
Massive Ransomware Attack



  • Administrators

Not really, already detected :)

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 - a variant of Win32/Filecoder.WannaCryptor.D trojan

Detected as of update 15404 that was released about 2,5 hours ago. It appears that VirusTotal is still not using the most current detection engine module even after that quite long time.

Allegedly it exploits a vulnerability in SMB for spreading in networks. Microsoft released a hotfix addressing the vulnerability on March 14th: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


Thanks, Marcos. UK health system is presently also under major attack from this ransomware.

I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.


  • Administrators
3 hours ago, itman said:

I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

Actually ESET Endpoint Security v6 and ESS v9+ (probably v8 too but I'm not 100% sure) have protected users from malware exploiting the SMB vulnerability to spread via LAN since April 25 with the network protection module.

Since the vulnerability is in SMB, NOD32 Antivirus cannot protect against exploitation at the network level due to missing firewall.

The detection of an exploit exploiting the SMB vulnerability CVE-2017-1044 looks as follows. Apologies for not posting an English version:

netscan_cve-2017-0144.jpg

I would also add that a WannaCrypt memory detection was added in update 15403 which was released at ~10:30 CEST, about the time when the outbreak started.


  • Most Valued Members
7 hours ago, itman said:

Thanks, Marcos. UK health system is presently also under major attack from this ransomware.

I do find it a bit hard that this ransomware is spreading worldwide because all these concerns failed to apply the March SMB patch.

I read somewhere that someone in the NHS got an email from an unknown sender telling them they had been infected with ransomware and to open an attachment for more info/to pay etc. Obviously this was the real virus. Thought the NHS would have a strong training course for social engineering.


  • Most Valued Members
2 minutes ago, peteyt said:

I read somewhere that someone in the NHS got an email from an unknown sender telling them they had been infected with ransomware and to open an attachment for more info/to pay etc. Obviously this was the real virus. Thought the NHS would have a strong training course for social engineering.

Not just the NHS that's been hit with it but lots of government departments worldwide. But you would think in the modern world the basics of opening emails with attachments/links would be one of the first things employees would be taught NOT to do.

The allure of "Russian wives", "Free iPads", "$2000 casino bonuses" is just too tempting for people :lol:


  • Administrators

Microsoft has released a patch for the MS17-010 vulnerability also for older otherwise unsupported systems.

For Windows XP SP3, the patch can be downloaded from

http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=9e189800-f354-4dc8-8170-7bd0ad7ca09a


  • Most Valued Members
16 hours ago, cyberhash said:

Not just the NHS that's been hit with it but lots of government departments worldwide. But you would think in the modern world the basics of opening emails with attachments/links would be one of the first things employees would be taught NOT to do.

The allure of "Russian wives", "Free iPads", "$2000 casino bonuses" is just too tempting for people :lol:

Can you block it so email attachments can't be opened? Was just thinking of how to avoid this as sadly people are the weakest link in security. Blocking email attachments and, if you need to open one, having it opened on an isolated network so if it is infected it can't spread.


54 minutes ago, peteyt said:

Can you block it so email attachments can't be opened? Was just thinking of how to avoid this as sadly people are the weakest link in security. Blocking email attachments and, if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

It's not just e-mail attachments. Any active content in a Word document can be employed.

Suggest you review in detail your Trust Center security settings in Word. Also pay close attention to trusted publisher and certificate settings since those are given special privileges due to the trust status. 


  • Most Valued Members
3 hours ago, itman said:

It's not just e-mail attachments. Any active content in a Word document can be employed.

Suggest you review in detail your Trust Center security settings in Word. Also pay close attention to trusted publisher and certificate settings since those are given special privileges due to the trust status. 

I read a lot of NHS computers also run XP, which doesn't help.


"As an example, ESET’s network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware was even created. ESET increased the protection level for this specific threat as Win32/Filecoder.WannaCryptor.D in the detection engine update 15404 (May-12-2017, 13:20 UTC/GMT +02:00). Prior to that, ESET LiveGrid protected against this particular attack starting around 11:26AM (UTC/GMT +02:00)."

Way to go ESET team :D

 

https://intel.malwaretech.com/botnet/wcrypt

Infection map for those interested.

Edited by Morisato

  • Most Valued Members
5 hours ago, peteyt said:

Can you block it so email attachments can't be opened? Was just thinking of how to avoid this as sadly people are the weakest link in security. Blocking email attachments and, if you need to open one, having it opened on an isolated network so if it is infected it can't spread.

@peteyt Outlook has the option to disable auto opening of attachments while blocking hyperlinks and HTML within emails. That's what I use personally but I'm sure there will be other apps out there that have the same features and could save a lot of trouble.


1 hour ago, cyberhash said:

@peteyt Outlook has the option to disable auto opening of attachments while blocking hyperlinks and HTML within emails. That's what I use personally but I'm sure there will be other apps out there that have the same features and could save a lot of trouble.

Ditto for Thunderbird; blocking of auto opening of e-mail attachments plus all active content is disabled by selecting the "text only" viewing option.

However for web e-mail users, your options are limited to whatever protections your e-mail provider offers; those are usually next to nil. 


On 12/5/2017 at 8:54 PM, Marcos said:

Actually ESET Endpoint Security v6 and ESS v9+ (probably v8 too but I'm not 100% sure) have protected users from malware exploiting the SMB vulnerability to spread via LAN since April 25 with the network protection module.

Since the vulnerability is in SMB, NOD32 Antivirus cannot protect against exploitation at the network level due to missing firewall.

The detection of an exploit exploiting the SMB vulnerability CVE-2017-1044 looks as follows. Apologies for not posting an English version:

 

I would also add that a WannaCrypt memory detection was added in update 15403 which was released at ~10:30 CEST, about the time when the outbreak started.

Hi Marcos

I run ESET Smart Security 10.1.204.0 under W10 and W7; my operating systems are not updated.

My question: is it enough to keep my home desktop or laptop online to be infected?

thanks


  • Administrators
3 minutes ago, Thanasis said:

Does ESET Endpoint Antivirus version 6.1.2222.1 protect from this ransomware?

In terms of file detection, it protects you. However, on unpatched systems only ESET Endpoint Security v6 and home products ESET Smart Security v9+ and ESSP/EIS v10 can intercept exploitation attempts on the network level with the network protection module. To get protected against exploitation of CVE-2017-0144, please install the appropriate security hotfix.


  • Administrators
3 minutes ago, Rob1980 said:

Does ESET ENDPOINT V5.0 2237.0 Protect from wannacry?

See my answer above. ESET products detect all known variants of WannaCrypt. However, on unpatched systems only ESET Endpoint Security v6 and latest home products with firewall can block SMB exploits at the network level.


17 hours ago, mantra said:

hi

but did the attacks come from emails?

because the newspapers haven't written about it

thanks

It comes from an SMBv1 vulnerability in all Windows versions which allows malicious code to be executed remotely.

Guys, if you still have not patched your Windows, you should do this now. The WannaCry ransomware is still active. A new variant of WannaCry ransomware is able to infect 3,600 computers per hour - https://malwareless.com/new-variant-wannacry-ransomware-able-infect-3600-computers-per-hour/. If your computer is infected with this virus, don't pay the ransom - many people who have paid Bitcoins don't receive the decryptor. All top security companies are currently working to develop a decryption solution.

 


  • Administrators
1 hour ago, tommy456 said:

Looks like someone has developed a tool to decrypt wannacry: "WannaCry has been decrypted if you follow the rules"

More on it here: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d

The point is: DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*

