[3rd Update] WCry ransomware has possible links to Lazarus Group & PRNK

Master Disaster
4 minutes ago, Ryan_Vickers said:

Honestly, can't be that many if they only got ~100 bitcoins and each bitcoin is ~3 ransoms

So at ~$1,000 per BC they made approximately $10,000? Quite honestly I'd be a little pissed off if I were them, all the havoc, all the news coverage and they only made away with 10K.

 

Oh shit, nvm, it's $100,000. Still not exactly a fortune though.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Just now, Master Disaster said:

So at ~$1,000 per BC they made approximately $10,000? Quite honestly I'd be a little pissed off if I were them, all the havoc, all the news coverage and they only made away with 10K.

Well, let's do the math. They asked for $300 per infection IIRC, and 1 bitcoin is about $1000, and I heard they made 100 bitcoins (this could well be higher by now though).

So they made about $100,000 off of ~300 PCs

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


If it's only 100k for all that it was not worth it at all

Hello


22 hours ago, Tech_Dreamer said:

Having second thoughts about disabling updates now, aren't you?

That's why I always update my shit whenever I plan on not using my computer for gaming or 3D content. Even then, I update prior to going on about my business.

RIGZ


Starlight (Current): AMD Ryzen 9 3900X 12-core CPU | EVGA GeForce RTX 2080 Ti Black Edition | Gigabyte X570 Aorus Ultra | Full Custom Loop | 32GB (4x8GB) Dominator Platinum SE Blackout #338/500 | 1TB + 2TB M.2 NVMe PCIe 4.0 SSDs, 480GB SATA 2.5" SSD, 8TB 7200 RPM NAS HDD | EVGA NU Audio | Corsair 900D | Corsair AX1200i | Corsair ML120 2-pack 5x + ML140 2-pack

 

The Storm (Retired): Intel Core i7-5930K | Asus ROG STRIX GeForce GTX 1080 Ti | Asus ROG RAMPAGE V EDITION 10 | EKWB EK-KIT P360 with Hardware Labs Black Ice SR2 Multiport 480 | 32GB (4x8GB) Dominator Platinum SE Blackout #338/500 | 480GB SATA 2.5" SSD + 3TB 5400 RPM NAS HDD + 8TB 7200 RPM NAS HDD | Corsair 900D | Corsair AX1200i + Black/Blue CableMod cables | Corsair ML120 2-pack 2x + NB-BlackSilentPro PL-2 x3

STRONK COOLZ 9000


EK-Quantum Momentum X570 Aorus Master monoblock | EK-FC RTX 2080 + Ti Classic RGB Waterblock and Backplate | EK-XRES 140 D5 PWM Pump/Res Combo | 2x Hardware Labs Black Ice SR2 480 MP and 1x SR2 240 MP | 10X Corsair ML120 PWM fans | A mixture of EK-KIT fittings and EK-Torque STC fittings and adapters | Mayhems 10/13mm clear tubing | Mayhems X1 Eco UV Blue coolant | Bitspower G1/4 Temperature Probe Fitting

DESK TOIS


Glorious Modular Mechanical Keyboard | Glorious Model D Featherweight Mouse | 2x BenQ PD3200Q 32" 1440p IPS displays + BenQ BL3200PT 32" 1440p VA display | Mackie ProFX10v3 USB Mixer + Marantz MPM-1000 Mic | Sennheiser HD 598 SE Headphones | 2x ADAM Audio T5V 5" Powered Studio Monitors + ADAM Audio T10S Powered Studio Subwoofer | Logitech G920 Driving Force Steering Wheel and Pedal Kit + Driving Force Shifter | Logitech C922x 720p 60FPS Webcam | Xbox One Wireless Controller

QUOTES


"So because they didn't give you the results you want, they're biased? You realize that makes you biased, right?" - @App4that

"Brand loyalty/fanboyism is stupid." - Unknown person on these forums

"Assuming kills" - @Moondrelor

"That's not to say that Nvidia is always better, or that AMD isn't worth owning. But the fact remains that this forum is AMD biased." - @App4that

"I'd imagine there's exceptions to this trend - but just going on mine and my acquaintances' purchase history, we've found that budget cards often require you to turn off certain features to get slick performance, even though those technologies are previous gen and should be having a negligible impact" - ace42

"2K" is not 2560 x 1440 


7 minutes ago, TAHIRMIA said:

If it's only 100k for all that it was not worth it at all

say that to the guy who's $100k richer :P 


2 minutes ago, Ryan_Vickers said:

say that to the guy who's $100k richer :P 

I think he was hoping for a lot more when he realised he hit the NHS


16 minutes ago, TAHIRMIA said:

Really slow

was not optimised properly,

RAM HDD usage of the OS was bad

I could agree to some extent. 

The only reason Windows pushed Vista is XP security reasons.

 

We could keep talking about this topic for a long time bro :P

But really which version of OS was fully optimized for end users? 

|EVGA 850 P2| |1440p PG279Q| |X570 Aorus Extreme| |Ryzen 9 3950x WC| |FE 2080Ti WC|TridentZ Neo 64GB| |Samsung 970 EVO M.2 1TB x3

 |Logitech G900|K70 Cherry MX Speed|  |Logitech Z906 |  |HD650|  |CaseLabs SMA8 (one of the last ones made)

 


Just now, TAHIRMIA said:

I think he was hoping for a lot more when he realised he hit the NHS

Furthermore, if it was failure monetarily, that's the best thing anyone can hope for.  We don't want these people making a huge profit.  A) it gives them funding so they can make more of these things, and B) it shows others that they can make a profit, thus drawing more people to the "cause".  If that really is all they made, I'd be very impressed, since it means people have learned to not give in and just accept it.


Just now, Foxxer said:

I could agree to some extent. 

The only reason Windows pushed Vista is XP security reasons.

 

We could keep talking about this topic for a long time bro :P

But really which version of OS was fully optimized for end users? 

 

Yh I know, we could go on for a long time.

 

IMO I think Windows 7 was the best, and I personally had few problems in my experience.


Just now, TAHIRMIA said:

Yh I know, we could go on for a long time.

 

IMO I think Windows 7 was the best, and I personally had few problems in my experience.

Wasn't W7 pushed from Vista? :P 

I just want to run Linux already, arghhhh.


Just now, Foxxer said:

Wasn't W7 pushed from Vista? :P 

I just want to run Linux already, arghhhh.

7 was polished Vista, basically what Vista was supposed to be IMO. Remember how long Vista took? I think they were just like "this has gone on long enough, we have to release something" and so they just let it go, and then followed it up later with what they really wanted. In a way, it was a good thing since it bogged down everyone's crappy computers, forcing them to upgrade while taking the blame, so that when 7 came out, everyone could run it with ease and it was seen as the second coming xD


Just now, Foxxer said:

Wasn't W7 pushed from Vista? :P 

I just want to run Linux already, arghhhh.

 

I think it's only like 10% of the Vista kernel that was used. Everything else was rebuilt


1 minute ago, Ryan_Vickers said:

-snip-

I still remember that Aero sh*t from W7 on my ThinkPad.

Collecting dust somewhere.


So, why is Microsoft only patching this exploit now that it's being targeted by non-government groups? The exploit has been known to exist for a while, and Microsoft could have patched it before now, if they had wanted to. I think this shows that Microsoft willingly leaves exploit-avenues open for the USA government to make use of.

 

Keep in mind that Microsoft reports newly-discovered vulnerabilities to the CIA before attempting to patch them. So, Microsoft likely knew of this vulnerability long before the general public knew of it, and likely were the ones to make the NSA aware of it, specifically so that the NSA could exploit it, resulting in the creation of this ransomware that is now attacking people. And now Microsoft is only lifting a finger to do something about it because somebody other than the NSA is using it.

 

Of course, Microsoft isn't the only company risking everyone's data and security, but they are still one of the very worst offenders.

 

 

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


56 minutes ago, Delicieuxz said:

So, why is Microsoft only patching this exploit now that it's being targeted by non-government groups? The exploit has been known to exist for a while, and Microsoft could have patched it before now, if they had wanted to. I think this shows that Microsoft willingly leaves exploit-avenues open for the USA government to make use of.

 

Keep in mind that Microsoft reports newly-discovered vulnerabilities to the CIA before attempting to patch them. So, Microsoft likely knew of this vulnerability long before the general public knew of it, and likely were the ones to make the NSA aware of it, specifically so that the NSA could exploit it, resulting in the creation of this ransomware that is now attacking people. And now Microsoft is only lifting a finger to do something about it because somebody other than the NSA is using it.

 

Of course, Microsoft isn't the only company risking everyone's data and security, but they are still one of the very worst offenders.

 

 

Err, MS patched the exploit back in March for 8.1, Server 2012, 10 & Server 2016. Anything older didn't get a patch because it's past end of mainstream support.

 

The patches issued recently were emergency patches for everything from 8 back to XP and were reactionary to the cyber attack.


1 hour ago, Delicieuxz said:

So, why is Microsoft only patching this exploit now that it's being targeted by non-government groups? The exploit has been known to exist for a while, and Microsoft could have patched it before now, if they had wanted to. I think this shows that Microsoft willingly leaves exploit-avenues open for the USA government to make use of.

 

Keep in mind that Microsoft reports newly-discovered vulnerabilities to the CIA before attempting to patch them. So, Microsoft likely knew of this vulnerability long before the general public knew of it, and likely were the ones to make the NSA aware of it, specifically so that the NSA could exploit it, resulting in the creation of this ransomware that is now attacking people. And now Microsoft is only lifting a finger to do something about it because somebody other than the NSA is using it.

 

Of course, Microsoft isn't the only company risking everyone's data and security, but they are still one of the very worst offenders.

-SNIP-

 

Actually, according to Jerry A.K.A. Barnacles (BarnuclesNergasm), many governments request access to the source code of the kernel to make sure they are safe. The NSA then go through this code line by line and find any exploits. If they can defend themselves against it and can use it, they usually will not tell anyone about it; however, if they know they cannot defend themselves, then they will notify Microsoft to fix it.

 

When the files were leaked regarding the exploit, Microsoft released a patch as soon as they could (for W10 only), but most companies affected by this use Windows XP or Windows 7, which Microsoft did not need to patch as they had stated their support of the product was not going to be as mainstream as W10 devices.

 

 


1 hour ago, Delicieuxz said:

Keep in mind that Microsoft reports newly-discovered vulnerabilities to the CIA before attempting to patch them. So, Microsoft likely knew of this vulnerability long before the general public knew of it, and likely were the ones to make the NSA aware of it, specifically so that the NSA could exploit it, resulting in the creation of this ransomware that is now attacking people. And now Microsoft is only lifting a finger to do something about it because somebody other than the NSA is using it.

 

Of course, Microsoft isn't the only company risking everyone's data and security, but they are still one of the very worst offenders.

 

I'm not sure when Microsoft was aware of this bug in SMBv1 or when they may have told government agencies about it, but it's been known and advised for a long time in the IT security community to disable SMBv1 if you can. We would, but we have some legacy systems that only talk SMBv1, which we at least now have some solid evidence to finally say no to: you will upgrade that old shit. It's extremely annoying when you say something is a security risk and it's not taken seriously until something happens; having to say "told you so" every time is freakin' bullshit.

 

Also, advance warnings of patches get sent out to Premier Support customers; we get about 4-5 days' warning in advance. I can't post any of them as they come with confidentiality clauses and warnings not to redistribute. There are also weekly newsletters sent out to us covering more general security-related stuff, etc.


By the way, this might be a good time to disable SMBv1 even if you are fully patched.

Basically everything these days uses SMBv2 anyway, so it should not have any drawbacks, while protecting you from future attacks like this.

 

Open PowerShell as admin and type in:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

 

You can also enable it again with:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

 

Instructions taken from Microsoft's website.

 

SMBv2 was released with Vista, so as long as you don't regularly use network file sharing with an XP machine or older, you will be fine. Samba has also supported it since 2011 (version 3.6).
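The earlier post about legacy SMBv1-only systems and the registry toggle in this post fit together as one audit-then-remediate script. This is an added example, not code from the thread or from Microsoft's KB article: it reports the registry, server, optional-feature and client-driver state of SMBv1, lists clients currently connected over SMBv1 (the hosts that will break when it goes away), and only disables SMBv1 when run with -Remediate. It assumes Windows 8.1/10 or Server 2012 R2/2016, where the SmbShare cmdlets and the SMB1Protocol optional feature exist; the file name Disable-Smb1.ps1 is made up.

```powershell
# Added example for this thread (not Microsoft's KB script or any poster's code).
# Audits SMBv1 on a Windows 8.1/10 or Server 2012 R2/2016 host and, with -Remediate,
# turns it off on both the server and the client side. Assumes the SmbShare cmdlets
# and the SMB1Protocol optional feature are present (true on those versions). Run elevated.
#
#   .\Disable-Smb1.ps1              # audit only
#   .\Disable-Smb1.ps1 -Remediate   # audit, then disable
param(
    [switch]$Remediate
)

$ErrorActionPreference = 'Stop'
# The key the thread's Set-ItemProperty command writes to.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Registry view: the SMB1 value from the thread. Absent means the OS default applies.
    $regValue = (Get-ItemProperty -Path $paramsKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # Server view: what the LanmanServer service will actually accept.
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Feature view: the optional feature covers the client driver (mrxsmb10) as well.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $clientDrv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        RegistrySMB1  = if ($null -eq $regValue) { 'not set (default)' } else { $regValue }
        ServerEnabled = $serverEnabled
        FeatureState  = $feature.State
        ClientDriver  = if ($clientDrv) { "$($clientDrv.StartMode)/$($clientDrv.State)" } else { 'not present' }
    }
}

function Get-LegacySmbSessions {
    # Clients currently talking SMBv1 to this host: these are the legacy systems
    # that will break when SMBv1 goes away, so inventory them before remediating.
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Dialect)" -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

Write-Host 'SMBv1 state before:' -ForegroundColor Cyan
$before = Get-Smb1State
$before | Format-List

$legacy = @(Get-LegacySmbSessions)
if ($legacy.Count -gt 0) {
    Write-Warning "$($legacy.Count) active SMBv1 session(s); these clients need upgrading first:"
    $legacy | Format-Table -AutoSize
}

if (-not $Remediate) {
    if ($before.ServerEnabled -or $before.FeatureState -eq 'Enabled') {
        Write-Warning 'SMBv1 is still available on this host. Re-run with -Remediate to disable it.'
    }
    return
}

# 1. Server side: same effect as the registry command in the post, via the supported cmdlet.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. Client side: remove the optional feature so this host cannot connect out over
#    SMBv1 either. Takes full effect after a reboot.
if ($before.FeatureState -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Write-Host 'SMBv1 state after (reboot to complete):' -ForegroundColor Cyan
Get-Smb1State | Format-List
```

Run the audit first across the hosts you care about; any machine that still lists SMBv1 sessions is one of the legacy clients the earlier post describes and needs fixing before -Remediate is used.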


1 hour ago, Master Disaster said:

Err, MS patched the exploit back in March for 8.1, Server 2012, 10 & Server 2016. Anything older didn't get a patch because it's past end of mainstream support.

 

The patches issued recently were emergency patches for everything from 8 back to XP and were reactionary to the cyber attack.

March is still recent. The leaked CIA hacking files date up to 2016, which means the NSA had been using this exploit since at least 2016.

 

It could be as TAHIRMIA said:

56 minutes ago, TAHIRMIA said:

The NSA then go through this code line by line and find any exploits. If they can defend themselves against it and can use it, they usually will not tell anyone about it; however, if they know they cannot defend themselves, then they will notify Microsoft to fix it.

 

But it could also be as I theorized.


1 hour ago, TAHIRMIA said:

Actually, according to Jerry A.K.A. Barnacles (BarnuclesNergasm), many governments request access to the source code of the kernel to make sure they are safe. The NSA then go through this code line by line and find any exploits. If they can defend themselves against it and can use it, they usually will not tell anyone about it; however, if they know they cannot defend themselves, then they will notify Microsoft to fix it.

 

When the files were leaked regarding the exploit, Microsoft released a patch as soon as they could (for W10 only), but most companies affected by this use Windows XP or Windows 7, which Microsoft did not need to patch as they had stated their support of the product was not going to be as mainstream as W10 devices.

 

 

Windows 7 has Microsoft security support until January 14, 2020.

 

 

Windows XP ended years ago. Organisations were having to pay Microsoft to continue it.

 

Windows Vista: Microsoft ended security support on April 11, 2017.

 

This means that once support has ended: no hotfixes, no critical updates and no patches unless you pay Microsoft.

 

Microsoft only released the patch yesterday for XP, as governments would have forced them to do so, with hospitals being attacked.

My Rig "Valiant"  Intel® Core™ i7-5930 @3.5GHz ; Asus X99 DELUXE 3.1 ; Corsair H110i ; Corsair Dominator Platinium 64GB 3200MHz CL16 DDR4 ; 2 x 6GB ASUS NVIDIA GEFORCE GTX 980 Ti Strix ; Corsair Obsidian Series 900D ; Samsung 950 Pro NVME + Samsung 850 Pro SATA + HDD Western Digital Black - 2TB ; Corsair AX1500i Professional 80 PLUS Titanium ; x3 Samsung S27D850T 27-Inch WQHD Monitor

Just to confirm... is it only Windows OSs being affected by this ransomware / worm?


https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

Microsoft really needs to stop with BS lines like this. Windows 10 users were targeted. All Windows OSes were. Just unpatched/unprotected systems were vulnerable.

 

Microsoft solution available to protect additional products

Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

 

This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks

 


This blew up. Good grief.  My office IT department sent out a mass alert at 6PM on a friggin' Saturday to tell everyone they were pushing Malwarebytes to all the company computers that didn't already have it.


7 hours ago, Master Disaster said:

So at ~$1,000 per BC they made approximately $10,000? Quite honestly I'd be a little pissed off if I were them, all the havoc, all the news coverage and they only made away with 10K.

 

Oh shit, nvm, it's $100,000. Still not exactly a fortune though.

 

7 hours ago, Ryan_Vickers said:

Well, let's do the math. They asked for $300 per infection IIRC, and 1 bitcoin is about $1000, and I heard they made 100 bitcoins (this could well be higher by now though).

So they made about $100,000 off of ~300 PCs

Bitcoin is at $1800.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz
