Big Ransomware Outbreak Today - Be Vigilant

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
Just an email list and an email server from the sounds of how it works.

People open up things/click on links that they never should have and you end up with this kind of mess.

We have our people pretty well trained to immediately report any email that they weren't expecting or that looks suspicious.

I haven't had an issue with anybody opening up crap like this in the last 2 years.

They report it to me and I send it on to the security team to check out.

Better to have false alarms than what is going on with this crap.
Yup, we have continued phishing tests & if you click on a link that is part of the phish it is logged..
 

DrLobotomy

Supreme [H]ardness
Joined
May 19, 2016
Messages
6,736
I totally am brain farting on where I saw that! :arghh:

EDIT: I thought I read it over on a Kaspersky site/blog, but I think it's no longer int he article, so yeah it might have been a false report.
They say something about it at gameguru.box.sk.
 

zerogg

Limp Gawd
Joined
Jan 26, 2017
Messages
211
I am hoping that there will be a decryption tool for this shortly. Whoever is doing this doesn't deserve to make money from it.
 

geok1ng

2[H]4U
Joined
Oct 28, 2007
Messages
2,130
In Brazil it has targeted primarily corporate PCs running windows with windows update turned off. brazilian social security network was shutdown around noon. :cool: i am looking forward to an entire week of doing nothing.
 

MV75

[H]ard|Gawd
Joined
Nov 13, 2007
Messages
1,025
Thank goodness I've already got the patch as it was in the 4012216 roll up for win8.1. Now what would happen because I didn't install an update because I didn't want to be forced out of support early due to me having a 7700 like the following month did?
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
33,824
the patch does work, but it takes companies time to update all their systems since uptime/reliability is a much higher priority.


Well, I still think it shouldn't be, at least for critical security updates.

It's better to have no computer at all than to have a vulnerable computer. The costs associated with a breach are many many times higher than those associated with a short downtime because a patch broke something and needs to be worked around.

This mentality needs to change to one where IT departments patch their shit, and all their shit, the instant a new security patch hits.
 

gxp500

Gawd
Joined
Mar 4, 2015
Messages
865
I am hoping that there will be a decryption tool for this shortly. Whoever is doing this doesn't deserve to make money from it.
That's not how ransomeware works, unless the source gets leaked somehow you can't undo it, btw one of the local hospitals in Toronto seems to have gotten hit by this.
 

ChadD

Supreme [H]ardness
Joined
Feb 8, 2016
Messages
5,503
the patch does work, but it takes companies time to update all their systems since uptime/reliability is a much higher priority.

MS doesn't make it dead simple to apply security updates. This attack highlights the biggest issue with windows. It isn't that it is the OS with the highest install base and thus the prime target for these types of things. The issue is MS PITA update system... that makes companies ignore even major security updates, and end users skip updates to avoid the loss of use while updates complete and restart their machines.

MS needs to stop coming up with marketing names for Update packages... and instead update their update process. Their should be no reason that this afternoon I installed almost 1gb of updates on my Linux system in less then 10 min including 7 min of downloading... and MS can't manage to offer something at least close to that experience in their closed source paid for operating system.

If updates where easy and painless in windows as they are these days in the modern Linux distros... MS wouldn't have to implement forced updates and roll ups ect.
 

Jim Kim

2[H]4U
Joined
May 24, 2012
Messages
3,870
MS doesn't make it dead simple to apply security updates. This attack highlights the biggest issue with windows. It isn't that it is the OS with the highest install base and thus the prime target for these types of things. The issue is MS PITA update system... that makes companies ignore even major security updates, and end users skip updates to avoid the loss of use while updates complete and restart their machines.

MS needs to stop coming up with marketing names for Update packages... and instead update their update process. Their should be no reason that this afternoon I installed almost 1gb of updates on my Linux system in less then 10 min including 7 min of downloading... and MS can't manage to offer something at least close to that experience in their closed source paid for operating system.

If updates where easy and painless in windows as they are these days in the modern Linux distros... MS wouldn't have to implement forced updates and roll ups ect.
Because linux updates are easy peasy and never break anything.
Did i get that right.
 

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
52,958
Update 7: Microsoft Statement - "Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance."
 

ChadD

Supreme [H]ardness
Joined
Feb 8, 2016
Messages
5,503
Because linux updates are easy peasy and never break anything.
Did i get that right.

Yes you did get that right. When is the last time you heard of hackers holding Google or any of the real huge juicy Linux server running targets ransom ?

The issue with this one... is dumb windows terminals mostly at companies like Fed Ex and hospital terminals that don't get major security patches that MS released 3 months back. It seems a few also didn't install this security patch on their servers... which is just plain stupid. They are partly to blame... but MS is also to blame for their mess of an update system.
 

sirmonkey1985

[H]ard|DCer of the Month - July 2010
Joined
Sep 13, 2008
Messages
22,230
MS doesn't make it dead simple to apply security updates. This attack highlights the biggest issue with windows. It isn't that it is the OS with the highest install base and thus the prime target for these types of things. The issue is MS PITA update system... that makes companies ignore even major security updates, and end users skip updates to avoid the loss of use while updates complete and restart their machines.

