Ransomware back in the news

Possibly. I wouldn't be confident until the whole thing is unravelled and analysed with confidence. There are rumours of trojans also contained within it, for example.

Signatures are out for AV and NIPS, and of course the patch has been around for ages, so if you get hit now your CIO needs to be answering the tough questions.

Some more info:
https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know

I'm definitely not confident.
While some are crowing about repeats of Wannacry and laughing about lessons not learned, a small minority are seeing that this one doesn't move via SMB, it's being moved by PSExec and WMIC.
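As an added illustration of the PsExec/WMIC spread mentioned in this post (example code, not from any poster or vendor): a small Python check over constructed Windows event records that flags a host reaching several peers via remote WMIC process creation or PsExec, which is the fan-out pattern a worm produces and a plain admin session usually does not. Event fields, host names and command lines are constructed assumptions.

```python
"""Flag worm-style lateral-movement fan-out (remote WMIC 'process call create'
and PsExec) in constructed Windows event records. Added example, not thread code."""
import re
from collections import defaultdict

# Constructed sample events: Sysmon Event ID 1 (process creation) and
# System Event ID 7045 (service installed). Not real logs from any incident.
EVENTS = [
    {"host": "WS01", "eid": 1, "cmd": r'wmic.exe /node:"WS02" /user:"corp\svc" process call create "cmd.exe /c dir"'},
    {"host": "WS01", "eid": 1, "cmd": r'wmic.exe /node:"WS03" process call create "cmd.exe /c dir"'},
    {"host": "WS01", "eid": 1, "cmd": r'psexec.exe \\WS04 -accepteula -s cmd.exe'},
    {"host": "WS04", "eid": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS09", "eid": 1, "cmd": r'wmic.exe os get caption'},        # local query, benign
    {"host": "WS09", "eid": 1, "cmd": r'notepad.exe C:\notes.txt'},       # unrelated
]

# Remote WMIC process creation: /node:<target> plus 'process call create'.
WMIC_REMOTE = re.compile(r'wmic(?:\.exe)?\s.*?/node:"?([^\s"]+)"?.*?process\s+call\s+create', re.I)
# PsExec client invocation against a UNC target: psexec \\<target> ...
PSEXEC_CLIENT = re.compile(r'psexec(?:\.exe)?\s+\\\\([^\s]+)', re.I)

def remote_target(ev):
    """Return (technique, target_host) when the event shows remote execution, else None."""
    if ev["eid"] == 1:
        m = WMIC_REMOTE.search(ev["cmd"])
        if m:
            return ("wmic_remote_create", m.group(1).upper())
        m = PSEXEC_CLIENT.search(ev["cmd"])
        if m:
            return ("psexec_client", m.group(1).upper())
    elif ev["eid"] == 7045 and "psexesvc" in ev["service"].lower():
        # Seen on the receiving host: the PsExec service was installed there.
        return ("psexec_service_install", ev["host"].upper())
    return None

def fan_out(events, threshold=2):
    """Group client-side remote-execution events by source host and report every
    source that reached at least `threshold` distinct targets."""
    targets = defaultdict(set)
    techniques = defaultdict(set)
    for ev in events:
        hit = remote_target(ev)
        if hit is None or hit[0] == "psexec_service_install":
            continue  # service-install records carry no source host; not a fan-out edge
        technique, target = hit
        src = ev["host"].upper()
        targets[src].add(target)
        techniques[src].add(technique)
    return {src: {"targets": sorted(t), "techniques": sorted(techniques[src])}
            for src, t in targets.items() if len(t) >= threshold}
```

Feed it real Sysmon/System events (host, event id, command line or service name) and the same two rules apply; the threshold controls how much fan-out one host may show before it is reported.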
 
I lock my bike and am happy I've done something to secure it. I'll question if the lock or chain are still strong enough periodically, and check them for signs of tampering. There seems to be no forward progress in making the lamp post to which I've chained it more resilient to being sawn through.
So, you feel that you are responsible for securing your bike. Why then do you regard the suggestion that people should secure their PCs as victim blaming?
 

Tin Pot

Guru
I'm definitely not confident.
While some are crowing about repeats of Wannacry and laughing about lessons not learned, a small minority are seeing that this one doesn't move via SMB, it's being moved by PSExec and WMIC.

Not true, if Rapid7 are to be believed.

rapid7 said:
We've confirmed that this ransomworm achieves its initial infection via a malicious document attached to a phishing email, requiring a victim to download and open it (update: see the 16:50 text below). After that, it does indeed use the EternalBlue and DoublePulsar exploits to spread laterally. Unlike WannaCry, though, it is currently using these mechanisms to spread only on internal networks.

https://community.rapid7.com/community/infosec/blog/2017/06/27/petya-ransomware-explained
 

Maybe both true?

https://blogs.technet.microsoft.com...-old-techniques-petya-adds-worm-capabilities/

The authors are hedging their bets and going for multiple spreading techniques.
It's all part of the dance that I was witnessing last night. All the time I was sat there wanting to know the initial attack vector, and all I was reading was about the effects after someone already had it.
MS are saying infected software update, but I also read about Word macros being used too.
In the end I dialed in and shut down our backup NAS just in case, and sent an email to my users. They're a great bunch for questioning suspect stuff.
 

Tin Pot

Guru
Maybe both true?

https://blogs.technet.microsoft.com...-old-techniques-petya-adds-worm-capabilities/

The authors are hedging their bets and going for multiple spreading techniques.
It's all part of the dance that I was witnessing last night. All the time I was sat there wanting to know the initial attack vector, and all I was reading was about the effects after someone already had it.
MS are saying infected software update, but I also read about Word macros being used too.
In the end I dialed in and shut down our backup NAS just in case, and sent an email to my users. They're a great bunch for questioning suspect stuff.

Smart move - you have offline ones too? Sometimes hard to justify in our cloud-obsessed world.

I was only challenging you on that it does indeed spread over SMB - we already agree other vectors are also in use.

I'm challenging security companies for better response tools; email continues to be a problem after an outbreak is determined, as removing emails that haven't been opened can be an arduous task.

Worm-style vectors are old hat, fixed by security basics: NAC, segregation, least privilege, etc.
 

Tin Pot

Guru
More on vectors, tax software source...

http://www.bbc.co.uk/news/technology-40428967
 
Smart move - you have offline ones too? Sometimes hard to justify in our cloud-obsessed world.

I was only challenging you on that it does indeed spread over SMB - we already agree other vectors are also in use.

I'm challenging security companies for better response tools; email continues to be a problem after an outbreak is determined, as removing emails that haven't been opened can be an arduous task.

Worm-style vectors are old hat, fixed by security basics: NAC, segregation, least privilege, etc.

Yes, the NAS is the main bulk target and is online but locked down to domain admin only; it takes a weekly backup of the servers and a nightly one from selected workstations using Veeam Endpoint backup. It's a Synology, which cuts down the OS risk. I rotate USB drives on the production server, with only one connected at a time.

I've got email going through SpamStopsHere before it hits Office 365. They're 99.9% successful at stopping the crap. Probably a dozen got through in the last 1.5 years, and all of them were links to compromised URLs or fake DropBox. Anything with an attachment goes to my Postmaster account for approval.

I agree that some means of freezing emails for examination would be an extra step.
I think it's about time Outlook had the ability to block anything clickable in an email outside of Junk. It's only been asked for constantly for 20+ years.

I implemented software whitelisting and a domain local admin separated from the domain admin last week.

And I'm still clutching my teddy expecting something else to go wrong!! :cry:
 

Tin Pot

Guru
Yes, the NAS is the main bulk target and is online but locked down to domain admin only; it takes a weekly backup of the servers and a nightly one from selected workstations using Veeam Endpoint backup. It's a Synology, which cuts down the OS risk. I rotate USB drives on the production server, with only one connected at a time.

I've got email going through SpamStopsHere before it hits Office 365. They're 99.9% successful at stopping the crap. Probably a dozen got through in the last 1.5 years, and all of them were links to compromised URLs or fake DropBox. Anything with an attachment goes to my Postmaster account for approval.

I agree that some means of freezing emails for examination would be an extra step.
I think it's about time Outlook had the ability to block anything clickable in an email outside of Junk. It's only been asked for constantly for 20+ years.

I implemented software whitelisting and a domain local admin separated from the domain admin last week.

And I'm still clutching my teddy expecting something else to go wrong!! :cry:

This is the life you chose! ;) Bonne chance.
 

Inertia

I feel like I could... TAKE ON THE WORLD!!
Ouch

The virus that began spreading through European computers yesterday informed users that they could unlock their machines by paying a $300 ransom. But it looks like the bug's creators had no intention of restoring the machines at all. In fact, a new analysis reveals they couldn't; the bug was designed to wipe computers outright.

Petya virus is something worse than ransomware, new analysis shows - The Verge
https://apple.news/Ati9qPAHSTFq_Mc6PdG84Qw
 

fossyant

Ride It Like You Stole It!
The company my missus works for was affected last time, or their cloud host was. I believe the host had to pay to get their servers unlocked. Stopped business for a few days (all their work/systems are cloud based).
 