What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
ZDNet.webp 2017-05-15 10:05:00 New WannaCrypt ransomware variant discovered in the wild (direct link) The global ransomware campaign may not be anywhere close to over yet. Wannacry
Pirate.webp 2017-05-15 09:19:49 Bitdefender blocks the world's most aggressive ransomware with its latest-generation detection technologies (direct link) Users currently threatened by the global ransomware attack targeting Windows computers in more than 70 countries can protect their systems with security solutions such as Bitdefender, as well as by applying Microsoft's latest security updates, according to experts. The WannaCry ransomware encrypts the files on the infected PC. The hackers demand a ransom to recover the encrypted files. Wannacry
ComputerWeekly.webp 2017-05-15 09:01:20 MPs and peers urged not to use personal email as WannaCry spreads (direct link) MPs and peers have been warned not to use personal emails on parliamentary Windows computers in the wake of the WannaCry ransomware outbreak Wannacry
Korben.webp 2017-05-15 08:48:43 WannaCry – Well, cry now (direct link) What, I haven't talked about WannaCry on this blog even though TF1 and BFM have covered it? Well, sorry, but I was at a wedding and spent my weekend on the road and partying ;-) But I know some of you had a bad > Read more This marvellous and unequalled article entitled: WannaCry – Well, cry now; was published on Korben, the only site that loves you more than your parents. Wannacry
Mandiant.webp 2017-05-15 08:01:01 WannaCry Ransomware Campaign: Threat Details and Risk Management (direct link) UPDATE 3 (May 17 – 7:00 p.m. ET) We observed the emergence of a new WannaCry variant with the internet-check URL www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing. A bug in the code logic causes the malware to actually query www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test. The malware will encrypt your files only if it cannot contact this domain (specifically, if it cannot make a successful HTTP request to the resolution of the domain). Security researchers were able to register these “killswitch” domains for previous variants to stop encryption; however, this particular domain Ransomware Malware Threat Wannacry ★★★
TroyHunt.webp 2017-05-15 07:47:37 Don't tell people to turn off Windows Update, just don't (direct link) You know what really surprised me about this whole WannaCry ransomware problem? No, not how quickly it spread. Not the breadth of organisations it took offline either and no, not even that so many of them hadn't applied a critical patch that landed a couple of months earlier. It was Wannacry
01net.webp 2017-05-15 07:43:54 WannaCry ransomware: its impressive toll in eight figures (direct link) Since Friday, many PCs have fallen victim to a ransomware. Three days on, what is the first tally of the WannaCry virus? Wannacry ★★★★
bleepingcomputer.webp 2017-05-15 06:55:40 WannaCry Ransomware Version With Second Kill Switch Detected and Shut Down (direct link) On Sunday, security researchers detected a second WannaCry version that featured a different kill switch domain, which they quickly moved to register and sinkhole, preventing further damage. [...] Wannacry
ComputerWeekly.webp 2017-05-15 05:45:40 Businesses urged to apply Windows patch to avert WannaCry attacks (direct link) Security advisers are urging organisations to patch their Windows systems to avert a possible second wave of an unprecedented, indiscriminate ransomware attack Wannacry
SANS.webp 2017-05-15 05:21:19 WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th) (direct link) The ransomware was first noticed on Friday and spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow]. A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released for Windows Vista, Windows Server 2008 and later versions of Windows as part of MS17-010 in March [MS17-010]. In response to the rapid spread of WannaCry, on Friday Microsoft released a patch for older versions of Windows, going back to Windows XP and Windows Server 2003 [msft]. At the time of the initial WannaCry outbreak, we also noticed a significant increase in scanning for port 445 [port445]. The increase was likely caused by infected systems scanning for more victims. It is not clear how the infection started. There are some reports of e-mails that include the malware as an attachment seeding infected networks, but at this point no actual samples have been made public. It is possible that the worm entered a corporate network via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself has no e-mail component. The malware will first check if it can reach a specific website at http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It will also check if a registry key is present. It will not run if either the registry key is present or the website is reachable. The domain has been registered and a web server has been set up by a security researcher. This significantly reduced the impact of WannaCry. A tool was released that will assist in setting the registry keys, which will also reduce the risk of infection.
