#1
WanaCrypt: How Spread?
I've read a half-dozen articles on WannaCrypt, but none of them mention how it is spread - beyond one noting that it can spread itself from PC-to-PC on a LAN. Can anybody shed some light?

Also, if WannaCrypt infects a PC that has shares into a NAS, will it encrypt the contents of the NAS too?

-- Pete Cresswell
#2
WanaCrypt: How Spread?
Pete,

> none of them mention how it is spread

It's spread by human "nothing can happen to me, I got AV installed" stupidity: by opening (and thereby executing) unknown/unexpected email attachments (read: by way of the "trojan horse" method). :-)

> Also, if WannaCrypt infects a PC that has shares into a NAS, will it encrypt the contents of the NAS too?

When the NAS is accessible as a regular filesystem (by way of a drive letter, but likely also when a "\\drive\folder\..." form is needed), it will most likely attempt to do so (have not read that it does, but it stands to reason).

Regards,
Rudy Wieser

-- Original message:
(PeteCresswell) wrote in news message ...

> I've read a half-dozen articles on WannaCrypt, but none of them mention how it is spread - beyond one noting that it can spread itself from PC-to-PC on a LAN. Can anybody shed some light?
>
> Also, if WannaCrypt infects a PC that has shares into a NAS, will it encrypt the contents of the NAS too?
>
> -- Pete Cresswell
#3
WanaCrypt: How Spread?
(PeteCresswell) wrote:

> I've read a half-dozen articles on WannaCrypt, but none of them mention how it is spread - beyond one noting that it can spread itself from PC-to-PC on a LAN. Can anybody shed some light?
>
> Also, if WannaCrypt infects a PC that has shares into a NAS, will it encrypt the contents of the NAS too?

We have to divide the observations into what older ransomware did, versus this particular one.

Normal ransomware has to get in somehow. It needs a dropper. It needs a foothold. Someone in one of my other groups clicked on an email attachment, and that attacked the machine.

Some of the older ransomware, if the machine "remembers" file shares like //somehost/somepartition, will try to mount the share and encrypt the contents. There is even ransomware that encrypted the contents of the Dropbox folder. And then the Dropbox software uploads that to Dropbox.

*******

WannaCrypt shares some of these characteristics, but with one new twist.

1) Still needs you to click that email attachment and run an EXE. Or use some similar kind of mechanism. The media articles have not been forthright with details on that aspect. Maybe some day, an Adobe Flash exploit will be the path for this.

2) Once a machine inside your LAN perimeter is infected, it can use a worm-like behavior on the SMBv1 port 445. This allows a copy of the ransomware to appear on the screen of all the other PCs in the room.

With previous ransomware, you might lose all the partitions on your email machine, plus all the shares that machine visits on a regular basis. Maybe half your disk drives are ruined, and some are not encrypted. I have partitions that are never shared on the LAN (not ever, as the info is too old) that might survive. With the new SMBv1 attack within the perimeter, if I just switch on a second machine, the WannaCrypt can crawl up the snout of the OS and infect it. This is a kind of worm behavior.

Obviously, in a large enterprise, the sheer amount of probe traffic generated by the ransomware, as it attempts to find other machines, may become an issue. Maybe the network slows down. Some enterprises only have 10/100BT networking.

This article will walk you through the details of the first release of this particular ransomware. A *future* version of the ransomware, days away, may choose to attack WinXP, so you cannot remain complacent in terms of patching up the exposed SMBv1 surfaces inside the perimeter.

https://www.askwoody.com/2017/how-to...crywannacrypt/

Your IPv4 NAT router is helping to protect you. The client isolation that the ISP uses cannot interfere with "valid" functions, so packets sent to incoming 445 are still going to get there. And this is why you still have to click that bad email attachment (that "invoice" for the domain you bought) to get caught up in this. The worm should not be able to make its way through your NAT router, unless on purpose you port forwarded port 445 to a designated machine inside the perimeter.

Because the LED is not constantly flashing on my router here, I'd have to conclude somebody is filtering some of this or something. But it's hard for an ISP to step in and protect people without others complaining about a loss of functionality. The ISP cannot win by "being helpful".

Paul
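Paul's point that the probe traffic itself becomes noticeable suggests a simple network-side detection: one internal host opening connections to many different internal hosts on TCP/445 in a short window is worm-like fan-out, while a file server being contacted by many clients is not. The script below is an added example, not from the thread or from any vendor; it runs a sliding-window distinct-destination count over constructed connection-log lines in an assumed `<epoch> <src> <dst> <dport> <verdict>` format, and the window length and threshold are assumed tuning values.

```python
"""Flag hosts whose TCP/445 connection attempts fan out across a LAN.

Added example (not from the thread). Detection rule: a single source
contacting many distinct destinations on port 445 within a short window
is treated as worm-like probing. Log format is constructed for this demo:
    <epoch seconds> <src ip> <dst ip> <dst port> <verdict>
"""
from collections import defaultdict

SMB_PORT = 445
WINDOW_SECONDS = 60      # sliding window length (assumed tuning value)
FANOUT_THRESHOLD = 20    # distinct destinations per window that raise an alert

# Constructed sample: 192.168.1.50 sweeps 25 neighbours on 445 in 25 seconds,
# 192.168.1.20 talks repeatedly to one file server (normal), plus one HTTP line.
SAMPLE_LOG = "\n".join(
    [f"{1494950000 + i} 192.168.1.50 192.168.1.{100 + i} 445 allow" for i in range(25)]
    + [f"{1494950000 + i} 192.168.1.20 192.168.1.10 445 allow" for i in range(25)]
    + ["1494950030 192.168.1.20 192.168.1.10 80 allow"]
)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, verdict = line.split()
    return int(ts), src, dst, int(port), verdict


def smb_fanout_alerts(log_text, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: peak distinct 445 destinations in any window} for sources at/over threshold."""
    events = defaultdict(list)            # src -> [(ts, dst), ...] for port 445 only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _ = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))

    alerts = {}
    for src, pairs in events.items():
        pairs.sort()
        peak = 0
        start = 0
        for end in range(len(pairs)):
            # advance the left edge until the window spans at most `window` seconds
            while pairs[end][0] - pairs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in pairs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct hosts on tcp/445 within {WINDOW_SECONDS}s")
```

The threshold has to be set per network: a backup server or a vulnerability scanner will legitimately touch many hosts on 445, so those sources belong on an allow-list rather than having the threshold raised for everyone.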
#4
WanaCrypt: How Spread?
On Tue, 16 May 2017 11:08:19 -0400, Paul wrote:

> WannaCrypt shares some of these characteristics, but with one new twist.
>
> 1) Still needs you to click that email attachment and run an EXE. Or use some similar kind of mechanism. The media articles have not been forthright with details on that aspect. Maybe some day, an Adobe Flash exploit will be the path for this.

Dead right they haven't. Most of the articles I've read have been singularly uninformative.

> 2) Once a machine inside your LAN perimeter is infected, it can use a worm-like behavior on the SMBv1 port 445. This allows a copy of the ransomware to appear on the screen of all the other PCs in the room.
>
> With previous ransomware, you might lose all the partitions on your email machine, plus all the shares that machine visits on a regular basis. Maybe half your disk drives are ruined, and some are not encrypted. I have partitions that are never shared on the LAN (not ever, as the info is too old) that might survive.

Most of the articles I've read don't say what to do if you ARE infected. One said you can't do anything.

Is it possible to
1. Find the worm and delete it?
2. Restore from a backup?

-- Steve Hayes
http://www.khanya.org.za/stevesig.htm
http://khanya.wordpress.com
#5
WanaCrypt: How Spread?
Steve Hayes wrote:

> Most of the articles I've read don't say what to do if you ARE infected. One said you can't do anything.
>
> Is it possible to
> 1. Find the worm and delete it?
> 2. Restore from a backup?

Restore from backup is the most likely course of action.

In the case of WannaCrypt, you need to unplug the LAN cable on each machine, and not plug all the machines together again until you've restored them with your Macrium emergency boot CD and your (normally disconnected) USB backup drive.

If your backup drive is online during the trouble, maybe it will decide that .mrimg file of yours needs encryption too. And I don't have a very good answer for that. It's pretty hard to use backup drives without running a risk with them. Using two backup drives and alternating their usage still doesn't guarantee anything. What we're relying on is that the ransomware does a "fast attack" and is in a rush. If it sits back and waits, plots a strategy, looks at the hardware list of drives that have been connected to the computer, a more worrying situation would be encryption you don't notice until it is too late.

You can boot a computer with the Macrium emergency CD, plug in the USB backup drive, and run "Verify" on each .mrimg file, if you are concerned about the disposition of a file. Once all files verify, shut down the machine and disconnect the backup drive - before rebooting to any potentially infected C: drive. Handling will require skill and thought to avoid making mistakes once the red dialog does appear.

*******

Again, the media have been less than helpful with regard to the encryption type. There are a couple of encryption methods.

1) Slow and thorough. It takes time to process all your disks. If caught in time, the damage may not be "complete". In this case, encryption is file by file.

2) There is a second method which encrypts the $MFT, in an attempt to just lose access to the files. This can be done in seconds. A file scavenger may recover some of the content. Which isn't a pleasant prospect in any case. This is not a replacement for a backup, scavenging the files and trying to restore a semblance of order.

So if you saw mad computer activity, and no red dialog, it could be that it's encrypting everything before presenting the dialog. Switching off the power might kill it before the job is complete. You'd need a maintenance OS to then inspect each disk and see what kind of mess is present.

Previous ransomware goes after files in order of value. Maybe it does .pptx first, then .ppt, on the theory that the .pptx is more recent and of more value to you. While a .txt is done later on. There can be an order of execution to increase the odds you'll want to pay. It should go after user data files preferentially, as after encrypting shell32.dll, a user is only going to reinstall the OS to fix that.

If you're working some day, have File Explorer on the screen and see newproject.pptx change to newproject.pptx.osirus or newproject.pptx.thor, the appearance of an unusual file extension can be one of your first hints of trouble (before the red dialog). A poster in another group, *that's* the question he asked me. "Why do my files end in osirus?" I had a suspicion, did a quick online search, and that was a symptom of a particular ransomware (Locky flavor). He is still not fully restored.

Paul
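Paul's "files suddenly end in .osirus" symptom can be turned into a host-side check that is cheap enough to run from a scheduled task or from a maintenance OS against a mounted disk. The script below is an added example, not code from the thread: it walks a directory tree, flags names where a familiar document extension is followed by an unfamiliar one (`report.pptx.osirus`, `budget.xlsx.thor`), and counts how many of those were modified within a recent window, which separates one odd file from an encryption run in progress. The document and benign-suffix lists are assumed starting points, and `build_sample_tree` creates a constructed directory so the scan runs offline.

```python
"""Detect the "document gained a strange extra extension" ransomware symptom.

Added example (not from the thread). Scans a tree for names like
plan.pptx.osirus and reports how many such files were touched recently.
"""
import os
import tempfile
import time
from pathlib import Path

# Extensions of files a user would care about (assumed starting list).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".jpg", ".png", ".mrimg"}
# Suffixes legitimately appended to documents (assumed allow-list).
BENIGN_SECOND_EXTS = {".bak", ".zip", ".gz", ".7z", ".tmp", ".lnk", ".old"}


def suspicious_double_extension(name):
    """True for names where a document extension is followed by an unknown one."""
    suffixes = Path(name).suffixes
    if len(suffixes) < 2:
        return False
    inner, outer = suffixes[-2].lower(), suffixes[-1].lower()
    return (inner in DOCUMENT_EXTS
            and outer not in DOCUMENT_EXTS
            and outer not in BENIGN_SECOND_EXTS)


def scan_tree(root, recent_seconds=3600, now=None):
    """Return {'renamed': [paths], 'recent': count modified within recent_seconds}."""
    now = time.time() if now is None else now
    hits, recent = [], 0
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not suspicious_double_extension(fname):
                continue
            path = os.path.join(dirpath, fname)
            hits.append(path)
            if now - os.path.getmtime(path) <= recent_seconds:
                recent += 1
    return {"renamed": sorted(hits), "recent": recent}


def build_sample_tree():
    """Create a constructed directory with two 'encrypted' documents and decoys."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    for rel in ["docs/plan.pptx",            # untouched original
                "docs/plan.pptx.osirus",     # renamed by ransomware (constructed)
                "docs/budget.xlsx.thor",     # renamed by ransomware (constructed)
                "docs/notes.txt.bak",        # benign backup copy
                "backup/full.mrimg",         # Macrium image, single extension
                "pics/cat.jpg.osirus"]:      # renamed by ransomware (constructed)
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['renamed'])} suspicious files, {result['recent']} modified in the last hour")
    for p in result["renamed"]:
        print("  ", p)
```

A high `recent` count with many hits is the signal to pull the network cable, as Paul describes, rather than to start cleaning up; the list of paths is then useful when deciding which backups to restore.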
#6
WanaCrypt: How Spread?
On Tue, 16 May 2017 17:30:01 -0400, Paul wrote:

> If you're working some day, have File Explorer on the screen and see newproject.pptx change to newproject.pptx.osirus or newproject.pptx.thor, the appearance of an unusual file extension can be one of your first hints of trouble (before the red dialog). A poster in another group, *that's* the question he asked me. "Why do my files end in osirus?" I had a suspicion, did a quick online search, and that was a symptom of a particular ransomware (Locky flavor). He is still not fully restored.

I had to look up pptx to see what it was -- it's not something I ever use. I'll do a search for osirus files.

I get JSLocky e-mails 3-4 times a week (I used to get 5-10 a day back in February), and have no intention of opening them, or any unexplained attachments from anyone at all, friend or foe. Many of them have a subject line like Invoice xxxxx and if there's anything in the message at all it is something to the effect that the recipient should open the attachment to see the invoice.

As I'm a private person, I would not be expecting an invoice from anyone I don't do business with (usually only my dentist sends me invoices), but I can see how an invoice or creditors clerk in a firm or organisation like the NHS, who deals with such things every day, and has no idea who in a large organisation has bought what from whom, might inadvertently open such an e-mail with malware attached, and thus let a worm into the LAN.

But none of the articles I've read tell people this. They are just vague scare stories saying that it's baaad and there's nothing you can do about it. When people post links to such articles on Facebook, I usually advise them not to open or send HTML e-mails, or e-mails with unexplained attachments, and even when the attachments are explained, the explanation needs to be pretty good, specific and not clickbaitey.

-- Steve Hayes
http://www.khanya.org.za/stevesig.htm
http://khanya.wordpress.com
#7
WanaCrypt: How Spread?
Per Paul:

> 1) Still needs you to click that email attachment and run an EXE. Or use some similar kind of mechanism. The media articles have not been forthright with details on that aspect. Maybe some day, an Adobe Flash exploit will be the path for this.

Sounds to me like the XP machine that I use as my media server is fairly safe then - since it does not have an email client installed and the browser never gets used.

But if one of my Windows 7 or Windows 8 machines on the same LAN gets infected, I'm hosed...

One more argument for air-gapping the NAS backup....

-- Pete Cresswell
#8
WanaCrypt: How Spread?
Steve Hayes on Wed, 17 May 2017 06:29:30 +0200 typed in microsoft.public.windowsxp.general the following:

> I had to look up pptx to see what it was -- it's not something I ever use. I'll do a search for osirus files.
>
> I get JSLocky e-mails 3-4 times a week (I used to get 5-10 a day back in February), and have no intention of opening them, or any unexplained attachments from anyone at all, friend or foe. Many of them have a subject line like Invoice xxxxx and if there's anything in the message at all it is something to the effect that the recipient should open the attachment to see the invoice.
>
> As I'm a private person, I would not be expecting an invoice from anyone I don't do business with (usually only my dentist sends me invoices), but I can see how an invoice or creditors clerk in a firm or organisation like the NHS, who deals with such things every day, and has no idea who in a large organisation has bought what from whom, might inadvertently open such an e-mail with malware attached, and thus let a worm into the LAN.

I use Mailwasher which lets me see headers of email before I download it. It also displays the full "From" field: Name and email address. If those do not map to anything I recognize - or to each other, then I treat it very carefully. (as in delete unread)

But I can see that _not_ working for a commercial firm. Especially for email downloaded from an external server to the company server.

-- pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
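The header-level triage pyotr describes (does the display name match the real address, do I know the sender) combined with Steve's observation about "Invoice xxxxx" subjects carrying script attachments can be automated at the mail server, which is where pyotr expects the manual version to break down. The script below is an added example, not from the thread or from Mailwasher: it inspects only headers and attachment filenames of constructed messages and never opens an attachment. The allow-list, the risky-extension pattern and the three verdict labels are assumptions for the demo.

```python
"""Header-only triage of unexpected "invoice" mail.

Added example (not from the thread). Checks: does the From display name
embed a different address than the real one; is the sender known; does an
invoice-style subject arrive with a script/archive attachment. Only headers
and part filenames are read; attachment bodies are never touched.
"""
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_SENDERS = {"billing@dentist.example"}          # assumed personal allow-list
RISKY_ATTACHMENT = re.compile(r"\.(js|jse|wsf|vbs|exe|scr|zip|7z|rar|docm|xlsm)$", re.I)
INVOICE_SUBJECT = re.compile(r"\binvoice\b", re.I)
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def triage(raw_message):
    """Return (verdict, reasons): 'delete-unread', 'known' or 'unknown-review'."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []

    # Display name carrying an address that differs from the envelope-visible one.
    embedded = EMBEDDED_ADDR.search(name)
    if embedded and embedded.group(0).lower() != addr.lower():
        reasons.append("display name address differs from real address")

    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [a for a in attachments if RISKY_ATTACHMENT.search(a)]
    if risky and INVOICE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("invoice subject with script/archive attachment")
    elif risky:
        reasons.append("script/archive attachment")

    if reasons:
        return "delete-unread", reasons
    if addr.lower() in KNOWN_SENDERS:
        return "known", reasons
    return "unknown-review", reasons


# Constructed messages for the demo (not real mail).
PHISH = """From: "Accounts <accounts@bigsupplier.example>" <rnd7@mail-relay.example>
Subject: Invoice 48211
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="Invoice_48211.js"
Content-Disposition: attachment; filename="Invoice_48211.js"

dmFy
--b1--
"""

DENTIST = """From: Dr Smith <billing@dentist.example>
Subject: Invoice March

Your statement is in the post.
"""

FRIEND = """From: Alice <alice@friend.example>
Subject: photos from the weekend

hi, link follows
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("dentist", DENTIST), ("friend", FRIEND)]:
        verdict, why = triage(raw)
        print(f"{label:8} -> {verdict} {why}")
```

Run as a filter in front of a shared mailbox this gives the invoice clerk Steve mentions a machine-applied version of the "does the name map to the address" question, without relying on each person to read raw headers.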