itman - Posted May 12, 2017

Signature needed by Eset for this ASAP: https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/

Marcos (Administrators) - Posted May 12, 2017

Not really, already detected:

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 - a variant of Win32/Filecoder.WannaCryptor.D trojan

Detected as of update 15404 that was released about 2,5 hours ago. It appears that VirusTotal is still not using the most current detection engine module even after that quite long time.

Allegedly it exploits a vulnerability in SMB for spreading in networks. Microsoft released a hotfix addressing the vulnerability on March 14th: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

itman - Posted May 12, 2017

Thanks, Marcos. UK health system is presently also under major attack from this ransomware.

I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

Marcos (Administrators) - Posted May 12, 2017

> 3 hours ago, itman said:
> I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

Actually ESET Endpoint Security v6 and ESS v9+ (probably v8 too but I'm not 100% sure) have protected users from malware exploiting the SMB vulnerability to spread via LAN since April 25 with the network protection module. Since the vulnerability is in SMB, NOD32 Antivirus cannot protect against exploitation at the network level due to missing firewall.

The detection of an exploit exploiting the SMB vulnerability CVE-2017-1044 looks as follows. Apologies for not posting the English version:

I would also add that a WannaCrypt memory detection was added in update 15403 which was released at ~10:30 CEST, about the time when the outbreak started.

foneil (ESET Moderators) - Posted May 12, 2017

Published Alert with information about this:

Do not open suspicious emails, large numbers of threats being distributed by "Jaff / WannaCryptor" ransomware

Any relevant updates will be made to the Alert as we learn them.

peteyt (Most Valued Members) - Posted May 12, 2017

> 7 hours ago, itman said:
> Thanks, Marcos. UK health system is presently also under major attack from this ransomware. I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

I read somewhere that someone in the NHS got an email from an unknown sender telling them they had been infected with ransomware and to open an attachment for more info/to pay etc. Obviously this was the real virus. Thought the NHS would have a strong training course for social engineering.

cyberhash (Most Valued Members) - Posted May 12, 2017

> 2 minutes ago, peteyt said:
> I read somewhere that someone in the NHS got an email from an unknown sender telling them they had been infected with ransomware and to open an attachment for more info/to pay etc. Obviously this was the real virus. Thought the NHS would have a strong training course for social engineering.

Not just the NHS that's been hit with it but lots of government departments worldwide. But you would think in the modern world the basics of opening emails with attachments/links would be one of the first things employees would be taught NOT to do.

The allure of "Russian wifes", "Free Ipads", "$2000 casino bonuses" is just too tempting for people.

Marcos (Administrators) - Posted May 13, 2017

Microsoft has released a patch for the MS17-010 vulnerability also for older otherwise unsupported systems. For Windows XP SP3, the patch can be downloaded from http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=9e189800-f354-4dc8-8170-7bd0ad7ca09a

peteyt (Most Valued Members) - Posted May 13, 2017

> 16 hours ago, cyberhash said:
> Not just the NHS that's been hit with it but lots of government departments worldwide. But you would think in the modern world the basics of opening emails with attachments/links would be one of the first things employees would be taught NOT to do. The allure of "Russian wifes", "Free Ipads", "$2000 casino bonuses" is just too tempting for people.

Can you block it so email attachments can't be opened? Was just thinking of how to avoid this as sadly people are the weakest link in security. Blocking email attachments and, if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

itman - Posted May 13, 2017

> 54 minutes ago, peteyt said:
> Can you block it so email attachments can't be opened? Was just thinking of how to avoid this as sadly people are the weakest link in security. Blocking email attachments and, if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

It's not just e-mail attachments. Any active content in a Word document can be employed. Suggest you review in detail your Trust Center security settings in Word. Also pay close attention to trusted publisher and certificate settings since those are given special privileges due to the trust status.

tommy456 - Posted May 13, 2017

Is there not yet a decrypter tool for users to recover their files?

peteyt (Most Valued Members) - Posted May 13, 2017

> 3 hours ago, itman said:
> It's not just e-mail attachments. Any active content in a Word document can be employed. Suggest you review in detail your Trust Center security settings in Word. Also pay close attention to trusted publisher and certificate settings since those are given special privileges due to the trust status.

I read a lot of NHS computers also run XP, which doesn't help.

Morisato - Posted May 13, 2017 (Edited May 13, 2017 by Morisato)

"As an example, ESET's network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware was even created. ESET increased the protection level for this specific threat as Win32/Filecoder.WannaCryptor.D in the detection engine update 15404 (May-12-2017, 13:20 UTC/GMT +02:00). Prior to that, ESET LiveGrid protected against this particular attack starting around 11:26AM (UTC/GMT +02:00)."