Over the weekend, reports indicated that new versions of the worm were spreading that used slightly different kill switches, but all current versions check a website and check for registry keys. The malware creates a 2048-bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the public user key. To decrypt the files, the user's private key needs to be decrypted, which requires the malware author's private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password WNcry@2ol7 is not used to encrypt files. It is only used by the malware to decrypt some of its components [endgame]. Encrypted files use the extension .wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week. In addition to encrypting files, the malware also installs a DOUBLEPULSAR back door. The backdoor could be used to compromise the system further. The malware will also install Tor to facilitate communication with the ransomware author. New variants have been reported over the weekend with slight changes to the kill switch domain and registry keys. We expect to reduce the Infocon back to green on Monday. What can you do to prevent infection? Apply MS17-010 to Windows Vista and later (Windows Server 2008 and later); apply Friday's patch to Windows XP or Windows Server 2003; verify correct patch application; make sure the kill switch domain is reachable from your network without a proxy, and if not, set up an internal DNS sinkhole; deploy the registry key inoculation [terstopper]; disable SMBv1; make sure systems are running up-to-date anti-malware. Indicators of Compromise: https://www.us-cert.gov/ncas/alerts/TA17-132A PowerPoint fo Wannacry
01net.webp 2017-05-15 04:52:55 WannaCry ransomware: the most unusual victims (direct link) Among WannaCry's victims are Renault, FedEx and Telefonica... but not only them. Advertising billboards, ATMs and railway station display boards were also hit. FedEx Wannacry ★★★★★
01net.webp 2017-05-15 02:34:24 The WannaCry ransomware is indirectly the work… of the NSA (direct link) The global hacking campaign once again raises the problem of hacking tools being created by government agencies. Wannacry ★★★★★
bleepingcomputer.webp 2017-05-15 02:01:10 With the Success of WannaCry, Imitations are Quickly In Development (direct link) With the successful launch of the WannaCry Ransomware last Friday, ransomware developers are being quick to release their own imitations. As of today, I found 4 different WannaCry knockoffs in various forms of development. Let's take a look at what they have to offer. [...] Wannacry ★★
The_Hackers_News.webp 2017-05-15 01:59:43 WikiLeaks Reveals 'AfterMidnight' & 'Assassin' CIA Windows Malware Frameworks (direct link) When the world was dealing with the threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform. Dubbed "AfterMidnight" and "Assassin," both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows Wannacry
no_ico.webp 2017-05-15 01:00:52 Don't WannaCry? Here Are Some Tips To Protect Yourself From Ransomware (direct link) Don't WannaCry? Here Are Some Tips To Protect Yourself From Ransomware Wannacry
NakedSecurity.webp 2017-05-14 21:12:15 WannaCry benefits from unlearned lessons of Slammer, Conficker (direct link) We've been here before with malware - so why was WannaCry able to cause such havoc around the world? Wannacry
bleepingcomputer.webp 2017-05-14 21:00:08 Microsoft Exec Blames WannaCry Ransomware on NSA Vulnerability Hoarding Program (direct link) Microsoft's Chief Legal Officer Brad Smith has penned a blog post today, accusing the NSA of stockpiling exploits, failing to protect its hacking tools, and indirectly causing the WannaCry ransomware outbreak. [...] Wannacry
NetworkWorld.webp 2017-05-14 20:06:41 Microsoft blames US stockpiled vulnerability for ransomware attack (direct link) Microsoft on Sunday said a software vulnerability stolen from the U.S. National Security Agency has affected customers around the world, and described the spread of the WannaCrypt ransomware on Friday in many countries as yet another example of the problems caused by the stockpiling of vulnerabilities by governments. Referring to the attack as a “wake-up call,” Microsoft's President and Chief Legal Officer, Brad Smith, wrote in a blog post that governments have "to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits." The ransomware, also called WannaCry or Wana Decryptor, works by exploiting a vulnerability in some older versions of Windows. It has been suspected for some time now that the malware came from a cache of hacking tools reportedly stolen by the hacking group Shadow Brokers from the NSA and leaked on the internet. WannaCry is said to take advantage of an NSA hacking tool, called EternalBlue, that can make it easy to hijack unpatched older Windows machines. Wannacry
Checkpoint.webp 2017-05-14 18:29:09 WannaCry – Paid Time Off? (direct link) Let us open with a TL;DR – DO NOT pay the ransom demanded by the WannaCry ransomware! Now, let us explain why: As of this writing, the 3 bitcoin accounts associated with the WannaCry ransomware have accumulated more than $33,000 between them. Despite that, not a single case has been reported of anyone receiving their […] Wannacry
securityintelligence.webp 2017-05-14 17:05:24 WannaCry Ransomware Spreads Across the Globe, Makes Organizations Wanna Cry About Microsoft Vulnerability (direct link) The operators of malware known as WannaCry/WanaCrypt0r 2.0 are believed to have caused the biggest ransomware attack ever recorded. Wannacry
