Marcus Hutchins works as a Cyber-Securty Researcher at Kryptos Logic. It was Marcus who had apparenlty stopped the spread of the WannaCry version 1 RansomWare. He found the Kill Switch after decompliing the WannaCry v1 code. Once he registered a Domain name found in the code, the spread of WannaCry V1 RansomWare slowed down dramatically. Soon after WannaCry version 2, which removed the kill switch, was spotted on the Internet.
Marcus was in Vegad for the Black Hat and Def Con conferences. He was apparenly arrested after the confernces.
Apparently the WannaCry Ransomware was also spread to over 50 Traffic cameras via a USB memory stick. That happened in Austalia. Since wannacry encrypts owner created files on a computer, I would assume it would encrypt any JPGS or video files created by the Traffic cameras. Interesting that it is being claimed that it was spread by the use of a USB Memory stick. A good question to ask, would be “Where has that USB stick been plugged into a computer which was connected to the main system network”. USB Memory sticks generally have to be plugged into a computer to acquire ransomware.
Traffice cameras must be a huge money maker. The wannaCry ransomware infection was started apparently on June 6. So by June 22 at least 8,000 Traffic Tickets may be withdrawn because of the infection of the Traffic camera. Those cameras must generate huge amounts of money for the city and for insurance companies and for the court system of lawyers, judges and clerks. Nice money making scheme with possibly little impact on traffic safety. 8,000 tickets in two weeks!!!
Adrien Guinet, a French security researcher Adrien Guinet has created a software tool called “WannaKey” that “may” decrypt the files which were encrypted by WannaCry Ransomware. So if you are lucky and have not rebooted the infected computer you “MAY” be able to unencrypt your files without having to pay the Ransom fee.
WannaKey works with older variants of Windows Server and Windows Workstation Operating Systems such as Windows Server 2003, Windows Server 2008, Windows XP, Windows 7, and Windows Vista.
When WannaCry encrypts your files, it creates a Private Key which is used to create the decrypt key. Then the Private key is erased. On older Windows systems the erase does not remove the data from memory. So if you are lucky and you have “not” rebooted the PC then there is a chance that WannaKey could recover the Private key, because it is still held in the system memory.
Once you have the Private Key then you can use a different program developed by Benjamin Delpycalled wanakiwi to decrypt the files on the WannaCry encrypted PC.
The key point to remember is that the above process “MAY’ work. The Computer which was encrypted by WannaCry Ransomware, must “NOT” have been rebooted. Any files to download would be done using a different computer and then run on the encrypted PC via a USB flash Drive. The WannaCry code did issue the command to erase the Private Key but the bug in older Windows Operating Systems is that Private Key has not been erased from the computer’s main memory. With a bit of luck, you may be able to decrypt your WannaCry encrypted PC. Note there is no guarantee that this will work. If you are unsure how to go about this, then get a computer professional to help you.
Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to also always create daily backups. If you try to decrypt a WannaCry encrypted personal computer or server, you do so at your own risk. There is no guarantee that the above info will be successful in decrypting the files.
New Adylkuzz Malware attack uses the same tools which were used by WannaCry Ransomware – (EternalBlue for instance) which were released by The Shadow Brokers back in April. Eternal Blue code scans a network to find computers running the Microsoft SMB v1.0 protocol service (open TCP ports 139 and 445 along with UDP ports 137 and 138). When found it can then install the malware. Adylkuzz is infecting thousands of computers around the Globe. Microsoft released a Security patch back in March which addressed the SMB vulnerability. Last week Microsoft also released further Windows Security Patches for Windows systems going back to Windows XP. Microsoft’s Windows Security Updates will stop the spread of WannaCry and Adulkuzz, once the Security Patches have been installed and the system rebooted. At the bottom of this post, you will find links to the official Microsoft Patches.
This new AdylKuzz Malware does not request any ransom from the owner of the infected computer. It does it’s processing in the background. One interesting aspect about the way that Adylkuzz works is that once it infects a computer it then disables the SMB v1.0 protocol. That move prevents any other Malware from infecting the computer. Adylkuzz may very well have protected thousands of computers around the globe from becoming infected by WannaCry Ransomware because Adylkuzz it is believed has been running in the wild on the internet for many weeks and before the WannaCry attack was launched.
Adylkuzz essentially is a Cryptocurrency Miner. Apparently, it is being reported that Adylkuzz does not damage any files. A lot of people use their powerful computers to do Cryptocurrency Mining. Cryptocurrency like Monero and Bitcoin is essentially untraceable Internet money which can be converted to a National Currency or used directly on the Internet. Adylkuzz mines the Monero Cryptocurrency. Once installed on the infected computer it will start to use computer resources. On an older slow PC, the end user will notice a dramatic slowdown. On a Top End fast PC there will be a far less noticeable slowdown. What will be dramatically affected, will be one’s useable internet bandwidth. Downloads and even web page loading will take longer. Watching internet videos will be affected with slowdowns.
