Ransomware - WannaCry

Discussion in 'Latest Technology News' started by vivek.krishnan, May 14, 2017.

  1. vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    mk76, Emrebel, Crazy_Eddy and 2 others like this.
  2. OP
    OP
    vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    Here is what I know

    1. If you have not updated your Windows, and it runs SMBv1, you are vulnerable.
    2. Linux/Other OS seem not affected.
     
  3. Emrebel

    Emrebel Active Member
    Adept

  4. Julian

    Julian om nom nom
    Veteran

    What is the attack vector(s) used by this?

    Does it encrypt only the OS (system) drive/partition or any/all drives?
     
  5. bobbyprajan

    bobbyprajan Active Member
    Disciple

    Propagates through email and exploits a vulnerability against specially crafted SMB v1 packets. MS has released patches to plug the vulnerability. Disabling SMB at network boundaries and installing the patch is the solution.
     
    Julian and vivek.krishnan like this.
  6. nimod

    nimod Well-Known Member
    Adept

    <ot>
    I use Linux - WannaLaugh
    </ot>
     
    6pack and vivek.krishnan like this.
  7. OP
    OP
    vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    Attack vector is an exe inside your organisation's LAN which uses the EternalBlue exploit to encrypt the machines running unpatched SMBv1.

    Have seen both cases - mail and RDP as entry vectors.
     
    savrom, Julian, 6pack and 1 other person like this.
  8. OP
    OP
    vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    Disabling SMB is a short-term solution, but the best thing people can do is move on to a more secure OS.

    My organisation has both 2000 and 2003 as well, which cannot be upgraded due to. We were going to put these in separate VLANs with no internet connection - this will ensure the ransomware is blocked. But due to budget constraints we have put them off for this year from last. Now I expect it will get done ASAP. Or maybe not.
     
    Julian likes this.
  9. vishalrao

    vishalrao Global Moral Police
    Veteran

    It is apparently also a "worm" meaning it needs no human intervention (clicking on shady links) to propagate - it is self replicating too.
     
  10. bobbyprajan

    bobbyprajan Active Member
    Disciple

    If it is a worm, then will isolating SMB v1 systems to a VLAN help?
     
  11. vishalrao

    vishalrao Global Moral Police
    Veteran

    Yes, it should help, that's probably how it is self-replicating.
     
  12. vishalrao

    vishalrao Global Moral Police
    Veteran

    I should say "isolating" SMB will probably just limit the spread, not totally block it. The way to stop this is to patch systems and/or disable the SMB part altogether.
     
    savrom and bobbyprajan like this.
  13. OP
    OP
    vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    Yes, since they will not be exposed to the main LAN. It will defeat the purpose of a server, but it's for a small subset of users. We will also be removing internet from those systems, excluding emails only from our mail server, and that too limited to our domain only.
     
  14. OP
    OP
    vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    People should move to a secure OS. I would advocate using Zentyal and Nethserver as free drop-in replacements for 2003 server.

    Should you disable v1? Yes, if you don't have any 2003 servers (we do). v2? When the time comes, I guess.

    We use SMBv3 as well, to take advantage of the multi channel feature.
     
    vishalrao likes this.
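The host-side version of what this thread keeps circling back to (bobbyprajan's "install the patch and block SMB at the boundary", and the "disable v1, keep v2/v3" discussion above), as an added PowerShell example that is not from any poster here. It assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or newer (the Get-Smb* and NetSecurity cmdlets); the KB list is the March 2017 MS17-010 set per OS family, and $AllowedSmbSources is a placeholder subnet you would replace with your own file-server or management range. The 2000/2003 boxes discussed in the thread have none of these cmdlets, which is exactly why they end up in a separate VLAN instead.

```powershell
# Added example, not from any poster in this thread: audit a Windows host for the conditions
# the thread describes (SMBv1 enabled, MS17-010 missing, TCP/445 reachable), then optionally
# disable SMBv1 and scope inbound SMB to an allowed subnet.
# Needs an elevated prompt on Windows 8.1 / Server 2012 R2 or newer.
param(
    [switch]$Remediate,
    [string[]]$AllowedSmbSources = @('10.0.10.0/24')   # placeholder; replace with your subnet(s)
)

# MS17-010 KB IDs from the March 2017 release, per OS family. Later cumulative updates
# supersede these, so an empty result on a current Windows 10 build is a prompt to check
# the build number, not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-SmbExposure {
    $srv     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $patched = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
        Smb1Feature       = if ($feature) { $feature.State } else { 'n/a' }
        Smb2Enabled       = $srv.EnableSMB2Protocol
        Port445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        Ms17010Kbs        = ($patched | ForEach-Object HotFixID) -join ','
        # Dialects negotiated by live outbound sessions: anything below 2.x is a legacy
        # server this host still depends on (the thread's 2003 case).
        LiveDialects      = (Get-SmbConnection -ErrorAction SilentlyContinue |
                                 ForEach-Object { "$($_.ServerName)=$($_.Dialect)" }) -join ' '
    }
}

function Disable-Smb1Protocol {
    # Server side: stop answering SMB1 negotiates, which is what EternalBlue targets.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    # Client side: drop the SMB1 redirector so this host cannot be talked down to SMB1 either.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Limit-InboundSmb {
    param([string[]]$Sources)
    # Windows Firewall evaluates block rules before allow rules, so "allow from one subnet,
    # block everything else" is built by keeping the default inbound action at Block,
    # disabling the broad built-in allow rules, and adding one allow rule scoped to $Sources.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Set-NetFirewallRule -Enabled False
    New-NetFirewallRule -DisplayName 'SMB in (scoped, WannaCry mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445,139 `
        -RemoteAddress $Sources -Action Allow | Out-Null
}

$before = Get-SmbExposure
$before | Format-List

if ($Remediate) {
    if ($before.Smb1ServerEnabled) { Disable-Smb1Protocol }
    Limit-InboundSmb -Sources $AllowedSmbSources
    Get-SmbExposure | Format-List
    Write-Host 'Reboot to finish removing the SMB1 components.'
}
```

Run it without arguments to get the report only; add -Remediate to apply the changes. A host that still shows an NT1/1.x entry under LiveDialects is a client of a legacy server, and disabling the SMB1 redirector on it will break that mapping, which is the same trade-off the thread describes for sites that keep 2003 servers around.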
  15. vishalrao

    vishalrao Global Moral Police
    Veteran

    I guess if the security updates are installed then no need to disable anything, right?

    This ransomware is spreading only on Windows systems which haven't got the security patch installed I believe.
     
  16. OP
    OP
    vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    You can't, as of now. You can follow best practices to ensure you are not affected.
     
  17. OP
    OP
    vivek.krishnan

    vivek.krishnan Error Code 451
    Veteran

    Correct.

    However, if, say, Microsoft did not patch 2003, or if you are running something older like we are which is not patched, in such cases isolating that segment is the best way forward. Also, blocking internet access will ensure that even if we insert a pen drive with ransomware, it cannot connect, nor can it phone home. However, this is not an answer, but a temporary solution. In our case, we have software running which is EOL and not generating enough revenue to be worth replacing.
     
  18. Julian

    Julian om nom nom
    Veteran

    Any specific details of the spread/extent of damage, guys? Like, does it encrypt entire partitions or Documents & Settings types...
     
  19. RakaKaKaka

    RakaKaKaka Active Member
    Adept

    Do I need to worry if I have updated Windows 10? On the Windows Update screen it says your computer is updated. I do browse a lot of shady sites.
     
  20. drkrack

    drkrack Heart Repairer
    Adept

    Though Russian hackers have been blamed for introducing this, it may be Chinese as well.
    Can't vouch for the authenticity of the picture, shared as received.
     