The_Hackers_News.webp 2017-05-14 11:32:50 WannaCry Kill-Switch(ed)? It's Not Over! WannaCry 2.0 Ransomware Arrives (direct link) If you are following the news, by now you might be aware that a security researcher has activated a "Kill Switch" which apparently stopped the WannaCry ransomware from spreading further. But it's not true, nor is the threat over yet. However, the kill switch has just slowed down the infection rate. Updated: Multiple security researchers have claimed that there are more samples of Wannacry
NetworkWorld.webp 2017-05-14 09:17:00 New WannaCry ransomware variants: Patch old PCs now to avoid becoming a victim (direct link) Monday is going to suck for some folks, those who run old, unsupported Windows systems which are vulnerable to WannaCry ransomware, if they didn't put in some weekend time applying security updates. In response to the massive global ransomware attack on Friday, Microsoft took the “highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.” Europol chief Rob Wainwright told the BBC, “Companies need to make sure they have updated their systems and 'patched where they should' before staff arrived for work on Monday morning.” Wannacry
bleepingcomputer.webp 2017-05-14 08:00:18 Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes (direct link) The WannaCry ransomware — also known as WCry, Wana Decrypt0r, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow. [...] Wannacry
SANS.webp 2017-05-13 23:51:27 Microsoft Released Guidance for WannaCrypt, (Sat, May 13th) (direct link) Microsoft released information on what can be done to protect against WannaCry[1], which includes deploying MS17-010 if not already done (March patch release)[2], updating Windows Defender (updated 12 May)[3] and, if not using SMBv1, disabling it (instructions available here[4]). Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Note: If you are running Windows 10, you are not targeted by this attack. A live map of the infection is available here[5]. Update 1: There is additional information including hashes, CC sites as well as the file types it will encrypt and samples located here. US-CERT released the following information on Indicators Associated With WannaCry Ransomware here[7]. Update 2: There are reports that indicate that WannaCry VERSION 2 has been released and the kill switch that had been activated by a security researcher has been removed. If you haven't already applied MS17-010 and blocked inbound SMB traffic, you can still fall victim to this ransomware. [1] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks [2] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx [3] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt [4] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 [5] https://intel.malwaretech.com/WannaCrypt.html [6] https://gist.github.com/pcostesi/87a04a3bbbdbc4aeb8b787f45eb21197 [7] https://www.us-cert.gov/ncas/alerts/TA17-132A [8] http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html ----------- Guy Bruneau IPSS Inc. Twitter: GuyBruneau gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Wannacry
SecurityWeek.webp 2017-05-13 22:53:20 Microsoft Issues Emergency Patch in Response to Massive Ransomware Outbreak (direct link) WannaCry Ransomware Exploits Windows SMB Vulnerability, Microsoft Issues Fix to Protect Outdated Systems Wannacry ★★
The_Hackers_News.webp 2017-05-13 22:10:15 WannaCry Ransomware That's Hitting World Right Now Uses NSA Windows Exploit (direct link) Update - We have published another article with more detailed information on the WannaCry ransomware attack that has become the largest ransomware attack in history within just a few hours. Moreover, if you are using an unsupported version of the Windows operating system, you are advised to either upgrade to Windows 10 or install the latest emergency patch issued by Microsoft for Windows XP, Wannacry
AlienVault.webp 2017-05-13 17:17:00 Making Sense of WannaCry (direct link) Whenever a calamity befalls, it's only natural for people to try to rationalise and identify the problem, as is now happening with the WannaCry ransomware outbreak that affected the UK's NHS and other services in over 100 countries. People are discussing what should have been done to prevent it. On one hand, there's a debate ongoing about responsible disclosure practices. Should the NSA have "sat on" vulnerabilities for so long? Because when Shadowbrokers released the details it left a small window for enterprises to upgrade their systems. On the other hand, there are several so-called “simple” steps the NHS or other similar organisations could have taken to protect themselves; these would include upgrading systems, patching systems, maintaining support contracts for out-of-date operating systems, architecting infrastructure to be more secure, and acquiring and implementing additional security tools. The reality is that while any of these defensive measures could have prevented or minimised the attack, none of them is easy for many enterprises to implement. Also, none of these are new discussions or challenges. Most security professionals have witnessed these same occurrences, albeit not on as wide a scale, for many years. Sometimes the infrastructure or endpoint devices aren't all controlled by IT. Also, patching or updating a system can sometimes lead to other dependent applications breaking or having other issues. For example, the operating system can't be updated until another vendor updates their software, which in turn can't be updated until an in-house custom application is updated. There are many other technical nuances, but it boils down to risk management. And oftentimes, if systems are working as desired with no issues, then they will be kept running as such, especially where the cost of upgrading is a taxpayer expense.
