Ransomware - WannaCry

Discussion in 'Latest Technology News' started by vivek.krishnan, May 14, 2017.

  1. vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    Joined:
    Dec 18, 2009
    Messages:
    6,163
    Likes Received:
    970
    mk76, Emrebel, Crazy_Eddy and 2 others like this.
  2. vivek.krishnan

    Here is what I know

    1. If you have not updated your Windows, and it runs SMBv1, you are vulnerable.
    2. Linux/Other OS seem not affected.
     
  3. Emrebel

    Emrebel Active Member
    Disciple

    Joined:
    Nov 14, 2016
    Messages:
    167
    Likes Received:
    35
  4. Julian

    Julian om nom nom
    Veteran

    Joined:
    Jul 31, 2008
    Messages:
    1,251
    Likes Received:
    245
    What is the attack vector(s) used by this?

    Does it encrypt only the OS (system) drive/partition or any/all drives?
     
  5. bobbyprajan

    bobbyprajan Active Member
    Disciple

    Joined:
    Apr 22, 2009
    Messages:
    178
    Likes Received:
    17
    Propagates through email and exploits a vulnerability with specially crafted SMB v1 packets. MS has released patches to plug the vulnerability. Disabling SMB at network boundaries and installing the patch are the solution.
     
    Julian and vivek.krishnan like this.
  6. nimod

    nimod Well-Known Member
    Adept

    Joined:
    Jan 7, 2013
    Messages:
    393
    Likes Received:
    158
    <ot>
    I use Linux - WannaLaugh
    </ot>
     
    6pack and vivek.krishnan like this.
  7. vivek.krishnan

    The attack vector is an exe inside your organisation's LAN which uses the EternalBlue exploit to encrypt the machines running unpatched SMBv1.

    Have seen both cases, mail and RDP, as entry vectors as well.
     
    savrom, Julian, 6pack and 1 other person like this.
  8. vivek.krishnan

    Disabling SMB is a short-term solution, but the best thing people can do is move on to a more secure OS.

    My organisation has both 2000 and 2003 as well, which cannot be upgraded due to. We were going to put these in separate VLANs with no internet connection; this will ensure the ransomware is blocked. But due to budget constraints, we have put them off for this year from last. Now, I expect it will get done ASAP. Or maybe not.
     
    Julian likes this.
  9. vishalrao

    vishalrao Global Moral Police
    Veteran

    Joined:
    Nov 10, 2007
    Messages:
    4,287
    Likes Received:
    409
    It is apparently also a "worm", meaning it needs no human intervention (clicking on shady links) to propagate; it is self-replicating too.
     
  10. bobbyprajan

    If it is a worm, then isolating SMB v1 systems to a VLAN will help?
     
  11. vishalrao

    Yes, it should help, that's probably how it is self-replicating.
     
  12. vishalrao

    I should say "isolating" SMB will probably just limit the spread, not totally block it. The way to stop this is to patch systems and/or disable the SMB part altogether.
     
    savrom and bobbyprajan like this.
  13. vivek.krishnan

    Yes, since they will not be exposed to the main LAN. It will defeat the purpose of a server, but it's for a small subset of users. We will also be removing internet from those systems, allowing only email from our mail server, and that too limited to our domain only.
     
  14. vivek.krishnan

    People should move to a secure OS. I would advocate using Zentyal and Nethserver as free drop-in replacements for 2003 server.

    Should you disable v1? Yes, if you don't have any 2003 servers (we do). v2? When the time comes, I guess.

    We use SMBv3 as well, to take advantage of the multi channel feature.
     
    vishalrao likes this.
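    As an added example (not from any poster in this thread), an elevated PowerShell script that audits the SMBv1 state discussed in posts 5, 12 and 14 and, only when run with -Remediate, applies the mitigations they describe: disable the SMBv1 dialect while leaving SMBv2/v3 (and multichannel) in place, and block inbound TCP/445 from outside the LAN. It assumes the SMB and NetSecurity cmdlets are present (Windows 8 / Server 2012 and later); on older hosts it falls back to the documented LanmanServer registry value.

```powershell
# Added example, not code from the thread. Run as Administrator.
param(
    [switch]$Remediate   # without this switch the script only reports
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting via the SMB module
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts (7 / 2008 R2): a missing SMB1 value means SMB1 is enabled (default)
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Get-Port445Listeners {
    # Any non-loopback listener on 445 is reachable from the LAN (and a worm on it)
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress
}

$smb1 = Get-Smb1State
Write-Host ("SMBv1 server enabled : {0}" -f $smb1)
Write-Host ("TCP/445 listening on : {0}" -f ((Get-Port445Listeners) -join ', '))

if ($smb1 -and $Remediate) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Turns off only the SMB1 dialect; SMBv2/v3 keep working
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        New-ItemProperty -Path $lanman -Name SMB1 -Value 0 -PropertyType DWORD -Force | Out-Null
        Write-Host 'SMB1 disabled in registry; a reboot is required on this OS version'
    }
}

if ($Remediate) {
    # Boundary control from post 5: drop inbound SMB that does not come from the
    # local network. 'Internet' is a built-in keyword of the Windows firewall.
    New-NetFirewallRule -DisplayName 'Block SMB from outside LAN' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress 'Internet' -Action Block `
        -ErrorAction SilentlyContinue | Out-Null
}
```

    Disabling SMBv1 is a mitigation, not a substitute for the patch: a host that still has the vulnerable driver installed should be updated regardless of what the report shows.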
  15. vishalrao

    I guess if the security updates are installed then no need to disable anything, right?

    This ransomware is spreading only on Windows systems which haven't got the security patch installed I believe.
     
  16. vivek.krishnan

    You can't, as of now. You can follow best practices to ensure you are not affected.
     
  17. vivek.krishnan

    Correct.

    However, if, say, Microsoft did not patch 2003, or if you are running something older like we are which is not patched, in such cases isolating that segment is the best way forward. Also, blocking internet access will ensure that even if we insert a pen drive with ransomware, it cannot connect, nor can it phone home. However, this is not an answer, but a temporary solution. In our case, we have software which is EOL, still running, and not generating enough revenue to be worth replacing.
     
  18. Julian

    Any specific details of the spread/extent of damage guys? Like does it encrypt entire partitions or Documents & settings types...
     
  19. RakaKaKaka

    RakaKaKaka Active Member
    Adept

    Joined:
    Jun 28, 2016
    Messages:
    417
    Likes Received:
    57
    Do I need to worry if I have updated Windows 10? On the Windows Update screen it says your computer is updated. I do browse a lot of shady sites.
     
  20. drkrack

    drkrack Heart Repairer
    Adept

    Joined:
    Dec 30, 2007
    Messages:
    724
    Likes Received:
    713
    Though Russian hackers have been blamed for introducing this, it may be Chinese as well.
    Can't vouch for the authenticity of the picture, shared as received.
     