A Windows XP help forum. PCbanter

WanaCrypt: How Spread?



 
 
  #1  
Old May 16th 17, 11:57 AM posted to microsoft.public.windowsxp.general
(PeteCresswell)

I've read a half-dozen articles on WannaCrypt, but none of them mention
how it is spread - beyond one noting that it can spread itself from
PC-to-PC on a LAN.

Can anybody shed some light?

Also, if WannaCrypt infects a PC that has shares into a NAS, will it
encrypt the contents of the NAS too?
--
Pete Cresswell
  #2  
Old May 16th 17, 01:03 PM posted to microsoft.public.windowsxp.general
R.Wieser

Pete,

> none of them mention how it is spread

It's spread by human "nothing can happen to me, I got AV installed"
stupidity: by opening (and thereby executing) unknown/unexpected email
attachments (read: by way of the "Trojan horse" method). :-)

> Also, if WannaCrypt infects a PC that has shares into a NAS,
> will it encrypt the contents of the NAS too?

When the NAS is accessible as a regular filesystem (by way of a drive letter
but likely also when a "\\ drive\folder\..." form is needed), it will most
likely attempt to do so (have not read it does, but it stands to reason).

Regards,
Rudy Wieser


  #3  
Old May 16th 17, 04:08 PM posted to microsoft.public.windowsxp.general
Paul[_32_]

(PeteCresswell) wrote:
> I've read a half-dozen articles on WannaCrypt, but none of them mention
> how it is spread - beyond one noting that it can spread itself from
> PC-to-PC on a LAN.
>
> Can anybody shed some light?
>
> Also, if WannaCrypt infects a PC that has shares into a NAS, will it
> encrypt the contents of the NAS too?

We have to divide the observations into what
older ransomware did, versus this particular one.

Normal ransomware has to get in somehow. It needs a dropper. It
needs a foothold. Someone in one of my other groups clicked
on an email attachment, and that attacked the machine.

Some of the older ransomware, if the machine "remembers"
file shares, like //somehost/somepartition, the ransomware
will try to mount the share, and encrypt the contents.
There is even ransomware that encrypted the contents of
the Dropbox folder. And then the Dropbox software uploads
that to Dropbox.

*******

WannaCrypt shares some of these characteristics, but with one
new twist.

1) Still needs you to click that email attachment and run an EXE.
Or use some similar kind of mechanism. The media articles have
not been forthright with details on that aspect. Maybe some day,
an Adobe Flash exploit will be the path for this.

2) Once a machine inside your LAN perimeter is infected, it can use
a worm-like behavior on the SMBv1 port 445. This allows a copy
of the ransomware, to appear on the screen of all the other PCs in
the room.

With previous ransomware, you might lose all the partitions
on your email machine, plus all the shares that machine visits
on a regular basis. Maybe half your disk drives are ruined, and
some are not encrypted. I have partitions that are never shared
on the LAN (not ever, as the info is too old), that might survive.

With the new SMBv1 attack within the perimeter, if I just
switch on a second machine, the wannacrypt can crawl up
the snout of the OS and infect it. This is a kind of worm
behavior.

Obviously, in a large enterprise, the sheer amount of probe
traffic generated by the ransomware, as it attempts to find
other machines, may become an issue. Maybe the network slows
down. Some enterprises only have 10/100BT networking.

This article will walk you through the details of the first
release of this particular ransomware. A *future* version
of the ransomware, days away, may choose to attack WinXP,
so you cannot remain complacent, in terms of patching up
the exposed SMBv1 surfaces inside the perimeter.

https://www.askwoody.com/2017/how-to...crywannacrypt/

Your IPv4 NAT router is helping to protect you. The client
isolation that the ISP uses, cannot interfere with "valid"
functions, so packets sent to incoming 445 are still going
to get there. And this is why, you still have to click that
bad email attachment (that "invoice" for the domain you bought),
to get caught up in this. The worm should not be able to
make its way through your NAT router, unless on purpose, you
Port Forwarded port 445 to a designated machine inside the
perimeter.

Because the LED is not constantly flashing on my router
here, I'd have to conclude somebody is filtering some of
this or something. But it's hard for an ISP to step in
and protect people, without others complaining about
a loss of functionality. The ISP cannot win by
"being helpful".

Paul
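A defender-side check for the probe traffic Paul describes, added here as an example (not code from the thread or from any linked article): it reads a constructed flow-log format and flags any LAN host that opens SMB connections to many distinct peers on port 445 within one minute, while leaving a host that repeatedly talks to a single file server alone. The log format, the threshold and the sample addresses are assumptions.

```python
"""Flag LAN hosts producing worm-like SMB (TCP 445) probe traffic.

Added example, not from the thread. Assumes a constructed flow-log
format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

# Constructed sample traffic (not a real capture): one host fanning out
# to twelve peers on 445 inside a minute (worm-like), one host repeatedly
# reaching a single file server on 445 (normal share use), one browsing.
SAMPLE_LOG = (
    [f"2017-05-16T10:00:{i:02d} 192.168.1.10 -> 192.168.1.{20 + i}:445 SYN"
     for i in range(12)]
    + [f"2017-05-16T10:00:{i:02d} 192.168.1.50 -> 192.168.1.5:445 SYN"
       for i in range(5)]
    + [f"2017-05-16T10:01:{i:02d} 192.168.1.60 -> 203.0.113.{i}:80 SYN"
       for i in range(3)]
)


def smb_fanout(lines, threshold=10):
    """Return {src_ip: most distinct 445 targets it hit in any one minute}
    for sources at or above `threshold`. Many distinct SMB peers per
    minute is the probe pattern; repeated sessions to one server is not."""
    per_minute = defaultdict(set)  # (src, YYYY-MM-DDTHH:MM) -> {dst}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, port, flags = m.groups()
        if port != "445" or "SYN" not in flags:
            continue  # only new SMB connection attempts count as probes
        per_minute[(src, ts[:16])].add(dst)
    worst = defaultdict(int)
    for (src, _minute), dsts in per_minute.items():
        worst[src] = max(worst[src], len(dsts))
    return {src: n for src, n in worst.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts probed on 445 in one minute")
```

On a real network, feed it the export from the router or switch that sees east-west traffic; a NAT router only logs what crosses the perimeter, so it will not see the LAN-internal probes at all.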
  #4  
Old May 16th 17, 06:35 PM posted to microsoft.public.windowsxp.general
Steve Hayes[_2_]

On Tue, 16 May 2017 11:08:19 -0400, Paul wrote:

> WannaCrypt shares some of these characteristics, but with one
> new twist.
>
> 1) Still needs you to click that email attachment and run an EXE.
> Or use some similar kind of mechanism. The media articles have
> not been forthright with details on that aspect. Maybe some day,
> an Adobe Flash exploit will be the path for this.

Dead right they haven't.

Most of the articles I've read have been singularly uninformative.

> 2) Once a machine inside your LAN perimeter is infected, it can use
> a worm-like behavior on the SMBv1 port 445. This allows a copy
> of the ransomware, to appear on the screen of all the other PCs in
> the room.
>
> With previous ransomware, you might lose all the partitions
> on your email machine, plus all the shares that machine visits
> on a regular basis. Maybe half your disk drives are ruined, and
> some are not encrypted. I have partitions that are never shared
> on the LAN (not ever, as the info is too old), that might survive.

Most of the articles I've read don't say what to do if you ARE
infected. One said you can't do anything.

Is it possible to

1. Find the worm and delete it?
2. Restore from a backup?


--
Steve Hayes
http://www.khanya.org.za/stevesig.htm
http://khanya.wordpress.com
  #5  
Old May 16th 17, 10:30 PM posted to microsoft.public.windowsxp.general
Paul[_32_]

Steve Hayes wrote:


> Most of the articles I've read don't say what to do if you ARE
> infected. One said you can't do anything.
>
> Is it possible to
>
> 1. Find the worm and delete it?
> 2. Restore from a backup?

Restore from backup is the most likely course of action.

In the case of WannaCrypt, you need to unplug the LAN cable
on each machine, and not plug all the machines together again,
until you've restored them with your Macrium emergency boot CD
and your (normally disconnected) USB backup drive. If your backup
drive is online during the trouble, maybe it will decide that
.mrimg file of yours, needs encryption too. And I don't
have a very good answer for that. It's pretty hard to use
backup drives, without running a risk with them. Using two
backup drives and alternating their usage, still doesn't
guarantee anything.

What we're relying on, is that the Ransomware does a "fast attack"
and is in a rush. If it sits back and waits, plots a strategy,
looks at the hardware list of drives that have been connected
to the computer, a more worrying situation would be encryption
you don't notice until it is too late. You can boot a computer
with Macrium emergency CD, plug in the USB backup drive, and
run "Verify" on each .mrimg file, if you are concerned about
the disposition of a file. Once all files verify, shut down the
machine and disconnect the backup drive - before rebooting to
any potentially infected C: drive.

Handling will require skill and thought, to avoid making
mistakes once the red dialog does appear.

*******

Again, the media have been less than helpful, with regard to
the encryption type.

There are a couple of encryption methods.

1) Slow and thorough. It takes time to process all
your disks. If caught in time, the damage may not be
"complete". In this case, encryption is file by file.

2) There is a second method which encrypts the $MFT, in
an attempt to just lose access to the files. This can be
done in seconds. A file scavenger may recover some of the
content. Which isn't a pleasant prospect in any case. This
is not a replacement for a backup, scavenging the files
and trying to restore a semblance of order.

So if you saw mad computer activity, and no red dialog,
it could be that it's encrypting everything before
presenting the dialog. Switching off the power might
kill it, before the job is complete. You'd need a maintenance
OS to then inspect each disk and see what kind of mess is
present.

Previous Ransomware goes after files in order of value.
Maybe it does .pptx first, then .ppt, in the theory that
the .pptx is more recent and of more value to you. While
a .txt is done later on. There can be an order of execution,
to increase the odds you'll want to pay. It should go after
user data files preferentially, as encrypting shell32.dll,
a user is only going to reinstall the OS to fix that.

If you're working some day, have file explorer on the screen
and see newproject.pptx change to newproject.pptx.osirus
or newproject.pptx.thor, the appearance of an unusual
file extension can be one of your first hints of trouble
(before the red dialog). A poster in another group, *that's*
the question he asked me. "Why do my files end in osirus?"
I had a suspicion, did a quick online search, and that was
a symptom of a particular ransomware (Locky flavor). He is
still not fully restored.

Paul
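An added example (not from the thread) of the early-warning sign Paul describes: scanning a file listing for an unknown trailing extension appended to document names, with the .osirus and .thor suffixes from his post used only as illustrations. The extension sets, the threshold and the sample listing are constructed for this example.

```python
"""Early-warning check for ransomware-style renamed documents.

Added example, not from the thread: flag an unknown trailing suffix that
has been appended to ordinary document names ("newproject.pptx.osirus").
The extension sets and the sample listing are constructed for illustration.
"""
import os
from collections import Counter

# User-data extensions of the kind the post says ransomware targets first.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".jpg", ".png", ".mrimg"}
# Second suffixes that legitimately follow a document name.
BENIGN_TRAILING = {".bak", ".zip", ".gz", ".7z", ".tmp", ".lnk", ".old"}


def suspicious_suffixes(names, min_count=3):
    """Count unknown suffixes sitting behind a document extension; return
    those seen on at least `min_count` files. One new suffix across many
    documents at once is the sign described above; a lone odd file is not."""
    found = Counter()
    for name in names:
        stem, trailing = os.path.splitext(os.path.basename(name))
        inner = os.path.splitext(stem)[1].lower()
        trailing = trailing.lower()
        if (trailing and inner in DOCUMENT_EXTS
                and trailing not in DOCUMENT_EXTS | BENIGN_TRAILING):
            found[trailing] += 1
    return {s: n for s, n in found.items() if n >= min_count}


def scan_directory(root, min_count=3):
    """Apply the same check to every file name under a real directory."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return suspicious_suffixes(names, min_count)


# Constructed sample listing: four documents renamed with one new suffix,
# two benign double extensions, one plain document, one lone oddity.
SAMPLE_LISTING = [
    "newproject.pptx.osirus", "budget.xlsx.osirus", "notes.txt.osirus",
    "holiday.jpg.osirus", "archive.docx.zip", "old.doc.bak",
    "report.pdf", "thesis.pptx.tmp1",
]

if __name__ == "__main__":
    for suffix, n in suspicious_suffixes(SAMPLE_LISTING).items():
        print(f"{n} documents now end in {suffix}: pull the LAN cable")
```

Run `scan_directory` against a user's documents folder or a share from a scheduled task; a hit is the cue to disconnect the machine before it reaches the backup drive, not to wait for the red dialog.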
  #6  
Old May 17th 17, 05:29 AM posted to microsoft.public.windowsxp.general
Steve Hayes[_2_]

On Tue, 16 May 2017 17:30:01 -0400, Paul wrote:

> If you're working some day, have file explorer on the screen
> and see newproject.pptx change to newproject.pptx.osirus
> or newproject.pptx.thor, the appearance of an unusual
> file extension can be one of your first hints of trouble
> (before the red dialog). A poster in another group, *that's*
> the question he asked me. "Why do my files end in osirus?"
> I had a suspicion, did a quick online search, and that was
> a symptom of a particular ransomware (Locky flavor). He is
> still not fully restored.

I had to look up pptx to see what it was -- it's not something I ever
use.

I'll do a search on osirus files.

I get JSLocky e-mails 3-4 times a week (I used to get 5-10 a day back
in February), and have no intention of opening them, or any
unexplained attachments from anyone at all, friend or foe.

Many of them have a subject line like Invoice xxxxx and if there's
anything in the message at all it is something to the effect that the
recipient should open the attachment to see the invoice.

As I'm a private person, I would not be expecting an invoice from
anyone I don't do business with (usually only my dentist sends me
invoices), but I can see how an invoice or creditors clerk in a firm
or organisation like the NHS, who deals with such things every day,
and has no idea who in a large organisation has bought what from whom,
might inadvertently open such an e-mail with malware attached, and
thus let a worm into the LAN.

But none of the articles I've read tell people this. They are just
vague scare stories saying that it's baaad and there's nothing you can
do about it.

When people post links to such articles on Facebook, I usually advise
them not to open or send HTML e-mails, or e-mails with unexplained
attachments, and even when the attachments are explained, the
explanation needs to be pretty good, specific and not clickbaity.




--
Steve Hayes
http://www.khanya.org.za/stevesig.htm
http://khanya.wordpress.com
  #7  
Old May 17th 17, 02:24 PM posted to microsoft.public.windowsxp.general
(PeteCresswell)

Per Paul:
> 1) Still needs you to click that email attachment and run an EXE.
> Or use some similar kind of mechanism. The media articles have
> not been forthright with details on that aspect. Maybe some day,
> an Adobe Flash exploit will be the path for this.

Sounds to me like the XP machine that I use as my media server is fairly
safe then - since it does not have an email client installed and the
browser never gets used.

But if one of my Windows 7 or Windows 8 machines on the same LAN gets
infected, I'm hosed...

One more argument for air-gapping the NAS backup....
--
Pete Cresswell
  #8  
Old May 18th 17, 02:05 AM posted to microsoft.public.windowsxp.general
pyotr filipivich

Steve Hayes on Wed, 17 May 2017 06:29:30 +0200 typed in microsoft.public.windowsxp.general the following:

> I had to look up pptx to see what it was -- it's not something I ever
> use.
>
> I'll do a search on osirus files.
>
> I get JSLocky e-mails 3-4 times a week (I used to get 5-10 a day back
> in February), and have no intention of opening them, or any
> unexplained attachments from anyone at all, friend or foe.
>
> Many of them have a subject line like Invoice xxxxx and if there's
> anything in the message at all it is something to the effect that the
> recipient should open the attachment to see the invoice.
>
> As I'm a private person, I would not be expecting an invoice from
> anyone I don't do business with (usually only my dentist sends me
> invoices), but I can see how an invoice or creditors clerk in a firm
> or organisation like the NHS, who deals with such things every day,
> and has no idea who in a large organisation has bought what from whom,
> might inadvertently open such an e-mail with malware attached, and
> thus let a worm into the LAN.

I use Mailwasher which lets me see headers of email before I
download it. It also displays the full "From" field: Name and
email address. If those do not map to anything I recognize - or to
each other, then I treat it very carefully. (as in delete unread)

But I can see that _not_ working for a commercial firm. Especially
for email downloaded from an external server to the company server.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
 



