NHS computer systems hacked!?

It's given time for systems to be patched against the SMB exploit (though I suspect a lot aren't), but it just shows how vulnerable business networks are to these things if better measures aren't taken - the next one could find an even nastier way of spreading.
We will now get script kiddies doing it for a laugh by changing the domain :) At least when this has repeated 15 times, most of the PCs in the world will be up to date haha :)
 
Most crypto variants purposely erase all your shadow copies so that's not much help. Don't run as an administrator, kids!

Was meaning more for my backup solution - it would be handy to have automatic versioning in real time as well as the incidental versioning that comes from regularly swapping out a copy of the data, as currently when stuff is backed up to it, it just overwrites the older file.
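The versioning the post above asks for (keep every copy, never overwrite the last one) is simple to build. The following is an added example for this thread, not code from any poster: it stores each distinct version of a file under a backup root named by a counter and a content-hash prefix, skips unchanged files, and then simulates the live file being overwritten by an encrypting process to show the earlier copies survive. The directory layout, the file names and the sample content are this example's own assumptions.

```python
"""Versioned backup copy: never overwrite the previous copy of a file.

Added example, not from the thread. Every distinct version of a source file
is kept under backup_root/<name>/NNNN-<sha256 prefix>, so a later overwrite
(including an encrypting one) cannot destroy earlier copies.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_versions(backup_root: Path, name: str) -> List[Path]:
    """All stored versions of `name`, oldest first (sorted by numeric prefix)."""
    d = backup_root / name
    if not d.is_dir():
        return []
    return sorted(d.iterdir(), key=lambda p: int(p.name.split("-", 1)[0]))


def backup_file(src: Path, backup_root: Path) -> Optional[Path]:
    """Copy src to a new numbered version unless the newest version already
    has identical content. Returns the new version's path, or None if skipped."""
    digest = sha256_of(src)
    versions = list_versions(backup_root, src.name)
    # Assumption: a 12-hex-char prefix is enough to recognise "same content" here.
    if versions and versions[-1].name.split("-", 1)[1] == digest[:12]:
        return None
    dest_dir = backup_root / src.name
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / f"{len(versions) + 1:04d}-{digest[:12]}"
    shutil.copy2(src, dest)  # copy2 keeps timestamps; the old version is untouched
    return dest


def demo() -> dict:
    """Back up a constructed file three times, the last after an 'encryption'
    overwrite, and report whether the earlier versions are still readable."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        src = tmp_path / "patients.csv"        # constructed sample file
        root = tmp_path / "backups"
        src.write_text("id,name\n1,Alice\n")
        backup_file(src, root)
        skipped = backup_file(src, root)       # unchanged -> should be skipped
        src.write_text("id,name\n1,Alice\n2,Bob\n")
        backup_file(src, root)
        # Simulate ransomware replacing the live file with ciphertext.
        src.write_bytes(b"\x00ENCRYPTED\x00" * 4)
        backup_file(src, root)                 # the garbage gets stored too...
        versions = list_versions(root, src.name)
        return {
            "versions": len(versions),
            "skipped_unchanged": skipped is None,
            # ...but the clean copies are still there to roll back to.
            "first_intact": versions[0].read_text() == "id,name\n1,Alice\n",
            "second_intact": versions[1].read_text() == "id,name\n1,Alice\n2,Bob\n",
        }


if __name__ == "__main__":
    print(demo())
```

The scheme only helps if the backup root is not writable by the account (or malware) that writes the live files: run it as a pull from a separate machine or account, or make the version directory append-only, otherwise the same process that encrypts the source can delete the versions just as it deletes shadow copies.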
 
Hmm, anyone know if there is any connection between this and the recent vulnerabilities found in Intel AMT and the blank password vulnerability? Seems somewhat suspicious timing, and it would be practically invisible unless someone could rule out all other entry points conclusively.
 
I worked there for just over 6 years in different trusts, some of the things you see are shocking.

One of the main problems with NHS IT is that, other than the national systems (such as Spine, which NHS Digital take care of), the quality is totally variable as each Trust can pretty much do whatever they want. It's such a mess. I work for NHS Digital so get to see the massive amount of variance. No one seems to want to introduce any kind of standard approach.
 
Apparently there's already a new strain of this ransomware with no kill switch. I think we were quite lucky with the first strain - if it wasn't for the kill switch I do think we'd still be dealing with the mess on a larger scale. By definition, ransomware isn't designed to steal your data (and I don't recall seeing a variation of any ransomware which does so) - rather to cause disruption and nuisance - so I do feel everyone has been let off lightly, but the issue I foresee is that the malware creators will be designing a new type of malware which leaves no obvious trace of its intrusion and instead steals the data, piggybacking on the same exploits. Over 100,000 new wcrypt infections in the past 24 hours alone, so there are still tens of thousands of machines unpatched, and that will only grow into the week.
 

This one is packaged up with a backdoor mechanism and some exploits for remote desktops, so it could easily sideload other malware/keyloggers/rootkits or be used to manually harvest info. If someone has made use of the remote desktop exploits manually, it could be almost impossible to trace whether data has been stolen or not - I almost half suspect that the bigger infection is a smokescreen for a more targeted attack on something specific.

EDIT: Which made me think of something else - if this is the work of an organised group, especially with a specific target in mind, then they might go as far as DDoSing the sinkhole domain offline, which would allow existing infections to resume operation :|
 
The various opinions I have read seem to point to the SMB exploit and the hopping through open RDP sessions being far better quality code than the relative trash that is the actual ransomware portion, which makes sense if it was a stolen/leaked NSA toolkit. There's no chance that people are going to be rolling out those XP patches or putting firewalls inside their network in a quick fashion, so expect other stuff to use the same methods to get in/spread.
 

From what I've seen it seems quite common these days for the original coders to just sell their work via bitcoin rather than deploy it themselves like in the old days, and a 3rd party actually packages it up and deploys it - often with links to organised crime, etc.
 
One of the main problems with NHS IT is that, other than the national systems (such as Spine, which NHS Digital take care of), the quality is totally variable as each Trust can pretty much do whatever they want. It's such a mess. I work for NHS Digital so get to see the massive amount of variance. No one seems to want to introduce any kind of standard approach.
Yeah, that's a huge problem, no standardisation.
 
Apparently there's already a new strain of this ransomware with no kill switch. I think we were quite lucky with the first strain - if it wasn't for the kill switch I do think we'd still be dealing with the mess on a larger scale. By definition, ransomware isn't designed to steal your data (and I don't recall seeing a variation of any ransomware which does so) - rather to cause disruption and nuisance - so I do feel everyone has been let off lightly, but the issue I foresee is that the malware creators will be designing a new type of malware which leaves no obvious trace of its intrusion and instead steals the data, piggybacking on the same exploits. Over 100,000 new wcrypt infections in the past 24 hours alone, so there are still tens of thousands of machines unpatched, and that will only grow into the week.
Exactly. In the UK a lot of IT is switched off at weekends, for obvious reasons if nobody is using it. Hopefully there is no problem from Monday onwards, but I really doubt it, and not just the NHS: the whole of the world has just had their weekends and a lot of businesses shut down at weekends.
 
Has there been any information about how this managed to circumvent firewalls in these affected organisations? Is it simply that they left ports 139 and 445 open for some silly reason?
 

Are these not closed by default?
 

They should definitely be closed by default. But they might have been opened to facilitate any SMB usage, which is of course possible but I cannot believe that the rules would be so lax as to not filter for specific IP addresses for the port access. That's just asking for something like this to happen. Most system admins are of the belief that it'd never happen to them though. Honestly, if that's how this has happened, people in charge of the infrastructure need to be held accountable. I've done some reading on the ransomware and I cannot imagine it will have been able to spread the way that it has without the firewall ports being vulnerable in the first instance.

Years ago there was a similar issue with the Windows Messaging service, which had ports open by default in every router. Fortunately the extent of this was simply annoying pop up messages that you'd get in Windows. Then there was the Sasser worm which affected lsass.exe which also behaved in a similar manner. This reminds me of having to deal with those back in the day!
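Two things the posts above would want to check in connection logs: whether 139/445 were being passed from outside at all (the unfiltered-port question), and whether any single internal host suddenly opened SMB to many neighbours, which is what spreading over the SMB exploit looks like from the network. The following is an added example for this thread, not code from any poster or from Microsoft. The log format, the "internal" range, the sample records and the fan-out threshold are constructed assumptions; the record lines are made up, not captured traffic.

```python
"""Flag exposed SMB and worm-like SMB fan-out in connection records.

Added example for this thread, not code from any poster or from Microsoft.
The log lines, subnets and thresholds below are constructed assumptions
chosen to illustrate the two checks; adapt them to your own network.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}
# Assumption: everything in 10.0.0.0/8 is "inside"; anything else is the internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: a host reaching this many distinct SMB targets inside one window
# is scanning or spreading rather than doing normal file-share work.
FANOUT_THRESHOLD = 5
FANOUT_WINDOW_SECONDS = 60

# Constructed sample records (not real traffic): time src dst dport action
SAMPLE_LOG = """\
2017-05-12T08:00:01 10.0.50.10 10.0.1.20 445 ALLOW
2017-05-12T08:00:02 10.0.50.10 10.0.1.21 445 ALLOW
2017-05-12T08:01:10 198.51.100.7 10.0.1.20 445 ALLOW
2017-05-12T08:01:11 198.51.100.7 10.0.1.20 139 ALLOW
2017-05-12T08:02:00 10.0.1.20 10.0.1.21 445 ALLOW
2017-05-12T08:02:01 10.0.1.20 10.0.1.22 445 ALLOW
2017-05-12T08:02:02 10.0.1.20 10.0.1.23 445 ALLOW
2017-05-12T08:02:03 10.0.1.20 10.0.1.24 445 ALLOW
2017-05-12T08:02:04 10.0.1.20 10.0.1.25 445 ALLOW
2017-05-12T08:02:05 10.0.1.20 10.0.1.26 445 ALLOW
2017-05-12T08:05:00 10.0.1.30 10.0.1.31 3389 ALLOW
2017-05-12T08:06:00 203.0.113.9 10.0.1.20 445 DENY
"""


def parse_records(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "action": action,
        })
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(records):
    """Allowed SMB connections whose source is outside the internal ranges.

    Any hit means the perimeter passed 139/445 from the internet. DENY lines
    are the firewall doing its job and are deliberately not reported.
    """
    return [
        (str(r["src"]), str(r["dst"]), r["port"])
        for r in records
        if r["port"] in SMB_PORTS and r["action"] == "ALLOW" and not is_internal(r["src"])
    ]


def find_smb_fanout(records, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW_SECONDS):
    """Sources that reached >= threshold distinct SMB targets within one window.

    A worm spreading over SMB looks like one host opening 445 to many
    neighbours within seconds. Returns {src: most distinct targets in a window}.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["port"] in SMB_PORTS and r["action"] == "ALLOW":
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        worst = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window` seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= threshold:
            flagged[str(src)] = worst
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in find_external_smb(recs):
        print("SMB reachable from outside:", hit)
    for src, n in find_smb_fanout(recs).items():
        print(f"possible SMB worm spread: {src} hit {n} hosts")
```

On the constructed records the first check reports the two allowed connections from 198.51.100.7 and ignores the denied one from 203.0.113.9; the second flags 10.0.1.20, which hits six neighbours on 445 in five seconds, while the management host 10.0.50.10 with two targets stays under the threshold. Tune the threshold against a baseline of legitimate file-server traffic before alerting on it, since a backup server or a software deployment point will legitimately fan out.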
 
You mean the private company selling those PCs to the public sector for double the retail price ripped them, and us the taxpayers, off?

I have no idea why public sector procurement across the board (Govt, MOD etc) is always so appalling, but I think the private firm ripping them off should shoulder more of the finger pointing on this one.

Because, to quote Milton Friedman, "no one spends someone else's money as carefully as he spends his own".
 
Has there been any information about how this managed to circumvent firewalls in these affected organisations? Is it simply that they left ports 139 and 445 open for some silly reason?
Would most likely have been another infection method, i.e. email, internet link or compromised device/storage.

edit: from MS TechNet

"We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios we believe are highly possible for this ransomware family:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer can be addressed in other infected machines"
 