Ransomware - Wannacry/wcry and everything else ...
Ransomware in general is something none of us wish to deal with. The latest Wannacry problem is worse. This is not because of what it is but rather of the extent to which it has affected our users. There have been a plethora of great suggestions all over this site. I would add to those with the following suggestions:
• Completely check your system for viruses with a reputable virus checker
• Check any suspected files and or links at virustotal.com
• Make sure you have a tested versioning backup system
• Do a complete scan of your system
• Updates
o Make sure all your programs and your operating system is up to date (even old Windows OS’s now
have updates, like windows XP – check the Microsoft website and do a windows update)
o If you are unable to do updates on your own machine due to company policy, make sure that your IT
department is doing the updates.
• Do not, click on an attachment in your email, even if it is from someone you know – call them up and check
that they sent it – they’ll understand.
Whenever I touch a system I do a “ransomware check” which involves the following:
• Create a blank text file called myapp.txt in the root drive (c:\) and rename it to myapp.exe
• Run FoolishIT’s Cryptoprevent
• Install an anti-ransomware tool such as BD Antiransomware, MBAM Antiransomware, Kaspersky
Antiransomware for business, etc.
• Run SpyBHORemover and SpyDLLRemover from securityxploded.com
• Run a full scan
• Disable Autorun and Autoplay
The rest of what I do involves anti virus procedures. It is important to do all of this at the very least to protect your systems. I highly recommend using tools/software such as Cylance, SentinelOne, MBAM, Kaspersky, etc.
Ransomware in general is something none of us wish to deal with. The latest Wannacry problem is worse. This is not because of what it is but rather of the extent to which it has affected our users. There have been a plethora of great suggestions all over this site. I would add to those with the following suggestions:
• Completely check your system for viruses with a reputable virus checker
• Check any suspected files and or links at virustotal.com
• Make sure you have a tested versioning backup system
• Do a complete scan of your system
• Updates
o Make sure all your programs and your operating system is up to date (even old Windows OS’s now
have updates, like windows XP – check the Microsoft website and do a windows update)
o If you are unable to do updates on your own machine due to company policy, make sure that your IT
department is doing the updates.
• Do not, click on an attachment in your email, even if it is from someone you know – call them up and check
that they sent it – they’ll understand.
Whenever I touch a system I do a “ransomware check” which involves the following:
• Create a blank text file called myapp.txt in the root drive (c:\) and rename it to myapp.exe
• Run FoolishIT’s Cryptoprevent
• Install an anti-ransomware tool such as BD Antiransomware, MBAM Antiransomware, Kaspersky
Antiransomware for business, etc.
• Run SpyBHORemover and SpyDLLRemover from securityxploded.com
• Run a full scan
• Disable Autorun and Autoplay
The rest of what I do involves anti virus procedures. It is important to do all of this at the very least to protect your systems. I highly recommend using tools/software such as Cylance, SentinelOne, MBAM, Kaspersky, etc.
8 Comments
Active today
Expert Comment
the issue now is the next coded attempt.... which will have no KILLSWITCH!
Active today
Expert Comment
In India, the following msg is being circulated over social media...
Please do not open any email which has attachments with tasksche.exe file
Active today
Expert Comment
Well most of these are re-hashes of something previously released. cut and pasted code, so the killswitch was probably left over code from before...
Active 1 day ago
Expert Comment
Personally I see ransomware issues as just another threat like other types of malware (Viruses /worms,etc), but the only way that differs in dealing with it is by being proactive, not reactive, through proper patching of all the company's Operating system and software ,as well as Antivirus products (Preferably managed Trusted ones),, raising user awareness about "fishy" mails or "suspicious websites " that could act as a dropper for malware , either through IS training or enforcing web browsing security policy using a proxy Preferably both ways together .
in case of mass exploits like this that cause outbreaks , keeping the DEP feature of windows does help against remote code execution exploits.,
also ensuring users are operating using the least privilege needed, someone who does data entry or type reports Does Not need Admin rights.
There is also a role for the system admin to keep researching such threats and apply best practices as they come out.
Also we keep advising clients of constant backups preferably stored off site or at the very least backup to a personal cloud or removable media all critical files ,because most ransomware infections are fatal, let us be realistic here , nobody is paying and nobody is getting a decryption key .in some cases security researchers either in AV companies or Experts of Cryptology provide a solution, but the chances of recovering Everything is practically Null , Data Loss and corruption is bound to happen ,This is where constant incremental backups come in.
this is is how I see it , hope it helps.
in case of mass exploits like this that cause outbreaks , keeping the DEP feature of windows does help against remote code execution exploits.,
also ensuring users are operating using the least privilege needed, someone who does data entry or type reports Does Not need Admin rights.
There is also a role for the system admin to keep researching such threats and apply best practices as they come out.
