Ransomware strategy for someone with midlevel skills?

Page 2

Jaskalas

Lifer
Jun 23, 2004
33,438
7,503
136
I have a home network, just my desktop with Win7 and my wife's laptop with Win10.
...
So we are both clients, right?

Of course. It gave me pause when I encountered that needless language, but our desktop operating systems (Windows 7, and Windows 10) are definitely classified as clients in this case.

So the command uses sc.exe. Several years ago in my job I ran sc.exe to configure a service we used. That's the same sc.exe?

I may have used sc.exe once myself, it sounds familiar. I'll have to assume it's the same one but all my PCs are Windows 10. Your analysis of the commands mirrors my own. I just won't commit to their effectiveness without the ability to verify it myself.

Looking at the registry here, under "LanmanWorkstation" I see a value named "DependOnService" but not one for "depend". Could that be an error on the MS page? If there is no value for "depend" does the command create one?

That's a curiosity, however someone with Windows 7 would have to answer that.

And final curious - what does SMB do anyway?

Server Message Block
Enjoy the reading.
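As an added check, not part of the thread: the `depend=` switch of sc.exe writes the service's `DependOnService` registry value, so there is no value literally named "depend". This script (my own, not from the Microsoft page being discussed) verifies the state the standard Windows 7 SMBv1 guidance is meant to produce; it assumes those commands are `sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi` and `sc.exe config mrxsmb10 start= disabled`, and that you run it from an elevated PowerShell prompt.

```powershell
# Added verification script (not from the thread). Checks that the SMBv1
# client driver is no longer a dependency of the Workstation service, that
# the driver itself is disabled, and that the SMBv1 server is switched off.
# Assumes the standard Microsoft commands for Windows 7 were used:
#   sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
#   sc.exe config mrxsmb10 start= disabled
# sc.exe "depend=" writes the REG_MULTI_SZ value DependOnService; there is no
# registry value named "depend".

$wsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$v1Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Workstation (SMB client) dependency list: mrxsmb10 must be gone.
$deps = (Get-ItemProperty -Path $wsKey -Name DependOnService).DependOnService
Write-Host "LanmanWorkstation DependOnService: $($deps -join ', ')"
if ($deps -contains 'mrxsmb10') {
    Write-Warning 'Workstation service still depends on mrxsmb10 (SMBv1 client driver).'
} else {
    Write-Host 'OK: mrxsmb10 is not in the Workstation dependency list.'
}

# 2. SMBv1 client driver start type: 4 = disabled (what "start= disabled" writes).
$start = (Get-ItemProperty -Path $v1Key -Name Start -ErrorAction SilentlyContinue).Start
if ($null -eq $start) {
    Write-Host 'mrxsmb10 service key not found; SMBv1 client driver is not installed.'
} elseif ($start -eq 4) {
    Write-Host 'OK: mrxsmb10 driver is disabled (Start=4).'
} else {
    Write-Warning "mrxsmb10 Start=$start (not disabled)."
}

# 3. SMBv1 server: SMB1 DWORD under LanmanServer\Parameters, 0 = disabled.
#    A missing value means the Windows 7 default, which is enabled.
$smb1 = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($smb1 -eq 0) {
    Write-Host 'OK: SMBv1 server disabled (SMB1=0).'
} else {
    Write-Warning 'SMBv1 server not explicitly disabled (SMB1 value missing or nonzero).'
}
```

A reboot is required after changing the dependency list or start type before the running driver state matches the registry.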
 

HutchinsonJC

Senior member
Apr 15, 2007
465
202
126
There are already quite a few "copy-cats" out there with no kill-switch at all.
It started shortly after the original was released.

Well, according to some webinars I watched yesterday, that's not true. Big name security solutions haven't encountered a non-kill-switch variation, as of yesterday afternoon. I had some other things to sit in on this morning, so I'm only just now getting to my day.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
Well, according to some webinars I watched yesterday, that's not true. Big name security solutions haven't encountered a non-kill-switch variation, as of yesterday afternoon. I had some other things to sit in on this morning, so I'm only just now getting to my day.
Well...
At Rendition we’ve been watching the evolution of the WanaCrypt0r malware. We have become aware of a sample that does not implement the infamous “kill switch” domain check that neutered the original. If you were counting on the kill switch being activated to save your network, we have unfortunate news for you: that approach isn’t going to work anymore.
[attached image: wanaCrypt0r.png]

Bottom line is, everyone should have patched up by now, there is no excuse for these versions to keep spreading.
 

HutchinsonJC

Senior member
Apr 15, 2007
465
202
126
Since that doesn't show source code and it doesn't show something from wireshark showing an absence of seeking a domain, it's hard to say that that picture definitively proves there's no kill switch. There were 3 different kill-switch domains brought online since the version of the malware released on the 12th.

If the off-set changed where the kill-switch domain was, could it mean the domain it was pointing to changed?
 

HutchinsonJC

Senior member
Apr 15, 2007
465
202
126
Found this:
In a blog post on Saturday, @MalwareTech recounted his experience of registering the WannaCry domain, and how it ultimately quelled that attack variant. The malware tries to connect to the registered domain: if the connection is unsuccessful, it shakes down the machine for ransom. If it gets a handshake, it "exits" the victim's machine, he said.

He said he now believes the domain was not a kill switch to stop the attack if it got out of control, but instead "a badly thought out anti-analysis" tool.

"I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they're in a sandbox [and] the malware exits to prevent further analysis," he wrote. WannaCrypt used one hardcoded domain, so when the researcher registered the domain, "it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware."
http://www.darkreading.com/threat-i...ve-been-a-sandbox-evasion-tool/d/d-id/1328892

I thought the idea of a kill-switch sounded suspicious, anyway.
 

sonoferu

Senior member
Jun 6, 2010
286
5
81
Of course. It gave me pause when I encountered that needless language, but our desktop operating systems (Windows 7, and Windows 10) are definitely classified as clients in this case.



I may have used sc.exe once myself, it sounds familiar. I'll have to assume it's the same one but all my PCs are Windows 10. Your analysis of the commands mirrors my own. I just won't commit to their effectiveness without the ability to verify it myself.



That's a curiosity, however someone with Windows 7 would have to answer that.



Server Message Block
Enjoy the reading.

Hi there

I tried the reading and got lost in the first sentence

In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/),[1][2] operates as an application-layer network protocol[3] mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism.

There is terminology there that I just don't know, so maybe it's not worth trying to translate for me.

But hey, thanks for everyone's inputs [much of which also went over my head but I did learn some interesting stuff]
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
The practical application is that SMB is the network file sharing protocol that Windows primarily uses, and other OS types support varying versions. The key thing to know is that if you don't use it, just turn file sharing off in Windows; your router probably blocks it from the internet, so you should be good to go, but it doesn't hurt to double check.
 

Red Squirrel

No Lifer
May 24, 2003
67,371
12,125
126
www.anyf.ca
The strategy against ransomware is the same one as any other malware. Don't have a system facing the internet directly, don't port forward services that could be exploited that are on the same vlan as the rest of the network. Don't open files you don't trust, whether it comes from an email or something you downloaded.

That's for preventative. You still want a reactive strategy in case that fails, and that strategy is good backups. You always want to have some form of cold backups and perhaps a few rotations in case you don't notice the malware and run a backup. If you get hit with ransomware or any malware you're better off to format and reinstall and restore backups. The more individual rotations of backups you can afford to have the better. The really important non replaceable stuff often tends to be smaller data like documents, so you can always use a bunch of USB sticks for those.