Ransomware and Recent Variants

Discussion in 'malware problems & news' started by ronjor, Mar 31, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,043
    Location:
    Texas
    Indicators Associated With WannaCry Ransomware
    Original release date: May 12, 2017 | Last revised: May 16, 2017
    Analysis

    Three files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware campaign identified as "WannaCry", a.k.a "WannaCrypt" or ".wnCry". The first file is a dropper, which contains and runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim users files. For a list of IOCs found during analysis, see the STIX file.
     
  2. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,413
    Location:
    U.S.A.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Nice analytical approach to the issue.

    However, I don't agree with it. The fact that to date no one has been able to establish the delivery method for WannaCry supports the premise the author was privy to a system entry point nor yet publically known. As a couple of Wilders members have stated, the obvious errors and sloppiness of "money generating" portion of this ransomware could very well be a "smoke screen" to hide the real author's intent of creating chaos and disruption. These two factors will result in millions of dollars being lost to this attack.

    The initial NSA DoublePulsar exploit installed a temporary backdoor that was removed at next boot. WannaCry could have very well "tweaked" the exploit to create a permanent backdoor in each infected device.:cautious:
     
    Last edited: May 19, 2017
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499

    Attached Files:

  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "...Six out of 10 small businesses hit by cyberattacks will go out of business within six months, according to the US Securities and Exchange Commission....

    It's that outdated software part that makes small businesses the most prevalent victims. Your local pizzeria or hair salon doesn't have its own IT department and probably isn't aware of the latest patches for Windows -- or even the latest version of Windows...

    'For a small business, these costs of remediation are simply too high, and the possibility of continuing operations disappears," said Brian Berger, the executive vice president of commercial cyber security at Cytellix'...

    Ransomware hits every small business differently. With the hair salon in Scotland, the stylists were locked out of their appointment data and had to confirm with all their customers on Facebook to see who was scheduled when...

    'There's thousands and thousands of small businesses that are eating downtime or are paying ransoms,' Gibbons said. 'It's an underreported, giant tax on small businesses'..."

    https://www.cnet.com/news/wannacry-ransomware-real-victim-small-business-local-corner-store/
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Something that business owners don't grasp. They know they have to understand their product. They know they have to understand their employees. And they know they have to understand their customers. Although they don't always do a good just. What they don't understand is their computers are equally important, but they don't want to take the time to learn. It can be fatal.
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Some people can't just learn, on the other hand they can consult with a friend who knows about computer security or pay some money (certainly less than $300 per computer) to some technician who can advise them about backing up their data or securing their computers. Honestly, when I ask people what AV they use and if they keep it updated, I often experience an expression of disbelief and a wry grin, as if I was one of those crazy guys who is paranoid about something that doesn't really exist...
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Anyone can learn, they just don't want to take the time or make the effort. Sometime they pay a high price
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://www.welivesecurity.com/2017...ryption-efforts-wannacryptor-files-continues/
     
  11. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,413
    Location:
    U.S.A.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Being an ex-Fed myself, I will add this.

    Many U.S. government agencies now use the concept of "hardware isolation." Simply put, they have separate networks using separate hardware for both their internal and Internet facing systems. There is literally no way data from one system can enter the other system than by manual transfer methods. And the devices and methods for those manual transfers are highly restrictive.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://www.schneier.com/blog/archives/2017/05/the_future_of_r.html
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...s-to-the-wlu-extension-and-gets-a-new-design/
     
  15. guest

    guest Guest

    Last edited by a moderator: May 30, 2017
  16. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    That is very nice of Avast to help people out in a time of need.
     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Last edited: May 29, 2017
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Gee- Kaspersky being the first to release a decryption protocol for malware specifically targeting Ukraine. Why, Comrade, am I not surprised?
     
  20. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Did you read the article?

    So you are implicitly saying that Kaspersky Lab has connections with the group that made XData or that Kaspersky Lab has done a good job again?

    Considering that Kaspersky is a founder member of "No More Ransom" you should not be surprised, after all it is very easy for them to update "RakhniDecryptor" with a new master key.
     
    Last edited: May 30, 2017
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Decoy Files Found in PDFs Dropping Jaff Ransomware
    http://www.securityweek.com/decoy-files-found-pdfs-dropping-jaff-ransomware
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The most important piece of information from this article is the last sentence. That is stopping ransomware after the fact by just detecting encryption activities is not enough.
    https://heimdalsecurity.com/blog/jaff-ransomware-operation-cyber-crime-marketplace/#
     
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://www.infosecurity-magazine.com/news/jaff-ransomware-tied-to-data/
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You probably failed the ICMP echo reply test.

    Also note that when you run the GRC Shields Up test, the test is being performed against your router's WAN side ports if you use a router. So it is the router's firewall that is performing port access control; not your PC based firewall.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.