new ransomware shuts down FedEx other orgs

wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

new ransomware shuts down FedEx other orgs

Post by wvjohn »

https://www.hardocp.com/news/2017/05/12 ... e_vigilant

Huge WannaCry Ransomware Outbreak Happening Now
Updates for this ransomware outbreak will be posted here.


Posted by Kyle 12:34 PM (CST)
Big Ransomware Outbreak Today - Be Vigilant
Update 7: Microsoft Statement - "Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance."

Update 6: FedEx has instructed approximately 80,000 employees, via email, to turn off their computers till Monday while it tries to deal with the WannaCry ransomware.

Update 5: FedEx (FDX ) here in the United States has now been impacted by the WannaCry ransomware. FedEx has not determined exactly how it is spreading, but it is. Virtual Machines currently seem to be the most vulnerable on its network. FedEx is currently shutting down its PCs and taking its ESX servers offline as well.

Update 4: In-house HardOCP security experts have reported that the Russian Ministry of the Interior (Police) network has now been taken down by WannaCry ransomware.

Update 3: Microsoft pushed out a Security Bulletin MS12-010-Critical server patch in March as reported by the BBC, but many have not yet updated the vulnerable systems.

Update 2: HardOCP in-house security experts have verified that the WannaCry ransomware attack is being conducted using Eternal Blue. Eternal Blue was an exploitation tool released in Vault 7, the NSA tool dump from WikiLeaks. You can use this page to watch the current infection rate worldwide after you click connect.

Update: HardOCP in-house security experts have verified that the WannaCry ransomware is using a remote command execution vulnerability through Server Message Block (SMB).

While the outbreak was at first mainly located in Spain, it has quickly spread worldwide. It would be good for our System Admin readers to be very aware of this as it seems to be a very nasty strain of ransomware. Microsoft issued a patch for this on March 14th.
Pugsley
Posts: 7454
Joined: Mon Aug 19, 2002 11:54 pm
Location: NW Indiana

Re: new ransomware shuts down FedEx other orgs

Post by Pugsley »

Why not just have Windows pop up that thing it does when you go to install something whenever anything tries to encrypt a file that is not on a list of known things that are allowed to encrypt? Sounds like an answer to me.
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

It's using the SMB server exploit in the leaked NSA tool dump. Microsoft fixed this in the March security rollup so the only PCs likely to be infected are those that aren't current with security updates.

So if you aren't updated yet, do so, and force Windows Defender to update.

https://support.microsoft.com/en-us/help/4013389/title
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

psypher
Golden Member
Posts: 884
Joined: Sun Nov 02, 2014 1:05 pm
Location: Marietta

Re: new ransomware shuts down FedEx other orgs

Post by psypher »

It's been slowed down...for now.

'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack
https://www.theguardian.com/technology/ ... ber-attack
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

It's inexcusable that UK's National Health System is still using WinXP PCs.
"As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn't be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch."

FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

BTW: There is no fix for WinXP since it's no longer supported, but apparently a good percentage of the UK medical system still uses it and Server 2003 (apparently used a lot in VMs) which is the same code base.

I guess this is the real wakeup call that organizations need to drop XP.

FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

BREAKING NEWS!!!

Microsoft decided to release manual patches for the SMB server exploit for XP and Server 2003! Kudos Microsoft.

If you're still running one of these, or know someone who is, patch now.

I'm still running a Server 2003 box just for file sharing at home, which I'm in the process of replacing with a new Win7 Pro box that has also been activated for Win10 so I can update it later. But I'm not ready to swap it out yet, so I'm going to patch it right now even though it never goes out on the internet.

The initial vector is still an email (although it could be delivered in a variety of ways) but once inside your network it infects other systems using the SMB exploit.

https://blogs.technet.microsoft.com/msr ... t-attacks/

FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

FedEx is getting hit REAL bad. Seems to be their ESX VM servers. I suspect they are either running a lot of Server 2003 VMs or else they don't allow their servers to update. The latter is very common practice, because IT is always afraid an update will break something, and there's a false sense of security if a server is not directly exposed on the Internet.

FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

WannaCry ransomware is reborn without its killswitch, starts spreading anew

http://boingboing.net/2017/05/14/as-predicted.html

FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

NHS was repeatedly warned of cyber-attack
http://www.bbc.com/news/uk-39912825
...Kingsley Manning, a former chairman of NHS Digital - which provides the health service's IT systems - told the BBC on Saturday that several hundred thousand computers were still running on Windows XP.

wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

New version without the killswitch in the wild

Post by wvjohn »

http://boingboing.net/2017/05/14/as-predicted.html

Yesterday, the world got a temporary respite from the virulent Wcry ransomware worm, which used a leaked NSA cyberweapon to spread itself to computers all over the world, shutting down hospitals, financial institutions, power companies, businesses, and private individuals' computers, demanding $300 to reactivate them.

The respite was thanks to a sloppy bit of programming from the worm's creator, who'd left a killswitch in the code: newly infected systems checked to see if a certain domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) existed before attempting to spread the infection; by registering this domain, security researchers were able to freeze the worm.

But a day later, it's back, and this time, without the killswitch. Security researchers running honeypots have seen new infections by versions of the worm that can spread even when the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain is live.

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday.
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

Everyone should also be aware that the patch ONLY keeps the worm on an infected PC from infecting other PCs on the same LAN. It DOES NOT protect a PC from the initial infection which is delivered via an email attachment.

Best practices still apply: don't open attachments.
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

Err
Life Member
Posts: 5842
Joined: Thu Nov 22, 2007 11:54 am

Re: new ransomware shuts down FedEx other orgs

Post by Err »

Here is a link to the Microsoft catalog to download the patch. bleepingcomputer.com is reporting that the version without a killswitch never made it to the wild.

http://www.catalog.update.microsoft.com ... =KB4012598
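One defender-side use of the kill switch described a few posts up (wvjohn's boingboing excerpt): the original worm resolved a specific domain before it started spreading, so any host that queries that domain has already been infected and was about to scan the LAN, whether or not the lookup resolved. The script below is an added example, not code from this thread, from HardOCP, or from any vendor cited here. It scans resolver logs for that domain name. The BIND-style log format, the client IPs and the timestamps are all constructed for the example; only the domain comes from the thread. As FlyingPenguin noted, the patch (KB4012598 in Err's link) stops the SMB spread but not the initial infection, and the kill-switch-free variant discussed above never performs this lookup, so this check complements patching rather than replacing it.

```python
"""Added example: flag hosts that look up the WannaCry kill-switch domain
in DNS resolver logs. Not part of the forum thread; the log lines below are
constructed (hypothetical hosts and timestamps, BIND-style query-log shape).
"""
import re
from collections import defaultdict

# Kill-switch domain as quoted in the thread above.
KILLSWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Constructed sample log. The third line shows a lookup in upper case with a
# trailing dot, which the parser must normalise; the last line is malformed.
SAMPLE_LOG = """\
13-May-2017 08:01:12.101 client 10.0.5.23#51234: query: www.example.com IN A + (10.0.0.2)
13-May-2017 08:01:15.332 client 10.0.5.23#51240: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
13-May-2017 08:02:01.007 client 10.0.7.88#49152: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.2)
13-May-2017 08:03:44.910 client 10.0.5.23#51250: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
13-May-2017 08:04:10.555 client 10.0.9.14#53001: query: update.microsoft.com IN A + (10.0.0.2)
named[1234]: zone example.com/IN: loaded serial 42
"""

# Assumed BIND query-log layout: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, normalised_qname) or None for lines that
    do not match the query-log shape (startup messages, zone loads, etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # DNS names are case-insensitive and may be logged fully qualified.
    qname = m.group("qname").lower().rstrip(".")
    return m.group("ts"), m.group("ip"), qname


def find_killswitch_queries(log_text, domains=KILLSWITCH_DOMAINS):
    """Map client IP -> list of timestamps at which it queried a kill-switch domain.
    Any hit means the host is already infected: the worm checks the domain
    *before* it starts scanning, and the answer does not change that fact."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if qname in domains:
            hits[ip].append(ts)
    return dict(hits)


def summarise(hits):
    """Return [(ip, lookup_count)] with the noisiest hosts first."""
    return sorted(((ip, len(stamps)) for ip, stamps in hits.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = find_killswitch_queries(SAMPLE_LOG)
    for ip, count in summarise(found):
        print(f"{ip}: {count} kill-switch lookup(s), first seen {found[ip][0]} "
              f"-> isolate from the LAN and rebuild")
```

Feed it your own resolver log instead of SAMPLE_LOG (adjust LINE_RE if the resolver is not BIND); an empty result does not prove a clean network, since the later variant drops the lookup entirely.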
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: new ransomware shuts down FedEx other orgs

Post by FlyingPenguin »

LOL!

Sophos waters down 'NHS is totally protected' by us boast
https://www.theregister.co.uk/2017/05/15/sophos_nhs/