General Category > General Discussion

Global virus.

(1/2) > >>

Johyn:
Greets!

I was just wonderin if you had any coments or views about the global hackin atack governments are victims at the moment?

Curson:
Hi Johyn,

Adlice Software released the following declarations :

--- Quote from: RogueKiller#facebook.com 12/05/2017@21:55 ---This is happening right now! #WannaCry #Ransomware uses #CIA exploit to propagate inside corporate networks.
Spread by #Necurs spambot, it has infected more than 45000 machines worldwide in a few hours!
More than ever, don't open Office attachments from unknown senders, and don't activate macros.

Edit: the largest ransomware infection. Ever. In history.
--- End quote ---

--- Quote from: RogueKiller#facebook.com 13/05/2017@09:11 ---In case you missed it, the malware is stills massively spreading, has hit train stations in Russia, and many companies are paralyzed because of it. Has infected 100k machines in 12 hours.
--- End quote ---

The malware is worm-like and uses a vulnerability in Windows SMBv1 protocol implementation to spread.
Ransomware WannaCry make use of a slightly modified version of ETERNALBLUE, an alleged NSA exploit.

Microsoft patched this vulnerability on March 2017 (KB4013389) on Windows Vista operating system and later but Windows XP and Windows Server 2003 were left unpatched.
Due to the conviction that the malware uses these older systems as infection pools, Microsoft released emergency patches for these (KB4012598) :

--- Quote from: Microsoft ---"Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download."
"This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind."
--- End quote ---

It is strongly advised to install these patches as soon as possible and, if is not possible, to disable SMBv1 support on concerned systems.

Regards.

Johyn:
Thanks. No clues about the origin of that malware? Nation, organisation, individual?

Curson:
Hi Johyn,

There is no official claims yet, but there is a high probability it's operated by a group of inexperienced malware authors.
WannaCry is pretty amateurish since it doesn't generate Bitcoins addresses per infected machine and currently make use of a kill-switch feature that was succesfully used by security researcher MalwareTech to stop the malware spread for the time being.

Version 1.0 of the malware, which was spotted on the wild on April 25, were hosted on Dropbox Cloud architecture. This made the removal of the binaries very easy.

Regards.

Johyn:
Ok, thxs for you!

Navigation

[0] Message Index

[#] Next page

Go to full version