WanaCry Ransomwear Attack

The discussion started in “tips”, but as the most important thing to do ‘right off the bat’ was to down any internet connected computers, I didn’t put up a new posting right away, so several important links and some discussion are to be found starting here: (h/t to Larry Ledwick) https://chiefio.wordpress.com/2017/05/02/tips-may-2017/#comment-83247

At this point, having confirmed it is a Microsoft OS centered attack exploiting an SMB fault (and since I’m not running Samba on anything), I’m bringing my systems back up. Since most of my stuff runs on Linux or Macintosh, I’m feeling OK about that. My old Windows XP boxes generally sit turned off in the corner, mostly being insurance for document recovery should I encounter something on an old backup that nothing current can read.

At this point, I’ve got the Android Tablet and a Mac Laptop in service. Later I’ll be booting up the Linux stuff that is my desktop.

A “tip” on how I handle this kind of thing:

I use a system that is “disposable” in that it can be erased at will. Should it get infected with crap, I just reset it. In this case I used the tablet. I remove the SD card that has everything personal on it (downloads too, I point everything to it most of the time) and the base tablet is largely just the OS and anything I don’t care about. At that point, doing a reset mostly just means I need to reenter any network passwords and logins.

Android has also been fairly impervious to exploits in my experience. So I’m comfortable with it as my ‘window on the world’ during an Aw Shit Event. This is also part of why I have a variety of systems. Any given “event” tends to hit one class of operating system. Once identified, I can continue operations on the one (or ones) not targeted.

Now, it is possible to corrupt the firmware on systems to gain “persistence” for an exploit. Even to the degree of planting things in the firmware of attached hard disks. For this reason I have a second level of Aw Shit System. I have a “disposable SD Chip” for the R.Pi system. Normally, all but one of the hard disks are unplugged and powered down. By air-gap definition, 99.99% of my data is secure from ransomware. I have an SD card in the Pi, but it has a recent backup on one of the offline hard disks. If things get hinky, I can toss the $8 SD chip and flash another one, and since the Pi firmware is loaded at boot time from the SD card, even that is fairly safe.

The one “mostly used” hard disk is a $40 or so, few years old, 500 MB USB disk with swap and a home directory on it. The home directory also has an offline / powered off copy (several, actually). For a while I ran from a $20 USB Stick so it, too, was disposable, but as the old disks got ‘less interesting’ to save, I have moved onto one of them. Essentially, my entire “Daily Driver” is disposable if needed.

Now, during any event, I don’t really want to toss those bits. So what I do is immediately down that system. Plus any others in the house. Scrapers, NFS servers, whatever. Essentially “go dark” other than the Telco supplied boundary router. (If it looks bad enough and network gear is being hit, I’m willing to down it as well, but since Telcos like to be able to push patches, that comes at the cost of perhaps missing that push in the first round.)

IFF I need that desktop system back up, I’ll take my ‘Disposo System Chip’ out of the chip jar, put it in, unplug the hard disk, and boot. At that point all that is at risk is an $8 SD card and MAYBE a $35 Pi, but it is highly unlikely even they have any real risk of “persistent” infection. Just not enough smarts in them, mostly, but also “uninteresting” to most hackers. (The IoT exploits would be interested in small ARM-based systems, though…) Now I’ve got a fully functioning Linux box to work with, but one that is essentially immune from 90%+ of all exploits (as they are aimed at Microsoft) and trivially reset if it is infected; plus entirely disposable if, somehow, a persistence exploit gets into it.

Every other system in the house stays down until the event is shown to be over.

I have two levels of firewall. The Disposo System is plugged directly into the Telco router. More exposed to the world, but all the OTHER home systems are behind yet another NAT firewall, so to some degree protected from the Disposo System, should it fall to an attacker, and something wasn’t powered off. I watch the “blinky lights” on the Telco Router for any activity NOT synchronized with my usage of the Disposo System. (For this reason I have ALL automatic update and ‘phone home’ features turned off on the system. I don’t need an automatic update of FireFox to look like I’m being attacked with lots of unexplained blinky lights on the router and hard disk… as I would immediately pull the plug on it.)

That generally gets you through almost anything short of a directed attack by a TLA (Three Letter Agency).

In this case, I was watching Sky News and they had enough Tech Talk to say it was an SMB based attack on older Windows machines. That told me I was likely 100% safe as “Friends don’t let friends use Microsoft” directs my system choices. Since news can be wrong, I followed my “shutdown protocol” anyway. But I did allow myself the luxury of using the Tablet as my world monitor AND leaving the ROKU based TV running. Not a lot of exploits for the ROKU anyway.

This morning I’m getting the Macintosh gear back up, so this is being typed on the MacBook that I recovered from the discard pile after the Solid State Disk died. It runs off of a micro-SD card in an adapter, so it is very slow, but also in that 100% disposable system group. I can just flash the card with a backup copy from the powered down disk farm, if ever needed. Later in the day, the spousal Mac will be back up. One layer at a time, keeping a wary eye on the news.

Later this evening, I’ll bring up some of the more important Linux systems, including my desktop.

Way over the top cautious? You bet! These things often cause copycats to come out to play, attacking other systems. Sometimes they go for a ‘double tap’. It pays to exercise a full on defense profile anyway.

So, with that, anyone with a Macintosh, Android, or Linux system ought to be fine. Folks with a Windows box that has patches up to date ought to be OK, for now. The world will slowly recover as boxes are scrubbed and backups + patches applied. Some few folks will have cried and paid.

Hopefully everyone can learn a few more defensive behaviours and our government will have learned: It is a Very Bad Idea to build exploits into systems or develop a secret attack system. The simple fact is that nothing is secret forever, and that you can have a 100% security focus, or be insecure. There is no such thing as a small security hole. When the Government finds one, it ought to immediately and secretly inform the manufacturer so they can immediately push a patch, not “bank it” for use as an exploit. Any exploit YOU find, someone else has already found or will find tomorrow.

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

35 Responses to WanaCry Ransomwear Attack

  1. ScottF says:

    Microsoft has released a hot fix for several unsupported OS, XP is one of them.
    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

  2. LG says:

    @E.M. Smith,
    Would there be a sketch diagramming your home network with the DMZ available ?
    LG

  3. jim2 says:

    This is not strictly on topic, but it is bothering me and somewhat related, so I’ll float it here. The MSM keeps saying Russia hacked the DNC. The latest Wikileaks revealed with certainty the CIA can make hacks appear to originate in Russia. This no doubt is NOT limited to the CIA. How sure is anyone that Russia, not someone else, hacked the DNC?

  4. philjourdan says:

    It reminds me of Sean Connery’s line in “The Hunt for Red October”.

    “Vassily will not make the same mistake twice”. We dodged a bullet (although some got hit) in that the kill switch was easy and not hidden very well. The next time, it will not be so easy.

    What I found from this is Windows 10 systems were safe for the most part. Windows 8 and 7, only if auto updates were turned on. And anything earlier was dead meat. Which explains the UK NHS.

    But I also found that MS assumes everyone has very high speed internet now. The “patch” is over 500mb. Not a problem with a 50mb pipe. But my sister has Satellite, with a 6mb pipe! She was not caught (firewall), but she is vulnerable. I am going to pull her computer over to my place, get it patched and return it to her. I cannot do that all the time as she lives an hour from me. But in this case, it is well worth the time and gas (sorry Mickey Mann, Ransom worms trump mythical hysteria).

  5. tom0mason says:

    This incident reveals the soft underbelly of our modern society.
    Our dependence on infrastructure systems that rely on computers running 24/7 is an Achilles heel of our day. The fact that these systems are not that well protected say a lot about how our leaders have misunderstood their vulnerability, and the kinds of chaos that can ensue when they fail.
    Maybe we need to reappraise our wants and needs — do we really need Internet control of electricity grids and water supply, smart meters, smart cars, or even an ‘Internet of things’ (IoT), etc., and if we do what fail-safes must be installed to mitigate against these systems failing.

  6. jim2 says:

    “Maybe we need to reappraise our wants and needs — do we really need Internet control of electricity grids and water supply, smart meters, smart cars, or even an ‘Internet of things’ (IoT), etc., and if we do what fail-safes must be installed to mitigate against these systems failing.”

    +1000! No, I don’t want those!

  7. Larry Ledwick says:

    Second version now appears to be side stepping the “kill switch” fix. Microsoft is offering fixes for non-supported systems “if you pay for extra support”.

    Get a grip Microsoft! You should push the fix free to any vulnerable system as a cost of doing business to establish herd immunity to this attack vulnerability. Trying to charge for this fix is like folks scalping prices for ice after a hurricane. If you didn’t over charge for a workable OS that had basic features and force massive code bloat these folks would not be using older systems to avoid buying all new hardware to run an OS that does not do anything their current system does that they need.

    https://apnews.com/d4539089e2584106a8426d6c463ccbd5

  8. llanfar says:

    @Larry Microsoft charging for a fix will shift more away.

  9. Alexander K says:

    Worked in UK high schools some years ago (post 2000) and found their IT systems to be mostly outdated cheap (rubbish) stuff and no schools I worked in could afford to update their systems after original purchase. One school’s IT department was headed by a very dodgy Nigerian and their tech staff were mostly shrewd East Europeans and Russians who did not have their employer’s best interests at heart!
    Most institutions in the UK are funded on a once-only basis and are forced to cut corners to keep all their balls in the air. Also, I discovered that in the English Civil Service, education, etc, solving problems was frowned upon as the existence of problems reflects badly on the management class. If a problem was encountered, the correct response was to write a report and hand it on to one’s superior then one could rest in the knowledge that one’s duty was done!

  10. beththeserf says:

    I have done my duty. Sir, I have reported on a shortage of life boats.

  11. [ Smiles ] Use Linux and save yourself all of the trouble.

  12. As I see it, the problem with Micro$oft is that the underlying design is intended to make it possible to modify the local disk and to bypass any local security to do so. Word-processor files contain executables, as does pretty-well everything else. Even .pdf files can now have executables built-in, and .rtf can pass a virus, with anything .html being automatically suspect. As such, you need to scan all files to see if there’s an executable code that is already known about, and only plain text is free of problems. So Far….

    On code bloat, back in the 80s my 4MHz Z80 box with a massive 64k of memory had about the same apparent speed for editing as the current 1.6GHZ 3-core 64-bit machine with 1Gb of memory. The 3D drawing performance was somewhat slower then, though… it took around a minute to draw a wire-frame kitchen on a 720×480 screen in monochrome. I expect that if I found that code and assembled it for today’s machines it could update the screen faster than the refresh-rate.

    With that code-bloat comes the difficulty of anyone understanding exactly what the code does, and it’s cheaper to add to the code than to fix the bugs. Testing is curtailed, since that costs a lot of money to do properly, and since it’s cheaper to buy a bigger machine than to cut the bloat that’s what’s done. There are bound to be bugs at the base level, like the bash exploit that took 20 years to get noticed on open-source code. That Windoze-like ability for remote files to affect the local machine and bypass security seems to be arriving in Linux, too, with big blobs of code (System D) and interconnectedness. Trying to compete with M$, and do what M$ does, which is the wrong way to proceed.

    The users have a choice – they can either stick with the OS and programs they know works but is no longer supported, or can upgrade to the new OS that needs a whole new set of programs and re-training and a much bigger and faster box to do it, but ends up working no faster than before but is supported. The old programs (for example 3D CAD) will no longer work on the new box and the replacement will have a different UI and shortcodes. No wonder there’s such a lot of old OS’s in use – they do the job required and there is a big cost in time and money to upgrade in order to be able to do the same job.

    M$ wants the whole world to be able to work together seamlessly. Unfortunately, that attitude leaves a very large attack-surface for hackers and they will take advantage of that. I want each program to work in a sandbox that stops any problems from propagating. If I want to export a file to another program, I can do that via a pipe that I set up for the process and shut off afterwards, or bring the needed extra programs into the sandbox to do the job. Having total interconnections all the time is just crazy.

  13. pearce m. schaudies says:

    Hi Chief. Global hacker may never be traced to the real perpetrator. About a month or two for the DNC hack there was an article about China’s Elite hacker team sponsored by their government. A week or so later Obama announces the United States also has a cyber threat hacker team. Everybody has a hacker team. They all know how to use proxies to hack into another system. They go from their home country to some other open system and then use that to LeapFrog to say a Russian server or a Chinese server and from there go to the Target system. So they can show to the mainstream media nuts ‘look the last system they came from was in Russia or China or North Korea’ and they believe it. I have a bridge in Brooklyn for sale cheap numbnut. Hmm, seems they left gullible out of their dictionary.

    Regards,
    Pearce M. Schaudies.
    Minister of Future
    Falling Skys &
    Wolves at Door

  14. E.M.Smith says:

    @L.G.:

    It is generally a Bad Idea to publish your network diagram to the internet.

    In my case, it is also too simple to need a diagram.

    Telco – Telco Router -(DMZ like systems and those ‘exposed’) – Private Router – Private systems.

    Pretty much it. WiFi off the routers. Some added security systems to watch things. A BUNCH of stuff that is turned off 99% of the time.

    @Jim2:

    The only people who know for sure are the folks who did it. The TLA folks may THINK they know (and have asserted they were ‘shoulder surfing’ watching while it happened so know where it came from) and that MAY be true, MAY be a lie for effect, or MAY be mistaken hubris.

    Anyone can put down the fingerprints of a given exploit. You must capture ALL the routers back to the source to know for sure, otherwise you get the fingerprints of, say Russia, trace it to a router in, say, Bulgaria, then can’t see that the 2nd router in Bulgaria is spoofing a Russian IP address with a hard route stealing it from the expected destination and routing it back to D.C…. Hard to do, but not for a TLA with $Millions on a bad day and badges and guns and things…

    @Philjourdan:

    There are reports of a new mutant of the worm that bypasses the kids Web Site Check patch…

    @Tom0Mason:

    I spent years saying that to folks, often in management at higher levels. Mostly you get blank stares ( the “How come YOU are doing paranoid talk?” look). Sometimes you get an active look of derision ( “how dare you rain on my bonus / parade / showing off?”) Occasionally you get “Maybe you are right, but for now just get us to the IPO inside your budget and with FOO implemented” where FOO is a dumb thing… like Microsoft Email servers…

    Security is like Janitorial Service and Facilities. Nobody wants to hear about it, pay for it, or help it work better if in any way it is not convenient. They just want it to work 100% of the time and will crucify you if the toilets back up.

    @Alexander K:

    Those behaviours are ubiquitous. Managers care about New and Showy that gets a BONUS and a better resume. Saying “I did my job and kept problem away” is NOT rewarded, so not desired. Microsoft won the I.T. Desktop wars simply BECAUSE it craps a lot. Lots of opportunities to be the I.T. Hero and visibly. Reporting “Our Mac and Unix shop ran fine this year. I’d like 10% more budget and a bonus.” gets you laughed out of the budget meetings. ( I’ve been there… )

  15. jim2 says:

    Linux might be a good alternative for those European countries that (apparently) don’t jump on the latest Windows bloatware.

  16. Power Grab says:

    @ EM… Without naming names of the tools I use, I want to comment about a couple of oddities I saw while finishing up today’s duties. My main development environment died unexpectedly. Because it did, then one of my native data files was broken when I tried to use it again. It has been YEARS since that happened last. It didn’t amount to a hill of beans, though, because I had a ready source for a replacement. No biggie. Copy it over and carry on. Got the task done.

    Before that, though, one of my other programs that exports to a shared drive was unable to write to the normal file name because, apparently, some other entity/process supposedly had the file tied up. That NEVER happens at this time of day. After maybe 10 minutes of waiting and retrying, it finally worked. I have never seen that behavior with this program/drive before.

    This was on my Win10 machine which, BTW, had an unexpected, mongo-huge update last week. I reported it to our main deskside guru, because I always tell them to do my machine LAST. I don’t want to be on the bleeding edge. After checking it out, said guru was appalled that the Creators Update had been pushed to it. He didn’t have that in the plan. We don’t need it for our jobs.

    I did see an article last week that said that M$ had pushed that update to a certain circle of users…of which I am not supposed to be a part. I don’t do beta testing. Not on purpose, anyway!

  17. WD says:

    https://kb.syncplify.me/how-to-protect-your-backups-from-cryptolocker-ransomware/

    Write once FTP Worm. Free. I’d love to find a good Linux equivalent but have given up.

    Mostly don’t backup OS disks beyond the initial build, but Winrar 5 set for Blake hashing and Reed Solomon recovery is our incremental backup format of choice – and it’s only stored write once to that WORM FTP server attached to a 14TB autoduplicating array (DrivePool). Never hafta mess with any of it and the backups always work. (shrug) Single Thinkpad 41 does it all.

    We’ve used 2ea NATs for years without any problems (everyone seems to complain about them), and most of our disks have hardware write protect (no longer available anywhere I’m afraid) which are kept mostly read only. A powered down Snapraid system with 3 parity disks provides additional protection.

    All sensitive Windows machines are equipped with rollback software. We use RollbackRX, but I kinda like their DriveVaccine more. Their most simple WORM.

    Would really like to find a practical rollback system (WORM) for Linux :( Not buying all this hype that Linux is immune.

    Awaiting your tips on how to migrate more work over to ARM processors. Intel has lost my trust.

  18. WD says:

    I like these guys: http://www.ipfire.org/

    Wish they had more resources cuz they’re too damn slow with releases.

    Probably the best damn TOR relay out there.

  19. Steve C says:

    Well, my aging XP laptop was online throughout the panic and (touch wood) seems to have escaped this time. I suspect the main factors were (1) it’s behind the telco’s router (that was last year’s panic, and my telco router was an affected type), (2) the only times it even looks at the net are for timechecks and updating the Kepler textfile for satellite reception, neither of which seems particularly dangerous (yet) and (3) everything “automatic” is turned off.

    The last XP I actually surfed on was bricked by Avast AV deciding to override my “Ask me every time” on program updates and go ahead anyway. There are always a LOT of non-standard details in my XPs (like, Explorer isn’t running at all!), hence my choice. When I got home from the shops, I saw their update window in the middle of the screen and felt that cold feeling down the spine. Copied my stuff off the machine, allowed it to reboot and haven’t been able to use it since as it never gets out of a boot loop. Thanks, Avast.

    Happily, the now ~3-year old Mint which replaced it on everyday net duty just plays on, despite its systemDness. That’s probably because I haven’t run the EM Smith One-line SystemD Trasher on it … ;-)

  20. LG says:

    @E.M. Smith
    The description was good enough .
    Thanks.

  21. LG says:

    @E.M. Smith.
    Presuming that the local DNS server is hanging out in the DMZ, is that how you filter out the ads ?

  22. E.M.Smith says:

    @L.G.

    The DNS Server can be anywhere. I generally prefer a real DMZ off of the boundary router (and that feeds an inside DNS with private machine addresses on it, so no inside config leakage or exposure). Putting it directly on the transition net to the inner router is OK too. I am moving to a WiFi DMZ on the boundary router so the machine can be physically obscured… That will involve a second interior router with wifi, off the telco router since I don’t control the telco router.

    I’d like to have it on read only media, but it isn’t worth wasting a CD Player on it when I can just reflash the chip randomly…

    It is part of the ad blocking. Simply not routing some address blocks can block things like attacks from China. (How many of us REALLY need to connect to Chinese or Russian location? Just ground them and no attack can originate from there…) Static routing blocks are your friend…
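As an added example (not code from the post or its comments), the “static routing blocks” idea above done with Linux blackhole routes: the script turns a block list into `ip route add blackhole` commands and refuses any block that overlaps the networks you still need to reach, so you cannot blackhole your own LAN, DMZ transition net or upstream resolver by accident. The block list, local networks and resolver address are constructed sample values.

```python
"""Added example, not the post's own code: build Linux blackhole routes
from a list of address blocks (the 'static routing blocks' approach) while
refusing any block that overlaps networks you must keep reachable."""
import ipaddress

# Constructed sample block list. A real list (e.g. all allocations for a
# country) comes from an RIR feed; these are documentation/private ranges,
# one bad entry, and one overlap with the inner network to show the checks.
BLOCKLIST = [
    "203.0.113.0/24",
    "198.51.100.0/24",
    "192.0.2.128/25",
    "10.0.0.0/8",        # overlaps the inner net below -> must be refused
    "2001:db8::/32",
    "300.1.1.1/24",      # not a valid network -> must be refused
]

# Constructed sample of what must stay reachable (assumed values):
LOCAL_NETS = ["192.168.1.0/24", "10.20.0.0/16"]   # inner LAN, DMZ transition net
KEEP_HOSTS = ["9.9.9.9"]                           # example upstream resolver


def plan_blackholes(blocklist, protected_nets, protected_hosts):
    """Split blocklist into (accepted networks, rejected (entry, reason))."""
    protected = [ipaddress.ip_network(n, strict=False) for n in protected_nets]
    protected += [ipaddress.ip_network(h) for h in protected_hosts]  # /32 or /128
    accepted, rejected = [], []
    for raw in blocklist:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            rejected.append((raw, f"unparseable: {exc}"))
            continue
        # overlaps() is False across IPv4/IPv6, so mixed lists are safe.
        clash = next((p for p in protected if net.overlaps(p)), None)
        if clash is not None:
            rejected.append((raw, f"overlaps protected {clash}"))
        else:
            accepted.append(net)
    return accepted, rejected


def route_commands(nets, action="add"):
    """Render 'ip route add/del blackhole' commands, IPv4 first, ascending.
    A blackhole route drops anything routed toward the block, so outbound
    connections fail and inbound TCP handshakes never complete; it is not a
    packet filter, so a stateless UDP probe still reaches the interface."""
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address)))
    return [f"ip -{n.version} route {action} blackhole {n}" for n in ordered]


if __name__ == "__main__":
    ok, bad = plan_blackholes(BLOCKLIST, LOCAL_NETS, KEEP_HOSTS)
    for entry, why in bad:
        print(f"# skipped {entry}: {why}")
    print("\n".join(route_commands(ok)))
```

Pipe the output into a root shell only after reviewing the skipped entries; `ip route show type blackhole` lists what is currently installed.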

  23. E.M.Smith says:

    @Jim2:

    Lots of us in North America use Linux too. Frankly, almost all infrastructure is built on *Nix of some sort. Especially that which works well ;-)

    Mexico & South America use A Lot (Free U. Of Mexico was tasked to set up Secondary Schools and found they simply could not cough up the $ demanded by Gates for NT and the all new servers it required, so all secondary setup went Linux. Similar stories in much of the 3rd world).

    China developed a BSD Unix derivative, Kylin, due to the Prism Program and pervasive TLA requested holes in Windoz… it is THE approved OS in China for govt and related.

    For home use, unless there is a work requirement or specific software required, Linux and Open Office with Gimp is all free and work well. It is about all I use other than a browser batch.

    It is largely only the corporate stupidity of VP Finance and exec suite guys that keeps MS on the desktop, IMHO. Likely nudged by some TLA influences…

    @Power Grab:

    Part of why I avoid Windows. Constantly fighting to keep ME in control of my machine state gets tedious. It is as bad as fighting viruses, IMHO.

    @WD:

    You can easily get RW DVD players and write once media for Linux.

    Per ARM:

    Not a lot of tips needed. Generic move to Linux with more slowness… so get the fastest quadcore or better you can afford. Start with Debian or Ubuntu (systemD and all) and move in, get familiar. Later you can join the quest for a non-systemD world with Devuan… Or play with Puppy for more speed.

    @SteveC:

    Auto update just bugs the hell out of me. Good practice is to assure all backups are current, no critical schedule looms, and it is done off hours. AutoUpdate blows through most of that for most folks. Being able to roll back a bad update via backups is critical, as you have experienced…

    SystemD mostly works, so is OK for non-critical things, and fighting to root it out is, at present, still a bit challenging. I have it running on a couple of “whatever” systems at home. Just not my Daily Driver… Like my scraper card. Boot, scrape, shutdown. I’m OK with that…

  24. E.M.Smith says:

    @Simon:

    You got it!

    Very good description of the core rot.

    BTW, it isn’t “just crazy” if your goal is to assure your TLAs can get into all computers anytime anywhere…. I suspect Red Hat got big enough to care about government “requests”, then we started getting crap like uefi and systemd. It will take a revolt from the smaller developers to stop it. Maybe I can get a copy of Kylin to run ;-)

    BTW2, one of the joys of the Burroughs B6700 class of machines was that one of the bits of their odd word length was set aside for flagging executable and privileged, and could only be set by other privileged code compiled via a different privileged compiler… I managed to find a way to harvest passwords, but not break that privs lock. Back when security was something designers cared about… Lots of them sold to government…

  25. Larry Ledwick says:

    Although I originally posted these in tips because they refer to bigger issues thought to help make them easier to find I’ll post both links here for their direct connections to the current wannacry ransom wear attack.

    http://www.reuters.com/article/us-cyber-attack-cryptocurrency-idUSKCN18D00W

    http://www.dw.com/en/a-bitcoin-how-to-for-hapless-hackers/a-38861405

  26. Off-topic, but “ransomwear” reminded me of a notice in the school toilets where a friend works: “Please put sanitaryware in the bin provided”. Oh well….

  27. Power Grab says:

    After reading the hapless hackers article, it occurs to me that the hackers might be the Obamacare programmers. Heh. Remember that fiasco? Now, I wonder what would be their motivation to attack and cripple the NHS…just because it’s there? …just because they can? …just because that’s the future of so-called health care?

    Well, it had to happen eventually, right?

  28. E.M.Smith says:

    Well, looks like ADYLKUZZ has hit the news.
    Larry mentions it in his first link above:

    Hackers mint crypto-currency with technique in global ‘ransomware’ attack
    By Joseph Menn | SAN FRANCISCO

    A computer virus that exploits the same vulnerability as the global “ransomware” attack has latched on to more than 200,000 computers and begun manufacturing digital currency, experts said Tuesday.

    The development adds to the dangers exposed by the WannaCry ransomware and provides another piece of evidence that a North Korea-linked hacking group may be behind the attacks.

    WannaCry, developed in part with hacking techniques that were either stolen or leaked from the U.S. National Security Agency, has infected more than 300,000 computers since Friday, locking up their data and demanding a ransom payment to release it.

    Researchers at security firm Proofpoint said the related attack, which installs a currency “miner” that generates digital cash, began infecting machines in late April or early May but had not been previously discovered because it allows computers to operate while creating the digital cash in the background.

    Proofpoint executive Ryan Kalember said the authors may have earned more than $1 million, far more than has been generated by the WannaCry attack.

    A slightly more technical link:
    https://www.scmagazine.com/cryptocurrency-miner-adylkuzz-attack-could-be-bigger-than-wannacry/article/662128/

    Makes the interesting point that infected machines have SMB shut down, which is then protective against a WannaCry attack, and since the ADYLKUZZ miner doesn’t damage your files, just consumes cycles, and since it started infecting earlier, it may well have protected a lot of folks from actual damage. Gee, whata guy… /sarc;

    Bolding by me:

    by Doug Olenick, Online Editor
    May 16, 2017
    Cryptocurrency miner Adylkuzz attack could be bigger than WannaCry

    The attackers behind WanaCrypt0r/WannaCry were not the only cybercriminals putting DoublePulsar and EternalBlue to use this weekend, as Proofpoint spotted the stolen NSA tools being used with the cryptocurrency miner Adylkuzz.

    The Adylkuzz attack may not only have been larger than WannaCry, but could have been one of the mitigating factors that helped shut down that ransomware attack,
    wrote a Proofpoint security researcher who goes by the alias Kafeine. The mining campaign was after the cryptocurrency Monero.

    “Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection,” he said.

    The Adylkuzz campaign began sometime between April 24 and May 2. Because it started before WanaCryptor hit on May 12, Kafeine thinks some companies mistakenly believed they were being victimized by the ransomware when in fact it was Adylkuzz.

    Some of the clues that a system is under attack by this malware include loss of access to shared Windows resources and slower PC and server performance. Like WannaCry, Adylkuzz takes advantage of Windows vulnerability MS17-010 on TCP port 445, Kafeine reported. The attack itself originates from several private servers that are scanning on port 445 for victims.

    Once EternalBlue finds a target computer it installs the DoublePulsar backdoor which then injects Adylkuzz.

    Proofpoint came across this attack when it was searching for WannaCry by setting up a computer vulnerable to EternalBlue.

    “While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet,” he wrote.

    Proofpoint was able to find several web addresses that received Monero deposits starting on April 24. About $43,000 in Monero was tracked being deposited.

    Firewalls, NATing routers, patches up to date, don’t click on strange emails or web pages, keep your backups OFF LINE, have an IDS / IPS running, watch those “blinky lights” and if YOU are not doing something, what is?, spread your life between several different systems (rarely does an attack take out all of Microsoft, Apple Macintosh, Android, Linux, ChromeOS), and have a disposable system for use when “it is time to be among them”…

    Far more than the casual users reading email and fan web sites will ever do, but do it or eventually get whacked and hacked.
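The “watch the blinky lights, and if YOU are not doing something, what is?” rule from the post body and the checklist just above, as an added example that is not from the post: it reads firewall log lines and flags both unsolicited inbound SYNs to the SMB ports the article cites (TCP 445, plus 139) and any inside host fanning out to many SMB destinations, which is what a box worming your own LAN looks like. The log lines are constructed in iptables LOG format and the internal address ranges are assumptions.

```python
"""Added example (not from the post): triage iptables LOG lines for
SMB probe traffic. Flags external sources sending fresh SYNs to 445/139 and
internal hosts opening SMB connections to many distinct destinations."""
import ipaddress
import re
from collections import Counter, defaultdict

SMB_PORTS = {445, 139}
KV_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumed inside ranges for the example; adjust to your own LAN/DMZ.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

# Constructed sample log (documentation/private addresses only): three probes
# from one outside host, one to 139, one unrelated 443, an inside host hitting
# four SMB destinations, a SYN-ACK reply, and a non-firewall line.
SAMPLE_LOG = """\
May 16 02:11:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=445 SYN URGP=0
May 16 02:11:06 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=445 SYN URGP=0
May 16 02:11:08 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445 SYN URGP=0
May 16 02:12:40 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=139 SYN URGP=0
May 16 02:13:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=443 SYN URGP=0
May 16 02:14:00 gw kernel: FW-FWD: IN=eth1 OUT=eth1 SRC=192.168.1.23 DST=192.168.1.50 PROTO=TCP SPT=49152 DPT=445 SYN URGP=0
May 16 02:14:00 gw kernel: FW-FWD: IN=eth1 OUT=eth1 SRC=192.168.1.23 DST=192.168.1.51 PROTO=TCP SPT=49153 DPT=445 SYN URGP=0
May 16 02:14:01 gw kernel: FW-FWD: IN=eth1 OUT=eth1 SRC=192.168.1.23 DST=192.168.1.52 PROTO=TCP SPT=49154 DPT=445 SYN URGP=0
May 16 02:14:01 gw kernel: FW-FWD: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.77 PROTO=TCP SPT=49155 DPT=445 SYN URGP=0
May 16 02:14:02 gw kernel: FW-FWD: IN=eth1 OUT=eth1 SRC=192.168.1.50 DST=192.168.1.23 PROTO=TCP SPT=445 DPT=49152 ACK SYN URGP=0
May 16 02:15:00 gw sshd[812]: Accepted publickey for pi from 192.168.1.5 port 50222 ssh2
"""


def parse_line(line):
    """Return the KEY=value fields plus the TCP flag tokens of one firewall
    log line, or None for lines that are not iptables LOG entries."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_FIELD.findall(line))
    fields["_flags"] = set(line.split()) & TCP_FLAGS
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text, fanout_threshold=3):
    """Return (inbound_probes, internal_scanners).
    inbound_probes: Counter of outside SRC -> fresh SYNs to SMB ports.
    internal_scanners: inside SRC -> sorted distinct SMB destinations, for
    hosts that reached at least fanout_threshold distinct destinations."""
    inbound = Counter()
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "TCP":
            continue
        # Only connection attempts: a SYN without ACK. SYN+ACK is a reply.
        if "SYN" not in f["_flags"] or "ACK" in f["_flags"]:
            continue
        try:
            dpt = int(f.get("DPT", ""))
        except ValueError:
            continue
        if dpt not in SMB_PORTS:
            continue
        src, dst = f["SRC"], f["DST"]
        if is_internal(src):
            fanout[src].add(dst)      # our own box reaching out on SMB
        else:
            inbound[src] += 1         # unsolicited probe from outside
    scanners = {s: sorted(d) for s, d in fanout.items() if len(d) >= fanout_threshold}
    return inbound, scanners


def report(log_text):
    """Human-readable findings, one per line."""
    inbound, scanners = analyse(log_text)
    out = [f"inbound SMB probe: {src} sent {n} SYN(s)" for src, n in inbound.most_common()]
    for src, dsts in scanners.items():
        out.append(f"inside host {src} fanned out on SMB to {len(dsts)} hosts: {', '.join(dsts)}")
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

A single inside host opening one file share is normal traffic; it is the fan-out to many hosts in seconds that matches the worm behaviour, so tune the threshold to your own LAN rather than lowering it to one.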

  29. Larry Ledwick says:

    Hmmmm possible decrypt technique for those caught by WannaCry ransom wear?

    https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d

  30. p.g.sharrow says:

    I’ve been notified this morning by Avast that new variants of wannacry are hitting the last couple of days and the drop dead call has been removed…pg

  31. E.M.Smith says:

    @P.G.:

    Yeah, I’d not run an unpatched windows box for a few months… or ever…

  32. gallopingcamel says:

    Stupidity is everywhere. How is it that any organization fails to back up all its vital records? How can hospitals and other large organizations allow themselves to be vulnerable to ransomware?

    My tiny business is invulnerable to Wanacry for two good reasons:
    1. All my computers use Linux operating systems.
    2. All my records are backed up in the “Cloud” (SpiderOak)

    For $12 per month SpiderOak provides 1,000 Giga-Bytes of backup. Thus far my business uses only 70 Giga-Bytes.

    Many times I have suffered total data loss on a computer and would have been seriously inconvenienced but for my Cloud backup

  33. philjourdan says:

    How is it that any organization fails to back up all its vital records?

    It is NOT that they are not backing up their records, it is they have no DR plan and have not tested a restore. That is what happened to one of my clients (my wife’s law firm). They had a backup plan (cloud), but never tested it. And when it was needed, found out nothing had been backed up in 2 years.

  34. jim2 says:

    Qubes looks pretty interesting. Separate VMs for different activities. I haven’t determined if a virus like wannaCry could encrypt the entire disk or only a portion of it from an instance.
