Wannacry Ransomware

    • #97754
      SeanT
      Keymaster

        Anyone else stuck on duty and glued to a chair defending/patching/reporting for 4 straight days like me?

      • #97755
        Joe (G.W.N.S.)
        Moderator

          …for 4 straight days like me?

          Thought you might be busy regarding that, let us know your take when you have time.

          Depending on the source things have ranged from it’s the end of the world fearmongering hype, to attempts at calming fears that are just as full of crap trying to make people feel better.

        • #97756
          CommsPrepper
          Participant

            I have been too busy watching the Fake News.

          • #97757
            SeanT
            Keymaster

              Windows 10 users not vulnerable.
              THIS IS THE PATCH for others.
              4 observed real variants in the wild.
              Each has a ‘killswitch’ domain that, if it ANSWERS, kills the malware. If you rig up a sinkhole, the malware will not get an answer and will execute. You need to let it get an HTTP response to kill it. The “Internet” is fake-answering for these now, and has been for a couple of days to halt propagation.
              This is an anti-analysis technique. I can elaborate later if anyone asks. It was also easily defeated once identified, so a rookie mistake or a draft version launched initially. There is a sample of a variant without a killswitch, but it is broken because it was edited from the original and not compiled from scratch.
              Possible 5th killswitch domain variant, not confirmed.
              Propagation is via the network; it is a worm with a ransomware piggyback.
              Email (phishing) is not a confirmed vector yet, but none seen in the wild in phishing campaigns.
              If you have Windoz XP and it connects to the internet, you can get a custom patch they released for this nastyware.
              Same for Server 2003.
              If you DO still have those, work on your plan to guarantee their isolation and/or replace that unsupported stuff.
              Propagation continues to be via the vulnerability that the supposed NSA tools ETERNALBLUE and DOUBLEPULSAR exploit, which were leaked by ShadowBrokers.
              A significant volume of affected hosts around the world are pirated copies that Microsoft doesn’t recognize and patch. Low volume in the USA generally.
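The kill-switch behaviour described in the post above, as an added example that is not part of the original thread and not code from the malware: the malware-side decision is emulated with a plain `urllib` request to a caller-supplied URL (the real sample used a hard-coded domain and the WinINet API), and two sinkhole outcomes are compared on loopback. An HTTP-answering sinkhole trips the switch; a sinkhole that only resolves the name and never answers HTTP (modelled here as a closed port) lets the payload run. Function names, the loopback server and the port handling are assumptions of this demo.

```python
"""Kill-switch decision emulation plus an answering HTTP sinkhole.
Added illustration for this thread; not the malware's code and not any
poster's code. Real kill-switch check: hard-coded domain, WinINet call.
Here: parameterised URL, urllib, loopback sinkhole on an ephemeral port."""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request


def killswitch_decision(url, timeout=2.0):
    """Return 'exit' when any HTTP response (even a 404) comes back from the
    kill-switch URL, and 'propagate' when the request gets no answer at all
    (no DNS answer, nothing listening, or a timeout). That is why a DNS-only
    sinkhole does not stop the worm: the name resolves but no HTTP reply."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read(1)
            return "exit"
    except urllib.error.HTTPError:
        return "exit"          # an error status is still an HTTP answer
    except (urllib.error.URLError, OSError, ValueError):
        return "propagate"


class AnsweringSinkhole(http.server.BaseHTTPRequestHandler):
    """Sinkhole that answers every GET: the behaviour needed to trip the switch."""

    def do_GET(self):
        body = b"sinkhole\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


class _Server(socketserver.TCPServer):
    allow_reuse_address = True


def run_sinkhole():
    """Bind the answering sinkhole on an ephemeral loopback port and serve it
    from a daemon thread; caller shuts it down."""
    srv = _Server(("127.0.0.1", 0), AnsweringSinkhole)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def compare_sinkholes():
    """Run the malware-side check against an HTTP-answering sinkhole, then
    against the same address once nothing listens there (the DNS-only case)."""
    srv = run_sinkhole()
    url = f"http://127.0.0.1:{srv.server_address[1]}/"
    try:
        answered = killswitch_decision(url)
    finally:
        srv.shutdown()
        srv.server_close()
    unanswered = killswitch_decision(url)   # connection refused -> no answer
    return {"http_answering_sinkhole": answered, "dns_only_sinkhole": unanswered}


if __name__ == "__main__":
    print(compare_sinkholes())
```

Running it prints `{'http_answering_sinkhole': 'exit', 'dns_only_sinkhole': 'propagate'}`: the same name, resolved to the same address, stops the malware only when something serves HTTP on it. The check also shows why the trick worked as anti-analysis: a sandbox that fakes a response for every domain makes the sample exit before it shows any worm behaviour.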

            • #97758
              Joe (G.W.N.S.)
              Moderator

                Thanks for the update, good to know and I’ll pass it along to people I know are vulnerable.

                Glad to not be a Windows user. ;-)

              • #97759
                SeanT
                Keymaster

                  Not much new on this other than there was another killswitch variant observed, but no morphing into different behavior or delivery method.

                • #97760
                  SeanT
                  Keymaster

                    Thankfully this op tempo finally wound down for me. Lots of lessons learned for us but for the most part our response was successful. This was an interesting event because prevention was reasonably easy and the vulnerability was patched in March. The BIG problem people had was not being patched. Going 50 days without deploying critical patches NO MATTER WHAT THE SYSTEM IS DERELICTION.

                    Also there seems to be a wannacry decryption tool floating around now. The chances it will work for any one individual are slim, as it depends on pulling an encryption key that is generated out of the RAM (memory), but this only works on some systems and only if the RAM is not changed by other applications on the system. There also might be an artifact written to disk when the operating system swaps out blocks of data from RAM to disk. Good luck with that though, it takes skill and tools to get that data.

                    Detailed knowledge of attack surface and method was one of my significant contributions to this effort as well as the ability to adequately run Incident command and proper messaging up the chain to White House and dealing with our cyber intel partners and the US-CERT. An event like this takes a good team and the rockstars really shine and those that are not performing as well stand out pretty far too. The AAR on this we do is going to be interesting and hopefully prove that some resource reallocation is necessary.
                    There was some pretty robust finger pointing early on but that shit got whacked hard and I did see one very senior level deferral of authority (read as responsibility) attempted. Not sure how that went since that was at cabinet staff level and thankfully I am just a cyber nerd that does not have SES as a grade.
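The memory-based key recovery mentioned two posts up, as an added illustration that is not part of the thread and not code from any of the public decryption tools: those tools did not break the cryptography, they searched the still-running process's memory for the prime factors of the per-victim RSA key and rebuilt the private exponent from them, which is exactly why a reused or swapped-out page defeats them. Toy 32-bit primes, a constructed pseudo-random "dump", a little-endian byte layout and the function names are all assumptions of this demo; the real keys are far larger, but the search is the same sliding-window divisibility test.

```python
"""Toy reconstruction of 'pull the key out of RAM': scan a memory dump for
an integer that divides the public modulus, then derive the private key.
Added illustration for this thread; not any tool's or poster's code.
Assumptions: 32-bit primes, little-endian storage, constructed dump."""
import random

# Toy key: two 32-bit primes, 2^32-5 and 2^32-17 (real keys: 2048-bit).
P = 4294967291
Q = 4294967279
N = P * Q
E = 65537
PRIME_BYTES = 4          # width of each candidate window in the scan
EMBED_AT = 1500          # where the constructed dump holds the prime


def build_dump(prime, junk_len=4096, offset=EMBED_AT, seed=7):
    """Constructed 'memory dump': pseudo-random junk with the prime's
    little-endian bytes embedded at a known offset (labelled: not real data)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(junk_len))
    buf[offset:offset + PRIME_BYTES] = prime.to_bytes(PRIME_BYTES, "little")
    return bytes(buf)


def find_factor(dump, n, width=PRIME_BYTES):
    """Slide a window over every byte offset and test divisibility. N has no
    divisors other than 1, P, Q and N, so a hit is a factor, not a coincidence."""
    for i in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[i:i + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def recover_private_exponent(dump, n, e=E):
    """Rebuild d from the recovered prime; None when nothing in the dump divides n."""
    p = find_factor(dump, n)
    if p is None:
        return None
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def demo(msg=123456789):
    """Success case: the page with the prime is intact, decryption round-trips.
    Failure case from the thread: that memory was reused (zeroed here) before
    the tool ran, so the key cannot be recovered."""
    dump = build_dump(P)
    d = recover_private_exponent(dump, N)
    roundtrip = pow(pow(msg, E, N), d, N) if d is not None else None
    overwritten = bytearray(dump)
    overwritten[EMBED_AT:EMBED_AT + PRIME_BYTES] = b"\x00" * PRIME_BYTES
    return roundtrip, recover_private_exponent(bytes(overwritten), N)


if __name__ == "__main__":
    print(demo())
```

The first value returned by `demo()` is the original message, recovered with a private exponent the dump never contained explicitly; the second is `None`, the "RAM changed by other applications" outcome. On a real machine the same window scan runs over the encrypting process's address space and the prime length is the key's, which is why the tools worked only on an unrebooted host with an undisturbed process.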

                  • #97761
                    Joe (G.W.N.S.)
                    Moderator

                      The BIG problem people had was not being patched. Going 50 days without deploying critical patches NO MATTER WHAT THE SYSTEM IS DERELICTION.

                      :wacko:

                      Thankfully this op tempo finally wound down for me.

                      Hope things stay that way for awhile.

                    • #97762
                      SeanT
                      Keymaster

                        Yes Joe, I can use a break…

                        The new threat flying around is called .jaff which is a variant of locky
                        .jaff is distributed by email, so once again, don’t get fooled by the lures and don’t click to enable anything some pop-up message says when you try to open the attachment THAT YOU SHOULDN’T BE OPENING ANYWAY. Yelling was on purpose…

                        The British National Health Service ( among many others) should be embarrassed big time for running critical infrastructure on systems unsupported by the mfg. They still run a ton of Windows XP/Server 2003 in a networked environment. Bad juju.

                      • #97763
                        Joe (G.W.N.S.)
                        Moderator

                          don’t get fooled by the lures and don’t click to enable anything some pop-up message says when you try to open the attachment THAT YOU SHOULDN’T BE OPENING ANYWAY. Yelling was on purpose…

                          :yes:
