
[–] 9093691? [S] 0 points 11 points (+11|-0) ago 

This patch probably also comes with Microsoft spyware included. Don't be surprised that Microsoft is using this ransomware to force windows 10 onto you.


[–] skidmark-steve 0 points 4 points (+4|-0) ago 

I wouldn't put it past 'em at this point. Remember the underhanded tactics that they used to spread Windows 10, and remember how, near the end, the guy who works for MS even said that they crossed the line? It's kind of like a kid bragging when he breaks the rules and doesn't get in trouble because the teacher favors him. The government wants data about us as much as Microsoft does, so they looked the other way while all of this was going on.


[–] Mr_YUP 1 point 1 point (+2|-1) ago 

Idk be shocked if they did that. There's no way xp machines could run 10


[–] tribblepuncher 0 points 4 points (+4|-0) ago  (edited ago)

Microsoft: "Only one way to find out!"


[–] alalzia 1 point 7 points (+8|-1) ago 

My sympathies to all IT departments that now run like crazy to fix shit because incompetent employees opened infected email attachments. I hope the board of directors in the affected businesses and public services will see the light and drop Windows.


[–] Kleyno 0 points 5 points (+5|-0) ago 

I provide IT support in the education sector. I dread to think what is waiting for me, come Monday.


[–] OriginalReaper 0 points 2 points (+2|-0) ago  (edited ago)

They will find the cheapest fix. Changing an OS and retraining staff is high up there. Weekly or monthly and maybe even annual backups make more sense


[–] Pawn 1 point 5 points (+6|-1) ago 

Gee, I never noticed all this shit was happening. Oh wait, I run Linux, THAT'S WHY. Oh well. I'll pop some corn and enjoy the fireworks.


[–] jcal22x 0 points 4 points (+4|-0) ago 

This is hitting the company I work for right now. Our servers stretch from Canada to Chile. All of South America has been compromised, and it's starting to show up on the North American computers while IT has been working on pushing patches out all night.


[–] jerkwad152 0 points 3 points (+3|-0) ago 

It occurs to me that the NSA hacking tool leak could be a really good thing. Being out in the open, it forces M$ to release fixes, and thereby makes it harder for the NSA to fuck with people.


[–] 1HepCat 0 points 2 points (+2|-0) ago 

It would've been better if the NSA had responsibly disclosed the vulnerability but at least it's disclosed and patched now.


[–] remola 0 points 2 points (+2|-0) ago 

To all those interested, I work in the industry and we've been busy with putting blocks in place at clients the whole day.

https://kc.mcafee.com/corporate/index?page=content&id=KB89335&elqTrackId=080d6d6426f34a2fb9b7fae0ca16d59a&elq=8c49aa9c79c04309921897488b0e731a&elqaid=7257&elqat=1&elqCampaignId=4054

The campaign sends an e-mail to users with an attached PDF document that contains an embedded DOCM file with a malicious Macro script. Once clicked on, the script will download and execute the Jaff ransomware. The ransomware targets 423 file extensions, and is capable of offline encryption without dependency on a command and control server. Once a file is encrypted, the '.jaff' file extension is appended.

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

https://www.alienvault.com/blogs/labs-research/ongoing-wannacry-ransomware-spreading-through-smb-vulnerability?utm_medium

https://intel.malwaretech.com/botnet/wcrypt

Summary: As you may be aware there is a widespread global outbreak of a new variant of ransomware today, known as WannaCry. Whilst this would normally be unremarkable, this variant of ransomware is reported to be spreading via the SMB protocol and believed to be using the MS17-010 vulnerability that was linked with the Shadowbrokers exploit Eternalblue. This exploit enables RCE by sending a specially crafted message to devices using SMB, full Microsoft advisory available here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. The importance of this delivery method is that it enables the attackers to compromise a single machine on a network and then laterally deploy large amounts of ransomware within that estate, using a P2P infrastructure that can have a large damaging impact to a corporate network. The Countercept team are still analysing the malware seen however initial indicators do suggest that the malware uses SMB to propagate.

What can be confirmed at this stage is that there is a large outbreak of ransomware that is spreading at a rapid rate globally and also seems to be able to spread internally within a network once the first host is compromised. The new variant of malware is known as WannaCry 2.0 and encrypts files with the .wncry extension.

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack?CMP=Share_iOSApp_Other

Wanna Cry Ransomware

Since 12th Apr 2017, a Ransomware exploiting MS17-010 has been wreaking havoc worldwide. Precautions to be taken:

1 - Patch Management: Ensure all Workstations and Servers have the latest Microsoft patches, especially the ones related to MS17-010.

2 - Antivirus: Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on AV solution. Get the details with regards to the name of the malware and verify if this malware has been detected in the logs for the last 1 week.

3 - IPS: Ensure IPS signatures are updated. Verify if the signature that can detect this vulnerability / exploit attempt is enabled and is in blocking mode. Get the details with regards to the name of the Signature and verify if this Signature has been detected in the logs for the last 1 week.

4 - eMail Gateway: Ensure eMail Gateway solutions have all relevant updates for detecting possible mails that may bring the Trojan into the environment.

5 - Proxy: Ensure Proxy solution has updated database. Block IOCs for IP Addresses and Domain names on the Proxy. Verify last one week logs for the IOCs on Proxy and take action on sources of infection.

6 - Firewall: Block the IP addresses on Perimeter Firewall. Verify logs for last one week.

7 - Anti-APT Solutions (FireEye, Trend Micro): Ensure signatures are up to date. Check for possible internal sources of infection and take actions.

8 - SIEM: Check logs to verify if any of the IOCs have been detected in 1 week logs.

Some additional recommendations we have implemented and communicated with some clients in Mexico are:

- Traffic filtering to the SMBv1 and v1 Ransomware
- Recollect known IOCs and implement them in the perimeter of security devices and intrusion prevention devices (internal and external)
- Block IOCs associated with the known file hashes as malicious related with the ransomware: https://otx.alienvault.com/pulse/5916115b0d3cde73f7669850/
- Add block policies to the firewall for known IP addresses related as infection:
  a. 154.35.175.225
  b. 171.25.193.78
  c. 178.162.194.210
  d. 192.99.212.139
  e. 195.154.165.112
  f. 154.35.175.225
  g. 171.25.193.78
  h. 178.162.194.210
  i. 192.99.212.139
  j. 195.154.165.112
  k. 91.219.236.222
  l. 188.166.23.127
  m. 193.23.244.244
  n. 2.3.69.209
  o. 146.0.32.144
  p. 50.7.161.218
  q. 192.42.113.102
  r. 83.169.6.12
  s. 158.69.92.127
  t. 86.59.21.38
  u. 62.138.7.171
  v. 51.255.203.235
  w. 51.15.36.164
  x. 217.79.179.177
  y. 128.31.0.39
  z. 213.61.66.116
  aa. 212.47.232.237
  bb. 81.30.158.223
  cc. 79.172.193.32
  dd. 163.172.149.155
  ee. 167.114.35.28
  ff. 176.9.39.218
  gg. 192.42.113.102
  hh. 193.11.114.43
  ii. 199.254.238.52
  jj. 89.40.71.149

Additional IP addresses can be found in: https://otx.alienvault.com/pulse/591608484da25870a4eaf2f6/

Enable IPS signatures related with the Ransomware (depends on the actual provider).

I love this stuff. But as interesting as you can get.
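The post above recommends blocking the listed IOC IP addresses at the firewall and proxy, checking a week of logs for hits, and filtering SMB traffic because the worm spreads over MS17-010. The following script is an added illustration of what that log review can look like; it is not from the thread or from any of the linked vendors. It takes a constructed firewall log format (timestamp, source, destination:port, protocol, action, optional proxied hostname), a subset of the IOC IPs posted above, and the sinkhole domain quoted later in the thread from The Register, and raises four kinds of alert: a connection to or from an IOC IP, a lookup of the kill-switch domain (which on a sinkholed network is a strong sign an infected host was about to run), inbound SMB (TCP 445) from a non-RFC1918 address, and one internal host opening SMB to many internal peers in a short log (the fan-out pattern of a worm moving laterally). The log format, the threshold and the sample lines are all assumptions made for this example.

```python
"""Review firewall/proxy log lines for WannaCry-era indicators.

Added example for this thread, not code from any post or vendor linked here.
The log format and sample lines are constructed; the IOC IPs are a subset of
the list posted in the thread and the sinkhole domain is the one The Register
reported as the kill switch.
"""
import ipaddress
import re
from collections import Counter

# Subset of the IP addresses posted in the thread (a constructed selection).
IOC_IPS = {
    "154.35.175.225", "171.25.193.78", "178.162.194.210",
    "192.99.212.139", "195.154.165.112", "91.219.236.222",
}
# Kill-switch domain quoted from The Register in this thread; it was sinkholed,
# so a lookup from an internal host means the worm ran and checked for it.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# RFC1918 ranges are treated as "internal"; this is an assumption of the example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log line format:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action> [host=<fqdn>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<action>\w+)(?:\s+host=(?P<host>\S+))?$"
)

# Constructed sample log: one host reaches an IOC IP, then fans out over SMB
# to six internal peers, then looks up the kill-switch domain; a second host is
# benign; finally an external address reaches an internal SMB port.
SAMPLE_LOGS = """\
2017-05-12T10:01:02Z 10.0.5.17 -> 91.219.236.222:443 TCP ALLOW
2017-05-12T10:01:05Z 10.0.5.17 -> 10.0.5.44:445 TCP ALLOW
2017-05-12T10:01:06Z 10.0.5.17 -> 10.0.5.45:445 TCP ALLOW
2017-05-12T10:01:07Z 10.0.5.17 -> 10.0.5.46:445 TCP ALLOW
2017-05-12T10:01:08Z 10.0.5.17 -> 10.0.5.47:445 TCP ALLOW
2017-05-12T10:01:09Z 10.0.5.17 -> 10.0.5.48:445 TCP ALLOW
2017-05-12T10:01:10Z 10.0.5.17 -> 10.0.5.49:445 TCP ALLOW
2017-05-12T10:02:00Z 10.0.5.17 -> 198.51.100.7:80 TCP ALLOW host=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:03:00Z 10.0.6.2 -> 198.51.100.7:80 TCP ALLOW host=example.com
2017-05-12T10:04:00Z 203.0.113.9 -> 10.0.5.50:445 TCP ALLOW
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    """True when the address falls inside one of the assumed RFC1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, fanout_threshold=5):
    """Return a list of (rule, source_ip, detail) alerts for the given log text."""
    alerts = []
    smb_targets = {}  # internal src -> set of internal dsts contacted on 445
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real tool would count these
        src, dst, port, host = rec["src"], rec["dst"], int(rec["port"]), rec["host"]
        for ip in (src, dst):
            if ip in IOC_IPS:
                alerts.append(("ioc_ip", src, ip))
        if host and host.lower() == KILL_SWITCH_DOMAIN:
            alerts.append(("killswitch_lookup", src, host))
        if port == 445:
            if not is_internal(src):
                # SMB exposed to the Internet is how the first host gets hit.
                alerts.append(("external_smb_inbound", src, dst))
            elif is_internal(dst):
                smb_targets.setdefault(src, set()).add(dst)
    for src, dsts in smb_targets.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(("smb_fanout", src, len(dsts)))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the view an analyst wants first."""
    return Counter(rule for rule, _, _ in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for rule, src, detail in found:
        print(f"{rule:22s} src={src:15s} {detail}")
    print(dict(summarize(found)))
```

The fan-out rule is deliberately crude: it counts distinct destinations over the whole input rather than inside a sliding time window, which is fine for a one-week log pull on a small estate but will false-positive on file servers and backup hosts that legitimately talk SMB to many peers. Whitelisting those sources, or moving the count into a per-minute window, is the obvious next step.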


[–] derram 0 points 2 points (+2|-0) ago 

https://archive.is/VH8S7 | :

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+ • The Register

"It also scans the infected system's settings to work out the user's language, and pulls up a ransom demand in the correct lingo for the victim."

"Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt," a Microsoft spokesperson told The Reg.

"To counter the spread of the malware, security firms pushed out file and network traffic signatures to detect the ransomware-worm hybrid's presence and kill it."

"Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we're told."

FedEx told The Reg: "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware."

This has been an automated message.


[–] DestroyerOfSaturn 0 points 1 point (+1|-0) ago 

Omg, a Windows XP update!
