Any victims of Wanacry here?

[Sean Kyle]

Have to got the patch installed on your systems already? And how many of you are affected from this? any other tips to prevent it?

 

[[DHT]Osiris]

Patch, disable SMB, or block TCP/445 inbound. Also don't open malicious email attachments

 

[PliotronX]

Idk man the headlines are scaring people but it seems kind of overblown. Great for job security IN security however

 

[John Connor]

A) Never trust E-mail attachments. I reckon 98% of all ransomware and malware enter a system via E-mail. The rest being XSS, scripts, iframes, infected ADs, etc.

B) Do a clone of your computer every now and then to an external HDD and store that external HDD in a fireproof safe.

I do exactly this. BS malware can try, but fail miserably to infect me and if it even does I can clone back a good image.

sudo checkmate

 

[Gryz]

I don't think it is overblown.

I work for a large tech-company. On Friday I heard that a 100 windows-boxes in our Canadian lab were affected. (We run windows-7 everywhere, on corporate-managed laptops, but also in other places (in labs, privately managed desktops, etc)). No idea if there were more in the company, but I wouldn't be surprised if lots more people in my company got hit. (On the other hand, most people have Win7-laptops, which are managed by IT. Which does do regular updates. So maybe all the corporate users were safe). Of course nobody is gonna release a statement to the outside world about this.

People think it is over. It is not. The variant with the "kill-switch" has been stopped. But there are already variants that do not have a kill-switch.

I think it spreads through firewalls via the old fashioned way (fake emails, etc). But once it is inside a network, all un-patched windows machine are infected in no time. I think consumers at home have a smaller chance of being hit. But for companies it is much more dangerous. If it gets in, it can spread to loads and loads of machines easily.

People seem interested in which companies are targeted. I don't think anyone is targeted specifically. This is a worm. Worms spread around as far as possible, without looking at who they attack next. That makes them so dangerous on a world scale. If anyone is interested in the history of worms, start reading about the Morris worm. That was almost 40 years ago, but the mechanism is exactly the same as today's worms.

 

[Crumpet]

NSA ransomware.

3/4 targets were in Russia.

Other main targets were telephone companies and oil companies.

This could get nasty real quick.

 

[allisolm]

NSA ransomware.

3/4 targets were in Russia.

And it looks like Russians had a hand in its making . "...the ransomware was able to offer "how to pay" documents in dozens of languages, the only language whose writing was perfect was Russian, with the others showing distinct signs that a non-native speaker had written them" according to Kurt Baumgartner, a principal security researcher with Kaspersky Lab in Moscow. https://www.usatoday.com/story/news...attle-unprecedented-global-hacking/101633374/

 

[Red Squirrel]

I run mostly a Linux environment and Linux is unaffected (even Samba). From sounds of it this enters via an email so I don't open crap like that so at no risk to me. As far as work goes, I work in telecom and not IT. In telecom we don't care what's on the network, we just care that the traffic is flowing.

But reality is, we kinda all are affected because the organizations that got hit more than likely have all our personal info. Ex: Medical records.

It's been about 17 years since computers are fairly mainstream. 2000 was kinda the golden age where lot of stuff started to go digital, the internet came out (as being a mainstream thing in many homes), etc. You'd think people would have learned by now to not open suspicious email attachments.

 

[sciff]

And it looks like Russians had a hand in its making . "...the ransomware was able to offer "how to pay" documents in dozens of languages, the only language whose writing was perfect was Russian, with the others showing distinct signs that a non-native speaker had written them" according to Kurt Baumgartner, a principal security researcher with Kaspersky Lab in Moscow. https://www.usatoday.com/story/news...attle-unprecedented-global-hacking/101633374/

It may look that way, if you don't know that the Russian language is being widely spoken as a first and second language and taught in schools in countries like Belarus, Kazakhstan and Ukraine (and taught very well). The former two have Russian as their second official language. So it's not that simple.

Also, there are enough ethnic Russians in Russia itself and around the world who hate Russia or just don't care about it or its citizens. Remember Matt Farrell from "Live Free or Die Hard" hollywood movie? He thought it would be 'fun' to disable his own country. That's what kind of psychology we are probably talking here.

