I try to cut through all the bafflegab in this new post on InfoWorld. If you need instructions for protecting yourself against WannaCrypt, see the nex
[See the full post at: Straight answers to your questions about WannaCrypt]
Straight answers to your questions about WannaCrypt
This topic has 20 replies, 8 voices, and was last updated 8 years ago.
Tags: MS17-010 WannaCrypt
MrBrian (AskWoody_MVP)

woody (Manager), May 15, 2017 at 12:37 pm, #115435
Seff (AskWoody Plus), May 15, 2017 at 1:40 pm, #115452

I imagine they want to put as little in the public domain as possible, beyond how people should protect themselves, and in particular they don’t want the malware fraternity to know how much and what exactly the experts know about this attack given that such information can only be useful to those seeking to exploit it in any rehash of the attack.
anonymous (Guest), May 15, 2017 at 10:49 pm, #115555

@ woody
Candid Wüest, a threat researcher at Symantec, said the company was carefully monitoring emails over the weekend for any evidence of phishing causing the attack but had not found it.
He said the most likely way the malware spread was through the Windows Server Message Block SMB protocol, a system used to share files between computers. While SMB is typically used for inter-office communications, some connect to the public internet, making them vulnerable to hackers.
“If it’s exposed to the internet then just having a computer online is enough,” Wüest said. The hackers exploited the EternalBlue Microsoft vulnerability stolen from the National Security Agency and dumped online a month ago. Wüest said in that month the cyber criminals behind would have been able to scan internet networks for vulnerable servers.
Once on a computer, the SMB “worm” would have been able to spread through other computers on the network, such as NHS trusts, and to other internet-connected computers.
http://www.telegraph.co.uk/technology/2017/05/15/suspicious-emails-unlikely-cause-global-cyber-attack/ (dated Noon 15 May 2017)
anonymous (Guest), May 15, 2017 at 11:32 pm, #115581

… seems the WannaCry hackers purposely targeted corporations/companies for better monetary/bitcoin return because their computers often store important business/customer data and some of them would have enabled their port 445 to be open to the Internet, e.g. to use MS Remote Desktop Service.
In comparison, Home-users do not typically open their port 445 to the Internet.
DougCuk (AskWoody Lounger), May 15, 2017 at 12:57 pm, #115439

Very interesting that you say that Windows XP systems were not infected.
The popular press seems to be under the impression that Windows XP systems were the most likely to have been infected. Here in the UK the news media and radio phone-in shows are all bashing the NHS (Hospitals Trusts and Health Department managers) for allowing this large scale attack by still using a significant percentage of Windows XP computers. Which if your information is correct is a complete red herring (as they say). Do you have a source for the claim that XP systems were not attacked?
woody (Manager), May 15, 2017 at 4:49 pm, #115481

Yep. I’ve spoken with two of the foremost researchers on the topic, and both of them say that WannaCrypt does NOT infect Windows XP machines.
WinXP machines are vulnerable to SMBv1 infection, for sure. The EternalBlue code from NSA will infect WinXP machines. But WannaCrypt specifically does NOT infect WinXP.
They aren’t sure why. But they’re very sure that it doesn’t.
NoLoki (AskWoody Lounger), May 15, 2017 at 2:14 pm, #115459

The NHS (UK) provided an updated statement (May 13) regarding their use of WIN/XP…
While the vast majority are running contemporary systems, we can confirm that the number of devices within the NHS that reportedly use XP has fallen to 4.7 per cent, with this figure continuing to decrease.
https://digital.nhs.uk/article/1493/UPDATED-Statement-on-reported-NHS-cyber-attack-13-May-
I am not finding too many XP systems showing up as being hit by this worm, re: security sites. Those monitoring the situation (and those with honeypots) are still seeing it as a W7 directed attack. It is difficult to get info out of China on this, but it is likely that their XP systems would be more vulnerable (as most are pirated) to the newer variants coming out today and in the future (SMB related).
The Shadow Brokers stole a lot of stuff from the NSA, so there is more to come.
Secondly, Windows 10 does use SMB, e.g. if you map network drives to another W10 device.
woody (Manager), May 15, 2017 at 4:54 pm, #115483

Yes, in fact, by default, Win10 has SMBv1 enabled.
I still haven’t heard of a single verified report that WinXP was infected – not by WannaCrypt, nor by any of the copycat variations.
That doesn’t mean WinXP CAN’T be infected. Certainly it can, using the same base code as in WannaCrypt. WinXP users definitely need to install the patch Microsoft released. But the reports that say NHS got hit particularly hard by WannaCrypt because they’re using WinXP so much are complete fabrications. Fake news.
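The two checks the post above asks every Windows user to make (is SMBv1 still on, is the MS17-010 fix installed), plus the "port 445 open to the Internet" case raised earlier in the thread, as an added PowerShell audit. This is example code written for this page, not Woody's or Microsoft's script. It assumes an elevated session on Windows 8/Server 2012 or later (Get-SmbServerConfiguration and the NetSecurity cmdlets do not exist on Windows 7 or XP), and the KB list is the set of MS17-010 packages from the March 2017 bulletin plus the May 2017 out-of-band package for XP/Server 2003; on Windows 10 a later cumulative update supersedes those KBs, so a non-match there is not by itself proof of exposure.

```powershell
# Added example: audit a Windows host for SMBv1, the MS17-010 fix, and
# inbound TCP/445 firewall exposure. Run elevated.

$Ms17010Kbs = @(
    'KB4012598',                            # Vista / Server 2008; also the May 2017 XP / Server 2003 package
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 (superseded by later cumulative updates)
)

function Get-Smb1State {
    # Two independent views: the optional-feature binding and the SMB server setting.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
        ServerEnabled = if ($server)  { $server.EnableSMB1Protocol } else { 'Unknown' }
    }
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed packages by KB id; match against the MS17-010 set.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Installed = [bool]$installed
        Matches   = (@($installed) | ForEach-Object { $_.HotFixID }) -join ','
    }
}

function Get-Port445Exposure {
    # Enabled inbound "Allow" rules for TCP 445 on the Public (or Any) profile are
    # the configuration the thread describes as "port 445 open to the Internet".
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and ($_.Profile.ToString() -match 'Public|Any')
        }
}

function Disable-Smb1 {
    # Turn the server side off immediately and remove the SMB1 binding; the
    # feature removal needs a reboot to complete.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$smb1  = Get-Smb1State
$patch = Test-Ms17010Installed
$rules = @(Get-Port445Exposure)

"SMBv1 feature: $($smb1.FeatureState); SMB server EnableSMB1Protocol: $($smb1.ServerEnabled)"
"MS17-010 package present: $($patch.Installed) $($patch.Matches)"
"Inbound TCP/445 allow rules on Public/Any profile: $($rules.Count)"
$rules | Select-Object DisplayName, Profile | Format-Table -AutoSize

if ($smb1.ServerEnabled -eq $true) {
    Write-Warning 'SMBv1 is enabled. Run Disable-Smb1 once you have confirmed nothing (old NAS boxes, printers, scanners) still needs it.'
}
```

The script reports and warns but does not change anything on its own; Disable-Smb1 is a separate call because SMBv1 removal breaks legacy file servers and embedded devices that only speak the old dialect, which is the reason it was still on by default in the first place.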
MrBrian (AskWoody_MVP), May 15, 2017 at 2:23 pm, #115460

anonymous (Guest), May 15, 2017 at 10:50 pm, #115560

New ‘WannaCry’ variant surfaces, stopped from harming computers: Check Point
http://www.reuters.com/article/us-cyber-attack-virus-idUSKCN18B2IT (Mon May 15, 2017 | 5:34pm EDT)
anonymous (Guest), May 15, 2017 at 11:00 pm, #115569

Cyber attack: Hackers in China try to seize control of WannaCry ransomware’s ‘kill switch’
https://www.theverge.com/2017/5/15/15643226/wannacry-ransomware-north-korea-attribution-wannacrypt
anonymous (Guest), May 16, 2017 at 5:30 am, #115619

In fact, WannaCry has caused so much damage with such little profit that some security researchers have begun to suspect that it may not be a money-making scheme at all. Instead, they speculate, it might be someone trying to embarrass the NSA by wreaking havoc with its leaked hacking tools—possibly even the same Shadow Brokers hackers who stole those tools in the first place. “I absolutely believe this was sent by someone trying to cause as much destruction as possible,” says Hacker House’s Hickey.
https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/
NoLoki (AskWoody Lounger), May 16, 2017 at 6:36 am, #115633

Just seen this on ibtimes …
“TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month.”
Cheeky.
anonymous (Guest), May 16, 2017 at 8:26 am, #115668

@ NoLoki … From your link, this link …
https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
Sale is buy or no buy, no bad things happen if no buy. Ransom is buy or bad things happen to you. Yes?
(Sounds like a hacker in China or NKorea)
Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT. TheEquationGroup is having former employees working in high up security jobs at U.S. Technology companies. Witting HUMINT. Russian, China, Iran, Israel intelligence all doing same at global tech companies. TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?
GoneToPlaid (AskWoody Lounger), May 16, 2017 at 10:44 am, #115719

Good stuff. I’m still not clear on (1) the initial attack vector and (2) whether WannaCrypt uses and/or leaves behind a copy of DarkPulsar. Strange that so many systems could be hit, and so many security researchers could be looking at it – and we still don’t know the basics.
I too am no longer certain whether or not WannaCrypt actually installs DoublePulsar. Malwarebytes still reports that WannaCrypt installs DoublePulsar. See:
https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
Symantec has updated their documentation about how WannaCrypt operates. See:
https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99&tabid=2
Both of the above web pages are worth reading since we are likely to see variants of WannaCrypt in the future and since many people do not understand the difference between Worms (such as WannaCrypt) and computer Viruses. The era of simple computer Viruses is mostly long gone. The era of Worms, Backdoors, and exploitable operating system and program vulnerabilities is far nastier than the olden days of simple computer viruses.
Some online sources suggest that many computers were already infected with DoublePulsar. It is still unknown if this is correct since we have conflicting information from MalwareBytes and Symantec as to whether or not WannaCrypt actually installs DoublePulsar.
The following Symantec page has a couple of neat graphs which show when the malware started being seen and blocked by Symantec’s AV products, and how many potential infections were prevented by their AV software. Note that I am not making any endorsement for Symantec since VirusTotal shows that many other AV products were able to detect elements of WannaCrypt, although possibly not until after infection had occurred. The interesting stuff on Symantec’s web page is in Figures 1 through 3. See:
https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
From Figure 1 in the above link, it appears that the infection started on last Thursday and not on last Friday. Figure 2 is more interesting in that it shows the number of infections prevented per hour.
Spain’s CERT has twice updated their tools to prevent WannaCrypt infections. They offer two tools. One tool is a script file which creates zero-length t.wnry files in several folders, and which then denies access to everyone on the computer. For the time being, this prevents the currently known variants of WannaCrypt from being able to infect a computer. The other tool is an executable which either must be run every time you reboot your computer, or which you could add to either your StartUp folder or run by adding the appropriate entry into your Windows registry. This tool creates three mutexes which also prevent the currently known variants of WannaCrypt from being able to execute. Documentation for these two tools is provided in both English and Spanish. See:
https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND
On the above web page, the link to download the Spain CERT’s ZIP file which contains both tools and related documentation is the Descargar link at the top right of the web page. I would have provided the link for the English version of the above web page, but that link isn’t working.
Finally and no matter what, PLEASE follow Woody’s instructions for making sure that you have installed, at the very least, the one update needed for your Windows computer which fixes the SMB1 vulnerability which is exploited by WannaCrypt and by any future malware which uses the EternalBlue exploit.
Best regards,
==GTP
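The two mitigation ideas GoneToPlaid describes from the CCN-CERT tools (pre-creating a zero-length t.wnry that nobody can write, and holding named mutexes so a variant that checks whether it is already running exits), rebuilt as an added PowerShell example. This is not the CCN-CERT tool and not code from the thread; the folder list and the three mutex names are placeholders I assumed for illustration, and the real ones must be taken from the CCN-CERT documentation linked above. It assumes an elevated session, since writing into the Windows directory and setting explicit deny ACEs there needs administrator rights.

```powershell
# Added example: "vaccinate" a host the way the post describes.
# Run elevated. Use -Resident to keep the mutexes held until the session ends.
param([switch]$Resident)

# Assumed folder list and placeholder mutex names; substitute the real ones.
$VaccineFolders = @($env:SystemRoot, $env:ProgramData, $env:TEMP, $env:USERPROFILE)
$MutexNames     = @('Global\ExampleMutexA', 'Global\ExampleMutexB', 'Global\ExampleMutexC')

function New-DenyAllFile {
    # Create an empty file at $Path, strip inherited permissions, and add a
    # Deny/FullControl ACE for Everyone (S-1-1-0). A dropper that later tries
    # to open or overwrite the same name gets ACCESS_DENIED. The owner keeps
    # implicit WRITE_DAC, so an administrator can still undo this.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # no inheritance, do not copy inherited ACEs
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $everyone, 'FullControl', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $Path
}

function Lock-NamedMutexes {
    # Create each named mutex with initial ownership. If createdNew comes back
    # $false the name already existed (another process, possibly the malware
    # itself, holds it), which is worth knowing on its own.
    param([Parameter(Mandatory)][string[]]$Names)

    foreach ($n in $Names) {
        $createdNew = $false
        $m = New-Object System.Threading.Mutex -ArgumentList $true, $n, ([ref]$createdNew)
        if (-not $createdNew) { Write-Warning "Mutex '$n' already existed; not owned by this session." }
        $m
    }
}

$created = foreach ($dir in $VaccineFolders) {
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        New-DenyAllFile -Path (Join-Path $dir 't.wnry')
    }
}
"Locked placeholder files:"
$created

$held = @(Lock-NamedMutexes -Names $MutexNames)
"Holding $($held.Count) mutex(es) in this process."

if ($Resident) {
    # The mutexes only exist while this process lives, which is why the CERT
    # executable has to be started again after every reboot.
    while ($true) { Start-Sleep -Seconds 60 }
}
```

To remove the placeholder files later, reset the ACL first (for example `icacls <path> /reset` as administrator), since the Deny ACE blocks Remove-Item as well. This kind of vaccination only stops variants that still use the same file name and mutex names; it is a stopgap, and the MS17-010 update remains the actual fix.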
NetDef (AskWoody_MVP), May 17, 2017 at 5:31 pm, #115974

Trojan.Adylkuzz
https://www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99
( . . . ) we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.
Sigh . . .
~ Group "Weekend" ~