Also we keep advising clients of constant backups preferably stored off site or at the very least backup to a personal cloud or removable media all critical files ,because most ransomware infections are fatal, let us be realistic here , nobody is paying and nobody is getting a decryption key .in some cases security researchers either in AV companies or Experts of Cryptology provide a solution, but the chances of recovering Everything is practically Null , Data Loss and corruption is bound to happen ,This is where constant incremental backups come in.
this is is how I see it , hope it helps.
Expert Comment
The overall advice to keep automatic updates on to keep updates current, keep Antivirus up to date and firewalls up to date is something we have said many times in here (sometimes to deaf ears).
Two really important points. Stop the excuses and dump all desktop operating system earlier than Windows 7 and all server operating systems earlier that Server 2008.
Second: get top notch spam filters. That is how this malware gets in.
Two really important points. Stop the excuses and dump all desktop operating system earlier than Windows 7 and all server operating systems earlier that Server 2008.
Second: get top notch spam filters. That is how this malware gets in.
Recommended Posts
This could affect YOU if you have ESXi installed on SD cards !!!!!
e.g. DELL EMC have just issued a statement stating the use of SD Mirrored cards (IDSM) is NOT recommended for ESXi 7.x and later, despite that they sold the technology !!! and some DELL EMC R740 shipped with OEM pre-installed ESXi 7.x. using IDSM - Mirrored SD cards!
and now they do not recommend it!
see here
NOTE: If you had ordered VMware ESXi with your Dell EMC PowerEdge server, it is preinstalled on your server. The ESXi installer media is required for reinstallation. The Boot Optimized Storage Solution (BOSS) card is the preferred non-HDD or SSD device for VMware ESXi 7.0 installation. The Dell Internal Dual SD Module (IDSDM) install is no longer recommended due to write endurance issues with the SD flash media. For more information, see the Storage Requirements for ESXi 7.0 Installation or Upgrade section on the VMware ESXi Installation and Setup Guide or see VMware Knowledge Base article 2145210.
https://www.dell.com/support/manuals/en-uk/vmware-esxi-7.x/vmware_esxi_7.0_gsg/getting-started-with-vmware-vsphere?guid=guid-c18ba369-c295-40ea-b289-f82b4cd5270a
e.g. DELL EMC have just issued a statement stating the use of SD Mirrored cards (IDSM) is NOT recommended for ESXi 7.x and later, despite that they sold the technology !!! and some DELL EMC R740 shipped with OEM pre-installed ESXi 7.x. using IDSM - Mirrored SD cards!
and now they do not recommend it!
see here
NOTE: If you had ordered VMware ESXi with your Dell EMC PowerEdge server, it is preinstalled on your server. The ESXi installer media is required for reinstallation. The Boot Optimized Storage Solution (BOSS) card is the preferred non-HDD or SSD device for VMware ESXi 7.0 installation. The Dell Internal Dual SD Module (IDSDM) install is no longer recommended due to write endurance issues with the SD flash media. For more information, see the Storage Requirements for ESXi 7.0 Installation or Upgrade section on the VMware ESXi Installation and Setup Guide or see VMware Knowledge Base article 2145210.
https://www.dell.com/support/manuals/en-uk/vmware-esxi-7.x/vmware_esxi_7.0_gsg/getting-started-with-vmware-vsphere?guid=guid-c18ba369-c295-40ea-b289-f82b4cd5270a
Active 1 day ago
Expert Comment
Hi Andrew
VMware hinted at this last year
https://blogs.vmware.com/vsphere/2020/05/vsphere-7-esxi-system-storage-changes.html
https://blogs.vmware.com/vsphere/2020/07/vsphere-7-system-storage-when-upgrading.html
Since Nov 2020 HPE have actively discouraged quoting for ESX on SD card - citing the VMware warning
</P>
VMware hinted at this last year
https://blogs.vmware.com/vsphere/2020/05/vsphere-7-esxi-system-storage-changes.html
https://blogs.vmware.com/vsphere/2020/07/vsphere-7-system-storage-when-upgrading.html
Since Nov 2020 HPE have actively discouraged quoting for ESX on SD card - citing the VMware warning
</P>
Active today
So the vendors (OEM) SHOULD NOT supply pre-installed systems with ESXi !!!!!
because the SD cards which DELL EMC/ HPE are supply are worse than what you can purchase from Walmart!
Not disrespect to Walmart!
But you would really think that the SD cards from Dell/EMC and HPE were quality, not a load of shite!
We've all been taken for a ride on this one! especially since from 2004 VMware have convinced us to install ESXi on USB and SD cards, because it was small footprint and embedded! (maybe that was now just a marketing gimmick to beat Hyper-V!"
because the SD cards which DELL EMC/ HPE are supply are worse than what you can purchase from Walmart!
Not disrespect to Walmart!
But you would really think that the SD cards from Dell/EMC and HPE were quality, not a load of shite!
We've all been taken for a ride on this one! especially since from 2004 VMware have convinced us to install ESXi on USB and SD cards, because it was small footprint and embedded! (maybe that was now just a marketing gimmick to beat Hyper-V!"