Category: Ransomware

Marcus Hutchins, who had stopped the spread of WannaCry RansomWare, has apparently been arrested.

Marcus Hutchins works as a Cyber-Securty Researcher at Kryptos Logic. It was Marcus who had apparenlty stopped the spread of the WannaCry version 1 RansomWare. He found the Kill Switch after decompliing the WannaCry v1 code. Once he registered a Domain name found in the code, the spread of WannaCry V1 RansomWare slowed down dramatically. Soon after  WannaCry version 2, which removed the kill switch, was spotted on the Internet.

Marcus was in Vegad for the Black Hat and Def Con conferences. He was apparenly arrested after the confernces.

Clik on this line to visit the Motherboard Vice.com website to read more details about the apparent arrest of Marcus Hutchins.

Click on this link to visit The Telegraph newspaper website to read their post titled: “FBI arrests WannaCry hero Marcus Hutchins in Las Vegas”.

Click on this link to visit the BBC website and read to post titled: “NHS cyber-defender Marcus Hutchins arrested in US”.

Click on this link to view our prior coverage of the WannaCry Ransomware outbreak.

Advertisements

Ways to protect your computers from Petya Ransomware

Some CERT recommendations to better protect your computers from becoming infected by Petya Ransomware:

    • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
    • Applocker policies to block execution of files having name perfc.dat as well as psexec.exe utility from sysinternals.
    • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
    • Restrict execution of powershell /WSCRIPT/ PSEXEC / WMIC in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    • Establish a Sender Policy Framework (SPF),Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
    • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations. Enforce application whitelisting on all endpoint workstations.
    • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
    • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
    • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
    • Disable remote Desktop Connections, employ least-privileged accounts.

Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.

Posted by Vincent Banial

Find the Key needed to unencrypt a Hard Drive encrypted by Petya Ransomware

Click on this link to visit the GitHub site where Leo Stone has posted some code which might just figure out the key required to unencrypt a Hard Drive encrypted by Petya Ransomeware. He suggests to try finding the key using an image copy of the Petya encrypted Hard Disk,. That way the original may not be harmed.  

Disclaimer: if you use Leo Stone’s code and method, you do so at your own risk. Loe also suggested to make and use an image copy of the encrypted hard Drive so as not to potentially damage the original. Leo’s code may find the key, or it may not. Playing around with the encrypted Hard Drive may damage it to the point that even if you pay the Ransom, you may not be able to reteive your data from said hard drive. I again state that following Loe Stone’s method as posted on GitHub is done at your own risk. Do your own Due Diligence. You could lose all the data on the hard drive.

Posted by Vincent Banial

Petya Ransomware Major Global Attack

WannaCry Ransomware paved the way by showing how to quickly spread across the Global Internet. It focused on on a vulnerability with Windows SMB which had been there for years and only exploited by Nation State employed Hackers.

Petya Ransonware, as has been named by the Security Staff at Kaspersky Lab, learned much from the WannaCry outbreak. Petya Ransomware has spread to thousands of computers at major institutions across the Globe. Petya ransomware is just starting. This is a major Ransomware attack.

It is basically a Worm which was first spread by malicious XL spreadsheets. Once on a network it stays in memory and as such is no so easy to detect and protect against. It looks like it is also focusing on the Windows SMB protocol and the Ports which support SMB.No wonder the focus on SMB as Petya use EternalBlue code as did WannaCry

My big fear is that Banks and Financial Institution had been targeted by Petya Ransomware. If it infects a large number of Banks then we could possibly see a Major Banking Crisis. It might be an idea to keep some cash on hand, in a safe place. Because it operates as Worm Code it is hard to detect and eliminate.

I will prepare a full review later this week. In the meantime the following are links which will shed light on what is happening. Some of the protective measures which stopped WannaCry Ransomware in it’s tracks, like disabling SMB ports, could also work to stop or slow the spread of Petya Ransomware.

Click on this link to visit Krebs On Security to read their initial post about Petya.

Click on this link to visit the Kaspersky Lab post titled “Petya Ransomware eats your hard drives

Click on this link to visit the Securelist site to read their very detailed post about how Petya Ransomware functions.

Click on this link to visit the Check Point site to read their discussion of the Petya Ransomware worldwide outbreak.

Video is courtesy of the F-Secure YouTube channel

 Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.

Posted by Vincent Banial

Analysis of PETYA Ransomware running live on a computer

Petya Ransomware could be called WannaCry V3 as it is using the same EternalBlue / DoublePulsar code. It starts running via a Windows DLL. In the video below Colin runs Petya on a computer to be able to study it.