That's not to say security measures shouldn't be implemented. In an ideal world it would be good to see no legacy systems, regular patching, and securely architected infrastructure. Unfortunately, that is the exception for most companies, not the rule. So while it's easy to simply say that the government should have put more money into systems, it's more a case of the senior decision-makers and purse-string holders weighing risks: understanding the exposure they have, the pros and cons, and the potential impact. Only then can decisions be made that can result in meaningful change. This should include addressing the root causes of the WannaCry outbreak and other threats. It's inevitable there will be copycats soon, with it being trivial to replace the transport mechanism (the SMB worm) with a new payload (variant of ransomware). But more could be done. Australia is notable for its success in enforcing higher-than-average security across government. Departments are mandated to enforce four technical controls. The first attacks would have been limited by the first two controls: application whitelisting and regular patching. Enforcing these controls on legacy systems requires a significant investment in personnel. That's not to say stricter legislation is the answer. However, blaming companies for not patching, or running legacy systems, or asking that intelligence agencies cease cyber activities is not going to fix the issues. Guideline Wannacry
Kaspersky.webp 2017-05-13 15:30:30 Microsoft Releases XP Patch for WannaCry Ransomware (direct link) Microsoft has taken the extraordinary step of providing an emergency update for unsupported Windows XP and Windows 8 machines in the wake of Friday's WannaCry ransomware outbreak. Wannacry
The_Hackers_News.webp 2017-05-13 14:44:39 Protect Against WannaCry: Microsoft Issues Patch for Unsupported Windows (XP, Vista, 8,...) (direct link) Update - If you are thinking that activating the kill-switch has completely stopped the WannaCry Ransomware, then you are mistaken. WannaCry 2.0 version has just arrived without any 'kill-switch' function. Get prepared for the next massive wave of ransomware attacks. In the wake of the largest ransomware attack in history that had already infected over 114,000 Windows systems Wannacry
SANS.webp 2017-05-13 12:50:53 Has anyone Tested WannaCry Killswitch? - https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/, (Sat, May 13th) (direct link) Guy Bruneau IPSS Inc. Wannacry
NetworkWorld.webp 2017-05-13 12:14:00 Old Windows PCs can stop WannaCry ransomware with new Microsoft patch (direct link) Users of old Windows systems can now download a patch to protect them from this week's massive ransomware attack. In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003 and Windows 8 -- all of them operating systems for which it no longer provides mainstream support. Users can download and find more information about the patches in Microsoft's blog post about Friday's attack from the WannaCry ransomware. The ransomware, which has spread globally, has been infecting computers by exploiting a Windows vulnerability involving the Server Message Block protocol, a file-sharing feature. Wannacry
F-Secure.webp 2017-05-13 10:09:08 WCry: Knowns And Unknowns (direct link) WCry, WannaCry, Wana Decrypt0r. I'm sure at this point you've heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here's what we know, and don't know. WCry has currently made a measly $25,000 They now made […] Wannacry
Blog.webp 2017-05-13 09:22:35 WannaCryptor: XP, Win8, WinServer 2003 patches (direct link) Even XP, Windows 8, and Windows Server 2003 systems can now be patched against the vulnerability exploited by WannaCrypt. Patching is highly recommended! Wannacry
TroyHunt.webp 2017-05-13 08:56:42 Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware (direct link) I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry Wannacry
Pirate.webp 2017-05-13 08:53:45 The UK's National Health Service attacked by the WannaCry ransomware (direct link) FireEye press alert on the Wanna Decryptor ransomware campaign that has just affected several organisations, including the UK's National Health Service. Wannacry