MS needs to stop coming up with marketing names for Update packages... and instead update their update process. Their should be no reason that this afternoon I installed almost 1gb of updates on my Linux system in less then 10 min including 7 min of downloading... and MS can't manage to offer something at least close to that experience in their closed source paid for operating system.

If updates where easy and painless in windows as they are these days in the modern Linux distros... MS wouldn't have to implement forced updates and roll ups ect.

110% agree with this.. i can't stand windows updating process.. i usually just do a mass update every 2-3 months because i can't afford to have my systems randomly restarting from updates.
 

The Cobra

2[H]4U
Joined
Jun 19, 2003
Messages
2,972
Since we got hit with a .WALLET variant last month and installed Cylance after words, we are good to go. I left an exposed Windows machine on our backup Comcast internet account with Cylance installed. I want to see if Cylance or Sophos with Intercept-X will get hit with the virus or not. Of course the machine is not joined to our network and is isolated.
 

scojer

[H]F Junkie
Joined
Jun 13, 2009
Messages
8,362
Daaaaaaamn. So many people that just click links in their emails.
 

Quartz-1

Supreme [H]ardness
Joined
May 20, 2011
Messages
4,257
I'm just running Windows Update right now, despite having run it overnight, and there are security patches for Silverlight, SQL, and a definition update for Defender.
 

Quartz-1

Supreme [H]ardness
Joined
May 20, 2011
Messages
4,257
Hmmm... Windows Update has also decided to download 'Feature Update to Windows 10, version 1703'.
 

chaos4u

Limp Gawd
Joined
Dec 1, 2004
Messages
349
So much stuff runs on smb1 most people dont even realize how many things they have that are using it.

they try and patch their systems and find out half the printers no longer work properly or files access is crippled on some machines. or other tools no longer work as expected.

this is such a mess.

Makes life difficult for a lot of people, and will inevitably increase cost in the long run for goods and services.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,333
MS doesn't make it dead simple to apply security updates. This attack highlights the biggest issue with windows. It isn't that it is the OS with the highest install base and thus the prime target for these types of things. The issue is MS PITA update system... that makes companies ignore even major security updates, and end users skip updates to avoid the loss of use while updates complete and restart their machines.

MS needs to stop coming up with marketing names for Update packages... and instead update their update process. Their should be no reason that this afternoon I installed almost 1gb of updates on my Linux system in less then 10 min including 7 min of downloading... and MS can't manage to offer something at least close to that experience in their closed source paid for operating system.

If updates where easy and painless in windows as they are these days in the modern Linux distros... MS wouldn't have to implement forced updates and roll ups ect.

This is the major problem. When I worked with USPS I worked on the POS software that they run nationwide. We couldn't just patch everything at once. We had to patch everything manually with scripts. We couldn't afford to deal with the bullshit with Windows Update and the possible multiple reboots at a time especially during working hours. We also had to roll out the patches very slowly after lots of testing. If the schedule for patching hasn't changed, they're still running the same POS system today so I see no reason for them to have changed, they would have only finished patching March updates 2-3 weeks ago and that's if they didn't run into any issues. So technically USPS could still have systems out there that aren't patched for this.

We ran into issues far more often than you'd think because every site is different and there were roughly 63,000 systems out there that had to be patched. One bad system in a pilot group would delay the patch for days at a time.

Because linux updates are easy peasy and never break anything.
Did i get that right.

Easy? yes.
Break? sure. very uncommon though.
Easily corrected? Absolutely. The previous version is still in your app cache. So when you stage a rollout and you see something break you quickly rollback to that file. Simple. Easy. Quick. Typically no reboot required. Unlike Windows. Even a bad kernel update is easily corrected. Even more so when using clr-boot-manager. That makes swapping back to a good kernel, in the very rare event of a bad kernel update, only a reboot away.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
One of the major issue I have with windows updates is NTFS...
NTFS will not overwrite a file that is "open" so if you are using your machine & the updates are pushed (via corp or microsoft), they are silently installed in the background OR staged.. To actually complete the install the applications holding the file open must be quit which takes you all the way back to a reboot... part of the install is then done at powerdown & then completed at powerup.

When corp/ms wants you to reboot is almost never when you are able to... what if you are running a 3day test that cannot be interupted?

inode-based filesystem/OS's can de-reference the raw data on-disk so already running applications can continue to operate while the updated file is fully exposed. New applications launched will reference this new file.

Code:
deadlib() { lsof | grep 'DEL.*lib' | cut -f 1 -d ' ' | sort -u; }
$ deadlib 
at-spi-bu
dconf\x20
gdbus
gmain


The affected applications can then be restarted in a more controlled fashion LEAVING a reboot for kernel updates.