To prevent being infected by either WannaCry or Adylkuzz one needs to make sure that any Microsoft Windows Security Updates have been installed. Yes, one can manually disable the SMB v1.0 protocol on a PC, but the Microsoft Security Patches also patch other holes and vulnerabilities in the Windows Operating Systems. Install the Windows Security Patches. Also make sure to Update any and all of your Computer Security software like your Firewall, Anti-Virus, and Anti-Malware software. Then consider buying an external hard drive (if you do not already have one) and start backing up your data. Having a daily Backup of your data files costs far less than having to pay Ransomware, should your PC become infected.
The following was posted by Anonymous on their YouTube channel TORnado – Anonymous France. Permission to share was posted on their YouTube channel along with the video linked to below,: “Published on May 17, 2017
Greetings citizens of the world,
We are Anonymous.
This is a new warning about a massive hack.
Following the attack “WannaCry Ransomware”, a much larger hack was discovered.
Much more vicious, better hidden and bringing much more money to black-hats hackers, this massive virus is called “Adylkuzz” and simply uses the same flaw as WannaCry.
This is once again a computer tool stolen from the NSA.
But this time it is not your data that is affected but your entire computer that through the rat, will become a minor zombie of crypto-currency.
For the moment of what we, Anonymous know, here is the process:
The virus enters the computer with DoublePulsar and EternalBlue, via the MS17-010 fault on the TCP port 445 as the previous “WannaCryptor” but there will be nothing on the screen. You will not even know that you are infected.
Then the hack will begin to mining the cryptomony with your machine, ie you will produce virtual currency of type “Monero”, similar to the famous bitcoin without
You know it and free for hackers you do not know.
Knowing that the mining uses the abilities of the PC, the victim then undergoes slowdowns which causes a malfunction of the computer.
Several hundred thousand people would already be in this case, that’s why we’re alerting you once again. It seems that “WannaCry” was only the part of the iceberg, stay alert, update your Windows and keep your antivirus.
On our side we follow different tracks to find these hackers. Already about 40,000 dollars in Monero have recently been discovered probably the money gained through the hack.
The cryptomontee is thus once again likely to have a bad image in the media whereas this currency remains a practical and anonymous means to buy or give money.
Now calls to the Anonymous, it’s time to stop these criminals and help those affected or not knowing how to protect themselves.
The NSA can not even protect its own data, so we can only count on ourselves.
In any event,
We’re Anonymous,
We are Legion,
We do not forget,
We do not forgive,
Rogues, thieves, whoever you are,
Expect us.
The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:
Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to always create daily backups
WannaCry Ransomware is continuing the spread around the globe. Some have even called it the start of a CyberWar. Russian President Putin is apparently blaming the U.S. for creating the tool set. Microsoft is apparently pointing that it is the stolen software tools from the N.S.A (National Security Agency).
The following is a paragraph from Brad Smith’s post:
“All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.“
Kudos go out to Microsoft for providing the Security Update for Windows XP:
Click on this Link to visit the Wall Street Journal website to read their post “Cyberattack Is Likely to Keep Spreading“. In the post they state that WannaCry Ransomware has spread to over 150 countries. Yesterday I had checked a tracking site which stated that over 230,000 computers had been hit with WannaCry. The Tracker only keeps track of those PCs which were still connected to the internet.
WnnaCry Version 2Ransomware is out. I had mentioned it in a prior post. The main difference is that the Kill SwitchCode has been removed. It is still a Worm which can spread across a Windows Server-based network, using the SMB v1.0 protocol.
In the video below the actual Binary Code of the WannaCry V2Ransomware is run in a virtual environment.
First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.
Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers. and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.
As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.
For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, Scroll to find the SMB 1.0/CFIS File Sharing Support line. Make sure to clear the checkbox on the SMB1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.
For Windows Server Operating Systems:Open Server Manager. Find and click on the and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down and find and clear the SMB1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows Server.
You should be looking out for the some of the following: Use of file sharing protocol versions, especially SMB v1.0. Activity spikes, like File Renames or New File Creation. Multiple Workstations connecting to the same external IP address.
Keep an eye out for instances of the file “@Please_Read_Me@.txt” on your file shares. Also check for any instances of files with these extensions: “.wnry“, “.wcry“, “.wncry” and “.wncryt“.
The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:
On May 12 2017, a new Ransomware was released on the Internet. It utilized some of the code found in the Cyber Weapons and also a Malware called WannaCry. Hundreds of thousands of computers around the globe got hit. Then a kill switch was set off which dramatically slowed and possibly will stop the Ransomware from spreading further.
Stop the presses. A new version 2 of the WannaCry Malware is now out, which no longer has the Kill Switch code. That will make it difficult to stop.
In Windows go to Control Panel. In Control Panel go to the icon labeled “Programs”. Click on it. Then under Programs and Features click on Turn Windows Features on and off. Once there, just scroll down till you find SMB 1.0/CIFS File Sharing Support. Make sure the checkbox to the left of SMB 1.0 is “NOT” checked off. Then click OK and then close control Panel. Reboot the computer.
