Indicators Associated With WannaCry Ransomware
Original release date: May 12, 2017 | Last revised: May 16, 2017

Analysis
Three files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware campaign identified as "WannaCry", a.k.a. "WannaCrypt" or ".wnCry". The first file is a dropper, which contains and runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim users' files. For a list of IOCs found during analysis, see the STIX file.
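Since the advisory names SMBv1 (MS17-010/EternalBlue) as the propagation path, here is an added read-only audit script for a Windows host; it is not part of the US-CERT advisory or of this thread, and the function name Get-Smb1ExposureReport is my own.

```powershell
# Added example: report whether a host still exposes SMBv1, the service WannaCry
# spread through. Read-only unless -Remediate is given.
function Get-Smb1ExposureReport {
    [CmdletBinding()]
    param([switch]$Remediate)

    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the server-side switch directly.
        $report.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: SMB1 DWORD under LanmanServer\Parameters.
        # The value is absent by default, and absent means SMBv1 is enabled.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $report.Smb1ServerEnabled = ($null -eq $val) -or ($val -ne 0)
    }

    # Optional feature state (Windows 8 and later desktop SKUs).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $report.Smb1FeatureState = $feature.State.ToString() }

    # An enabled SMBv1 stack only matters if the SMB port is actually reachable.
    $report.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Verdict used by the caller: SMBv1 on and port open on an unpatched host is the
    # condition the advisory describes; patch status itself must be confirmed separately.
    $report.Smb1Reachable = [bool]$report.Smb1ServerEnabled -and $report.Port445Listening

    if ($Remediate -and $report.Smb1ServerEnabled) {
        # Turning SMBv1 off breaks only legacy clients (Windows XP/2003 era, some old NAS).
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        $report.Remediated = $true
    }

    [pscustomobject]$report
}

# Usage: Get-Smb1ExposureReport | Format-List
```

Run it from an elevated prompt; the registry fallback and the optional-feature query both need administrative rights.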
Nice analytical approach to the issue. However, I don't agree with it. The fact that to date no one has been able to establish the delivery method for WannaCry supports the premise that the author was privy to a system entry point not yet publicly known. As a couple of Wilders members have stated, the obvious errors and sloppiness of the "money generating" portion of this ransomware could very well be a "smoke screen" to hide the real author's intent of creating chaos and disruption. These two factors will result in millions of dollars being lost to this attack. The initial NSA DoublePulsar exploit installed a temporary backdoor that was removed at next boot. WannaCry could have very well "tweaked" the exploit to create a permanent backdoor in each infected device.
"...Six out of 10 small businesses hit by cyberattacks will go out of business within six months, according to the US Securities and Exchange Commission.... It's that outdated software part that makes small businesses the most prevalent victims. Your local pizzeria or hair salon doesn't have its own IT department and probably isn't aware of the latest patches for Windows -- or even the latest version of Windows... 'For a small business, these costs of remediation are simply too high, and the possibility of continuing operations disappears,' said Brian Berger, the executive vice president of commercial cyber security at Cytellix... Ransomware hits every small business differently. With the hair salon in Scotland, the stylists were locked out of their appointment data and had to confirm with all their customers on Facebook to see who was scheduled when... 'There's thousands and thousands of small businesses that are eating downtime or are paying ransoms,' Gibbons said. 'It's an underreported, giant tax on small businesses'..."
https://www.cnet.com/news/wannacry-ransomware-real-victim-small-business-local-corner-store/
Something that business owners don't grasp. They know they have to understand their product. They know they have to understand their employees. And they know they have to understand their customers. Although they don't always do a good job. What they don't understand is that their computers are equally important, but they don't want to take the time to learn. It can be fatal.
Some people just can't learn; on the other hand, they can consult with a friend who knows about computer security or pay some money (certainly less than $300 per computer) to some technician who can advise them about backing up their data or securing their computers. Honestly, when I ask people what AV they use and if they keep it updated, I often experience an expression of disbelief and a wry grin, as if I were one of those crazy guys who is paranoid about something that doesn't really exist...
Anyone can learn, they just don't want to take the time or make the effort. Sometimes they pay a high price.
Being an ex-Fed myself, I will add this. Many U.S. government agencies now use the concept of "hardware isolation." Simply put, they have separate networks using separate hardware for both their internal and Internet-facing systems. There is literally no way data from one system can enter the other system other than by manual transfer methods. And the devices and methods for those manual transfers are highly restricted.
Collection of Avast Ransomware Decryption Tools http://www.majorgeeks.com/files/details/avast_ransomware_decryption_tools.html
https://blog.malwarebytes.com/cybercrime/malware/2017/05/stolen-version-dma-locker-making-rounds/ Attention to active Remote Desktop and port 3389.
XData Ransomware Master Decryption Keys Released. Kaspersky Releases Decryptor. https://www.bleepingcomputer.com/ne...-keys-released-kaspersky-releases-decryptor-/
Gee- Kaspersky being the first to release a decryption protocol for malware specifically targeting Ukraine. Why, Comrade, am I not surprised?
Did you read the article? So you are implicitly saying that Kaspersky Lab has connections with the group that made XData, or that Kaspersky Lab has done a good job again? Considering that Kaspersky is a founding member of "No More Ransom", you should not be surprised; after all, it is very easy for them to update "RakhniDecryptor" with a new master key.
Decoy Files Found in PDFs Dropping Jaff Ransomware http://www.securityweek.com/decoy-files-found-pdfs-dropping-jaff-ransomware
The most important piece of information from this article is the last sentence. That is, stopping ransomware after the fact by just detecting encryption activities is not enough.
https://heimdalsecurity.com/blog/jaff-ransomware-operation-cyber-crime-marketplace/#
You know what is weird? I got Stealth on that test as well. However the page says FAILED in big red letters. Strange.
You probably failed the ICMP echo reply test. Also note that when you run the GRC ShieldsUP test, the test is being performed against your router's WAN-side ports if you use a router. So it is the router's firewall that is performing port access control, not your PC-based firewall.