
[3rd Update] WCry ransomware has possible links to Lazarus Group & PRNK

Master Disaster

Oh OK, didn't know this was possible.


22 minutes ago, Raskolnikov said:

Oh OK, didn't know this was possible.

 

True or not, this is the exact kind of thing people point to when they say "Macs (and Linux) don't get viruses" (aside from the simple fact that there are just fewer of them in total, of course). Any system can get infected if you intentionally download and install one, but these kinds of exploits that just pwn you uncontrollably, that's where it comes down to system design quality.


30 minutes ago, LAwLz said:

Hell, even Windows XP was patched.

Was it?  I heard they didn't...

30 minutes ago, LAwLz said:

It uses several different methods and for different parts of the malicious code, but it heavily relies on an exploit in SMBv1.

It's not a Trojan though. From what I can tell, simply being connected to someone on the same network, or being reachable with SMB over the Internet can get you infected. No user input necessary.

 

Quote from Talos:

Alright, thanks, that's pretty much what I thought was going on, but no one had clearly spelled it out until now :P 

30 minutes ago, LAwLz said:

I doubt it. The exploit is not in SMB by itself, but rather how SMBv1 is handled by Windows.

That's what I figured too


2 minutes ago, Ryan_Vickers said:

-Snip-

How is Canadia holding up after this?  Any reports? 

 

Things are going crazy on local news, Telecommunication authority didn't register any incident, yet.


39 minutes ago, Raskolnikov said:

Oh OK, didn't know this was possible.

 

Yeah, it's basically a very specific set of circumstances here...

 

A remote code execution exploit was leaked (it was zero day as MS had no prior knowledge of it). The hackers used the exploit to create a worm that basically sniffs every IP it has access to (locally or externally) looking for other vulnerable machines. When it finds another machine it zips itself up and sends itself to the other machine, then uses the zero day to execute itself on the new machine, infecting it. The new machine then also starts sniffing and the whole thing turns into a snowball: the more machines get infected, the more become infected.

 

MS did patch the exploit in March, but in the case of large corporations updates aren't generally pushed as frequently as in the consumer market; most businesses have internal infrastructure to handle updating OSes and it can be months or even years before updates get pushed. Also a large number of infected machines were running XP, which was never patched. MS have now issued patches for XP and Server 2K3 plus Win 8.


7 minutes ago, Foxxer said:

How is Canadia holding up after this?  Any reports? 

 

Things are going crazy on local news, Telecommunication authority didn't register any incident, yet.

I haven't heard anything bad happening here yet


I've just realised something, MS have patched XP, Server 2K3 and Win 8 but ignored Vista?


11 minutes ago, Master Disaster said:

I've just realised something, MS have patched XP, Server 2K3 and Win 8 but ignored Vista?

What?  Where are you people getting this? :P  

I'm going based on this: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

which seems to show (only) Vista and newer are patched


13 minutes ago, Master Disaster said:

I've just realised something, MS have patched XP, Server 2K3 and Win 8 but ignored Vista?

Vista was a bad OS anyway


11 minutes ago, Ryan_Vickers said:

What?  Where are you people getting this? :P  

I'm going based on this: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

which seems to show (only) Vista and newer are patched

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


23 minutes ago, Master Disaster said:

A remote code execution exploit was leaked (it was zero day as ms had no prior knowledge of it)

It was not a zero day. Like you said, they had a patch for it out in March.

 

20 minutes ago, Master Disaster said:

I've just realised something, MS have patched XP, Server 2K3 and Win 8 but ignored Vista?

They patched Vista too.

 

9 minutes ago, Ryan_Vickers said:

What?  Where are you people getting this? :P  

I'm going based on this: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

which seems to show (only) Vista and newer are patched

Here are download links for it.

As you can see, it's the same KB number as mentioned in the document you posted.


10 minutes ago, TAHIRMIA said:

Vista was a bad OS anyway

Can you tell me why?


Just now, Master Disaster said:

Hm, so even though these are all dead, they made an exception and rolled out an update for XP, server 2003, and 8 (specifically 8, not 8.1, which anyone with 8 should have had long long ago)


2 minutes ago, LAwLz said:

It was not a zero day. Like you said, they had a patch for it out in March.

It was a zero day when it was leaked though, that's what I meant.


7 minutes ago, Ryan_Vickers said:

Hm, so even though these are all dead, they made an exception and rolled out an update for XP, server 2003, and 8 (specifically 8, not 8.1, which anyone with 8 should have had long long ago)

Pretty sure they had no real choice; they couldn't expect all the major corps that were hit to upgrade overnight, so they either patched it back to XP or risked it all happening again when Wcry V2 is launched without the domain check kill switch.

 

In case you missed it you need to read this - https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

 

@LAwLz So they have patched Vista too, it's just that none of the 20 people still using it have noticed and MS decided not to bother mentioning it.


22 hours ago, Master Disaster said:

The attack is over, a British expert managed to kill the worm by accident

It's not over, it's still spreading from infected systems, it just isn't delivering its payload anymore.


Just now, vorticalbox said:

It's not over, it's still spreading from infected systems, it just isn't delivering its payload anymore.

Not to mention they could release a new one that can't be killed in the same way at any moment and I fully expect they will


2 minutes ago, vorticalbox said:

It's not over, it's still spreading from infected systems, it just isn't delivering its payload anymore.

Fair point, I'll change the wording.


Just now, Ryan_Vickers said:

Not to mention they could release a new one that can't be killed in the same way at any moment and I fully expect they will

All they need to change is the URL check to randomly pick letters as a URL and any unpatched system will be hit, but my guess is that they are lying low until it all blows over before coming back for round 2.


Just now, vorticalbox said:

All they need to change is the URL check to randomly pick letters as a URL and any unpatched system will be hit, but my guess is that they are lying low until it all blows over before coming back for round 2.

imo they would be wise to do it as soon as possible.  With every day that passes, more and more systems will become protected from this


Just now, Ryan_Vickers said:

imo they would be wise to do it as soon as possible.  With every day that passes, more and more systems will become protected from this

 

1 minute ago, vorticalbox said:

All they need to change is the URL check to randomly pick letters as a URL and any unpatched system will be hit, but my guess is that they are lying low until it all blows over before coming back for round 2.

 

I'll get to updating it :P xD


1 minute ago, vorticalbox said:

All they need to change is the URL check to randomly pick letters as a URL and any unpatched system will be hit, but my guess is that they are lying low until it all blows over before coming back for round 2.

The expert said he expected some kind of algorithm built in that randomly changes the domain on a timer. That's a scary thought.

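Added example (not from this thread or from any source it links): detection logic in Python, run over constructed connection and DNS log lines, that flags hosts showing the two behaviours discussed in the posts above, the TCP/445 fan-out of a worm scanning every reachable IP for SMB targets, and the lookup of the kill-switch domain, which an infected host still performs after sinkholing even though the payload is no longer delivered. The log formats, IP addresses and the kill-switch domain name are placeholders I chose; the real domain is not named on this page.

```python
from collections import defaultdict

# Placeholder: the real kill-switch domain is not named on this page.
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample logs (not real captures). Connection log fields:
# timestamp, source IP, destination IP, destination port.
CONN_LOG = "\n".join(
    # 10.0.0.5 opens TCP/445 to twelve distinct hosts within a minute: worm-like fan-out
    [f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445" for i in range(1, 13)]
    + [
        "2017-05-12T10:01:00 10.0.0.7 10.0.0.20 445",  # an ordinary file-share client
        "2017-05-12T10:01:02 10.0.0.7 10.0.0.21 445",
        "2017-05-12T10:01:05 10.0.0.8 203.0.113.10 443",
    ]
)

# DNS log fields: timestamp, client IP, queried name.
DNS_LOG = """\
2017-05-12T10:00:05 10.0.0.5 killswitch-placeholder.example
2017-05-12T10:01:10 10.0.0.9 killswitch-placeholder.example
2017-05-12T10:01:12 10.0.0.7 www.example.com
"""


def smb_fanout(conn_log, threshold=10):
    """Map source IP -> number of distinct TCP/445 destinations, for hosts at or above threshold.

    A worm probing every reachable address shows up as one source touching many
    destinations on 445; ordinary clients talk to a handful of file servers at most.
    """
    targets = defaultdict(set)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split()
        if port == "445":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def killswitch_queriers(dns_log, domain=KILLSWITCH_DOMAIN):
    """Clients that resolved the kill-switch domain: the worm ran on them, sinkhole or not."""
    return {
        line.split()[1]
        for line in dns_log.splitlines()
        if line.strip() and line.split()[2].lower() == domain
    }


def suspects(conn_log, dns_log, threshold=10):
    """Hosts flagged by either signal, sorted, for isolation and patch verification."""
    return sorted(set(smb_fanout(conn_log, threshold)) | killswitch_queriers(dns_log))
```

Lower the fan-out threshold for small subnets; the point is that a host which only checks the kill-switch domain (10.0.0.9 above) is still worth isolating even though it never delivered a payload.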

31 minutes ago, Foxxer said:

Can you tell me why?

Really slow,

was not optimised properly,

RAM and HDD usage of the OS was bad.


4 minutes ago, Ryan_Vickers said:

imo they would be wise to do it as soon as possible.  With every day that passes, more and more systems will become protected from this

The problem they have now is round 1 was so effective, all the PCs hit by it will certainly be patched as part of the clean up operation. I'd be considering whether round 2 would be worth it at all.

 

I wonder how many people paid the ransom though?


Just now, Master Disaster said:

The problem they have now is round 1 was so effective, all the PCs hit by it will certainly be patched as part of the clean up operation. I'd be considering whether round 2 would be worth it at all.

 

I wonder how many people paid the ransom though?

Honestly, can't be that many if they only got ~100 bitcoins and each bitcoin is ~3 ransoms