Video is courtesy of the Colin Hardy YouTube channel

WannaCry Ransomware infected Traffic Cameras in Australia and Honda’s Sayama factory

Posted by Vincent Banial

WannaCry Ransomware is far from dead. It is still out there on the internet, searching for more victims.

Uniquely Toronto recently had extensive coverage about WannaCry Ransomware and Security Patches and had links to Security Patches and steps to better Secure computers against WannaCry.

When Wannacry was first discovered, Automobile manufacturing plants had been affected after WannaCry infected the Auto Plant’s computers. Seems that the IT folks at a Hond Auto Plant in Japan have not been folllowing the Cyber Security news. WannaCry Ransomware infected Honda’s Sayama car production plant this week.

Click on this link to visit the Reuters News post about Wannacry being found on the computer newtwork at Honda’s Sayama car production plant this week.

Apparently the WannaCry Ransomware was also spread to over 50 Traffic cameras via a USB memory stick. That happened in Austalia. Since wannacry encrypts owner created files on a computer, I would assume it would encrypt any JPGS or video files created by the Traffic cameras. Interesting that it is being claimed that it was spread by the use of a USB Memory stick. A good question to ask, would be “Where has that USB stick been plugged into a computer which was connected to the main system network”. USB Memory sticks generally have to be plugged into a computer to acquire ransomware.

Video courtesy of the Rebas Rebas YouTube channel

Click on this link to visit the 3Aw News Radio Station’s post about wannacry infecting Traffice camera in Austalia.

Traffice cameras must be a huge money maker. The wannaCry ransomware infection was started apparently on June 6. So by June 22 at least 8,000 Traffic Tickets may be withdrawn because of the infection of the Traffic camera. Those cameras must generate huge amounts of money for the city and for insurance companies and for the court system of lawyers, judges and clerks. Nice money making scheme with possibly little impact on traffic safety. 8,000 tickets in two weeks!!!

Click on this link to visit the Canadian Global News page to read their post titled: “8,000 red-light camera traffic tickets withdrawn in Australia due to WannaCry virus”.

Altaro is offering a free ebook “Ransomware: A Survival Guide”

Click on this link to visit the Altraro website to Download their free ebook titled “Ransomware: A Survival Guide”. They ask for your name and email to be able to D/L. Just do a Google search on “Temp Email” to find a site which will give you a free temp email address, if you do not wish to give out your email address.

The Altaro eBook is a short, yet interesting read about Ransomware.

Altaro also have a much more detailed video about Ransomware on their YouTube channel (see below).

Video is courtesy of the Altaro Software YouTube channel

Posted by Vincent Banial

Running demo of WannaCry v2 Ransomware Binary

WnnaCry Version 2 Ransomware is out. I had mentioned it in a prior post. The main difference is that the Kill SwitchCode has been removed. It is still a Worm which can spread across a Windows Server-based network, using the SMB v1.0 protocol.

In the video below the actual Binary Code of the WannaCry V2 Ransomware is run in a virtual environment.

Video is courtesy of the Colin Hardy YouTube channel.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.

First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.

Click on this link to visit the SANS Institute InfoSec Reading Room, to D/L their helpful PDF about backup sets, titled “Backup Rotations – A Final Defense”.

Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers. and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.

Click on this link to view a map of the spread of the WannaCry Ransomware attack – so far over 230,000 computers have been hit.

As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.

For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, Scroll to find the SMB 1.0/CFIS File Sharing Support line. Make sure to clear the checkbox on the SMB1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.

For Windows Server Operating Systems: Open Server Manager. Find and click on the and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down and find and clear the SMB1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows  Server.

Once your Windows Server-based Network is back up and running, start your Network Monitoring tool(s) and Packet Sniffing tool(s). Wireshark is well known. Microsoft Message Analyzer is the replacement for Microsoft’s Network Monitor. SmartSniff is another one. NAST (Network Analyzer Sniffer Tool)  is popular. Capsa Free Network Analyzer allows you to monitor over 300 different protocols.

Click on this link to visit Microsoft’s Technet website to view their post titled: “Microsoft Message Analyzer Operating Guide”.

You should be looking out for the some of the followingUse of file sharing protocol versions, especially SMB v1.0. Activity spikes, like File Renames or New File Creation. Multiple Workstations connecting to the same external IP address.

Keep an eye out for instances of the file@Please_Read_Me@.txton your file shares. Also check for any instances of files with these extensions:.wnry,.wcry,.wncryand.wncryt“.

Video is courtesy of the DAHBOO77 YouTube channel

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

Click on this link to download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Link to the important Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

Disclaimer: The above post is subject to change without notice. There may be unintentional errors in the above post.