Another way to do it is to key in a Powershell command. That is like a super DOS Prompt. Open a Powershell Window and key in the following (but not the Quotes):
Press Enter and you should be good to go after you reboot the computer. I would double check in ControlPanel. Better safe than sorry.
Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.
To obtain the current state of the SMB server protocol configuration, run the following cmdlet:
You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet. But I would restart the computer.
To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor. Windows PowerShell 2.0 or a later version of PowerShell
To disable SMBv1 on the SMB server, run the following cmdlet:
Note you must restart the computer after you make these changes.
REGISTRY. To enable or disable SMBv1 on the SMB server, configure the following registry key: Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Restart the computer after making the changes to the Registry.
How to enable or disable SMB protocols on the SMB client Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 To disable SMBv1 on the SMB client, run the following commands: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:
One final note which is bugging me. People are saying that this Ransomware is a “VIRUS“. WannaCry Ransomware is “NOT” a Virus. The WannaCry Ransomware is a vastly more complex computer “WORM“, hence it’s ability to find Windows computers connected to a network.
Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. The WannaCry Malware has already been changed (minus the Kill Switch). Disabling SMB may not prevent future versions from affecting your computer. Best Practice is to always create daily backups
River Beach is a small town in Florida, of less than 40,000 people. The City Council in Riviera Beach agreed to pay a $600,000 ransom to hackers who encrypted files on their computers. In hindsight it would have been cost effective to hire a couple of IT guys to go around and apply the Microsoft Security patches to all the computers used by River Beach.
When the Security Patches were being applied, the IT guys could also discuss Phishing emails as most people are not even aware what a Phishing email is. It is not just small cities that fall for Phishing emails. The accounting departments of huge Tech firms have sent out cheques worth Millions of dollars because of fake Phishing emails.
There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware).
A number of attacked city systems had “not” updated “all” their computers with suggested Security Updates. Some of their Operating Systems and Server System software go back to days of Windows 7. The often quoted statement is that they did not have the IT resources to get Security Updates installed on all the computers.
One area which IMHO require more training is Phishing Attacks. That is the use of fake emails sent to emails which are part of a city’s system. The fake email will ask the receiver to click on a link. If the receiver clicks on the link they will link to one of the Hacker’s Command and Control Servers, which will then upload the Ransomware to the receiver’s computer. The Ransomware will be started and spread to the System Servers and to all the other computers. Once running on a computer, the Ransomware will start to Encrypt data files using a secret key. Next messages will pop up on infected computers telling them that their files have been encrypted and that they have so many days to pay a Ransom to get the key to be able to un-encrypt their files.
If the main Servers have Security Updates installed then the Ransomware will not spread. Also, if the System Admins have been doing daily backups, they may be able to recover the Servers using their backup files. They would still have to deal with individual end user computers which were infected.
The “key” is training End Users to not open emails from unfamiliar people. If opened, then the end user should not click on any links and they should immediately contact their IT Support Team. Unfortunately in real life, that is easer said than done.
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
Restrict execution of powershell /WSCRIPT/ PSEXEC / WMIC in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
Establish a Sender Policy Framework (SPF),Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations. Enforce application whitelisting on all endpoint workstations.
Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
WannaCry Ransomware paved the way by showing how to quickly spread across the Global Internet. It focused on on a vulnerability with Windows SMB which had been there for years and only exploited by Nation State employed Hackers.
It is basically a Worm which was first spread by malicious XL spreadsheets. Once on a network it stays in memory and as such is no so easy to detect and protect against. It looks like it is also focusing on the Windows SMB protocol and the Ports which support SMB.No wonder the focus on SMB as Petya use EternalBlue code as did WannaCry
My big fear is that Banks and Financial Institution had been targeted by Petya Ransomware. If it infects a large number of Banks then we could possibly see a Major Banking Crisis. It might be an idea to keep some cash on hand, in a safe place. Because it operates as Worm Code it is hard to detect and eliminate.
I will prepare a full review later this week. In the meantime the following are links which will shed light on what is happening. Some of the protective measures which stopped WannaCry Ransomware in it’s tracks, like disabling SMB ports, could also work to stop or slow the spread of Petya Ransomware.
Petya Ransomware could be called WannaCry V3 as it is using the same EternalBlue/ DoublePulsar code. It starts running via a Windows DLL. In the video below Colin runs Petya on a computer to be able to study it.
WannaCry Ransomware seems to have appeared out of the blue. Because of it thousands of people have searched the internet to find out how to disable SMB on their Microsoft Windows based Servers and Workstations and Personal Computers. Thousands had dropped by Uniquely Toronto to read out posts which provided details on ways to disable SMB v1.0.
Now Adylkuzz is running another major attack which is underway and uses the SMB vulnerability in Windows.
There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware)
“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 (link is external) and 204279 (link is external).”
Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Please install the Microsoft Windows MS17-010 Security Update (see link above). Best Practice is to also always create daily backups
