Windows 10: Ransomware attacks reported on Windows machines internationally

Discussion in 'Windows 10 News' started by Brink, May 11, 2017.

  1. Superfly Win User



    What I'd like to know is how they get files encrypted...

    Is UAC the weak link here?
    Let's say one adds a block of random bytes at certain offsets (including the header), not encryption as such, but that altered file needs to be saved in its corrupt state - can that be done as standard user?

    Edit..
    Yep, of course... was focusing on system files... which is not the case... need some coffee to wakey, wakey *chuckle
     
    Superfly, May 12, 2017
    #16
  2. dalchina New Member

    Hi, no issues with Avast... and I can't speak at all for their effectiveness other than what's on their site... just thought I'd give them a whirl. Cryptoprevent is updated periodically- the commercial version auto-updates. I've had that on my PC for months. The other one I came across recently.

    CryptoPrevent: Does it work? - Anti-Virus, Anti-Malware, and Privacy Software
     
    dalchina, May 12, 2017
    #17
  3. Fafhrd Win User
    This may give some idea how it works, Craig:

    From: The Rise of Locky: Dridex Crew Bets on Ransomware | Invincea
    Anatomy of a Locky Infection


    In Figure 3 below, we show the event timeline from Invincea’s Threat Management console for an attempted Locky infection. In this example, a Microsoft Word document attached to an email with a file name beginning with “invoice” was opened by a user protected by Invincea.

    [Figure 3: Invincea Threat Management console event timeline for the attempted Locky infection]

    The weaponized Word document – likely using malicious macro scripts – launched a program to drop and run Locky ransomware. Next, back-up versions of the OS were deleted, and the data was encrypted. Finally, the ransomware instructions were presented to the user and the original Trojan was deleted from the machine to defeat forensic analysis. Of course, none of these actions actually damaged the user’s computer or data because Invincea’s spear-phishing protection was in place.
     
    Fafhrd, May 12, 2017
    #18
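The Locky timeline Fafhrd quotes (Office document launches a program, the machine's shadow copies are deleted, data gets encrypted) is exactly the sequence a detection engineer watches for in process-creation telemetry. The script below is an added example, not code from Invincea or from anyone in this thread. It runs two simple rules over constructed process-creation records (host names, paths, the dropper file name and the field layout are all made up for the demo) and escalates when both stages appear on the same host.

```powershell
# Added example (not code from Invincea or from anyone in this thread): a small
# detection pass over process-creation records that models the Locky chain
# described above: an Office application spawning a command or script
# interpreter, then deletion of Volume Shadow Copies (the "back-up versions").
# Field names, hosts, paths and the dropper file name are constructed for this demo.
$events = @(
    [pscustomobject]@{
        Time = '09:01:10'; Host = 'WS-42'
        ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\example_dropper.exe"'
    },
    [pscustomobject]@{
        Time = '09:01:12'; Host = 'WS-42'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Users\alice\AppData\Local\Temp\example_dropper.exe'
        CommandLine = 'example_dropper.exe'
    },
    [pscustomobject]@{
        Time = '09:01:15'; Host = 'WS-42'
        ParentImage = 'C:\Users\alice\AppData\Local\Temp\example_dropper.exe'
        Image       = 'C:\Windows\System32\vssadmin.exe'
        CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet'
    },
    [pscustomobject]@{
        Time = '09:30:00'; Host = 'WS-07'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
        CommandLine = '"WINWORD.EXE" C:\Users\bob\Documents\notes.docx'
    },
    [pscustomobject]@{
        Time = '09:31:00'; Host = 'WS-07'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Windows\System32\vssadmin.exe'
        CommandLine = 'vssadmin.exe list shadows'          # benign admin use, must not fire
    }
)

$officeApps   = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'
$interpreters = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Test-OfficeSpawnsInterpreter {
    # Stage 1: the document's host application launching a shell or script engine.
    param([pscustomobject]$Record)
    $parent = [System.IO.Path]::GetFileName($Record.ParentImage)
    $child  = [System.IO.Path]::GetFileName($Record.Image)
    return ($officeApps -contains $parent) -and ($interpreters -contains $child)
}

function Test-ShadowCopyDeletion {
    # Stage 2: removing the restore points that would let the user recover without paying.
    param([pscustomobject]$Record)
    return ($Record.CommandLine -match '(?i)\bvssadmin(\.exe)?\s+delete\s+shadows') -or
           ($Record.CommandLine -match '(?i)\bwmic(\.exe)?\s+shadowcopy\s+delete')
}

function Find-RansomwareChain {
    param([object[]]$Records)
    $alerts = foreach ($r in $Records) {
        if (Test-OfficeSpawnsInterpreter $r) {
            [pscustomobject]@{ Time = $r.Time; Host = $r.Host; Rule = 'Office app spawned interpreter'; Detail = $r.CommandLine }
        }
        if (Test-ShadowCopyDeletion $r) {
            [pscustomobject]@{ Time = $r.Time; Host = $r.Host; Rule = 'Shadow copy deletion'; Detail = $r.CommandLine }
        }
    }
    # Escalate when both stages show up on the same host: that is the Locky-style sequence.
    $chains = foreach ($g in ($alerts | Group-Object Host)) {
        $rules = @($g.Group.Rule | Sort-Object -Unique)
        if ($rules.Count -ge 2) {
            [pscustomobject]@{ Time = $g.Group[0].Time; Host = $g.Name
                               Rule = 'CHAIN: Office -> interpreter -> shadow copy deletion'
                               Detail = ($g.Group.Detail -join ' | ') }
        }
    }
    $alerts
    $chains
}

Find-RansomwareChain -Records $events | Format-Table -AutoSize
```

On the constructed input, WS-42 produces both single-stage alerts plus the CHAIN escalation, while WS-07 (Word opened normally from Explorer, and an admin merely listing shadow copies) produces nothing. In a real deployment the records would come from Sysmon event 1 or Windows Security event 4688 with command-line auditing enabled; the rules are the same.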
  4. Superfly Win User


    Thanx Faf *Eek

    This thing is becoming a real concern.. we need to get to the bottom of it.
     
    Superfly, May 12, 2017
    #19
  5. jimbo45 Win User
    Hi there

    @Superfly and @Fafhrd

    Scrambled ASCII text based stuff doesn't need anything like Word Macros etc etc.

    The usual way is to scan / check email attachments -- but that is no good against a LOW TECH attack that doesn't use attachments, macros or anything else in Ms Office or equivalent.

    You can very easily code a binary file into a bog standard ASCII TEXT message so the email server won't recognize say an illegal inbound .exe file or Ms word macros etc.

    Now on the workstation the email message does its nasty business -- it's really a program - and won't be detected by any Virus scanning stuff and there you are -- it's only a matter of time before the backend database is corrupted to such an extent it becomes inoperable without a restore etc.

    Old XMODEM / YMODEM / ZMODEM protocols for example. Since ASCII compresses down very much a trick was to convert the file to ascii and compress it before transmission -- this made for shorter transmission times -- very important back in the days where BAUD rates were still being used -- 2400 BAUD (old Hayes Modem) was regarded as a state of the art bit of kit !!!!!.

    It's almost impossible these days to ban emails in a workplace and confidential emails are often transmitted in scrambled form as people don't want this in plain text all over the Internet.

    Unfortunately there is always a fundamental weakness in CLIENT / SERVER systems -- it doesn't matter HOW SECURE the server is because an authorised user will always be allowed to update the real data base from some sort of front end terminal. Most countries have fairly stringent "Data Protection Acts" so if confidential data is being updated on to the backend it's almost impossible to verify the "compliance" of the data without breaking the various laws governing the storage of confidential data.

    In large organisations where you could have several 1000s of terminals with all sorts of levels of staff it is virtually impossible to ensure these machines won't get hacked.


    It's not easy solving this stuff -- but a better solution is to use distributed systems rather than central Client / Server systems --in fact even the "Dreaded Cloud" would be more effective.

    It will require expense and initiative to bind this all together so people can get data from various sources to get a complete record -- that's where I believe the guys who want to make money in I.T will be involved in next -- not a trivial problem at all.

    Cheers
    jimbo
     
    jimbo45, May 12, 2017
    #20
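jimbo45's point is that a binary can ride inside a plain-text message body as ASCII (Base64 today, uuencode in the XMODEM era), so an attachment filter never sees a ".exe". The mail-gateway side of that is a body scan that decodes long Base64 runs and checks what they are. The script below is an added example, not code from jimbo45 or anyone else in this thread; the message and its "payload" are constructed for the demo, and the payload is an 80-byte buffer carrying only the MZ and PE signatures, with no code in it.

```powershell
# Added example (not from jimbo45 or anyone in this thread): a mail-gateway style
# check for a Windows executable carried inside an otherwise plain-text message
# body as a run of Base64 text. The message below is constructed for the demo.

# Harmless stand-in for an executable: MZ magic, e_lfanew pointing at "PE\0\0".
$stub = New-Object byte[] 80
$stub[0] = 0x4D; $stub[1] = 0x5A                  # 'MZ' DOS header magic
$stub[0x3C] = 0x40                                # e_lfanew: offset of the PE header
$stub[0x40] = 0x50; $stub[0x41] = 0x45            # 'PE\0\0' (bytes 0x42/0x43 stay zero)
$encoded = [Convert]::ToBase64String($stub)
$wrapped = $encoded -replace '(.{76})', "`$1`n"   # wrap at 76 columns like a MIME body

$sampleBody = @"
Hi,

Invoice details are inline below.

$wrapped

Regards,
Accounts
"@

function Find-EncodedExecutable {
    param([string]$Body, [int]$MinChars = 64)
    $findings = @()
    $run   = New-Object System.Text.StringBuilder
    $lines = $Body -split "`r?`n"
    foreach ($line in ($lines + '')) {            # trailing '' flushes the final run
        # Consecutive lines made only of Base64 alphabet (plus padding) form one blob.
        if ($line -match '^[A-Za-z0-9+/]+=*\s*$') {
            [void]$run.Append($line.Trim())
            continue
        }
        if ($run.Length -ge $MinChars) {
            $blob = $run.ToString()
            try { $bytes = [Convert]::FromBase64String($blob) } catch { $bytes = $null }
            if ($bytes -and $bytes.Length -ge 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                # MZ present: follow e_lfanew and confirm the PE signature if it fits.
                $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
                $hasPe = ($peOffset -gt 0) -and ($peOffset + 4 -le $bytes.Length) -and
                         ($bytes[$peOffset] -eq 0x50) -and ($bytes[$peOffset + 1] -eq 0x45) -and
                         ($bytes[$peOffset + 2] -eq 0) -and ($bytes[$peOffset + 3] -eq 0)
                $sig = if ($hasPe) { 'MZ + PE header' } else { 'MZ only (DOS stub or truncated)' }
                $findings += [pscustomobject]@{
                    EncodedChars = $blob.Length
                    DecodedBytes = $bytes.Length
                    Signature    = $sig
                }
            }
        }
        [void]$run.Clear()
    }
    return $findings
}

Find-EncodedExecutable -Body $sampleBody | Format-Table -AutoSize
```

Short all-letter words such as "Accounts" also match the Base64 alphabet, which is why the scan only decodes runs of at least 64 characters and then requires the MZ/PE signatures rather than trusting the decode alone. Extending it to uuencode or to Office/zip magic numbers is the same pattern with a different decoder and signature.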
  6. z3r010 Win User
    The thing with this hack is it looks like it's being spread by the NSA's EternalBlue hack, which doesn't require a user to run a compromised file on their system; it just hits systems that haven't had the MSFT patch against it that was released a few months back.
     
    z3r010, May 12, 2017
    #21
  7. Fafhrd Win User
    It all depends on what your email client opens the ascii file with.

    Notepad would just try to send it to the screen and fail to show the binary characters properly.

    If it's your browser, or an email client like outlook, then anything may happen.
     
    Fafhrd, May 12, 2017
    #22
  8. eLPuSHeR Win User


    It seems nobody is doing BACKUPS at all. That's an easy and affordable way to be protected from ransomware. *Think

    The No More Ransom Project
     
    eLPuSHeR, May 12, 2017
    #23
  9. dalchina New Member
    Actually the UK government has one system incapable of being hacked electronically - all Acts of Parliament must be written on vellum - calf or goat skin.

    Why is the UK still printing its laws on vellum? - BBC News

    Now, just consider- how many of your files will be accessible and readable by anything in, say, 900 years?

    But with BREXIT, there will be a vast amount of legislation.... so maybe I'll buy shares in vellum manufacturers!
     
    dalchina, May 12, 2017
    #24
  10. swarfega Win User
    Is there a way to tell if you have the patch?
     
    swarfega, May 12, 2017
    #25
  11. Fafhrd Win User
    The worm that spreads WanaCrypt0r

    Posted: May 12, 2017 by Zammis Clark
    Something that many security researchers have feared has indeed come true. Threat actors have integrated a critical exploit taking advantage of a popular communication protocol used by Windows systems, crippling thousands of computers worldwide with ransomware.
    Within hours of being leveraged, a flaw that had been recently patched by Microsoft has been used to distribute the WanaCrypt0r ransomware and wreak havoc worldwide.
    In this blog post, we will describe the worm responsible for spreading this ransomware by looking at its capabilities and what has made this threat so successful.
    Main functionality

    WanaCrypt0r has been most effective—not only does the ransomware loop through every open RDP session on a system and run the ransomware as that user, but the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).
    The WinMain of this executable first tries to connect to the website http://www.iuqerfsodp9ifjaposdfjhgos...ewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.
    This was probably some kind of kill switch or anti-sandbox technique. Whichever it is, it has backfired on the authors of the worm, as the domain has been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that run the executable. This only applies to the binary with the hash listed above; there may well be new versions released in the future.

    read more at:

    The worm that spreads WanaCrypt0r - Malwarebytes Labs | Malwarebytes Labs

    MS Patch for SMB1.0/CIFS File Sharing Support:

    Microsoft Security Bulletin MS17-010 - Critical

    Seems systems from Vista onwards are affected, so the XP speculation is pointless.
     
    Fafhrd, May 12, 2017
    #26
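swarfega asked how to tell whether you have the patch, and Fafhrd's answer points at MS17-010 and the SMB1.0/CIFS component it fixes. The script below is an added example, not code from Malwarebytes, Microsoft or anyone in this thread: it reports whether this machine still serves SMBv1 (what the ETERNALBLUE exploit talks to) and whether one of the MS17-010 updates is listed by Get-HotFix, then offers a one-call mitigation. It assumes an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or later, where the SmbShare and DISM cmdlets exist; Windows 7 lacks them.

```powershell
# Added example (not from Malwarebytes, Microsoft or this thread): SMBv1 exposure
# check for MS17-010 plus a mitigation. Run elevated on Windows 8.1 / 2012 R2 or later.

# MS17-010 security-only and monthly-rollup updates for Windows 7 / Server 2008 R2
# (KB4012212, KB4012215) and Windows 8.1 / Server 2012 R2 (KB4012213, KB4012216).
# Windows 10 receives the fix inside its cumulative update, and later cumulative
# updates supersede it, so an empty Get-HotFix result there is not proof of exposure.
$ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216'

function Get-Smb1ExposureStatus {
    $os        = Get-CimInstance Win32_OperatingSystem
    $hotfixes  = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
                   Select-Object -ExpandProperty HotFixID)
    $smbServer = Get-SmbServerConfiguration              # server-side SMBv1 switch
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    $hotfixText   = if ($hotfixes.Count -gt 0) { $hotfixes -join ', ' }
                    else { 'none listed (may be superseded on Windows 10)' }
    $featureState = if ($feature) { [string]$feature.State } else { 'n/a' }

    [pscustomobject]@{
        OS                = $os.Caption
        Version           = $os.Version
        Ms17010Hotfix     = $hotfixText
        Smb1ServerEnabled = $smbServer.EnableSMB1Protocol
        Smb1FeatureState  = $featureState
    }
}

function Disable-Smb1Server {
    # Mitigation that does not depend on patch state: stop serving SMBv1 at all.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$status = Get-Smb1ExposureStatus
$status | Format-List
if ($status.Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server is still enabled on this machine; run Disable-Smb1Server (reboot to complete).'
}
```

The two answers complement each other: the hotfix list tells you whether the March update is recorded, the SMBv1 flags tell you whether the vulnerable protocol is reachable at all. Disabling SMBv1 is the durable fix on a modern client, but check first whether anything on the network (old NAS boxes, multifunction printers, legacy scanners) still depends on it, since those will stop being able to talk to the machine once it is off.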
  12. jimbo45 Win User
    If there's collusion the user would use his "Unscramble" key for the email -- then BANG !!!!!
    In large organisations employing 100,000s of people -- it's impossible to vet everybody and there will always be some people with grievances -- so even in this case where it was a purely external attack (or so it seems) there's no reason to suppose the next invasion could involve "malcontented insiders".

    In a busy hospital where there is nearly always 100% Chaos - people don't notice things like a computer say in a back small room which might only be mainly used for office supplies or monitoring Laundry requirements etc.

    The publicity given to this malware will certainly give some people ideas - and while upgrading from XP is certainly necessary it isn't by any manner of means the whole story.

    Couldn't believe the INANE remarks of a UK Govt Minister --- "The NHS must learn from this !!!!!!!"

    I'm sure any I.T dept on the planet when a defect is discovered usually does that as a matter of course and takes steps (not always successfully) to prevent a repeat.

    Cheers
    jimbo
     
    jimbo45, May 12, 2017
    #27
  13. Fafhrd Win User


    No, there's no money for spare computers in back small rooms, and if there's a small back room, it's somebody's office, so the PC is not spare. If it's networked then there's a logon, so there's an audit trail.
     
    Fafhrd, May 12, 2017
    #28
  14. Barman58 Win User
    Political will is an important factor in this issue - the London Government is responsible for the NHS in England and are in favour of a private medical system, and a lack of IT resource causes this failure.

    In Wales, where the Devolved government is given responsibility for the running of the NHS and is in favour of a Publicly funded NHS, the Welsh NHS IT system appears to be much better funded, and the Windows 7 (mainly) based systems are unaffected.

    Indeed, since this attack started the IT system has sent me several electronic reminders for upcoming appointments - I've had two this morning.
     
    Barman58, May 12, 2017
    #29
  15. dencal Win User
    If you have W10 and Updates are up to date you are protected... it was included with the monthly Malicious Software Removal Tool.
     
    dencal, May 12, 2017
    #30