Way to go ESET team

https://intel.malwaretech.com/botnet/wcrypt

Infection map for those interested.

cyberhash (Most Valued Members) - Posted May 13, 2017

> 5 hours ago, peteyt said:
> Can you block it so email attachments can't be opened? Was just thinking of how to avoid this as sadly people are the weakest link in security. Blocking email attachments and, if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

@peteyt Outlook has the option to disable auto opening of attachments while blocking hyperlinks and HTML within emails. That's what I use personally but I'm sure there will be other apps out there that have the same features and could save a lot of trouble.

itman - Posted May 13, 2017

> 1 hour ago, cyberhash said:
> @peteyt Outlook has the option to disable auto opening of attachments while blocking hyperlinks and HTML within emails. That's what I use personally but I'm sure there will be other apps out there that have the same features and could save a lot of trouble.

Ditto for Thunderbird; blocking of auto opening of e-mail attachments plus all active content is disabled by selecting the "text only" viewing option.

However, for web e-mail users, your options are limited to whatever protections your e-mail provider offers; those are usually next to nil.

mantra - Posted May 14, 2017

> On 12/5/2017 at 8:54 PM, Marcos said:
> Actually ESET Endpoint Security v6 and ESS v9+ (probably v8 too but I'm not 100% sure) have protected users from malware exploiting the SMB vulnerability to spread via LAN since April 25 with the network protection module. Since the vulnerability is in SMB, NOD32 Antivirus cannot protect against exploitation at the network level due to missing firewall. The detection of an exploit exploiting the SMB vulnerability CVE-2017-1044 looks as follows. Apologies for not posting the English version: I would also add that a WannaCrypt memory detection was added in update 15403 which was released at ~10:30 CEST, about the time when the outbreak started.

Hi Marcos,

I run ESET Smart Security 10.1.204.0 under W10 and W7; my operating systems are not updated.

My question: is it enough to keep my home desktop or laptop online to be infected?

Thanks

Thanasis - Posted May 15, 2017

Does Eset EndPoint Antivirus version 6.1.2222.1 protect from this ransomware?

Marcos (Administrators) - Posted May 15, 2017

> 3 minutes ago, Thanasis said:
> Does Eset EndPoint Antivirus version 6.1.2222.1 protect from this ransomware?

In terms of file detection, it protects you. However, on unpatched systems only ESET Endpoint Security v6 and home products ESET Smart Security v9+ and ESSP/EIS v10 can intercept exploitation attempts on the network level with the network protection module.

To get protected against exploitation of CVE-2017-0144, please install the appropriate security hotfix.

Rob1980 - Posted May 15, 2017

Does ESET ENDPOINT V5.0 2237.0 Protect from wannacry?

Marcos (Administrators) - Posted May 15, 2017

> 3 minutes ago, Rob1980 said:
> Does ESET ENDPOINT V5.0 2237.0 Protect from wannacry?

See my answer above. ESET products detect all known variants of WannaCrypt. However, on unpatched systems only ESET Endpoint Security v6 and latest home products with firewall can block SMB exploits at the network level.

mantra - Posted May 15, 2017

Hi,

but did the attacks come from emails? Because the newspapers haven't written about it.

Thanks

Barder - Posted May 16, 2017

> 17 hours ago, mantra said:
> Hi, but did the attacks come from emails? Because the newspapers haven't written about it. Thanks

It comes from an SMBv1 vulnerability in all Windows versions which allows malicious code to be executed remotely. Guys, if you still have not patched your Windows, you should do this now. The WannaCry ransomware is still active. New variant of WannaCry ransomware is able to infect 3,600 computers per hour - https://malwareless.com/new-variant-wannacry-ransomware-able-infect-3600-computers-per-hour/. If your computer is infected with this virus, don't pay the ransom - many people who have paid Bitcoins don't receive the decryptor. All top security companies are currently working to develop a decryption solution.

tommy456 - Posted May 19, 2017

Looks like someone has developed a tool to decrypt wannacry:

WannaCry has been decrypted if you follow the rules

Marcos (Administrators) - Posted May 19, 2017

> 1 hour ago, tommy456 said:
> Looks like someone has developed a tool to decrypt wannacry: WannaCry has been decrypted if you follow the rules

More on it here: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d

The point is: DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*

alina - Posted September 1, 2017

There's massive in Ukraine, what should I do?