[3rd Update] WCry ransomware has possible links to Lazarus Group & PRNK

What exactly do you mean when you say SMB over the Internet? Will an office with a server whose data is not accessible over the Internet but only through the LAN, although the PCs connected to it are on the Internet, be affected?

Edited by Ezio Auditore

Please quote me so that I know that you have replied unless it is my own topic.


Just now, Ezio Auditore said:

What exactly do you mean when you say SMB over the Internet? Will an office with a server whose data is not accessible over the Internet but only through the LAN, although the PCs connected to it are on the Internet, be affected?

Yes, as long as the computer has a public IP, which it probably does, then it may get affected unless you are all up to date.

Hello


4 minutes ago, TAHIRMIA said:

Yes, as long as the computer has a public IP, which it probably does, then it may get affected unless you are all up to date.

I'm not exactly well versed in networking, but if I were to connect over a smartphone Hotspot, will it be the Smartphone that has the public IP instead of the PCs connected (thus I would be reasonably safe to download the updates required)? 

My eyes see the past…

My camera lens sees the present…


Just now, Zodiark1593 said:

I'm not exactly well versed in networking, but if I were to connect over a smartphone hotspot, will it be the smartphone that has the public IP instead of the PCs connected (thus I would be reasonably safe to download the updates required)?

The PC would get its own public IP, but as hotspots and mobile data network providers block ports on smartphones, you should be safe to do so.


12 minutes ago, TAHIRMIA said:

Yes, as long as the computer has a public IP, which it probably does, then it may get affected unless you are all up to date.

It probably doesn't.


29 minutes ago, Zodiark1593 said:

In the interest of security, I shall sacrifice a couple GB of my data plan and update my systems. :(

I'm sure it sucks a bit to have to use up data on Windows updates, but I'd say it's better than the alternative of getting infected by this.

I just realized a few minutes ago that my Windows 7 laptop is way behind on updates, so it's likely vulnerable.

Worse, it's only got the free version of Bitdefender and Malwarebytes, so it may be lacking active protection. At least from Malwarebytes.


1 hour ago, leadeater said:

If there is no system exposed to the internet for SMB (tcp 445) then you would need that initial infection point triggered by human error, after that it will spread across the network.

Edit:

This is why you should NEVER port forward SMB ever, use a VPN or RDP or anything just never expose SMB to the internet.

I'm going to regret asking this because I know people can be dumb, but what possible reason could you have to expose an SMB share to the internet?

That's like saying here you go everyone in the world, look at my shared folder.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)
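The advice quoted above, never to expose SMB to the internet, is something a defender can check for rather than assume. The Python script below is an added example, not code from this thread or from any of its posters: it audits constructed listening-socket lines and a constructed router port-forward table for SMB (TCP 445/139) reachable beyond loopback, treating RFC 1918 and link-local ranges as LAN-only. The input formats, the `audit_smb_exposure` function and its helpers are all assumptions made for this illustration.

```python
"""Audit whether SMB (TCP 445/139) is reachable from outside the LAN.

Added example, not from the forum thread. It checks two things a defender
controls: (1) which addresses the SMB service is bound to on a host, and
(2) whether a router/firewall port-forward (NAT) rule maps any external
port onto SMB on a LAN host. Both input formats are constructed here.
"""
import ipaddress
import re

SMB_PORTS = {139, 445}

# Constructed "proto local_address:port STATE" lines, loosely modelled on
# `ss -ltn` / `netstat -an` output; real tools print more columns.
LISTEN_RE = re.compile(r"^(tcp6?)\s+(\S+):(\d+)\s+LISTEN$")

# Ranges treated as LAN-only (explicit list rather than ipaddress.is_private,
# whose definition differs between Python versions).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # IPv4 link-local
    "fc00::/7", "fe80::/10",                          # IPv6 ULA, link-local
)]


def bind_scope(addr: str) -> str:
    """Classify a bound address as all, loopback, private or public."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in NON_PUBLIC):
        return "private"
    return "public"


def audit_listeners(lines):
    """Return one finding per SMB listener that is not loopback-only."""
    findings = []
    for line in lines:
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        _proto, addr, port = m.groups()
        port = int(port)
        if port not in SMB_PORTS:
            continue
        scope = bind_scope(addr)
        if scope == "loopback":
            continue
        # Bound to a public address means directly reachable; bound to all
        # interfaces (the Windows default) is only safe while nothing routes
        # internet traffic to this host, so it is marked for review.
        severity = "critical" if scope == "public" else "review"
        findings.append({"kind": "listener", "addr": addr, "port": port,
                         "scope": scope, "severity": severity})
    return findings


def audit_nat_rules(rules):
    """Flag any TCP forward whose internal target is SMB, whatever the external port."""
    findings = []
    for rule in rules:
        if rule.get("proto", "tcp") != "tcp":
            continue  # the worm's transport is SMB over TCP
        if rule["int_port"] in SMB_PORTS:
            findings.append({"kind": "nat", "ext_port": rule["ext_port"],
                             "target": f'{rule["int_ip"]}:{rule["int_port"]}',
                             "severity": "critical"})
    return findings


def audit_smb_exposure(listener_lines, nat_rules):
    """Combined audit: host listeners first, then router forwards."""
    return audit_listeners(listener_lines) + audit_nat_rules(nat_rules)


# Constructed sample input: one LAN workstation plus its router's forward table.
SAMPLE_LISTENERS = [
    "tcp 0.0.0.0:445 LISTEN",        # SMB on every interface (normal on Windows)
    "tcp 192.168.1.10:139 LISTEN",   # NetBIOS session service on the LAN address
    "tcp 127.0.0.1:3306 LISTEN",     # unrelated local-only service, ignored
    "tcp 203.0.113.5:445 LISTEN",    # SMB bound to a public address (constructed)
]
SAMPLE_NAT_RULES = [
    {"proto": "tcp", "ext_port": 1194, "int_ip": "192.168.1.1", "int_port": 1194},   # VPN: fine
    {"proto": "tcp", "ext_port": 4450, "int_ip": "192.168.1.10", "int_port": 445},   # SMB on an odd port: still exposed
    {"proto": "udp", "ext_port": 445, "int_ip": "192.168.1.10", "int_port": 445},    # not TCP, skipped
]

if __name__ == "__main__":
    for finding in audit_smb_exposure(SAMPLE_LISTENERS, SAMPLE_NAT_RULES):
        print(finding)
```

Note that a forward on a non-standard external port (4450 above) still lands on SMB inside the LAN, so the NAT check keys on the internal port, not the external one.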


4 minutes ago, AUniqueName said:

It probably doesn't.

Sarcasm? 


3 minutes ago, Master Disaster said:

I'm going to regret asking this because I know people can be dumb, but what possible reason could you have to expose an SMB share to the internet?

That's like saying here you go everyone in the world, look at my shared folder.

I'm guessing nearly all the infections are someone getting phished and then spreading it internally on port 445, considering you would have to go out of your way to publicly expose port 445 to the internet and, as I said earlier, my ISP doesn't even allow this because it's so worm-happy.

Workstation:  14700nonK || Asus Z790 ProArt Creator || MSI Gaming Trio 4090 Shunt || Crucial Pro Overclocking 32GB @ 5600 || Corsair AX1600i@240V || whole-house loop.

LANRig/GuestGamingBox: 13700K @ Stock || MSI Z690 DDR4 || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3060 RTX Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)


19 minutes ago, TAHIRMIA said:

Yes, as long as the computer has a public IP, which it probably does, then it may get affected unless you are all up to date.

Not really, the worm port-sniffs IP addresses and looks for a specific port. Thankfully it's not a port that should be forwarded outside of a local network, so yes, theoretically you can get infected by just being connected to the internet, but it takes a very specific and rare circumstance for that to happen.

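The post above describes the worm sweeping IP addresses for one port (TCP 445). On the defender's side that sweep shows up in firewall logs as a single source touching many distinct hosts on 445 within a short window, which is quite unlike a workstation talking to its one file server. The script below is an added example, not code from this thread; its log line format, the `find_smb_sweeps` function and the sample lines are constructed for this illustration.

```python
"""Spot horizontal SMB scanning in firewall logs.

Added example, not from the forum thread. The log format is constructed:
"<epoch> <ACTION> <src_ip> -> <dst_ip>:<dst_port>/tcp". Both allowed and
dropped connections count, because a scan that is being dropped is still
worth knowing about.
"""
from collections import defaultdict
import re

LOG_RE = re.compile(r"^(\d+)\s+(\w+)\s+(\S+)\s+->\s+(\S+):(\d+)/tcp$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port = m.groups()
    return {"ts": int(ts), "action": action, "src": src, "dst": dst, "port": int(port)}


def find_smb_sweeps(lines, window=60, min_targets=5, port=445):
    """Return {src: distinct_target_count} for every source that reached
    at least `min_targets` distinct hosts on `port` inside any span of
    `window` seconds. A sliding window over the source's sorted events
    keeps a slow, spread-out sweep from being hidden by a large log."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["port"] == port:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        lo = 0
        best = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in hits[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            sweeps[src] = best
    return sweeps


BASE = 1494600000  # constructed epoch timestamp base
SAMPLE_LOG = (
    # constructed: one outside host sweeping the /24 for 445 within ~15 seconds
    [f"{BASE + i * 2} DROP 198.51.100.7 -> 10.0.0.{i + 1}:445/tcp" for i in range(8)]
    # constructed: a workstation talking to its single file server (normal)
    + [f"{BASE + i * 30} ACCEPT 10.0.0.50 -> 10.0.0.5:445/tcp" for i in range(10)]
    # constructed: a crawler on port 80, many hosts but not SMB
    + [f"{BASE + i} ACCEPT 192.0.2.9 -> 10.0.0.{i + 1}:80/tcp" for i in range(8)]
)

if __name__ == "__main__":
    for src, targets in find_smb_sweeps(SAMPLE_LOG).items():
        print(f"possible SMB sweep from {src}: {targets} distinct hosts on 445")
```

The thresholds (`window`, `min_targets`) are knobs: on a flat LAN with few file servers, even three distinct 445 targets from one host in a minute is unusual and worth a look.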

2 minutes ago, TAHIRMIA said:

Sarcasm? 


3 hours ago, The Benjamins said:

Added, thanks :)


So, how long does Windows Update take before actually downloading updates. Mine has been stuck at 0% for quite some time, with no network activity. 


5 minutes ago, Zodiark1593 said:

So, how long does Windows Update take before actually downloading updates. Mine has been stuck at 0% for quite some time, with no network activity. 

You might want to restart, as it appears to have stalled, if you are actually in Windows and still downloading.

My Rig "Valiant"  Intel® Core™ i7-5930 @3.5GHz ; Asus X99 DELUXE 3.1 ; Corsair H110i ; Corsair Dominator Platinium 64GB 3200MHz CL16 DDR4 ; 2 x 6GB ASUS NVIDIA GEFORCE GTX 980 Ti Strix ; Corsair Obsidian Series 900D ; Samsung 950 Pro NVME + Samsung 850 Pro SATA + HDD Western Digital Black - 2TB ; Corsair AX1500i Professional 80 PLUS Titanium ; x3 Samsung S27D850T 27-Inch WQHD Monitor
 
Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, mark_cameron said:

You might want to restart, as it appears to have stalled, if you are actually in Windows and still downloading.

I've restarted several times to the same result. Running their troubleshooting tool, but that seems to have stalled out at "checking for pending restart".


2 hours ago, AnonymousGuy said:

Can someone answer this question:

Can your system get infected "just sitting there" on its own, or does someone on your network have to get compromised first through email / whatever? No article I've read explains whether you need to be worried if you know all the computers on your network.

Symantec has a nice little blog about it.

Others have posted AV and Kaspersky's take on it.

The Symantec one is 'readable' by the average Joe. There are some nice graphs about the infection rates and how it works too.

https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

Quote

What you need to know about the WannaCry Ransomware

The WannaCry ransomware struck across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks.

By: Symantec Security Response

Created 12 May 2017

A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization’s network by exploiting a critical vulnerability in Windows computers, which was patched by Microsoft in March 2017 (MS17-010). The exploit, known as “Eternal Blue” was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.

Am I protected from the WannaCry ransomware?

[see article]....

What is the WannaCry ransomware?

WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.

Can I recover the encrypted files or should I pay the ransom?

Decryption of encrypted files is not possible at present. If you have backup copies of affected files, you may be able to restore them. Symantec does not recommend paying the ransom.

In some cases, files may be recovered without backups. Files saved on the Desktop, My Documents, or on a removable drive are encrypted and their original copies are wiped. These are not recoverable. Files stored elsewhere on a computer are encrypted and their original copies are simply deleted. This means they could be recovered using an undelete tool.

When did WannaCry appear and how quickly did it spread?

WannaCry first appeared on Friday May 12. Symantec saw a dramatic upsurge in the number of attempts to exploit the Windows vulnerability used by WannaCry from approximately 8:00 GMT onwards. The number of exploit attempts blocked by Symantec dropped slightly on Saturday and Sunday but remained quite high.


Who is impacted?

Any unpatched Windows computer is potentially susceptible to WannaCry. Organizations are particularly at risk because of its ability to spread across networks and a number of organizations globally have been affected, the majority of which are in Europe. However individuals can also be infected.

Is this a targeted attack?

No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.


How is WannaCry spread?

While WannaCry can spread itself across an organization’s networks by exploiting a vulnerability, the initial means of infection – how the first computer in an organization is infected remains unconfirmed. Symantec has seen some cases of WannaCry being hosted on malicious websites, but these appear to be copycat attacks, unrelated to the original attacks.


4 minutes ago, Zodiark1593 said:

I've restarted several times to the same result. Running their troubleshooting tool, but that seems to have stalled out to at "checking for pending restart". 

You might want to download the patch on a different computer and then use a USB offline.

Also check your line speed.


9 minutes ago, mark_cameron said:

You might want to download the patch on a different computer and then use a USB offline.

Also check your line speed.

My line speed exceeds 50 Mbps.

Also the Linus rule of asking for help seems to work. As soon as I complain, things start to work.

Wish it wouldn't waste data on display drivers (yes, two) though.


14 minutes ago, Zodiark1593 said:

My line speed exceeds 50 Mbps.

Also the Linus rule of asking for help seems to work. As soon as I complain, things start to work.

Wish it wouldn't waste data on display drivers (yes, two) though.

It's fine. I use the Linus Rule of Moan all the time.

Incidentally, some potential indications this might be a North Korea attack: using stolen US NSA exploit(s)


Any update on the total amount of bitcoins these people have amassed?

QUOTE/TAG ME WHEN REPLYING

Spend As Much Time Writing Your Question As You Want Me To Spend Responding To It.

If I'm wrong, please point it out. I'm always learning & I won't bite.


Desktop:

Delidded Core i7 4770K - GTX 1070 ROG Strix - 16GB DDR3 - Lots of RGB lights I never change

Laptop:

HP Spectre X360 - i7 8560U - MX150 - 2TB SSD - 16GB DDR4


2 hours ago, mynameisjuan said:

Actually, if you are not logged in as an admin (like Unix), keep your system up to date and have AV (or at least keep Defender up to date and running), Windows is pretty close to as safe and secure. Most infections are from out-of-date PCs running full admin access. But since people don't follow basic security rules, yeah, it happens way more on Windows.

Windows has waaaay more privilege escalation exploits than GNU/Linux and OS X.

I would be very surprised if Windows was actually well written in terms of security (or most things for that matter).


3 minutes ago, RadiatingLight said:

Any update on the total amount of bitcoins these people have amassed?

See my last post. There's some indications that this is not about money but might be a DPRK (North Korean) provocation/attack.


3 minutes ago, RadiatingLight said:

Any update on the total amount of bitcoins these people have amassed?


yesterday's weirdness is tomorrow's reason why