 

[Elixer]

I don't think it is overblown.

I work for a large tech-company. On Friday I heard that a 100 windows-boxes in our Canadian lab were affected. (We run windows-7 everywhere, on corporate-managed laptops, but also in other places (in labs, privately managed desktops, etc)). No idea if there were more in the company, but I wouldn't be surprised if lots more people in my company got hit. (On the other hand, most people have Win7-laptops, which are managed by IT. Which does do regular updates. So maybe all the corporate users were safe). Of course nobody is gonna release a statement to the outside world about this.

MS released the patch to fix this worm's exploit of SMB (the way it spreads) back in March.
If you are saying your machines still got infected, then, smack your IT admin upside the head.

People think it is over. It is not. The variant with the "kill-switch" has been stopped. But there are already variants that do not have a kill-switch.

I think it spreads through firewalls via the old fashioned way (fake emails, etc). But once it is inside a network, all un-patched windows machine are infected in no time. I think consumers at home have a smaller chance of being hit. But for companies it is much more dangerous. If it gets in, it can spread to loads and loads of machines easily.

There are thousands of new malware attacks per week, yeah, most are spread via e-mail, and people opening them up (which is a serious issue itself, enough so that admins should be scrubbing all the e-mail.)
E-mail is #1, then ads (running flash exploits) then booby trapped sites, then people who stick in compromised USB devices into the companies machines.

People seem interested in which companies are targeted. I don't think anyone is targeted specifically. This is a worm. Worms spread around as far as possible, without looking at who they attack next. That makes them so dangerous on a world scale. If anyone is interested in the history of worms, start reading about the Morris worm. That was almost 40 years ago, but the mechanism is exactly the same as today's worms.

Only thing I am interested in is (from all the companies infected), A) why weren't these machines patched, B) why the admin didn't block SMB ports, and C) why allow attachments that haven't been screened?

 

[whm1974]

I run mostly a Linux environment and Linux is unaffected (even Samba). From sounds of it this enters via an email so I don't open crap like that so at no risk to me. As far as work goes, I work in telecom and not IT. In telecom we don't care what's on the network, we just care that the traffic is flowing.

But reality is, we kinda all are affected because the organizations that got hit more than likely have all our personal info. Ex: Medical records.

It's been about 17 years since computers are fairly mainstream. 2000 was kinda the golden age where lot of stuff started to go digital, the internet came out (as being a mainstream thing in many homes), etc. You'd think people would have learned by now to not open suspicious email attachments.

I would still keep an eye out for ransomware attempts on Linux users as the user base gets larger. New users to Linux will be vulnerable to these types of attack until they learn how to protect themselves.

 

[Gryz]

If you are saying your machines still got infected, then, smack your IT admin upside the head.

It's very simple. Not all machines are managed by IT. Every employee gets an IT-managed Win-7 laptop. But those laptops are not good enough for some people to get their job done.

Some people run their own Windows boxes, installed those themselves and manage those themselves. I have a Centos-7 machine for Desktop purposes and I manage that myself. (I hardly ever use the laptop). Other colleagues have chosen to use Win-7 machines for Desktop. I didn't, and one reason was that I feel that managing your own Windows machine is more work than managing a Linux-box.

 

[shortylickens]

NSA ransomware.

3/4 targets were in Russia.

Other main targets were telephone companies and oil companies.

This could get nasty real quick.

I wish you wouldnt lie in the Hardware forum.
Its not NSA ransomware. They found the exploit. They did not pass around malware.

 

[Crumpet]

I wish you wouldnt lie in the Hardware forum.
Its not NSA ransomware. They found the exploit. They did not pass around malware.

No.

WCry copies a weapons-grade exploit codenamed EternalBlue that the NSA used for years to remotely commandeer computers running Microsoft Windows.

https://arstechnica.co.uk/security/2017/05/what-is-wanna-decryptor-wcry-ransomware-nsa-eternalblue/

 

[Genx87]

Reading this is exploiting a vulnerability in SMBv1. I was honestly shocked MS still supports this protocol up through 2012R2. I have heard 2016 has the ability to install but it doesn't by default unlike previous versions. Has anybody disabled this on windows boxes? Any issues encountered?

