Also, scroll down in the Heimdal Security link for instructions on how to disable SMB v1 in Windows. Only SMB v1 is installed on Win client versions. -EDIT- That is accessible via Control Panel -> Uninstall Programs -> Windows Features.
Interestingly, appears no one paid attention to the U.S. CERT advisory issued 1/16/2017; way prior to the MS patch being issued https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
The question is why did MS leave SMBv1 enabled on Home versions if they thought it was that vulnerable? Also for Pro+ vers. which are used on corp. networks, appears they didn't issued any kind of serious threat warning?
That's important info, yet read the warnings though! How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
Do note that there have been issues with SMB 2 and 3 such as this 0-day exploit: https://www.bleepingcomputer.com/ne...everal-windows-versions-including-windows-10/ , so best to lock down ports used by SMB as noted in the article.
"...Later edit [May 16, 2017, 12 AM EST]: For the moment, we will not be adding further technical details to this article. Our researchers (as well as others) have spotted the Uiwix sample in the wild and, as a consequence, we felt the responsible thing to do is to alert users that this strain is in circulation, so they can take preemptive measures, like we advised in this guide. Our efforts to obtain and fully analyze a sample after an attack have not been successful. Should anything change, we will properly update this alert to correspond the context. The title was also edited (originally called “Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry”). What’s more, researchers have already uncovered a WannaCry strain that also doesn’t include the kill switch domain. Also, Europol has also confirmed that the threat is escalating and the number of infections is growing. It has now affected “more than 200,000 victims in 150 countries...” https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/ Now included in OP, but posted here for those who read OP before the Update.
Lastest on this SMB exploit ransomware: https://www.bleepingcomputer.com/ne...ng-eternalblue-smb-exploit-to-infect-victims/
Windows 10 Ransomware Escalation Prevention Script v1.0 Windows 10 Ransomware Escalation Prevention Script v1.0 This script will prevent further escalation for those who'm do not have Endpoint Protection enabled in their organization. Off course Windows Defender in Windows 10 can protect some, but certainly not all threats. # Before everything - TEST, TEST, TEST and if you alter something, TEST, TEST, TEST!!! https://gallery.technet.microsoft.com/Windows-10-Ransomware-ccceeb71
Some times you have to read carefully. It is fileless, BUT to work in memory, it does drop a dll file. Hello MZwritescanner which would alert to a dll drop.
According to the Trend Micro analysis here: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom_UIWIX.A , it arrives via exploit and thereafter download a .zip containing the rest of the files it needs. Appears .dll used is SQLite which most security setups would allow.
MZWritescanner, makes no judgement about good or bad. It alerts that something new was dropped and blocks it until the log is cleared
Because some use it. Because admins are supposed to do their job aka securing their networks via applocker and GP. problem is most admins are total noobs in term of security...