But no... NTFS
 
  • Like
Reactions: ChadD
like this

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
52,958
https://twitter.com/breakingnlive?lang=en

C_qFVAyXYAEbBIB.jpg

Details? Or fake twitter?
Yeah, I got that through another channel earlier, was told it was the airport, made me question the authenticity, then they said train station.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
new vault7 releases...
https://wikileaks.org/vault7/#AfterMidnight
"AfterMidnight" allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via a HTTPS based Listening Post (LP) system called "Octopus". Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. "Gremlins" are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins. The special payload "AlphaGremlin" even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.

"Assassin" is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. "Assassin" (just like "AfterMidnight") will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment. The "Assassin" C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as" The Gibson" and allow operators to perform specific tasks on an infected target..
 

jamesrb

[H]ard|Gawd
Joined
Jul 29, 2004
Messages
1,051
Microsoft had some major bugs in the March and April patches for servers. I spent 7 weeks dealing with Microsoft trying to get the issues fixed. I wouldn't be surprised if other sys admins delayed patching for similar bugs.
 

jamesrb

[H]ard|Gawd
Joined
Jul 29, 2004
Messages
1,051
Microsoft's new combined patches makes it worse. If you find a bug in the patches, you cant just skip a vulnerability or two. It is getting close to an all or none choice.
 

Schtask

Limp Gawd
Joined
Nov 29, 2011
Messages
436
If you are running snort or have an IDS that can take snort rules, this will aid in detection...Though if it occurs in your environment you will know pretty quickly anyway.

<pre style="background:#eeeeee; border:1px solid #cccccc; padding:5px 10px">

alert tcp $HOME_NET 445 -&gt; any any (msg:&quot;ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response&quot;; flow:from_server,established; content:&quot;|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|&quot;; depth:16; fast_pattern; content:&quot;|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|&quot;; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)</pre>
 

klank

Killer of Killer NIC Threadz
Joined
Aug 22, 2011
Messages
2,177
If you are running snort or have an IDS that can take snort rules, this will aid in detection...Though if it occurs in your environment you will know pretty quickly anyway.

Please use code brackets as the forum chunks it.
 
D

Deleted member 245375

Guest
Well, that would be the government that created it so what are you really going to do?

Kill 'em all, of course. As for some higher power of some belief structure sorting 'em out, who the fuck cares. :D
 

cyclone3d

[H]F Junkie
Joined
Aug 16, 2004
Messages
14,860
110% agree with this.. i can't stand windows updating process.. i usually just do a mass update every 2-3 months because i can't afford to have my systems randomly restarting from updates.

You do know that you can set the time for when the systems reboot.. right?

You can even set up a GPO to not reboot after updates are installed and then send a mass reboot command whenever you want.

Not that hard and not complicated either.
 

cyclone3d

[H]F Junkie
Joined
Aug 16, 2004
Messages
14,860
Attack Vector = Remote Command Execution via SMB. In other words. Eternal Blue and Double Pulsar exploits. Not delivered via phishing for most of these instances. Proliferation occurs peer to peer. Network enumeration. Worm like behavior. In fact I would say that a new class of malware has been unleashed.

Behold World. The RansomWorm.

Yeah, but it has to infect one of the systems first before it can propagate across the network.

There has been viruses that propagated across the network in the past. They just aren't super common is all.

Hasn't been used for ransomware before that I am aware of, but I still wouldn't call it a new class of malware. They just combined a couple things that already existed.
 

night_2004

2[H]4U
Joined
May 31, 2007
Messages
2,223
So ... the US Government is now an accessory to unauthorized access of a protected computer, unauthorized access with intent to defraud, damaging a computer or computer information, and threatening to damage a computer under the Computer Fraud and Abuse Act right? Who's gonna take the fall for this one? Not to mention any laws or civil penalties involving lack of responsible disclosure.

If Microsoft didn't have as shitty a reputation and a major trust problem, maybe folks would update their PCs.
 

Krenum

Fully [H]
Joined
Apr 29, 2005
Messages
18,758
So ... the US Government is now an accessory to unauthorized access of a protected computer, unauthorized access with intent to defraud, damaging a computer or computer information, and threatening to damage a computer under the Computer Fraud and Abuse Act right? Who's gonna take the fall for this one? Not to mention any laws or civil penalties involving lack of responsible disclosure.

If Microsoft didn't have as shitty a reputation and a major trust problem, maybe folks would update their PCs.

Also, because of the damage to the Health System in the UK, have any patients died because of this? Was reading a lot of reports of doctors not being able to access their patients files & having to turn away patients, all from other news websites of course, so I don't know what's true and what isn't.
 

Schtask

Limp Gawd
Joined
Nov 29, 2011
Messages
436
Yeah, but it has to infect one of the systems first before it can propagate across the network.

There has been viruses that propagated across the network in the past. They just aren't super common is all.

Hasn't been used for ransomware before that I am aware of, but I still wouldn't call it a new class of malware. They just combined a couple things that already existed.

Yeah. It's ransomware with worm functionality. Not been done before. New class of malware. Proliferation occurred on it's own... Not via a phishing campaign or waterhole.
 
Top