new ransomware shuts down FedEx other orgs
https://www.hardocp.com/news/2017/05/12 ... e_vigilant
Huge WannaCry Ransomware Outbreak Happening Now
Updates for this ransomware outbreak will be posted here.
Posted by Kyle 12:34 PM (CST)
Big Ransomware Outbreak Today - Be Vigilant
Update 7: Microsoft Statement - "Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance."
Update 6: FedEx has instructed approximately 80,000 employees, via email, to turn off their computers till Monday while it tries to deal with the WannaCry ransomware.
Update 5: FedEx (FDX) here in the United States has now been impacted by the WannaCry ransomware. FedEx has not determined exactly how it is spreading, but it is. Virtual Machines currently seem to be the most vulnerable on its network. FedEx is currently shutting down its PCs and taking its ESX servers offline as well.
Update 4: In-house HardOCP security experts have reported that the Russian Ministry of the Interior (Police) network has now been taken down by WannaCry ransomware.
Update 3: Microsoft pushed out a Security Bulletin MS12-010-Critical server patch in March as reported by the BBC, but many have not yet updated the vulnerable systems.
Update 2: HardOCP in-house security experts have verified that the WannaCry ransomware attack is being conducted using Eternal Blue. Eternal Blue was an exploitation tool released in Vault 7, the NSA tool dump from WikiLeaks. You can use this page to watch the current infection rate worldwide after you click connect.
Update: HardOCP in-house security experts have verified that the WannaCry ransomware is using a remote command execution vulnerability through Server Message Block (SMB).
While the outbreak was at first mainly located in Spain, it has quickly spread worldwide. It would be good for our System Admin readers to be very aware of this as it seems to be a very nasty strain of ransomware. Microsoft issued a patch for this on March 14th.
Re: new ransomware shuts down FedEx other orgs
Why not just have Windows pop up that thing it does when you go to install something when anything tries to encrypt a file that is not on a list of known things that can be allowed to encrypt? Sounds like an answer to me.
- FlyingPenguin
- Flightless Bird
- Posts: 32773
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
Re: new ransomware shuts down FedEx other orgs
It's using the SMB server exploit in the leaked NSA tool dump. Microsoft fixed this in the March security rollup so the only PCs likely to be infected are those that aren't current with security updates.
So if you aren't updated yet, do so, and force Windows Defender to update.
https://support.microsoft.com/en-us/help/4013389/title
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "
Re: new ransomware shuts down FedEx other orgs
It's been slowed down...for now.
'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack
https://www.theguardian.com/technology/ ... ber-attack
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
It's inexcusable that UK's National Health System is still using WinXP PCs.
"As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn't be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch."
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
BTW: There is no fix for WinXP since it's no longer supported, but apparently a good percentage of the UK medical system still uses it and Server 2003 (apparently used a lot in VMs) which is the same code base.
I guess this is the real wakeup call that organizations need to drop XP.
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
BREAKING NEWS!!!
Microsoft decided to release manual patches for the SMB server exploit for XP and Server 2003! Kudos Microsoft.
If you're still running one of these, or know someone who is, patch now.
I'm still running a server 2003 box just for file sharing at home, which I'm in the process of replacing with a new Win7 Pro box that has also been activated for Win10 so I can update it later. But I'm not ready to swap it out yet, so I'm going to patch it right now even though it never goes out on the internet.
The initial vector is still an email (although it could be delivered in a variety of ways) but once inside your network it infects other systems using the SMB exploit.
https://blogs.technet.microsoft.com/msr ... t-attacks/
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
FedEx is getting hit REAL bad. Seems to be their ESX VM servers. I suspect they are either running a lot of Server 2003 VMs or else they don't allow their servers to update. The latter is very common practice, because IT is always afraid an update will break something, and there's a false sense of security if a server is not directly exposed on the Internet.
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
WannaCry ransomware is reborn without its killswitch, starts spreading anew
http://boingboing.net/2017/05/14/as-predicted.html
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
NHS was repeatedly warned of cyber-attack
http://www.bbc.com/news/uk-39912825
...Kingsley Manning, a former chairman of NHS Digital (which provides the health service's IT systems), told the BBC on Saturday that several hundred thousand computers were still running on Windows XP.
New version without the killswitch in the wild
http://boingboing.net/2017/05/14/as-predicted.html
Yesterday, the world got a temporary respite from the virulent Wcry ransomware worm, which used a leaked NSA cyberweapon to spread itself to computers all over the world, shutting down hospitals, financial institutions, power companies, businesses, and private individuals' computers, demanding $300 to reactivate them.
The respite was thanks to a sloppy bit of programming from the worm's creator, who'd left a killswitch in the code: newly infected systems checked to see if a certain domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) existed before attempting to spread the infection; by registering this domain, security researchers were able to freeze the worm.
But a day later, it's back, and this time, without the killswitch. Security researchers running honeypots have seen new infections by versions of the worm that can spread even when the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain is live.
"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, told Motherboard on Saturday.
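Added example, not from the post or the article it quotes: the kill-switch behaviour described above means a lookup of that domain from an internal host is a detection signal, because only a machine on which the worm's spreader already ran makes that query. The log format below (BIND-style query log) and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Kill-switch domain named in the quoted article. A client asking for it has
# already executed the worm; the sinkhole only stops that client spreading.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample lines in a BIND-style query-log layout (hypothetical,
# not from a real capture): timestamp, client ip#port, queried name.
SAMPLE_DNS_LOG = """\
12-May-2017 10:02:11.101 client 10.0.5.21#51122: query: www.example.com IN A
12-May-2017 10:02:14.417 client 10.0.5.21#51130: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A
12-May-2017 10:02:15.002 client 10.0.7.88#40211: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A
12-May-2017 10:03:01.930 client 10.0.5.21#51140: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A
12-May-2017 10:03:30.500 client 10.0.9.3#33000: query: update.example.org IN A
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def killswitch_queries(log_text: str) -> Counter:
    """Count kill-switch domain lookups per client IP.

    Matching is case-insensitive and ignores a trailing dot, so the
    fully-qualified form of the name is caught as well.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if name == KILLSWITCH_DOMAIN:
            hits[m.group("ip")] += 1
    return hits


def suspect_hosts(log_text: str) -> list:
    """Client IPs that queried the kill-switch domain, most active first."""
    return [ip for ip, _ in killswitch_queries(log_text).most_common()]


if __name__ == "__main__":
    for ip, n in killswitch_queries(SAMPLE_DNS_LOG).most_common():
        print(f"{ip}: {n} kill-switch lookup(s); isolate and verify SMB patch state")
```

The variant without the kill switch makes no such query, so an empty result is not evidence that a network is clean; it only flags hosts running the original build.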
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
Everyone should also be aware that the patch ONLY keeps the worm on an infected PC from infecting other PCs on the same LAN. It DOES NOT protect a PC from the initial infection which is delivered via an email attachment.
Best practices still apply: don't open attachments.
Re: new ransomware shuts down FedEx other orgs
Here is a link to the Microsoft catalog to download the patch. bleepingcomputer.com is reporting that the version without a killswitch never made it to the wild.
http://www.catalog.update.microsoft.com ... =KB4012598
- FlyingPenguin
Re: new ransomware shuts down FedEx other orgs
LOL!
Sophos waters down 'NHS is totally protected' by us boast
https://www.theregister.co.uk/2017/05/15/sophos_nhs/