WannaCry Ransomware Epidemic « Giveaway of the Day Forums

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

WannaCry Ransomware Epidemic

(5 posts) (3 voices)

Started 7 years ago by mikiem2
Latest reply from ChrisS

mikiem2
Moderator

A short, short version because this seems to be hitting so many news sites, and of course when that happens some get it wrong.

Basically this is a very large attack campaign delivering ransomware. The initial fee was $300 but soon changed to $600 -- I haven't read of further price increases but it's of course possible. [At the same time, per Threatpost: "A new malware family called Jaff has been identified by researchers who say they are currently tracking multiple massive spam campaigns distributing the malware via the Necurs botnet." It's asking for ~$3,000.]

Two things make WannaCry newsworthy... One, it reportedly near shut down the UK's National Health Service, along with victims in a reported 99 countries. Two, rather than use the much more common methods of infection, e.g. spam, it uses one of the alleged NSA tools released by the Shadow Brokers. And yes, that vulnerability was patched 2 months ago via Windows Updates.

If nothing else this ransomware's success hints at the large numbers of people and businesses who do not update Windows. While it'll be a while before postmortems are published, WannaCry also seems wormable, meaning it just needs to get one foot in the door so-to-speak, infect one device on a network. Probably most security software also blocks WannaCry by now.

Posted 7 years ago #
mikiem2
Moderator

If there's anyone still running XP or Windows 8 [Not 8.1], Microsoft has patched this vulnerability on no longer supported versions of Windows.

As far as XP goes, problems updating via Windows Update are back. The VBox VM took maybe an hour to find the updates, all the while with svchost.exe using 100% CPU. Same story with the XP Mode VM, except there it wouldn't find updates for (2) periods of 3 hours each -- a 3rd try today worked after 2 hours, then took an hour to install the 17 updates [I've applied the POS registry hack so I still get updates].

Posted 7 years ago #
Robert
StrayCat

Standalone Security Update for Windows XP SP3 (KB4012598):
(WannaCry)

You can get the security patch over here:
https://www.microsoft.com/en-us/download/details.aspx?id=55245

Posted 7 years ago #
mikiem2
Moderator

AFAIK no one has developed a full decryptor for this ransomware. There is a decryptor that might work if the device has not rebooted or shut down -- it exploits a bug or weakness in Windows encryption, where values are left in memory. It's spread was limited because security researchers found a kill switch... basically the ransomware tried to connect to a non-existent web site, & if it succeeded, it would shut itself down. The most common theory I've read is that a test VM might try to emulate any server or site that malware tries to connect to, attempting to mimic a real world infection, so the malware could be monitored & studied. Since the target web site didn't exist, if the ransomware was able to connect to it, then it must be running in a test VM. The ransomware developers' mistake was not registering that web site name -- a security researcher registered it, so every time a fresh copy of the ransomware tried to connect it was successful, & shut itself down.

Versions of WannaCry soon appeared without the kill switch, but they were/are believed to be the work of copycats. And more malware is looking to use the same NSA tools, along with 6 more. So security experts & Microsoft are recommending that everyone disable or remove the SMBv1 that the NSA tool used by WannaCry requires.

securelist[.]com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/

threatpost[.]com/eternalrocks-worm-spreads-seven-nsa-smb-exploits/125825/

support[.]microsoft[.]com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server

Posted 7 years ago #
ChrisS
Administrator

Per this article: The Windows Malicious Software Removal Tool has been updated for WannaCry.

It's unlikely that it would decrypt an infected system so it's probably not much different from what the other anti-malware providers supply.

Direct link to The Malicious Software Removal Tool if you don't want to read the article.

Posted 7 years ago #

RSS feed for this topic

Reply

You must log in to post.