Author Topic: Global Ransomware Attack  (Read 4057 times)

Offline Boruch999

Global Ransomware Attack
« on: May 15, 2017, 09:36:59 AM »
A question for someone who understands how this stuff works.

For a system that was vulnerable, infected, but powered down when the attack hit, would disconnecting from the internet prior to powering up enable the cleaning of the system before the worm could get instructions to encrypt? If so, why is that not being widely disseminated?


Offline AsherO

Re: Global Ransomware Attack
« Reply #1 on: May 15, 2017, 09:51:05 AM »
Quote
A question for someone who understands how this stuff works.

For a system that was vulnerable, infected, but powered down when the attack hit, would disconnecting from the internet prior to powering up enable the cleaning of the system before the worm could get instructions to encrypt? If so, why is that not being widely disseminated?

What does it mean that the system was infected if no files were encrypted?
DDF FFB (Forum From Birth)

Offline Boruch999

Re: Global Ransomware Attack
« Reply #2 on: May 15, 2017, 09:55:25 AM »
Quote
What does it mean that the system was infected if no files were encrypted?

Attack was facilitated by a worm. Apparently malicious code was implanted in systems by clicking on email links and lay dormant (or spread itself further but did not encrypt) until activated Friday. It's possible the trigger was a date/time but I think it's much more likely they triggered it at a time of their choice.

Offline real-brisker


Offline yuneeq

Re: Global Ransomware Attack
« Reply #4 on: May 15, 2017, 12:25:36 PM »
Quote
A question for someone who understands how this stuff works.

For a system that was vulnerable, infected, but powered down when the attack hit, would disconnecting from the internet prior to powering up enable the cleaning of the system before the worm could get instructions to encrypt? If so, why is that not being widely disseminated?

It might help, but probably not.
What would probably help is swapping out the hard drive before the files get encrypted.
Copy over any unencrypted files and wipe out the rest.

But before taking any of our advice you should probably ask a recovery expert like DHData or the like.
Visibly Jewish

Offline Boruch999

Re: Global Ransomware Attack
« Reply #5 on: May 15, 2017, 12:30:40 PM »
Quote
It might help, but probably not.
What would probably help is swapping out the hard drive before the files get encrypted.
Copy over any unencrypted files and wipe out the rest.

But before taking any of our advice you should probably ask a recovery expert like DHData or the like.

Thanks, but b"H this was a theoretical question; the steps you suggested are included in what I intended by "cleaning of the system." If a tool could be created that can remove the worm, great, otherwise your plan.

Offline DanH

Re: Global Ransomware Attack
« Reply #6 on: May 15, 2017, 02:06:09 PM »
You usually aren't told you are infected until after your files are already encrypted.
If you had the virus, and the encryption process didn't start, AND it "activated" itself via internet, then *possibly* that would help. A better option would be to access that drive offline (meaning, not booting from that drive) and then retrieve your info / clean the worm.

For this particular ransomware, see:
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
For tech help feel free to Telegram me @DanTechSupp
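The "access the drive offline and retrieve your info" step, as an added example that is not code from this thread or from any poster: a Python triage script that walks a volume mounted read-only from another system, classifies each file by ransom extension and byte entropy, and copies out only the files that still look like plaintext. The ransom extension (`.locked` here), the entropy threshold and the sample files are constructed assumptions, not WannaCry's actual values.

```python
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits/byte: ciphertext sits near 8.0, documents far below
MIN_ENTROPY_SAMPLE = 512  # below this many bytes the estimate is meaningless

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts, total = Counter(data), len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify(path: Path, ransom_ext: str) -> str:
    """'ransom-ext' (renamed by the malware), 'high-entropy' (ciphertext, or compressed), 'plain'."""
    if path.suffix.lower() == ransom_ext.lower():
        return "ransom-ext"
    with path.open("rb") as fh:
        head = fh.read(64 * 1024)  # the first 64 KiB is enough to judge
    if len(head) >= MIN_ENTROPY_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "plain"


def triage_copy(src: Path, dst: Path, ransom_ext: str) -> dict:
    """Copy only 'plain' files from the offline-mounted volume src into dst; never write to src."""
    report = {"plain": [], "ransom-ext": [], "high-entropy": []}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        verdict, rel = classify(path, ransom_ext), path.relative_to(src)
        report[verdict].append(rel.as_posix())
        if verdict == "plain":
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dst / rel)
    return report


def run_demo(ransom_ext: str = ".locked") -> dict:
    """Triage a constructed sample volume; '.locked' is a placeholder, not the real suffix."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "evidence", Path(tmp) / "recovered"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_bytes(b"Quarterly notes: backups verified Monday.\n" * 20)
        (src / "docs" / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # renamed ciphertext
        (src / "docs" / "photo.jpg").write_bytes(os.urandom(4096))  # ciphertext, name untouched
        return triage_copy(src, dst, ransom_ext)
```

Legitimately compressed files (JPEG, ZIP) are also high entropy, so that bucket is held back for manual review rather than discarded.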

Offline AsherO

Re: Global Ransomware Attack
« Reply #7 on: May 15, 2017, 02:20:05 PM »
Quote
For this particular ransomware, see:
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

The unfortunate thing is that this is in no way a fix. The group behind the exploit can re-release the ransomware without this randomized site...

Offline DanH

Re: Global Ransomware Attack
« Reply #8 on: May 15, 2017, 02:48:11 PM »
Quote
The unfortunate thing is that this is in no way a fix. The group behind the exploit can re-release the ransomware without this randomized site...
As he himself says  ;D

Offline AsherO

Re: Global Ransomware Attack
« Reply #9 on: May 15, 2017, 03:20:47 PM »
Quote
As he himself says  ;D

Wrote it before I read that tidbit.

Offline Yisroel Tech

Re: Global Ransomware Attack
« Reply #10 on: May 15, 2017, 11:28:30 PM »
Quote
A question for someone who understands how this stuff works.

For a system that was vulnerable, infected, but powered down when the attack hit, would disconnecting from the internet prior to powering up enable the cleaning of the system before the worm could get instructions to encrypt? If so, why is that not being widely disseminated?
The real answer to your question is no. Everything can happen, but once you are infected with ransomware the program does not need the internet to continue its operation of encrypting files (at least in all the ransomware I have seen analysis of, which is a lot).

In a theoretical situation, which would probably never happen, that you somehow figure out that you are infected but the files (or some of them) are still not encrypted, the best thing would be to load the hard drive from a different system (a non-Windows boot CD preferred), grab all the files, and then attempt to clean everything (cleaning an actual virus is never a definite thing; it might be cleaned or the virus might be more persistent, unless a real pro does it, and a pro in virus removal, because a lot of computer pros do not have a clue about this stuff).

Quote
Attack was facilitated by a worm. Apparently malicious code was implanted in systems by clicking on email links and lay dormant (or spread itself further but did not encrypt) until activated Friday. It's possible the trigger was a date/time but I think it's much more likely they triggered it at a time of their choice.
You somewhat misunderstood this specific infection (WannaCry) and its way of infecting.

The initial infection for some computers was through an email link etc. (it is not entirely clear at this point). And on the systems that were infected that way the virus was a regular virus, nothing with a worm or time-activation. Just after (or at least when it was well in the midst of) taking the local computer's files ransom, the worm kicked in and scanned first the LAN for any PC with this vulnerability not patched, and infected it, then it started scanning random IPs over the internet for this vulnerability.

But the point, relevant to your question, is that once a PC was infected one way or the other it started encrypting right away.
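The LAN-sweep-then-internet behaviour described above, as an added example that is not from this thread or from any poster: Python detection logic run over constructed firewall log lines that flags any host fanning out to many distinct peers on the SMB port within a minute and reports how many of its targets were local versus internet addresses. The port number, the threshold of 20 peers per 60 seconds, the log format and all addresses are assumptions, not details stated in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumptions not stated in the thread: the worm probes the SMB port, and a client
# reaching 20+ distinct hosts on it inside one minute is not normal file-share use.
SMB_PORT, WINDOW, FAN_OUT_THRESHOLD = 445, timedelta(seconds=60), 20
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def detect_scanners(lines):
    """Return {src: {first_seen, lan_targets, internet_targets}} for hosts that fan
    out to FAN_OUT_THRESHOLD distinct SMB peers within WINDOW (sliding, per source)."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == SMB_PORT:
            by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window, left = Counter(), 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - WINDOW:  # drop peers that fell out of the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= FAN_OUT_THRESHOLD and src not in alerts:
                alerts[src] = {"first_seen": ts.isoformat()}
        if src in alerts:  # where did the sweep go: LAN neighbours first, then the internet
            targets = {d for _, d in events}
            lan = sum(1 for d in targets if any(ipaddress.ip_address(d) in n for n in LAN_NETS))
            alerts[src].update(lan_targets=lan, internet_targets=len(targets) - lan)
    return alerts


def build_sample_log():
    """Constructed firewall lines: a normal client and one host behaving like the worm."""
    fmt = lambda ts, s, d: f"{ts.isoformat()} src={s} dst={d} dport={SMB_PORT} action=allow"
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    lines = [fmt(t0 + timedelta(seconds=10 * i), "10.0.0.9", "10.0.0.2") for i in range(5)]
    lines += [fmt(t0 + timedelta(seconds=i), "10.0.0.5", f"10.0.0.{100 + i}") for i in range(1, 26)]
    lines += [fmt(t0 + timedelta(seconds=30 + i), "10.0.0.5", f"203.0.113.{i + 1}") for i in range(12)]
    return lines
```

Run `detect_scanners(build_sample_log())` to see the constructed worm host flagged within 20 seconds of its LAN sweep; the benign client, which only ever talks to one file server, never trips the threshold.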

Offline Boruch999

Re: Global Ransomware Attack
« Reply #11 on: May 16, 2017, 06:16:32 AM »
Quote
The real answer to your question is no. Everything can happen, but once you are infected with ransomware the program does not need the internet to continue its operation of encrypting files (at least in all the ransomware I have seen analysis of, which is a lot).

In a theoretical situation, which would probably never happen, that you somehow figure out that you are infected but the files (or some of them) are still not encrypted, the best thing would be to load the hard drive from a different system (a non-Windows boot CD preferred), grab all the files, and then attempt to clean everything (cleaning an actual virus is never a definite thing; it might be cleaned or the virus might be more persistent, unless a real pro does it, and a pro in virus removal, because a lot of computer pros do not have a clue about this stuff).
You somewhat misunderstood this specific infection (WannaCry) and its way of infecting.

The initial infection for some computers was through an email link etc. (it is not entirely clear at this point). And on the systems that were infected that way the virus was a regular virus, nothing with a worm or time-activation. Just after (or at least when it was well in the midst of) taking the local computer's files ransom, the worm kicked in and scanned first the LAN for any PC with this vulnerability not patched, and infected it, then it started scanning random IPs over the internet for this vulnerability.

But the point, relevant to your question, is that once a PC was infected one way or the other it started encrypting right away.

Ransom messages apparently only popped up Friday. You mean to suggest that people's data was encrypted long before and they just didn't realize it, or that within the space of a few hours hundreds of thousands of systems were initially infected, encrypted, and ransomed?

Offline Yisroel Tech

Re: Global Ransomware Attack
« Reply #12 on: May 16, 2017, 06:37:23 AM »
Quote
Ransom messages apparently only popped up Friday. You mean to suggest that people's data was encrypted long before and they just didn't realize it, or that within the space of a few hours hundreds of thousands of systems were initially infected, encrypted, and ransomed?
The latter. And I'm not merely suggesting...that was how it worked. On mid Thursday the virus was first released in the wild and on Friday it already had 200k+ PCs infected!

That, my friend, is the power of human laziness and ignorance... Or as someone puts it: Microsoft may have patched Windows but has not released a patch for human stupidity...

Offline Boruch999

Re: Global Ransomware Attack
« Reply #13 on: May 16, 2017, 07:08:48 AM »
Quote
The latter. And I'm not merely suggesting...that was how it worked. On mid Thursday the virus was first released in the wild and on Friday it already had 200k+ PCs infected!

That, my friend, is the power of human laziness and ignorance... Or as someone puts it: Microsoft may have patched Windows but has not released a patch for human stupidity...
I see now that is how it is being reported.  At the time of my original post I had read an article that stated the opinion that the virus lay dormant (from an encryption point of view) and spread for a while, as it was unlikely that it could spread so fast otherwise.  I guess that was before the exact mechanism was known.

Offline DanH
