Notebook
Addon Developer
- Joined
- Nov 20, 2007
- Messages
- 11,965
- Reaction score
- 765
- Points
- 188
Internet Ransomware attacks reported in Europe.
- Thread starter Notebook
- Start date
Urwumpe
Not funny anymore
- Joined
- Feb 6, 2008
- Messages
- 38,965
- Reaction score
- 3,937
- Points
- 203
- Location
- Wolfsburg
- Preferred Pronouns
- Sire
Not sure about any special campaign going on.
The Ransomware attack mostly targets British hospitals right now.
https://www.heise.de/newsticker/mel...t-zahlreiche-Krankenhaeuser-lahm-3713235.html
The Ransomware attack mostly targets British hospitals right now.
https://www.heise.de/newsticker/mel...t-zahlreiche-Krankenhaeuser-lahm-3713235.html
jedidia
shoemaker without legs
Not sure about "campaign"... RansomWare attacks are a constant and common threat especially to small businesses. It's more likely that a security leak was discovered somewhere and people took the opportunity.
Thunder Chicken
Resident Lua Script Rabble-Rouser
What is the vector for this? Is it email?
RisingFury
OBSP developer
The article on BBC claims that the attack is called WannaCry. The wikipedia page for it claims that people believe that one of NSA's exploit, called ETERNALBLUE is being utilized.
If this ends up being true, you might as well rename NSA to National UnSecurity Agency.
Here's a list of Microsoft Windows versions that are affected:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
If this ends up being true, you might as well rename NSA to National UnSecurity Agency.
Here's a list of Microsoft Windows versions that are affected:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Urwumpe
Not funny anymore
- Joined
- Feb 6, 2008
- Messages
- 38,965
- Reaction score
- 3,937
- Points
- 203
- Location
- Wolfsburg
- Preferred Pronouns
- Sire
The "WannaCry" ramsonware that mostly hits Spain right now is first email, but then uses a known windows vulnerability to spread in the local network.
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Damn, ninjaed by RisingFury.
Artlav
Aperiodic traveller
- Joined
- Jan 7, 2008
- Messages
- 5,814
- Reaction score
- 869
- Points
- 203
- Location
- Earth
- Website
- orbides.org
- Preferred Pronouns
- she/her
SMB1 protocol, a file sharing subsystem of Windows, is the origin.
No actions are needed from the user - a computer would get infected as readily as it was infected with Win10 in the old days.
Affected are every version at least from Vista up to Win10.
That, gentlemen, is what a real virus looks like.
At least there is a quick registry hack that can plug that hole.
...no, i don't think i can be sarcastic about such stuff any more.
No actions are needed from the user - a computer would get infected as readily as it was infected with Win10 in the old days.
Affected are every version at least from Vista up to Win10.
That, gentlemen, is what a real virus looks like.
At least there is a quick registry hack that can plug that hole.
How can a Ministry of Truth be producing falsehoods? Don't you want to be safe?
...no, i don't think i can be sarcastic about such stuff any more.
RisingFury
OBSP developer
Can you please post it? (As opposed to us searching for it, because not all of us are well-versed in the inner guts of Windows and thus can't tell if what we're being fed is good or malicious.)
Artlav
Aperiodic traveller
- Joined
- Jan 7, 2008
- Messages
- 5,814
- Reaction score
- 869
- Points
- 203
- Location
- Earth
- Website
- orbides.org
- Preferred Pronouns
- she/her
Here it is:
https://support.microsoft.com/en-us...r-2008-r2,-windows-8,-and-windows-server-2012
Only SMBv1 needs to be disabled.
https://support.microsoft.com/en-us...r-2008-r2,-windows-8,-and-windows-server-2012
Only SMBv1 needs to be disabled.
jedidia
shoemaker without legs
Huh? I thought they patched that two days ago.
jangofett287
Heat shield 'tester'
- Joined
- Oct 14, 2010
- Messages
- 1,150
- Reaction score
- 13
- Points
- 53
The patch for the SMBv1 RCE vuln was released in March.