bleepingcomputer.webp 2017-05-13 04:18:31 Wana Decrypt0r Ransomware Outbreak Temporarily Stopped By "Accidental Hero" (direct link) A security researcher that goes online by the nickname of MalwareTech is the hero of the day, albeit an accidental one, after having saved countless computers worldwide from a virulent form of ransomware called Wana Decrypt0r (also referenced as WCry, WannaCry, WannaCrypt, and WanaCrypt0r). [...] Wannacry
ESET.webp 2017-05-12 23:49:32 Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame (direct link) Ransomware called WannaCryptor spread rapidly around the world today, encrypting files in as many as 100 countries by using the leaked NSA EternalBlue SMB exploit. Wannacry
MalwarebytesLabs.webp 2017-05-12 22:02:24 The worm that spreads WanaCrypt0r (direct link) WanaCrypt0r is a ransomware infection that has spread through many corporate networks. Read a technical analysis of the worm that allowed it to do this. Categories: Malware, Threat analysis Wannacry
The_State_of_Security.webp 2017-05-12 22:01:37 Ransomware Attack – Am I Safe Against “Wana Decrypt0r”? (direct link) On Friday May 12th, the headlines were all about NHS UK trusts having been impacted by a severe cyber-attack. The nature of the attack is related to a strain of ransomware called “Wana Decrypt0r 2.0”, also known as Wannacryptor, WannaCry or wncry. As the news unfolded, reports revealed the NHS was not the only […] Wannacry
Symantec.webp 2017-05-12 20:50:09 What you need to know about the WannaCry Ransomware (direct link) WannaCry ransomware spreads aggressively across networks, holds files to ransom. Wannacry
Trend.webp 2017-05-12 20:39:36 Massive WannaCry/Wcry Ransomware Attack Hits Various Countries (direct link) Earlier this year, two separate security risks were brought to light: CVE-2017-0144, a vulnerability in the SMB Server that could allow remote code execution and was fixed in March, and WannaCry/Wcry, a relatively new ransomware family that spread via Dropbox URLs in late April. These two threats have now been combined, resulting in one of the most serious ransomware attacks to hit users across the globe. Post from: Trendlabs Security Intelligence Blog - by Trend Micro Wannacry
Checkpoint.webp 2017-05-12 19:08:39 Global Outbreak of WannaCry (direct link) [Updated May 15, 2017] On May 12, 2017 the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCry ransomware. We have reports that multiple global organizations are experiencing a large-scale ransomware attack which is utilizing SMB to propagate within their networks. To complicate matters there are a number of […] Wannacry
NetworkWorld.webp 2017-05-12 18:24:53 A 'kill switch' is slowing the spread of WannaCry ransomware (direct link) Friday's unprecedented ransomware attack may have stopped spreading to new machines -- at least briefly -- thanks to a "kill switch" that a security researcher has activated. The ransomware, called Wana Decryptor or WannaCry, has been found infecting machines across the globe. It works by exploiting a Windows vulnerability that the U.S. National Security Agency may have used for spying. The malware encrypts data on a PC and shows users a note demanding $300 in bitcoin to have their data decrypted. Images of the ransom note have been circulating on Twitter. Security experts have detected tens of thousands of attacks, apparently spreading over LANs and the internet like a computer worm. Wannacry
MalwarebytesLabs.webp 2017-05-12 18:07:55 WanaCrypt0r ransomware hits it big just before the weekend (direct link) Reports of two massive attacks in Europe by a ransomware that Malwarebytes detects as Ransom.WanaCrypt0r are dominating the news. Categories: Cybercrime, Malware Wannacry
AlienVault.webp 2017-05-12 17:58:00 Ongoing WannaCry Ransomware Spreading Through SMB Vulnerability (direct link) As of early this morning (May 12th, 2017), the AlienVault Labs team is seeing reports of a wave of infections using a ransomware variant called “WannaCry” that is being spread by a worm component that leverages a Windows-based vulnerability. There have been reports of large telecommunication companies, banks and hospitals being affected. Tens of thousands of networks worldwide have been hit and the attacks do not appear to be targeted at any specific region or industry. Once infected, victims are asked to pay approximately $300 in Bitcoin, and it appears the attackers have found people willing to pay. The AlienVault Labs team has created a Pulse in the Open Threat Exchange to share the indicators of compromise we have been able