 

[Red Squirrel]

I would still keep an eye out for ransomware attempts on Linux users as the user base gets larger. New users to Linux will be vulnerable to these types of attack until they learn how to protect themselves.

Yeah but as long as they keep trying to do these trough email attachements it's not going to work for me. They really need to get more creative.

TBH I'm surprised we don't see lot of drive by ransomware. Basically you land on a bad web page, like a typo of facebook.com, and boom you're infected. Browsers these days are super insecure and would make it easy to do that.

 

[Elixer]

No.

WCry copies a weapons-grade exploit codenamed EternalBlue that the NSA used for years to remotely commandeer computers running Microsoft Windows.

What are you saying no about?
What Shorty said is true.
The NSA did NOT create this ransomware, they just had a exploit that someone else used to attack machines.

 

[sm625]

It is ok to blame guns for gun deaths but it is not ok to blame the NSA for its part in the creation of this ransomware? Clearly they had a part in it. Liberal logic makes my head spin...

 

[sciff]

Not guns but rather those who sell them to god knows who.

 

[PliotronX]

No.

WCry copies a weapons-grade exploit codenamed EternalBlue that the NSA used for years to remotely commandeer computers running Microsoft Windows.

https://arstechnica.co.uk/security/2017/05/what-is-wanna-decryptor-wcry-ransomware-nsa-eternalblue/

The key difference is that "EternalBlue" exploits machines while WannaCry exploits users. I'm no expert on malware but the two basic components you'll see in every briefing is the vehicle (exploit) and the payload (in this case ransomware). It seems to me that you are confusing the vehicle with the payload. The vehicle could be used for an infinite number of objectives.

 

[Crumpet]

The key difference is that "EternalBlue" exploits machines while WannaCry exploits users. I'm no expert on malware but the two basic components you'll see in every briefing is the vehicle (exploit) and the payload (in this case ransomware). It seems to me that you are confusing the vehicle with the payload. The vehicle could be used for an infinite number of objectives.

Right, sorry okay. That makes it MUCH better. /s

 

[thecoolnessrune]

My weekend was a victim of this as I had to come in to assist patching clients who couldn't be arsed to get it done when Microsoft first launched the patch.

 

[Fardringle]

It's very simple. Not all machines are managed by IT. Every employee gets an IT-managed Win-7 laptop. But those laptops are not good enough for some people to get their job done.

Some people run their own Windows boxes, installed those themselves and manage those themselves. I have a Centos-7 machine for Desktop purposes and I manage that myself. (I hardly ever use the laptop). Other colleagues have chosen to use Win-7 machines for Desktop. I didn't, and one reason was that I feel that managing your own Windows machine is more work than managing a Linux-box.

Seems to me that the "very simple" solution that most companies implement is that individual users are not allowed to bring their personal computing equipment (apart from phones/tablets) on site, and those mobile devices are not allowed to connect to the corporate network. The situation you described is just BEGGING for problems..

 

[Genx87]

Seems to me that the "very simple" solution that most companies implement is that individual users are not allowed to bring their personal computing equipment (apart from phones/tablets) on site, and those mobile devices are not allowed to connect to the corporate network. The situation you described is just BEGGING for problems..

BYOD is only growing in popularity. The simple solution to this problem is to disable SMBv1 and tell people not to click links within emails they dont know who it came from.

 

[Fardringle]

BYOD is only growing in popularity. The simple solution to this problem is to disable SMBv1 and tell people not to click links within emails they dont know who it came from.

For mobile devices, sure. But for desktops/workstations? I wouldn't let people do that in a SMALL office in most cases, and I wouldn't even consider it in a large corporation. It's just not possible to guarantee that somebody's PC from home won't spread malware or otherwise interfere with the company network unless someone brings the hardware, company IT wipes the drive and reinstalls the OS and all security and management software, and then actively manages it at all times. But that's a headache as well trying to manage potentially thousands of different hardware configurations.