RisingFury
OBSP developer
Just for kicks, I googled "Remove WannaCry". No links that I'd even dare click on, let alone actually install programs from. I imagine a few victims might get a double punch: First the virus, then a removal scam.
If anyone gets hit, probably best to just lay low for a few days.
If NSA really is behind the exploit, then they might have caused people to die because of hospitals getting hit... A spy agency, hacking everyone to keep people safe, now indirectly responsible for a worldwide attack.
If anyone gets hit, probably best to just lay low for a few days.
If NSA really is behind the exploit, then they might have caused people to die because of hospitals getting hit... A spy agency, hacking everyone to keep people safe, now indirectly responsible for a worldwide attack.
Last edited:
jangofett287
Heat shield 'tester'
- Joined
- Oct 14, 2010
- Messages
- 1,150
- Reaction score
- 13
- Points
- 53
It uses an exploit the NSA discovered (codename EternalBlue) the details of which were leaked in the Shadow Broker dumps. It also looks for an NSA persistence tool called DoublePulsar and uses that if it can.
It's important to note that the bug in SMBv1 existed and was exploitable whether or not the NSA discovered it. While most people agree sitting on vulns is a bad idea because of the risk of parallel discovery, there is debate as to whether telling Microsoft earlier would have prevented these attacks, or if we'd have just seen it earlier.
Also, if you want an idea of how bad this is, Microsoft have released a patch for Windows XP.: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
---------- Post added at 11:00 ---------- Previous post was at 10:48 ----------
Oh, almost forgot.
When WannaCry first arrives on a system it tries to connect to a specific URL. If it gets any response it exits. This appears to be some kind of kill switch. The URL is hard coded in the binary, so has now been sinkholed to a server which responds, effectively ending this variant, although it wouldn't take much work to change that so patching still very important as always.
It's important to note that the bug in SMBv1 existed and was exploitable whether or not the NSA discovered it. While most people agree sitting on vulns is a bad idea because of the risk of parallel discovery, there is debate as to whether telling Microsoft earlier would have prevented these attacks, or if we'd have just seen it earlier.
Also, if you want an idea of how bad this is, Microsoft have released a patch for Windows XP.: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
---------- Post added at 11:00 ---------- Previous post was at 10:48 ----------
Oh, almost forgot.
When WannaCry first arrives on a system it tries to connect to a specific URL. If it gets any response it exits. This appears to be some kind of kill switch. The URL is hard coded in the binary, so has now been sinkholed to a server which responds, effectively ending this variant, although it wouldn't take much work to change that so patching still very important as always.
Urwumpe
Not funny anymore
- Joined
- Feb 6, 2008
- Messages
- 38,965
- Reaction score
- 3,937
- Points
- 203
- Location
- Wolfsburg
- Preferred Pronouns
- Sire
Just went to my local O2 store for doing some business ... out of order, the telefonica hacks also disabled the local stores here. German train stations have been photographed showing the ramsonware message on the departing/arriving train displays.
Good news - any Windows 10 Desktop system should be patched since January. It mostly targets older installations and unpatched enterprise systems, especially Windows Server.
Good news - any Windows 10 Desktop system should be patched since January. It mostly targets older installations and unpatched enterprise systems, especially Windows Server.
jedidia
shoemaker without legs
I sure hope so, most ATMs still run on it.
NukeET
Gen 1:1
- Joined
- Oct 16, 2007
- Messages
- 1,035
- Reaction score
- 93
- Points
- 63
- Location
- UT_SLC
- Website
- sites.google.com
Not true here in the U.S.
NukeET
Gen 1:1
- Joined
- Oct 16, 2007
- Messages
- 1,035
- Reaction score
- 93
- Points
- 63
- Location
- UT_SLC
- Website
- sites.google.com
I get that...thanks.
RisingFury
OBSP developer
Are regular users getting hit at all or is it just business / institutions?
