Tagged: WannaCrypt

Global spread of WannaCry Ransomware – Mon May 15 2017

Video is courtesy of the NIC Webcast YouTube channel

WannaCry Ransomware is continuing the spread around the globe. Some have even called it the start of a CyberWar. Russian President Putin is apparently blaming the U.S. for creating the tool set. Microsoft is apparently pointing that it is the stolen software tools from the N.S.A (National Security Agency).

Click on this link to visit the Kaspersky Lab SecureList blog site to read their detailed coverage titled “WannaCry ransomware used in widespread attacks all over the world”

I’m going to try something new, by featuring links to current news and major website posts related to the Global spread of WannaCry Ransomware:

Click on this link to visit the Microsoft Blog to read their post titled: “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack” by Brad Smith – President and Chief Legal Officer.

The following is a paragraph from Brad Smith’s post:
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.

Kudos go out to Microsoft for providing the Security Update for Windows XP:

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Click on this Link to visit the Wall Street Journal website to read their post “Cyberattack Is Likely to Keep Spreading. In the post they state that WannaCry Ransomware has spread to over 150 countries. Yesterday I had checked a tracking site which stated that over 230,000 computers had been hit with WannaCry. The Tracker only keeps track of those PCs which were still connected to the internet.

Click on this Link to visit The Telegraph news site to read their post “Cyber attack latest: Vladimir Putin blames US for hack as thousands more computers hit by ransomware“.

Click on this Link to visit the CyberSecurity Firm Malwaretech to view their live tracker for WannaCry / WannaCrypt.

Click on this Link to visit the Yahoo Tech site to read the Associated Press article “The Latest: 29,000 Chinese institutions hit by cyberattack“.

Click on this link to visit the Associated Press news site to read their article “Log in, look out: Cyber chaos may grow at workweek’s start.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Running demo of WannaCry v2 Ransomware Binary

WnnaCry Version 2 Ransomware is out. I had mentioned it in a prior post. The main difference is that the Kill SwitchCode has been removed. It is still a Worm which can spread across a Windows Server-based network, using the SMB v1.0 protocol.

In the video below the actual Binary Code of the WannaCry V2 Ransomware is run in a virtual environment.

Video is courtesy of the Colin Hardy YouTube channel.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.

First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.

Click on this link to visit the SANS Institute InfoSec Reading Room, to D/L their helpful PDF about backup sets, titled “Backup Rotations – A Final Defense”.

Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers. and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.

Click on this link to view a map of the spread of the WannaCry Ransomware attack – so far over 230,000 computers have been hit.

As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.

For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, Scroll to find the SMB 1.0/CFIS File Sharing Support line. Make sure to clear the checkbox on the SMB1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.

For Windows Server Operating Systems: Open Server Manager. Find and click on the and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down and find and clear the SMB1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows  Server.

Once your Windows Server-based Network is back up and running, start your Network Monitoring tool(s) and Packet Sniffing tool(s). Wireshark is well known. Microsoft Message Analyzer is the replacement for Microsoft’s Network Monitor. SmartSniff is another one. NAST (Network Analyzer Sniffer Tool)  is popular. Capsa Free Network Analyzer allows you to monitor over 300 different protocols.

Click on this link to visit Microsoft’s Technet website to view their post titled: “Microsoft Message Analyzer Operating Guide”.

You should be looking out for the some of the followingUse of file sharing protocol versions, especially SMB v1.0. Activity spikes, like File Renames or New File Creation. Multiple Workstations connecting to the same external IP address.

Keep an eye out for instances of the file@Please_Read_Me@.txton your file shares. Also check for any instances of files with these extensions:.wnry,.wcry,.wncryand.wncryt“.

Video is courtesy of the DAHBOO77 YouTube channel

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

Click on this link to download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Link to the important Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

Disclaimer: The above post is subject to change without notice. There may be unintentional errors in the above post.