There are thousands of new malware attacks per week, yeah, most are spread via e-mail, and people opening them up (which is a serious issue itself, enough so that admins should be scrubbing all the e-mail.)
E-mail is #1, then ads (running flash exploits) then booby trapped sites, then people who stick in compromised USB devices into the companies machines.

People seem interested in which companies are targeted. I don't think anyone is targeted specifically. This is a worm. Worms spread around as far as possible, without looking at who they attack next. That makes them so dangerous on a world scale. If anyone is interested in the history of worms, start reading about the Morris worm. That was almost 40 years ago, but the mechanism is exactly the same as today's worms.
Only thing I am interested in is (from all the companies infected), A) why weren't these machines patched, B) why the admin didn't block SMB ports, and C) why allow attachments that haven't been screened?
 
Last edited:
  • Like
Reactions: PliotronX

whm1974

Diamond Member
Jul 24, 2016
9,460
1,566
96
I run mostly a Linux environment and Linux is unaffected (even Samba). From sounds of it this enters via an email so I don't open crap like that so at no risk to me. As far as work goes, I work in telecom and not IT. In telecom we don't care what's on the network, we just care that the traffic is flowing. :p

But reality is, we kinda all are affected because the organizations that got hit more than likely have all our personal info. Ex: Medical records.

It's been about 17 years since computers are fairly mainstream. 2000 was kinda the golden age where lot of stuff started to go digital, the internet came out (as being a mainstream thing in many homes), etc. You'd think people would have learned by now to not open suspicious email attachments.
I would still keep an eye out for ransomware attempts on Linux users as the user base gets larger. New users to Linux will be vulnerable to these types of attack until they learn how to protect themselves.
 

Gryz

Golden Member
Aug 28, 2010
1,551
203
106
If you are saying your machines still got infected, then, smack your IT admin upside the head.
It's very simple. Not all machines are managed by IT. Every employee gets an IT-managed Win-7 laptop. But those laptops are not good enough for some people to get their job done.

Some people run their own Windows boxes, installed those themselves and manage those themselves. I have a Centos-7 machine for Desktop purposes and I manage that myself. (I hardly ever use the laptop). Other colleagues have chosen to use Win-7 machines for Desktop. I didn't, and one reason was that I feel that managing your own Windows machine is more work than managing a Linux-box.
 

shortylickens

No Lifer
Jul 15, 2003
80,391
13,238
126
NSA ransomware.

3/4 targets were in Russia.

Other main targets were telephone companies and oil companies.

This could get nasty real quick.
I wish you wouldnt lie in the Hardware forum.
Its not NSA ransomware. They found the exploit. They did not pass around malware.
 

Genx87

Lifer
Apr 8, 2002
41,063
495
126
Reading this is exploiting a vulnerability in SMBv1. I was honestly shocked MS still supports this protocol up through 2012R2. I have heard 2016 has the ability to install but it doesn't by default unlike previous versions. Has anybody disabled this on windows boxes? Any issues encountered?
 

Red Squirrel

No Lifer
May 24, 2003
61,181
9,202
126
www.uovalor.com
I would still keep an eye out for ransomware attempts on Linux users as the user base gets larger. New users to Linux will be vulnerable to these types of attack until they learn how to protect themselves.
Yeah but as long as they keep trying to do these trough email attachements it's not going to work for me. They really need to get more creative. :p

TBH I'm surprised we don't see lot of drive by ransomware. Basically you land on a bad web page, like a typo of facebook.com, and boom you're infected. Browsers these days are super insecure and would make it easy to do that.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
No.

WCry copies a weapons-grade exploit codenamed EternalBlue that the NSA used for years to remotely commandeer computers running Microsoft Windows.
What are you saying no about?
What Shorty said is true.
The NSA did NOT create this ransomware, they just had a exploit that someone else used to attack machines.
 
  • Like
Reactions: Ken g6

sm625

Diamond Member
May 6, 2011
8,172
136
106
It is ok to blame guns for gun deaths but it is not ok to blame the NSA for its part in the creation of this ransomware? Clearly they had a part in it. Liberal logic makes my head spin...
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
No.

WCry copies a weapons-grade exploit codenamed EternalBlue that the NSA used for years to remotely commandeer computers running Microsoft Windows.

https://arstechnica.co.uk/security/2017/05/what-is-wanna-decryptor-wcry-ransomware-nsa-eternalblue/
The key difference is that "EternalBlue" exploits machines while WannaCry exploits users. I'm no expert on malware but the two basic components you'll see in every briefing is the vehicle (exploit) and the payload (in this case ransomware). It seems to me that you are confusing the vehicle with the payload. The vehicle could be used for an infinite number of objectives.
 
  • Like
Reactions: XSoldier77X

Crumpet

Senior member
Jan 15, 2017
745
539
96
The key difference is that "EternalBlue" exploits machines while WannaCry exploits users. I'm no expert on malware but the two basic components you'll see in every briefing is the vehicle (exploit) and the payload (in this case ransomware). It seems to me that you are confusing the vehicle with the payload. The vehicle could be used for an infinite number of objectives.
Right, sorry okay. That makes it MUCH better. /s
 

thecoolnessrune

Diamond Member
Jun 8, 2005
9,588
485
126
My weekend was a victim of this as I had to come in to assist patching clients who couldn't be arsed to get it done when Microsoft first launched the patch.
 
Last edited:

Fardringle

Diamond Member
Oct 23, 2000
9,049
624
126
It's very simple. Not all machines are managed by IT. Every employee gets an IT-managed Win-7 laptop. But those laptops are not good enough for some people to get their job done.

Some people run their own Windows boxes, installed those themselves and manage those themselves. I have a Centos-7 machine for Desktop purposes and I manage that myself. (I hardly ever use the laptop). Other colleagues have chosen to use Win-7 machines for Desktop. I didn't, and one reason was that I feel that managing your own Windows machine is more work than managing a Linux-box.
Seems to me that the "very simple" solution that most companies implement is that individual users are not allowed to bring their personal computing equipment (apart from phones/tablets) on site, and those mobile devices are not allowed to connect to the corporate network. The situation you described is just BEGGING for problems..
 

Genx87

Lifer
Apr 8, 2002
41,063
495
126
Seems to me that the "very simple" solution that most companies implement is that individual users are not allowed to bring their personal computing equipment (apart from phones/tablets) on site, and those mobile devices are not allowed to connect to the corporate network. The situation you described is just BEGGING for problems..
BYOD is only growing in popularity. The simple solution to this problem is to disable SMBv1 and tell people not to click links within emails they dont know who it came from.
 

Fardringle

Diamond Member
Oct 23, 2000
9,049
624
126
BYOD is only growing in popularity. The simple solution to this problem is to disable SMBv1 and tell people not to click links within emails they dont know who it came from.
For mobile devices, sure. But for desktops/workstations? I wouldn't let people do that in a SMALL office in most cases, and I wouldn't even consider it in a large corporation. It's just not possible to guarantee that somebody's PC from home won't spread malware or otherwise interfere with the company network unless someone brings the hardware, company IT wipes the drive and reinstalls the OS and all security and management software, and then actively manages it at all times. But that's a headache as well trying to manage potentially thousands of different hardware configurations.
 

ASK THE COMMUNITY