Hijack s/w that hit NHS: any information to make sure you avoid it?

There seems to be some info here
https://www.bleepingcomputer.com/ne...n-computers-amid-massive-ransomware-outbreak/
about hijack s/w that hit NHS today.

Does not seem to say how it was spreading - does anyone know?

A ransomware outbreak is wreaking havoc all over the world, but especially in Spain, where Telefonica — one of the country's biggest telecommunications companies — has fallen victim, and its IT staff is desperately telling employees to shut down computers and VPN connections in order to limit the ransomware's reach.

The culprit for these attacks is v2.0 of the WCry ransomware, also known as WannaCry or WanaCrypt0r ransomware.

..
UPDATE [May 12, 2017, 09:50 AM ET]: Fellow Spanish newspaper El Pais reports that Santander bank and consultancy firm KPMG may have also been affected.

...
This appears to be the same attack that has hit the NHS IT systems in the UK today
 
Seems it spreads via email attachments, so ... nothing novel.

.WNCRY Virus – How Does It Spread
Similar to the previous .wcry variant, this ransomware iteration may also use the very same methods to spread. They are connected with the usage of different types of tools used specifically to distribute malicious files and URLs without being detected:

  • Spamming software (spam bots, crawlers, etc)
  • Pre-configured list of e-mail addresses of potential victims to which spam mail may be sent.
  • Intermediary malware to conduct the infection.
  • A set of servers and distribution domains for command and control and the download of .WNCRY file virus’ payload.
Even though the WanaCrypt0r 2.0 ransomware may spread via torrent websites, fake updates or other fake setups and executables uploaded on shady hosts, the virus's primary method of spreading may be via convincingly created e-mails. Such e-mails aim to get victims to click on a malicious e-mail attachment and hence become infected with the .WNCRY file virus.

The attachments may usually be .js, .exe or other type of executable files, but in some situations they are also related with malicious macros. These malicious macros may be activated once the user enables the content on a document. Here is how this infection process is conducted:
 
This is potentially just the payload depending on how it was spread - could have simply been via an email attachment or could have been using some other malware to spread it. From the sounds of this one I suspect it's the payload from some other distribution mechanism though.
 
The absolute very best thing you can possibly do is make sure you have a good backup system in place. Then, if you do get pwned, it'll just be an annoying but minor inconvenience.
 
ok - so maybe I should install updates


Today's WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency's hackers to break into any of millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them, but from the moment the agency lost control of its own exploit last summer, there's been no such assurance.



Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.



As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

...
Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."



The Russian interior ministry confirmed that 1,000 of its computers had been affected, about 0.1 per cent of the total, but said its servers were not harmed.

The People’s Daily in China tweeted that similar attacks may have hit China and there were reports of similar attacks in dozens of other countries, including Russia, Portugal, Taiwan, Germany and Vietnam. MegaFon, one of Russia’s largest telecoms operators, confirmed it had been hacked.
 

Ah crap, I got an email from Santander today "[email protected]" stating that my "online statement is now available". Thing is, I never requested nor have I ever received an "online statement" from them before; it's all paper documents. It always arrives at the start of the month rather than the middle. Very odd. Can't see an attachment. Is there any way of peeking at the contents without potentially activating any malicious code? It's got my full name and part of my postcode, so it looks like it's from Santander direct rather than the usual spoofed header crap.
 

just delete it.
Santander send your 'statement is online' messages through their online banking logged-in email system, not directly.
If you've got one directly, it might be a virus, and your ISP may have stripped the attachment, or your own email client may have stripped the attachment.
just delete it.
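For the question above about peeking at a suspicious message without triggering anything, here is an added example (not posted by anyone in this thread, and not Santander's or any vendor's code) of reading a message saved as an .eml file as plain text: it reports the visible From address, the envelope Return-Path, the SPF/DKIM results the receiving server recorded, and the names of any attachments, and it flags the executable and macro-capable types the earlier quoted article lists (.js, .exe, Office macro documents). It never renders HTML or opens an attachment. The sample message at the bottom is constructed for the example; the addresses in it are placeholders.

```powershell
# Added example: inspect a saved message (.eml) as text only. Nothing here executes or
# renders any part of the message. Sample message and addresses below are constructed.

# Attachment types worth treating as hostile until proven otherwise: the article above
# names .js, .exe and macro documents; the rest are other common script/container types.
$RiskyExtensions = @('.js', '.jse', '.vbs', '.wsf', '.hta', '.exe', '.scr', '.lnk',
                     '.docm', '.xlsm', '.pptm', '.zip')

function Get-MailHeaders {
    param([string]$RawMessage)
    # Header block ends at the first blank line; continuation lines start with whitespace
    # (RFC 5322 folding), so join them back before splitting into Name: value pairs.
    $headerBlock = ($RawMessage -split "`r?`n`r?`n", 2)[0]
    $unfolded    = $headerBlock -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name = $matches[1].ToLower()
            $headers[$name] = @($headers[$name]) + $matches[2]   # keep repeated headers (Received)
        }
    }
    return $headers
}

function Get-AddressDomain {
    param([string]$HeaderValue)
    if ($HeaderValue -match '@([A-Za-z0-9.-]+)') { return $matches[1].ToLower().TrimEnd('.') }
    return $null
}

function Get-AttachmentNames {
    param([string]$RawMessage)
    # MIME part names live in Content-Disposition / Content-Type parameters.
    $names = @()
    foreach ($m in [regex]::Matches($RawMessage, '(?i)(?:filename|name)\*?\s*=\s*"?([^";\r\n]+)"?')) {
        $names += $m.Groups[1].Value.Trim()
    }
    return @($names | Select-Object -Unique)
}

function Get-MailRiskReport {
    param([string]$RawMessage)
    $h          = Get-MailHeaders $RawMessage
    $from       = ($h['from']        -join '; ')
    $returnPath = ($h['return-path'] -join '; ')
    $auth       = ($h['authentication-results'] -join ' ')
    $findings   = @()

    # The From header is free text the sender chooses; Return-Path is the envelope
    # sender the receiving server saw. A bank's own mail normally agrees on both.
    $fromDomain = Get-AddressDomain $from
    $rpDomain   = Get-AddressDomain $returnPath
    if ($fromDomain -and $rpDomain -and $fromDomain -ne $rpDomain) {
        $findings += "From domain '$fromDomain' differs from Return-Path domain '$rpDomain'"
    }
    if ($auth -match 'spf=(fail|softfail)') { $findings += "SPF did not pass: $($matches[0])" }
    if ($auth -match 'dkim=fail')           { $findings += 'DKIM signature failed' }

    foreach ($name in Get-AttachmentNames $RawMessage) {
        $ext = [IO.Path]::GetExtension($name).ToLower()
        if ($RiskyExtensions -contains $ext) { $findings += "Attachment '$name' is an executable/macro-capable type" }
        else                                 { $findings += "Attachment '$name' present (do not open on this machine)" }
    }

    return [pscustomobject]@{
        Subject    = ($h['subject'] -join '; ')
        From       = $from
        ReturnPath = $returnPath
        LastHop    = if ($h['received']) { $h['received'][0] } else { '' }
        Findings   = $findings
    }
}

# Constructed sample: a "statement is available" notice whose envelope sender and SPF
# result do not match the bank-looking From address, carrying a script attachment.
$SampleMessage = @"
Return-Path: <bounce-1234@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.10])
  by mx.recipient.example (Postfix) with ESMTP id ABC123
Authentication-Results: mx.recipient.example; spf=softfail smtp.mailfrom=mailer.example.net;
  dkim=none
From: Online Statements <statements@bank.example>
Subject: Your online statement is now available
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your statement is attached.
--b1
Content-Type: application/octet-stream; name="statement.js"
Content-Disposition: attachment; filename="statement.js"

(attachment body omitted)
--b1--
"@

Get-MailRiskReport $SampleMessage | Format-List
# To check a real message: save it from the mail client as .eml, then
#   Get-MailRiskReport (Get-Content .\message.eml -Raw) | Format-List
```

On the constructed sample this reports a From/Return-Path domain mismatch, an SPF softfail and the `statement.js` attachment as an executable type. Personalisation such as a full name or partial postcode is not evidence of origin: those details circulate in breached data sets, so the envelope sender and authentication results are the headers to trust, and an unexpected message is still best dealt with as the reply above says, by deleting it and checking through the bank's logged-in site.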
 
MS have now published patches for the out-of-support options like XP.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


I ain't been able to get any updates for my Win 7 since they switched them to Win 10's way of doing them last November (not done that fix you can do), so can I just grab the fix for this one from your link: the Affected Software, Win 7 64bit SP1 (4012212) Security Only? Then when the catalogue loads up to download it, do I grab the top one, March, 2017 Security Only Quality Update for Windows 7 for x64-based Systems (KB4012212), which is 33.2 MB, or the next one down, March, 2017 Security Only Quality Update for Windows 7 (KB4012212), which is only 18.8 MB? Although guessing it's the top one, for 64bit.

Thanks.

I've got Defender updated btw.

EDIT: She's in! :D
 
Don't use XP/Vista/8, keep your system up to date and disable SMB, that's the minimum you need to be safe from this ransomware.

More importantly, don't download & run everything you see.
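The advice in this thread comes down to two checks on a Windows 7 box: is the March 2017 update (KB4012212, the one asked about above and listed in the MSRC guidance linked earlier) actually installed, and is SMBv1, the protocol the quoted article says ETERNALBLUE exploits, switched off. The script below is an added example (not from any poster, not Microsoft's own guidance script) that performs both checks and can apply the SMBv1 change. It assumes Windows 7 SP1 / Server 2008 R2, where there is no Get-SmbServerConfiguration cmdlet; the registry value and sc.exe commands used are the ones Microsoft documents for that platform, and the KB number differs on other Windows versions.

```powershell
# Added example: check a Windows 7 SP1 host for the March 2017 security update named in
# the thread and for SMBv1 being disabled. Run from an elevated PowerShell prompt.
# Assumes Windows 7 SP1 / Server 2008 R2 (KB4012212 applies only to those).

$Ms17010Kb = 'KB4012212'   # "Security Only" update for Windows 7 SP1 x86/x64 from the thread

function Test-KbInstalled {
    param([string]$KbId)
    # Get-HotFix lists the same entries as Control Panel > "View installed updates".
    return ($null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue))
}

function Get-SrvSysVersion {
    # srv.sys is the SMB server driver the March 2017 update replaced. If a later monthly
    # rollup was installed instead of KB4012212 itself, compare this against the file
    # table in the KB article rather than relying on the KB id alone.
    $path = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    if (Test-Path $path) { return (Get-Item $path).VersionInfo.FileVersion }
    return $null
}

function Test-Smb1Disabled {
    # On Windows 7 the SMBv1 server is controlled by the SMB1 DWORD under
    # LanmanServer\Parameters: absent or 1 = enabled (the default), 0 = disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($val -eq 0)
}

function Disable-Smb1 {
    # Server side: SMB1 = 0. Client side: drop the SMBv1 redirector (mrxsmb10) from the
    # workstation service dependencies and stop it loading. A reboot is required afterwards.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Output 'SMBv1 server and client disabled; reboot to apply.'
}

# Run the checks and summarise.
$report = [pscustomobject]@{
    PatchInstalled = Test-KbInstalled $Ms17010Kb
    SrvSysVersion  = Get-SrvSysVersion
    Smb1Disabled   = Test-Smb1Disabled
}
$report | Format-List

if (-not $report.PatchInstalled) {
    Write-Warning "$Ms17010Kb not listed. Install it from the Update Catalog (x64 package for 64-bit Windows) or a later rollup that includes it, then compare srv.sys version with the KB article."
}
if (-not $report.Smb1Disabled) {
    Write-Warning 'SMBv1 is still enabled. Run Disable-Smb1 and reboot (only if nothing on the network still needs SMBv1, e.g. very old NAS devices).'
}
```

Two caveats a practitioner will hit: `Get-HotFix` only reports the exact KB id, so a machine patched through a later cumulative rollup shows `PatchInstalled = False` while the srv.sys version is already fixed, which is why the script prints the driver version alongside; and disabling SMBv1 breaks access to anything that speaks only SMBv1, so check for old NAS boxes and printers before rebooting.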
 
So, was there any new data to justify attribution of this to North Korea?
This older article had seemed pretty thorough to attribute it to an
we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available

....
During their previous destructive campaigns, the Lazarus Group, for example, have generally displayed a consistent level of geographic targeting – primarily against organizations in South Korea and the US. Specific industries such as media companies, financial institutions and critical national infrastructure have been the main targets of attack, but in the case of WannaCry, infections were widely distributed across the world, and the malware appeared to spread virtually indiscriminately with no control by its operators. Had the attackers used a phishing vector, they would have been able to limit the malware’s capability to spread outside a network and instead used spear phishing emails to target selected organizations.

So it seems like the UK ingratiating itself, for political reasons, with the USA's anti-NK stance; so yes, maybe that is a GD topic.
 