
Not really, already detected :)

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 - a variant of Win32/Filecoder.WannaCryptor.D trojan

Detected as of update 15404 that was released about 2.5 hours ago. It appears that VirusTotal is still not using the most current detection engine module even after that quite long time.

Allegedly it exploits a vulnerability in SMB for spreading in networks. Microsoft released a hotfix addressing the vulnerability on March 14th: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Share this post


Link to post
Share on other sites

Thanks, Marcos. UK health system is presently also under major attack from this ransomware.

I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

3 hours ago, itman said:

I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

Actually ESET Endpoint Security v6 and ESS v9+ (probably v8 too but I'm not 100% sure) have protected users from malware exploiting the SMB vulnerability to spread via LAN since April 25 with the network protection module.

Since the vulnerability is in SMB, NOD32 Antivirus cannot protect against exploitation at the network level due to missing firewall.

The detection of an exploit exploiting the SMB vulnerability CVE-2017-1044 looks as follows. Apologies for not posting an English version:

(screenshot: netscan_cve-2017-0144.jpg)

I would also add that a WannaCrypt memory detection was added in update 15403 which was released at ~10:30 CEST, about the time when the outbreak started.

7 hours ago, itman said:

Thanks, Marcos. UK health system is presently also under major attack from this ransomware.

I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

I read somewhere that someone in the NHS got an email from an unknown sender telling them they had been infected with ransomware and to open an attachment for more info/to pay etc. Obviously this was the real virus. I thought the NHS would have a strong training course on social engineering.

2 minutes ago, peteyt said:

I read somewhere that someone in the NHS got an email from an unknown sender telling them they had been infected with ransomware and to open an attachment for more info/to pay etc. Obviously this was the real virus. I thought the NHS would have a strong training course on social engineering.

Not just the NHS that's been hit with it but lots of government departments worldwide. But you would think in the modern world the basics of opening emails with attachments/links would be one of the first things employees would be taught NOT to do.

The allure of "Russian wives", "Free iPads", "$2000 casino bonuses" is just too tempting for people :lol:

16 hours ago, cyberhash said:

Not just the NHS that's been hit with it but lots of government departments worldwide. But you would think in the modern world the basics of opening emails with attachments/links would be one of the first things employees would be taught NOT to do.

The allure of "Russian wives", "Free iPads", "$2000 casino bonuses" is just too tempting for people :lol:

Can you block it so email attachments can't be opened? I was just thinking of how to avoid this, as sadly people are the weakest link in security. Blocking email attachments, and if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

54 minutes ago, peteyt said:

Can you block it so email attachments can't be opened? I was just thinking of how to avoid this, as sadly people are the weakest link in security. Blocking email attachments, and if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

It's not just e-mail attachments. Any active content in a Word document can be employed.

Suggest you review in detail your Trust Center security settings in Word. Also pay close attention to trusted publisher and certificate settings since those are given special privileges due to the trust status. 


Is there not yet a decrypter tool for users to recover their files?

3 hours ago, itman said:

It's not just e-mail attachments. Any active content in a Word document can be employed.

Suggest you review in detail your Trust Center security settings in Word. Also pay close attention to trusted publisher and certificate settings since those are given special privileges due to the trust status. 

I read that a lot of NHS computers also run XP, which doesn't help.


"As an example, ESET’s network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware was even created. ESET increased the protection level for this specific threat as Win32/Filecoder.WannaCryptor.D in the detection engine update 15404 (May-12-2017, 13:20 UTC/GMT +02:00). Prior to that, ESET LiveGrid protected against this particular attack starting around 11:26AM (UTC/GMT +02:00)."

Way to go ESET team :D

 

https://intel.malwaretech.com/botnet/wcrypt

Infection map for those interested.

Edited by Morisato

5 hours ago, peteyt said:

Can you block it so email attachments can't be opened? I was just thinking of how to avoid this, as sadly people are the weakest link in security. Blocking email attachments, and if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

@peteyt Outlook has the option to disable auto opening of attachments while blocking hyperlinks and HTML within emails. That's what I use personally, but I'm sure there will be other apps out there that have the same features and could save a lot of trouble.

1 hour ago, cyberhash said:

@peteyt Outlook has the option to disable auto opening of attachments while blocking hyperlinks and HTML within emails. That's what I use personally, but I'm sure there will be other apps out there that have the same features and could save a lot of trouble.

Ditto for Thunderbird; blocking of auto opening of e-mail attachments plus all active content is disabled by selecting the "text only" viewing option.

However for web e-mail users, your options are limited to whatever protections your e-mail provider offers; those are usually next to nil. 

On 12/5/2017 at 8:54 PM, Marcos said:

Actually ESET Endpoint Security v6 and ESS v9+ (probably v8 too but I'm not 100% sure) have protected users from malware exploiting the SMB vulnerability to spread via LAN since April 25 with the network protection module.

Since the vulnerability is in SMB, NOD32 Antivirus cannot protect against exploitation at the network level due to missing firewall.

The detection of an exploit exploiting the SMB vulnerability CVE-2017-1044 looks as follows. Apologies for not posting an English version:

 

I would also add that a WannaCrypt memory detection was added in update 15403 which was released at ~10:30 CEST, about the time when the outbreak started.

Hi Marcos

I run ESET Smart Security 10.1.204.0 under W10 and W7; my operating systems are not updated.

My question is: is it enough to keep my home desktop or laptop online to be infected?

Thanks


Does ESET Endpoint Antivirus version 6.1.2222.1 protect from this ransomware?

3 minutes ago, Thanasis said:

Does ESET Endpoint Antivirus version 6.1.2222.1 protect from this ransomware?

In terms of file detection, it protects you. However, on unpatched systems only ESET Endpoint Security v6 and home products ESET Smart Security v9+ and ESSP/EIS v10 can intercept exploitation attempts on the network level with the network protection module. To get protected against exploitation of CVE-2017-0144, please install the appropriate security hotfix.
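The two points Marcos makes in this thread, that the March hotfix (MS17-010) closes CVE-2017-0144 and that an unpatched host is otherwise exposed over SMB, can be turned into a per-host audit. The following is an added example, not code from the thread or from ESET; the KB identifiers are placeholders to be replaced with the ones the MS17-010 bulletin lists for the exact Windows build being checked, and the LanmanServer `SMB1` registry value is Microsoft's documented switch for hosts that lack the SmbShare cmdlets.

```powershell
# Added example (not from the thread or ESET): audit one Windows host for
# SMBv1 exposure and for the presence of an MS17-010 hotfix (CVE-2017-0144).
param(
    # Placeholders: replace with the KB IDs MS17-010 lists for this OS build.
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Windows 8/2012 and later expose the setting through the SmbShare module.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Older hosts (Windows 7/2008 R2): SMBv1 is on unless the LanmanServer
    # 'SMB1' value has been explicitly set to 0.
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

function Test-Ms17010Present {
    param([string[]]$Kbs)
    # Get-HotFix wraps Win32_QuickFixEngineering; HotFixID is the KB number.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1On  = Get-Smb1Enabled
$patched = Test-Ms17010Present -Kbs $Ms17010Kbs

# One row per host; collected across an estate this lists the machines a worm
# using CVE-2017-0144 could still reach over TCP 445.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    SMB1Enabled    = $smb1On
    MS17010Present = $patched
    AtRisk         = ($smb1On -and -not $patched)
}

# Remediation hint (run elevated, after confirming nothing still needs SMBv1):
# Windows 8.1/10: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Windows 7:      Set-ItemProperty -Path $LanmanKey -Name SMB1 -Value 0 -Type DWord, then reboot
if ($smb1On -and -not $patched) {
    Write-Warning "$env:COMPUTERNAME: SMBv1 enabled and no MS17-010 hotfix found"
}
```

Disabling SMBv1 is a separate mitigation from the hotfix; hosts that must keep it for legacy devices still need the patch installed.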

3 minutes ago, Rob1980 said:

Does ESET Endpoint v5.0 2237.0 protect from WannaCry?

See my answer above. ESET products detect all known variants of WannaCrypt. However, on unpatched systems only ESET Endpoint Security v6 and latest home products with firewall can block SMB exploits at the network level.


Hi,

but did the attacks come from emails?

Because the newspapers haven't written about it.

Thanks

17 hours ago, mantra said:

Hi,

but did the attacks come from emails?

Because the newspapers haven't written about it.

Thanks

It comes from an SMBv1 vulnerability in all Windows versions which allows remote execution of malicious code.

Guys, if you still have not patched your Windows, you should do this now. The WannaCry ransomware is still active. A new variant of WannaCry ransomware is able to infect 3,600 computers per hour - https://malwareless.com/new-variant-wannacry-ransomware-able-infect-3600-computers-per-hour/. If your computer is infected with this virus, don't pay the ransom - many people who have paid Bitcoins don't receive the decryptor. All top security companies are currently working to develop a decryption solution.
