BadBoyTazz4Ever

Crypto Locker and other Ransomware

Recommended Posts

So this past weekend my news feeds, FB feed, emails and WhatsApp have been buzzing with the latest Ransomware spread that looked like a wildfire running through the plantations.

 

Having had my fair share of run-ins with Ransomware at a client that has been hit 7 times in 3 months, this sh!t is really a huge problem. We had this stuff spread through limited accounts, admin accounts over the network, etc, etc. I couldn't figure out how in heaven's name these things keep on getting by the AV sandbox that most AVs now use to test software before it is allowed to run on your PC, till I read a report this weekend about how this weekend's spread was stopped by an IT tech realizing the domain was not registered, and when he registered it and the Ransomware detected it was only reporting to one IP, they killed themselves because they thought they were running in a sandbox.

 

We have now implemented a group policy at the client that prevents apps from running from the AppData folder; hopefully this will help stop this a bit more. We have also switched off "hide known file extensions" so the client can see all extensions.

 

Updates to Windows are still one of our biggest issues in this regard, as most of our clients are on very limited data caps, so updates are run at most twice a month but on average once a month. So do any of you guys know of software that can help distribute updates on a network from one central PC, so that each PC doesn't have to download the updates, apart from using Windows Server software and domain controllers etc? I know with Windows 10 you can set the update to update from the network only and set only one PC to update from the internet, but most of our clients still run Windows 7 and we even have a few XP machines running (luckily most of those don't have internet access, just a PC standing in a corner for a guy that works on some odd piece of software that connects to some ancient machine they still use; ask them why they don't update the PC and they will easily tell you that the software costs X hundred thousand bucks and then they have to update the machine as well for X hundred thousand on top of that).

 

So I was wondering what other measures, apart from educating your clients and AV, you guys are using to protect against this type of software?

 

Some of the links that I have read and found interesting:

Global ransomware attacks: What we know

 

How One Simple Trick Just Put Out That Huge Ransomware Fire

 

An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak

 

Deeper Lessons From This Week's Massive Ransomware Attack
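As an added example (not code from the thread or from any product named in it), here is a small detection-side check that mirrors the two mitigations the post describes: a "no execution from AppData" policy and un-hiding file extensions. Given a list of process-launch records, it reports which launches such a policy would have blocked and which file names use a double extension (a document-looking extension in front of an executable one) that only becomes visible once "hide known file extensions" is off. Every path, user name and file name in the sample data is constructed for illustration.

```python
# Added example: which process launches a "block execution from AppData" rule
# would have stopped, and which file names hide an executable behind a
# document-looking extension. Sample data is constructed, not real indicators.
from pathlib import PureWindowsPath

# %AppData% (Roaming) and %LocalAppData% (Local/LocalLow) both live under
# <profile>\AppData, so matching the "AppData" path component covers all three.
BLOCKED_COMPONENTS = ("appdata",)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
# Extensions commonly placed in front of the real one so the name looks like a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def runs_from_appdata(image_path: str) -> bool:
    """True if the executable lives anywhere under a user's AppData tree."""
    parts = [p.lower() for p in PureWindowsPath(image_path).parts]
    return any(p in BLOCKED_COMPONENTS for p in parts)


def has_disguised_extension(image_path: str) -> bool:
    """True for names like Invoice.pdf.exe: with known extensions hidden,
    Explorer shows them as Invoice.pdf."""
    suffixes = [s.lower() for s in PureWindowsPath(image_path).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTENSIONS
            and suffixes[-2] in DOCUMENT_EXTENSIONS)


def evaluate_launches(launches):
    """launches: iterable of (user, image_path).
    Returns a list of (user, image_path, [reasons]) for suspicious launches only."""
    findings = []
    for user, path in launches:
        reasons = []
        if runs_from_appdata(path):
            reasons.append("runs from AppData (blocked by the group policy)")
        if has_disguised_extension(path):
            reasons.append("double extension hides an executable")
        if reasons:
            findings.append((user, path, reasons))
    return findings


# Constructed sample launch records (user, full image path).
SAMPLE_LAUNCHES = [
    ("alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("alice", r"C:\Users\alice\AppData\Roaming\Invoice_2017.pdf.exe"),
    ("bob",   r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
    ("bob",   r"C:\Users\bob\Downloads\report.docx"),
    ("carol", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for user, path, reasons in evaluate_launches(SAMPLE_LAUNCHES):
        print(f"{user}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Running it flags the two AppData launches and additionally calls out the double-extension name; the Office, Downloads and System32 entries pass. Note that a blanket AppData rule also catches legitimate per-user installers (some browsers and chat clients install under AppData), so an allow-list of signed, known-good paths is normally needed alongside it.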

 

Xiphan
13 minutes ago, BadBoyTazz4Ever said:

Got this mail this morning from Microsoft:

 

The WannaCry Malware Attack


Hope this helps someone.

 

Yeah, I heard about that. There's even been several articles about it because of how it took down PCs still running XP in the UK for National Healthcare services of all things! :blink: 

1 minute ago, Xiphan said:

 

Yeah, I heard about that. There's even been several articles about it because of how it took down PCs still running XP in the UK for National Healthcare services of all things! :blink: 

 

Really scary thing is I know of a few bank ATMs that are still running XP laptops, and I know that because I wanted to draw money at the till and it was out of order and you could see the Windows XP taskbar at the bottom.

Xiphan
Just now, BadBoyTazz4Ever said:

 

Really scary thing is I know of a few bank ATMs that are still running XP laptops, and I know that because I wanted to draw money at the till and it was out of order and you could see the Windows XP taskbar at the bottom.

 

Yeah, that is equally scary. :crazy: 

Xiphan

Also, due to the severity of the outbreak Microsoft has released KB4012598 for earlier versions of Windows as well; i.e. XP, Server 2003 and Windows 8. It can be downloaded here as a standalone msu or imported directly into your WSUS server.


Yeah, you know it's big when MS releases an update for an OS it hasn't released an update for in what is now 3 years at least?

 

The thing I "love" the most about this is the blame game that is currently going on about whose fault this is. Most blame bad system admins that don't run updates regularly, but others blame MS for not detecting the "loop holes" before they release software, others blame the NSA or whatever acronym organisation developed the tools to exploit the loopholes they found, etc, etc, etc.

 

I get the system admins not running updates instantly; hell, how many times has MS released an update and it ends up just breaking more than it had to fix. Double-edged sword being a System Admin at this point in time.

Xiphan

They even offer a standalone tool which you can run alongside your existing security software to help protect you against ransomware: https://go.kaspersky.com/Anti-ransomware-tool_soc.html

 

[Screenshot: Kaspersky Anti-Ransomware Tool for Business]

 

I'm guessing it's a heuristic program which prevents suspicious apps from accessing files commonly targeted by ransomware and making modifications to them.
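As an added example (not Kaspersky's code and not from the thread), here is a toy version of the kind of behaviour-based heuristic described above. It consumes a stream of file-write events per process and flags a process that, inside a short sliding window, rewrites many user documents with content that looks encrypted (high byte entropy, which ciphertext has and most office documents do not). The event stream, process IDs, paths and file contents are all constructed sample data; the thresholds are illustrative assumptions, not values from any product.

```python
# Added example: per-process heuristic for ransomware-like mass encryption of
# user files. Events, paths, PIDs and contents below are constructed sample data.
import math
import os
from collections import Counter, defaultdict, deque

WATCHED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}  # "files commonly targeted"
WINDOW_SECONDS = 10      # sliding window per process (assumed value)
FILE_THRESHOLD = 5       # distinct watched files overwritten inside the window (assumed)
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted/random data approaches 8.0 (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: ciphertext and compressed data are near 8 bits/byte,
    plain documents are far lower."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_ransomware_like(events):
    """events: iterable of (timestamp_sec, pid, path, written_bytes) in time order.
    Returns the set of pids that overwrote FILE_THRESHOLD or more distinct
    watched files with encrypted-looking content within WINDOW_SECONDS."""
    recent = defaultdict(deque)   # pid -> deque of (ts, path) for suspicious writes
    flagged = set()
    for ts, pid, path, content in events:
        ext = os.path.splitext(path)[1].lower()
        if ext not in WATCHED_EXTENSIONS or not looks_encrypted(content):
            continue                       # ordinary save, or not a file type we watch
        window = recent[pid]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()               # drop writes that fell out of the window
        if len({p for _, p in window}) >= FILE_THRESHOLD:
            flagged.add(pid)
    return flagged


# Constructed file contents: a plain-text document and a stand-in for ciphertext
# (every byte value equally often, so entropy is exactly 8.0 bits/byte).
PLAIN_DOC = b"Quarterly report: revenue up 4%, costs flat. " * 100
FAKE_CIPHERTEXT = bytes(range(256)) * 16

# Constructed event stream (timestamp, pid, path, bytes written).
SAMPLE_EVENTS = [
    (0.0,  1001, r"C:\Users\alice\Documents\report.docx", PLAIN_DOC),        # normal save
    (1.0,  3003, r"C:\Users\alice\Pictures\holiday1.jpg", FAKE_CIPHERTEXT),  # photo editor:
    (2.0,  3003, r"C:\Users\alice\Pictures\holiday2.jpg", FAKE_CIPHERTEXT),  # JPEGs are high-entropy too
    (5.0,  4242, r"C:\Users\alice\Documents\a.docx", FAKE_CIPHERTEXT),       # mass overwrite begins
    (5.2,  4242, r"C:\Users\alice\Documents\b.xlsx", FAKE_CIPHERTEXT),
    (5.4,  4242, r"C:\Users\alice\Documents\c.pdf",  FAKE_CIPHERTEXT),
    (5.6,  4242, r"C:\Users\alice\Pictures\d.jpg",   FAKE_CIPHERTEXT),
    (5.8,  4242, r"C:\Users\alice\Documents\e.txt",  FAKE_CIPHERTEXT),
    (6.0,  4242, r"C:\Users\alice\Documents\f.docx", FAKE_CIPHERTEXT),
    (40.0, 5005, r"C:\Users\alice\Documents\g.txt",  FAKE_CIPHERTEXT),       # one-off, outside any burst
]

if __name__ == "__main__":
    print("flagged pids:", sorted(detect_ransomware_like(SAMPLE_EVENTS)))
```

Only pid 4242 is flagged: the photo editor writes high-entropy JPEGs but touches just two files, and the late one-off write never reaches the threshold. That is the point of counting distinct files per window rather than reacting to a single high-entropy write, and it is also why real products pair such heuristics with process reputation, since backup and compression tools produce the same pattern legitimately.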


Source

 


A new strain of ransomware – called Petya, and which emerged in Ukraine and Russia yesterday – has spread to the US and South Africa.

 

The Ukrainian Cyber Police said on Twitter that the original infection was made through an automatic software update feature built into M.E.Doc, accounting software used by companies which work with the Ukrainian government.

 

Symantec said Petya uses EternalBlue, a hacking weapon developed by the NSA, leaked online by a group known as the Shadow Brokers, and used in the WannaCry ransomware last month.

 

The NSA said it is moderately confident that WannaCry was the work of North Korean hackers.

 

EternalBlue exploits a vulnerability in all versions of Windows which Microsoft patched in March. Due to how serious the attack was, Microsoft also released a patch for versions of Windows that it no longer supports – except through custom support agreements.

Petya ransomware a smokescreen

Krebs on Security reports that the ransomware included in Petya may be a smokescreen.

 

Quoting Nicholas Weaver, a security researcher at the International Computer Science Institute, the report stated that Petya appears to be engineered to be destructive, and masquerades as a ransomware strain.

 

Like WannaCry, Petya’s ransom note shows the same Bitcoin address for every victim. Most ransomware creates a custom address for each infected user, to ensure payment tracking is possible.

 

Petya also asks victims to contact the extortionists holding their files to ransom by email. Weaver noted that most ransomware asks victims to communicate with them via Tor.

 

Weaver said, with moderate confidence, that this was a deliberate, malicious, destructive attack, or perhaps a test disguised as ransomware.

 

Group-IB, a Russian security firm, reported that Petya includes a tool called LSADump, which can harvest passwords and other data from Windows computers and domain controllers on the network.

Petya in South Africa

Reports on Radio 702 suggest that companies in South Africa have been infected by Petya. When powering up their computers, users were shown the screen below.

It has been reported that Petya is also referred to as NotPetya.

[Image: Petya ransom screen]

 
