Ransomware

Two weeks back, there was a massive attack of what you call "WannaCry Ransomware". Around 200,000 have been victimized by this attack. What could be the reason behind this? Is it about money? With their talent and knowledge I believe they could earn it through a proper medium. Or maybe they wanted to prove something. Regardless of what it is, once you've been hit by this ransomware there is no turning back. You can say goodbye to your data because even if you pay there is no guarantee that they will give you back the encryption key. Anyway I feel sad for all the establishments and people that have been victimized by this attack.

There is some hope, however. In the last few days, new ways to recover your files have been published, such as:

It is a matter of time before someone finds a 0-day exploit in the WannaCry crypt process.
restonpiston on Sun May 21, 2017 2:32 pm
That is awesome news. Good thing there are still people who want to share their knowledge with the world for free. Two thumbs up for them.
jestoy0514 on Mon May 22, 2017 7:02 am
Apparently the origin for the ransomware that is doing the rounds is in North Korea and they used a software tool they had stolen from the US National Security Agency. The tool is called EternalBlue. EternalBlue exploits a vulnerability in MS Windows and infects and locks a computer until a ransom is paid (bitcoins seem to be the preferred payment). Microsoft says they fixed it in the last updates. So guess we need to update our Windows. Not that they'd be interested in people with free hosting sites. They'd probably go for people with money instead.

Wonder whether they're using it to fund their ballistic missile programme?
deanhills on Mon May 22, 2017 4:32 pm
Sorry to contradict you deanhills, but North Korea didn't steal EternalBlue. As many media outlets have pointed out, like here, the exploit was stolen by someone and published by Wikileaks. The hackers used that to create WCry.
restonpiston on Wed May 24, 2017 12:06 am
North Korea's alleged involvement was reported in the New York Times - apparently there is evidence linking it to the Lazarus Group:

I first learned about it in the South African Sunday Times - it's a reliable newspaper (as reliable as newspapers could be considered to be - but yes, it could be wrong too - who knows). Unfortunately the Sunday Times doesn't provide free reading of their articles - one has to pay to read them, but the article below gives the same info with plenty more details - without the reference to North Korea being the culprit:
deanhills on Wed May 24, 2017 1:47 pm
It's actually a group called the Shadow Brokers that stole the NSA data, released part of it for free and auctioned the rest.

What impressed me the most was that there's another group that had infected a larger number of computers for a mining botnet using the same exploit (EternalBlue) and backdoor (DoublePulsar).

These guys actually blocked port 445 in the post-exploitation phase just to be sure other malware couldn't compromise their botnet.

If this initial outbreak had never taken place, the number of wCry infections would have been a lot higher.

The good thing is, this virus just uses your computer to mine the Monero cryptocurrency and it does it stealthily, while wCry just F***'s you over big time.

These are the wallets used by the wCry authors
Marcuzzo on Wed May 24, 2017 10:24 pm
@Marcuzzo. Any simple advice for avoiding ransomware? Or is it the common sense one. Not to click on strange links, not to click on any link that doesn't make 100% sense? And to update Windows regularly?
deanhills on Thu May 25, 2017 6:49 am
@dean, keeping your Windows updated and never trusting mail attachments is good practice, and even then there's a chance they still get in.
I understand that people don't like auto updates, which were disabled (by the user) on most home computers back in the early XP days because everybody had terrible experiences with botched 2000 updates.
You can disable optional updates but at least leave criticals and security updates enabled. This is enabled on our systems by default.
A 0-day may get through but by patching early and often you still have a little more control.

wCry was distributed in two ways: phishing mails (exploit the user) and the SMB 0-day (exploit the system), and the latter was a piece of art.

Upon infection it would scan the local network for vulnerable devices and attack those. I think most computers got popped by that worm-like behaviour.
Marcuzzo on Thu May 25, 2017 1:21 pm
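Marcuzzo's post above describes the worm-like behaviour: an infected host sweeping its local network for SMB targets. As an added example (not code from this thread or from any of its posters), here is a small Python detector that flags any source touching many distinct hosts on TCP/445 within a short window, run over constructed sample connection-log lines. The log format, the 60-second window and the 10-target threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO time> <src> -> <dst>:<port> <action>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) \w+$")

def parse(lines):
    """Yield (timestamp, src, dst, port); malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])

def find_smb_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {src: sorted distinct TCP/445 targets} for every source that hit
    at least `min_targets` distinct hosts on port 445 inside any `window`."""
    events = defaultdict(list)  # src -> [(ts, dst)] for port 445 only
    for ts, src, dst, port in parse(lines):
        if port == 445:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({dst for _, dst in evs[start:end + 1]}) >= min_targets:
                hits[src] = sorted({dst for _, dst in evs})
                break
    return hits

def constructed_log():
    """Constructed sample: one worm-like host, one normal workstation, noise."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(20):  # 10.0.0.15 sweeps 20 neighbours on 445 in 20 seconds
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.15 -> 10.0.0.{20 + i}:445 ALLOW")
    for i in range(30):  # 10.0.0.40 talks to its one file server on 445 repeatedly
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.0.0.40 -> 10.0.0.5:445 ALLOW")
    lines.append(f"{base.isoformat()} 10.0.0.41 -> 10.0.0.5:80 ALLOW")
    lines.append("not a connection record")
    return lines

if __name__ == "__main__":
    for src, targets in find_smb_scanners(constructed_log()).items():
        print(f"possible SMB scanner {src}: {len(targets)} distinct targets on 445")
```

The workstation that hammers a single file server on 445 is never flagged, because the rule counts distinct destinations rather than connection volume.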
There is only one true way to protect yourself from ransomware: do backups. If a backup was done and you are now infected, you can restore to the uninfected state.
restonpiston on Thu May 25, 2017 8:11 pm
That goes without saying... Only an idiot doesn't create backups regularly.

At work we don't even try to recover data from computers that have been infected.

F12 -> PXE boot -> restage

And if the user had rights on file shares we would restore data from the backup tapes, max 24 hrs old.
Marcuzzo on Fri May 26, 2017 10:58 am
In the meanwhile looks as though Bitcoins increased in value during the WannaCry Ransomware attacks. Could be that the real perpetrators were the ones who wanted the Bitcoins to increase in value? One probably should check those who have large stocks of Bitcoins to find the guys behind the attacks. Wonder whether that would be possible to do?
deanhills on Fri May 26, 2017 9:48 pm
It may be, deanhills. What you said might be true, but some people say that bitcoins are untraceable.
jestoy0514 on Tue May 30, 2017 3:43 pm
Some people also believe that The Onion Router network is completely anonymous.
Marcuzzo on Thu Jun 01, 2017 9:40 pm