to obtain. These indicators can be used to help identify potential attacks in progress. One method of command and control and secondary installation has been sinkholed by security researchers; however, the attackers can still leverage a second communication mechanism via Tor. The WannaCry ransomware is using the file extension .wncry, and it also deletes the Shadow Copies, which is a technology introduced into the Microsoft platforms as far back as Windows XP and Windows Vista as the Volume Shadow Copy service. This means that even backup copies produced by this service, such as Windows Backup and System Restore, would be affected as well. The command observed is: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet (PID: 2292) The following file is also created on the affected systems: @Please_Read_Me@.txt Once it gets on a network, WannaCry exploits a known Microsoft Windows vulnerability (MS17-010) to spread. This vulnerability was released as part of the Shadow Brokers leaks back in April.
Microsoft released a patch for MS17-010 on March 14th. Administrators are advised to immediately upgrade any systems that do not have this patch to avoid potential compromise by WannaCry. So far the only confirmed vector of the attacks is through an SMB exploit, which provides a worm-like mechanism of spreading WannaCrypt. AlienVault USM Anywhere and USM Appliance are able to detect attempts to exploit this vulnerability via the following IDS signature released by AlienVault on April 18th: ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response. Yesterday we noted a sharp increase in external scans against our customers for the exploit, and we are investigating whether it is related to today's attacks. We will update this blog post as we discover more information about the ongoing situation. Wannacry
grahamcluley.webp 2017-05-12 17:54:08 WannaCry ransomware hits systems worldwide (direct link) The WannaCry ransomware is hitting organisations around the world - including the UK's National Health Service - assisted by a vulnerability that the NSA chose to keep secret from Microsoft. Wannacry
Kaspersky.webp 2017-05-12 17:32:57 Leaked NSA Exploit Spreading Ransomware Worldwide (direct link) Attackers behind today's WannaCry ransomware outbreak in Europe are spreading the malware using the EternalBlue exploit leaked by the ShadowBrokers. Wannacry
bleepingcomputer.webp 2017-05-12 17:24:40 WannaCry / Wana Decryptor / WanaCrypt0r Technical Nose Dive (direct link) Today was a big day for the WanaCrypt0r ransomware as it took the world by storm by causing major outbreaks all over the world. While BleepingComputer has covered these outbreaks in-depth, I felt it may be a good idea to take a technical look at the WanaCrypt0r ransomware for those in the IT field who have to support victims. [...] Wannacry
SANS.webp 2017-05-12 17:13:26 Massive wave of ransomware ongoing, (Fri, May 12th) (direct link) For a few hours, bad news has been spreading quickly about a massive wave of infections by a new ransomware called WannaCry. [infection map image, source: MalwareTech] Big targets have been telecom operators (e.g. Telefonica in Spain) and hospitals in the UK. Once the malware has infected a computer, it spreads across the network looking for new victims using the SMB protocol. The ransomware uses the Microsoft vulnerability MS17-010[1]. (This vulnerability was used by ETERNALBLUE[2].) Here are some IOCs that we already collected: SHA256, SHA1 and MD5 hashes of the samples, and the file extension .wncry. Ransomware notification: [screenshot of the ransom note] IDS signature: alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|";) Until now, the best protection is of course to patch your systems as soon as possible and keep your users aware of the new ransomware campaign to prevent them from opening suspicious emails/files. [1] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx [2] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/ We will update this diary with more information if available. Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant Wannacry
DarkReading.webp 2017-05-12 15:30:00 'WannaCry' Rapidly Moving Ransomware Attack Spreads to 74 Countries (direct link) A wave of ransomware infections took down a wide swath of UK hospitals and is rapidly moving across the globe. Wannacry
Last update at: 2024-05-13 13:08:13