Ransomware

Ransomware is malicious software designed to block access to data in order to extort money. As a form of malware, ransomware most often reaches devices through malicious email attachments or links, which then exploit vulnerabilities in the operating system and installed third-party software.

End-Users are the Weakest Link? Do you agree?

The slide below is taken from a webinar I attended today.

(slide: End-Users are the Weakest Link)

Expert Comment by: Andrew Leniart
Yes, I agree. That isn't necessarily the fault of the end user, in the sense that they may not have the skills required (or be able to comprehend/appreciate the dangers and consequences). This can only be solved with end-user education, without, of course, belittling the end user because of their skill level.

Expert Comment by: Kyle Santos
ddaaannnngggg

Expert Comment by: Brian Matis
Huh... this reminds me that I have an old desktop in the garage that's still running 7. Good thing I haven't turned it on in months...
The recent malware attack brings to light the need for more security and privacy online. The Experts Exchange community has prepared for this shift with the release of anonymous questions--a feature for Premium Members, Team Accounts, and Qualified Experts.
Benefits include:
Masked user identities. These questions are inaccessible to all search engines and questions will not visibly link back to profiles. Logged out users cannot see these questions at all.
Sensitive information removed from questions, by severing ties that could connect you back to your employer or a project.
Freedom to explore different tech topics you may be interested in but have before been afraid to look into.
To learn how to ask anonymous questions check out this video! https://www.youtube.com/watch?v=uFJF70wsd4c
I am looking to have a script run and create a shortcut on users' PCs across the corporation.

This would be similar to BGInfo, but would be a shortcut users can double-click, and the info would pop up in a GUI window.

MAC address, PC name, wireless IP, wired IP and VPN IP.

Any help would be great.

Expert Comment by: Brian B
Hi Angelo.

I think it could be done in powershell or via policy. However, for the appropriate Experts to see this, I think you might want to submit it as a question with appropriate topics and not a post.

Thanks,
Brian
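As an added example (not the poster's or Brian B's code), here is one way the request above could be done in PowerShell: a single script that installs a desktop shortcut and, when launched from that shortcut, pops up the computer name, MAC and the wired, wireless and VPN IPv4 addresses. It assumes Windows 8 / Server 2012 or later (the NetAdapter and NetTCPIP modules, PowerShell 3+); the pattern used to recognise VPN adapters is an assumption to adjust to the VPN client actually deployed.

```powershell
# Added example, not from the original post. Assumes Windows 8+/PowerShell 3+;
# the VPN adapter-name pattern is an assumption.
param(
    [switch]$Show,      # run the popup (what the shortcut calls)
    [switch]$Install    # copy this script to ProgramData and create the shortcut
)
$ErrorActionPreference = 'Stop'

function Get-HostNetworkSummary {
    # Adapt this pattern to the VPN client you deploy (assumption).
    $vpnPattern = 'VPN|AnyConnect|Pulse|Juniper|TAP-Windows|WireGuard|Fortinet'
    $lines = @("Computer: $env:COMPUTERNAME")
    foreach ($a in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
        $ips = @(Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 Where-Object { $_.IPAddress -notlike '169.254.*' } |      # drop APIPA addresses
                 Select-Object -ExpandProperty IPAddress)
        if ($ips.Count -eq 0) { continue }                                 # nothing usable on this adapter
        $kind = if ($a.InterfaceDescription -match $vpnPattern) { 'VPN' }
                elseif ($a.PhysicalMediaType -match '802\.11|Wireless') { 'Wireless' }
                else { 'Wired' }
        $lines += ('{0,-8} IP {1,-15} MAC {2}  [{3}]' -f $kind, ($ips -join ','), $a.MacAddress, $a.Name)
    }
    return ($lines -join "`r`n")
}

function Show-HostNetworkSummary {
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show((Get-HostNetworkSummary), 'Network Info')
}

function Install-NetInfoShortcut {
    # Needs admin: writes to ProgramData and the all-users desktop. For a fleet,
    # run it once per machine as a GPO startup script or via your deployment tool.
    $scriptDir  = Join-Path $env:ProgramData 'NetInfo'
    $scriptPath = Join-Path $scriptDir 'NetInfo.ps1'
    $linkPath   = Join-Path ([Environment]::GetFolderPath('CommonDesktopDirectory')) 'Network Info.lnk'
    New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
    Copy-Item -Path $PSCommandPath -Destination $scriptPath -Force
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($linkPath)
    $lnk.TargetPath   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    $lnk.Arguments    = "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$scriptPath`" -Show"
    $lnk.IconLocation = "$env:SystemRoot\System32\shell32.dll,18"
    $lnk.Save()
    "Shortcut written to $linkPath"
}

if ($Show)        { Show-HostNetworkSummary }
elseif ($Install) { Install-NetInfoShortcut }
else              { Get-HostNetworkSummary }   # plain console output, handy for testing
```

Run `.\NetInfo.ps1 -Install` once elevated on each machine; users then double-click "Network Info" on the desktop. The shortcut runs the copy in ProgramData rather than a user-writable location so a standard user cannot swap in a different script behind the shortcut.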
I was at a cyber review meeting a few months back and there was a whole session on the team and the constant updates they are putting into this site.

https://www.nomoreransom.org/

This should be your first port of call if you have anything other than WannaCry, just in case they have a decrypt process.

Expert Comment by: btan
Can also check out ID Ransomware:

https://id-ransomware.malwarehunterteam.com

Expert Comment by: John
I don't think selling this kind of code is new. I think that is why we keep noting that the situation will get worse.
My Windows Update was stuck at 0% downloading for about a month.  I fixed it after the WannaCry virus news on Friday by doing the following:

1. Stop the Windows Update Service
2. Delete C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
3. Start the Windows Update Service
4. Check for updates

After that it was working fine!

As for how it got stuck in the first place... I killed the service when it started downloading and taking all my bandwidth while I was playing a game online.  Then I held a grudge against the service for a month and left it broken to teach it a lesson.
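The four steps in the post above, scripted as an added example (not the poster's own commands). By default it does exactly what the post describes (stop the service, delete DataStore.edb, start the service, trigger a scan); with `-FullReset` it renames the whole SoftwareDistribution folder instead, which also discards half-downloaded packages, and Windows recreates the folder on the next service start. The path, the use of UsoClient on Windows 10 and the registry key read afterwards are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
#Requires -RunAsAdministrator
param([switch]$FullReset)
$ErrorActionPreference = 'Stop'

function Reset-WindowsUpdateCache {
    param([switch]$Full)
    $sd = Join-Path $env:SystemRoot 'SoftwareDistribution'
    # BITS holds download handles under the folder, so stop it together with wuauserv (step 1).
    foreach ($svc in 'wuauserv', 'bits') { Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue }
    if ($Full) {
        # Keep the old folder around (renamed) in case something needs to be recovered from it.
        if (Test-Path $sd) {
            Rename-Item -Path $sd -NewName ('SoftwareDistribution.old-' + (Get-Date -Format 'yyyyMMddHHmmss'))
        }
    } else {
        # Step 2 as written in the post: only the state database goes.
        Remove-Item -Path (Join-Path $sd 'DataStore\DataStore.edb') -Force -ErrorAction SilentlyContinue
    }
    foreach ($svc in 'bits', 'wuauserv') { Start-Service -Name $svc }          # step 3
    # Step 4: trigger a detection cycle. UsoClient exists on Windows 10 / Server 2016;
    # wuauclt /detectnow is the older equivalent.
    $uso = Join-Path $env:SystemRoot 'System32\UsoClient.exe'
    if (Test-Path $uso) { & $uso StartScan } else { & "$env:SystemRoot\System32\wuauclt.exe" /detectnow }
}

function Get-WindowsUpdateStatus {
    # Did the service come back, and when did the last detection succeed?
    $detect = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect'
    [pscustomobject]@{
        Service    = (Get-Service -Name wuauserv).Status
        LastDetect = (Get-ItemProperty -Path $detect -ErrorAction SilentlyContinue).LastSuccessTime
    }
}

Reset-WindowsUpdateCache -Full:$FullReset
Get-WindowsUpdateStatus
```

Check `LastDetect` a few minutes later: it should move to a current timestamp once the scan completes. If it does not, the cache was not the problem and the Windows Update log (`Get-WindowsUpdateLog` on Windows 10, `WindowsUpdate.log` on older systems) is the next place to look.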
Friday, May 12th, a new Ransomware threat named WannaCry came onto the scene, affecting organizations in over 150 countries. Damage includes more than 200,000 people infected with the malware and roughly $28,463 paid in bitcoin to decrypt files. That number may only rise unless companies act to mitigate the threat.
Though WannaCry wasn’t a targeted attack on any particular company, institutions using Microsoft operating systems no longer supported by Microsoft security updates found themselves affected by the fast-moving malware.
For a more in-depth look at this attack, check out the following resources:
1. Learn how to prevent this threat without paying a dime.
2. Explore ways to plan ahead and protect against possible future ransomware attacks.
3. Mitigate damage with these tips if your organization has been affected, and more.
I'm really just a beginner. Tell me, What are the capabilities /benefits for a big virtual bug in theory? How does it access private data concretely in the system? A mind game: Is it possible to switch off the lights of cities by hacking into the local electricity networks?
"Microsoft has done the right thing by making the patch available even for older, unsupported systems. But it shouldn't proactively push out the patches, as there are usually some business reasons why companies are still running old and unpatched systems," he said.

"By forcefully pushing a patch, it could do just as much harm, causing systems and applications to become unreliable."


http://www.techrepublic.com/article/why-patching-windows-xp-forever-wont-stop-the-next-wannacrypt/
While we're all running around getting things patched and making sure our clients know how to keep from getting ransomware, let's also take a minute to disable SMBv1. Patching will help this time, but you *know* someone is going to try to find another huge hole in SMBv1 to exploit. No Windows OS after Windows XP uses SMBv1, but MS had to include it in their newer OSes for compatibility. All the OSes that only use SMBv1 have been EOL for years. Let's just get future SMBv1 exploits off the table now, shall we?

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
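An added example (not from the post above or the linked Microsoft article) of what "disable SMBv1" looks like on a Windows host: first an audit of the server-side setting, the client redirector and, most importantly, which peers are still negotiating SMB1 with this machine, then the switch-off. It assumes PowerShell 3+; the SmbShare cmdlets exist on Windows 8 / Server 2012 and later, the optional-feature removal on Windows 8.1 / 10, and the registry and sc.exe fallback is the method Microsoft documents for Windows 7 / 2008 R2. Server editions from 2012 R2 up would use `Remove-WindowsFeature FS-SMB1` instead of the optional feature.

```powershell
# Added example, not from the original post. Run elevated; pass -Disable to act.
#Requires -RunAsAdministrator
param([switch]$Disable)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Dialect {
    param($Dialect)
    # Get-SmbSession / Get-SmbConnection report SMB1 as dialect 1.5; anything below 2.0 counts.
    $v = $Dialect -as [version]
    return ($null -ne $v -and $v -lt [version]'2.0')
}

function Get-Smb1State {
    $s = [ordered]@{}
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $s.ServerEnableSMB1 = $cfg.EnableSMB1Protocol }
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $s.OptionalFeature = [string]$feat.State }
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $s.RegistrySMB1 = if ($null -eq $reg) { 'not set (enabled by default)' } else { $reg.SMB1 }
    $s.ClientDriverStart = (Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'").StartMode
    # Who still speaks SMB1 to or from this box? Find out before pulling the plug.
    $s.Smb1ServerSessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { Test-Smb1Dialect $_.Dialect } | Select-Object -ExpandProperty ClientComputerName)
    $s.Smb1ClientConnections = @(Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { Test-Smb1Dialect $_.Dialect } | Select-Object -ExpandProperty ServerName)
    [pscustomobject]$s
}

function Disable-Smb1 {
    # Server side: the cmdlet where it exists, otherwise the documented registry value.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the SMB1 redirector from the workstation service and disable its driver.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    # Windows 8.1 / 10: remove the component altogether (no-op where the feature does not exist).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    'SMBv1 disabled; reboot to finish.'
}

$before = Get-Smb1State
$before | Format-List
if ($Disable) {
    if ($before.Smb1ServerSessions.Count -gt 0 -or $before.Smb1ClientConnections.Count -gt 0) {
        Write-Warning 'Active SMB1 sessions found (listed above); those peers will break. Continue only if that is intended.'
    }
    Disable-Smb1
}
```

The audit-first order matters: the things that still need SMB1 are usually old multifunction printers scanning to a share, NAS boxes and appliance firmware, and they fail silently once SMB1 is gone. Run the audit on file servers for a few days (the session list is a point-in-time snapshot) before passing `-Disable`.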
Be aware there is a new strain out in the wild, which does not need the unregistered site, so this will be worse if they go all out again.
Expert Comment by: Brian Matis
I've heard this as well, but am seeing that the news was retracted... Looks like no one is quite sure on this yet.

https://boingboing.net/2017/05/15/killswitches-for-everyone.html
Author Comment by: Tony Bessent
The feed was from a reliable source, I cannot share the link due to contract reasons, and they are reporting that it has morphed and now does not require the unregistered URL as a trigger to encrypt. The report yesterday said there was lots of download activity, to threat actors, but no sign of it being used in the wild.
For Lansweeper users:
Lansweeper released a report that can be used to find machines that do not have the hotfixes installed to mitigate the SMB vulnerability.

https://www.lansweeper.com/forum/yaf_postsm50430_Ransomware–MS17-010-Windows-computers-that-are-potentialy-vulnerable.aspx#post50430
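For those without Lansweeper, an added example (not Lansweeper's report) of the same check done over WMI against a list of computers you already have. The KB numbers are the ones listed in the MS17-010 bulletin; on Windows 10 the fix ships inside the cumulative update, so the script compares the build and UBR against the March 2017 cumulative updates instead (minimums taken from those updates' catalog entries; verify them before relying on the result). Later monthly rollups and cumulative updates supersede these KBs, so a host that shows none of them needs a closer look rather than being declared vulnerable. It needs admin rights on the targets, WMI/DCOM reachable and, for remote Windows 10 hosts, the Remote Registry service.

```powershell
# Added example, not Lansweeper's report. KB list from the MS17-010 bulletin;
# Windows 10 build minimums are assumptions to verify against the update catalog.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215'   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216'   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Server 2012
    'KB4012598'                # XP, Vista, Server 2003/2008, Windows 8 (the out-of-band release)
)
# Windows 10: MS17-010 is inside the cumulative update, so compare build.UBR instead.
$Win10MinUbr = @{ '10240' = 17319; '10586' = 839; '14393' = 953 }   # KB4012606 / KB4013198 / KB4013429

function Get-RemoteUbr {
    param([string]$ComputerName)
    # Local reads go straight to HKLM; remote reads need the Remote Registry service.
    $hklm = if ($ComputerName -ieq $env:COMPUTERNAME -or $ComputerName -ieq 'localhost') {
                [Microsoft.Win32.Registry]::LocalMachine
            } else {
                [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
            }
    return [int]$hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('UBR')
}

function Test-Ms17010 {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $build = [string]$os.BuildNumber
        if ($Win10MinUbr.ContainsKey($build)) {
            $ubr = Get-RemoteUbr -ComputerName $ComputerName
            $patched  = $ubr -ge $Win10MinUbr[$build]
            $evidence = "build $build.$ubr (minimum $build.$($Win10MinUbr[$build]))"
        } elseif ([int]$build -gt 14393) {
            $patched  = $true
            $evidence = "build $build shipped after MS17-010"
        } else {
            $found = @(Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName -ErrorAction Stop |
                       Where-Object { $Ms17010Kbs -contains $_.HotFixID } | Select-Object -ExpandProperty HotFixID)
            $patched  = $found.Count -gt 0
            $evidence = if ($patched) { $found -join ',' } else { 'no MS17-010 KB listed; check for a later rollup' }
        }
        [pscustomobject]@{ Computer = $ComputerName; OS = $os.Caption; Patched = $patched; Evidence = $evidence }
    } catch {
        # Unreachable hosts are reported, not skipped: an unknown is not a "patched".
        [pscustomobject]@{ Computer = $ComputerName; OS = $null; Patched = $null; Evidence = "query failed: $($_.Exception.Message)" }
    }
}

# Constructed sample input: the local machine. In practice feed names from AD, e.g.
#   Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' | Select-Object -ExpandProperty Name
$computers = @($env:COMPUTERNAME)
$computers | ForEach-Object { Test-Ms17010 -ComputerName $_ } |
    Sort-Object Patched | Format-Table -AutoSize
```

Treat the output as a worklist, not a verdict: the hosts with `Patched = $null` (unreachable) and those with "no MS17-010 KB listed" are the ones to confirm by hand, and machines that cannot be patched at all are the ones to put behind a firewall rule blocking TCP 445 from anything but the hosts that need it.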
Any one have a good suggestion for an endpoint protection with sandbox? I heard about Sophos but not sure.
Expert Comment by: David Atkin
I believe that ESET Endpoint Security has this feature.
https://www.eset.com/int/business/endpoint-security/windows-security/#c3260
PAY NO MORE!
Expert Comment by: Sina May
Keep fighting the good fight, Andy!
Author Comment by: Andrew Hancock (VMware vExpert / EE Fellow)
It's all billable!
Bitdefender and Kaspersky had WannaCry in the definitions before Friday!

https://securelist.com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/
I received an email from F-Secure saying the below (screenshot). Any insights?
Expert Comment by: dbrunton
Nothing really new there.  That's just an advertising blurb.  All the big anti-virus guys should be on top of it by now.

Try Woody at https://www.askwoody.com/

He's got three posts on the subject there that are very informative.
Expert Comment by: Chad Crouch
This malware really hit the world by storm! Got a lot of people in panic.
Expert Comment by: Brian Matis
@Chad - indeed! If there's a silver-lining to all this, it's that more people are starting to take security patching more seriously.
So with the recent WannaCry malware, there were 3 (afaik) bitcoin addresses circulated to receive ransom payments:

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

At the time of this writing, it looks like around 34 BTC ($60k USD) have been extorted to date. Really low take (imo), considering the widespread reports of this attack. I'm curious if there are any other BTC wallet addresses out there?
Expert Comment by: Michael Arciniega
I wonder how effectively they'll be able to use those funds since they have such a large target on their heads and every transaction on the chain is public information. Can they use enough coin mixers to obfuscate their identity?
Author Comment by: Lucas Bishop
Up to 40 BTC ($70k) now.

Considering it's only 40BTC, they could easily run it through multiple mixers in small batches and see good results on obfuscation. Nothing like the 5,500 BTC Tomas Jirikovsky tried to tumble and cash out.

However, I suspect WannaCry has negatively affected enough SysAdmins that the interest in tracing transactions related to these addresses through the blockchain may be much more fruitful than traditional attempts. I wouldn't be surprised if the perpetrators don't even try to cash out, considering the risk vs reward doesn't make financial sense.
Ransomware - WannaCry/wcry and everything else ...

Ransomware in general is something none of us wish to deal with. The latest WannaCry problem is worse. This is not because of what it is but rather the extent to which it has affected our users. There have been a plethora of great suggestions all over this site. I would add to those the following suggestions:
•      Completely check your system for viruses with a reputable virus checker
•      Check any suspected files and/or links at virustotal.com
•      Make sure you have a tested versioning backup system
•      Do a complete scan of your system
•      Updates
        o      Make sure all your programs and your operating system are up to date (even old Windows OSes now have updates, like Windows XP; check the Microsoft website and do a Windows Update)
        o      If you are unable to do updates on your own machine due to company policy, make sure that your IT department is doing the updates.
•      Do not click on an attachment in your email, even if it is from someone you know; call them up and check that they sent it. They'll understand.

Whenever I touch a system I do a "ransomware check" which involves the following:
•      Create a blank text file called myapp.txt in the root drive (c:\) and rename it to myapp.exe
•      Run FoolishIT's CryptoPrevent
•      Install an anti-ransomware tool such as BD Antiransomware, MBAM Antiransomware, Kaspersky Antiransomware for business, etc.
•      …
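As an added example, not part of the post above and not one of the tools it names: a small canary-file monitor, one way to get an early warning on a host where the preventive steps have failed. It plants decoy documents in a folder that sorts first in the user profile (ransomware typically walks directories in order, so decoys near the front of the walk get hit early) and raises an alert on the first write, rename or delete against them. The folder, the file names, the event-log source and the response action are assumptions to adapt; it assumes PowerShell 4+ for Get-FileHash.

```powershell
# Added example, not from the original post. Folder, names and alert action are assumptions.
param([switch]$InstallOnly)

$CanaryDir   = Join-Path $env:USERPROFILE '!canary'       # '!' sorts before Desktop, Documents ...
$CanaryNames = 'accounts.xlsx', 'contracts.docx', 'passwords.txt'

function New-CanaryFiles {
    New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
    foreach ($name in $CanaryNames) {
        $path = Join-Path $CanaryDir $name
        if (-not (Test-Path $path)) {
            # Left visible on purpose: some families skip hidden files.
            Set-Content -Path $path -Value ("Decoy planted {0}. Do not open or edit." -f (Get-Date))
        }
    }
    # Baseline hashes so a later comparison can tell "touched" from "encrypted".
    Get-ChildItem -Path $CanaryDir -File | ForEach-Object {
        [pscustomobject]@{ File = $_.Name; SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    }
}

function Invoke-CanaryAlert {
    param([string]$Message)
    # Assumed response: log it and stop the Server service so this host stops writing
    # to shares other machines depend on; swap in whatever your IR playbook wants
    # (kill the process, disable the NIC, page someone).
    Write-Warning $Message
    Write-EventLog -LogName Application -Source 'CanaryWatch' -EventId 9001 -EntryType Error -Message $Message -ErrorAction SilentlyContinue
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
}

function Start-CanaryWatch {
    if (-not [System.Diagnostics.EventLog]::SourceExists('CanaryWatch')) {
        New-EventLog -LogName Application -Source 'CanaryWatch'    # one-time, needs admin
    }
    $fsw = New-Object System.IO.FileSystemWatcher -ArgumentList $CanaryDir
    $fsw.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
    foreach ($name in 'Changed', 'Renamed', 'Deleted', 'Created') {
        Register-ObjectEvent -InputObject $fsw -EventName $name -SourceIdentifier "Canary.$name" | Out-Null
    }
    $fsw.EnableRaisingEvents = $true
    Write-Host "Watching $CanaryDir for tampering (Ctrl+C to stop)"
    try {
        # Events are drained here rather than in an -Action block so the functions
        # above stay in scope for the whole run.
        while ($true) {
            $evt = Wait-Event -Timeout 5
            if ($null -eq $evt) { continue }
            $ea = $evt.SourceEventArgs
            $detail = 'Canary {0}: {1}' -f $ea.ChangeType, $ea.FullPath
            if ($ea -is [System.IO.RenamedEventArgs]) { $detail += " (was $($ea.OldFullPath))" }
            Invoke-CanaryAlert $detail
            Remove-Event -EventIdentifier $evt.EventIdentifier
        }
    } finally {
        Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'Canary.*' } | Unregister-Event
        $fsw.Dispose()
    }
}

New-CanaryFiles | Format-Table -AutoSize
if (-not $InstallOnly) { Start-CanaryWatch }
```

Two caveats a practitioner would want: a decoy only helps if nothing legitimate touches it, so keep backup agents and indexers away from the folder or filter their events, and a rename-then-encrypt family will trigger the alert on the rename, which is exactly the point, since by the time the Changed event arrives the file content is already gone.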
Expert Comment by: John
The overall advice to keep automatic updates on to keep updates current, keep Antivirus up to date and firewalls up to date is something we have said many times in here (sometimes to deaf ears).

Two really important points. Stop the excuses and dump all desktop operating systems earlier than Windows 7 and all server operating systems earlier than Server 2008.

Second: get top notch spam filters. That is how this malware gets in.
Expert Comment by: Natty Greg
I cannot stress enough the importance of proxy, spam and content filters along with gateway antivirus scanning, patching all systems and educating users.