Very large-scale RansomWare / CryptoWare 'attack' hits many nations

Well, this is the largest incident I have seen so far in terms of this specific computer problem known as RansomWare or CryptoWare. Among my colleagues and me, we simply refer to this as 'being crypto'd'.

How does it happen? : Well, you have to actually click something for this to work the way it does. The infection comes embedded in a document that is sent to you via email or other methods. The infection is in the document in the form of a 'macro'. A macro is a set of instructions in the form of a script that executes a command and does a certain task.

What happens next? : When the macro is executed it will search out files that are in standard locations on your PC. Now, that is really not so bad in and of itself. However, if you have network drives mapped with authorization/authentication to those folders, then those files are going to be affected. Those network files typically reside on a central server for the organization. Once it seeks out those network drives it typically starts from the top folder and begins the encryption of your files.

What are your options? : If your IT company or staff is worth their weight in anything, they would have regular backups of the data from the server. The company I work for has regular backups for 99% of our clients. A few small companies that got hit over the last year now understand the importance of these backups. It's like insurance: you hope you never need it, but are glad when it's there. ... The other option is to pay the ransom, which does not guarantee you will get your files back. You pay the ransom to a Bitcoin wallet address and they send you the decrypt file to restore the files to their original state.

How do you stay safe? : Well, this one is a tricky one, as it really comes down to user education to recognize the issue. Strange emails from people you don't know? Delete them, and don't even feel bad. If it's important, someone will send it again or contact you directly to ask whether you received the document. Another tip to recognize a possible infection or phishing attempt is to simply hover the mouse over the link, if there is one in the email. If the popup shows a different address than the one you see on the screen, don't even click it; immediately delete the email.

Spam filters, firewalls and anti-virus will NOT, I repeat and stress, NOT help protect you against ransomware. In the future these may help, but only if the definition of the infection is known. Once that happens, then spam filters can recognize the fingerprint in the document and block it. What it comes down to is user education, which will be your best defense against this type of issue.

With the recent large-scale infection of over 100,000 organizations in about 100 nations, this is a very, very large incident. Now, this was not so much an attack; I feel that the infection already happened and was simply waiting for a specific time to execute. That can and has happened. I've seen that before, where a document was already on the server or a PC and the macro was set to go off a week or so later. Typically we see the issue right away when the document is opened. The user already knows something happened.

This was not a hack by that definition. This is an infection via an embedded macro in a document that was received by a person, and they allowed that document to come in. This attack was also timed very well: near the end of the day on a Friday. Most organizations are already in recovery mode, and then there will be some on Monday that we do not yet know have been infected.

I CANNOT STRESS THIS ENOUGH : I have been telling everyone I know that a cascading effect will happen to cause many computer systems to fail. Now, when those computer systems control health care, traffic and other important infrastructure, then you have a very large risk of bringing everything to a halt. The more things are interconnected, the more frequent and the larger the attacks will be.

An unprecedented "ransomware" cyberattack that has already hit tens of thousands of victims in 150 countries could wreak even more havoc Monday as people return to their desks and power up their computers at the start of the work week.

Officials and experts on Sunday urged organizations and companies to update their operating systems immediately to ensure they aren't vulnerable to a second, more powerful version of the malicious software, dubbed WannaCry. The cyberattack paralyzed computers that run Britain's hospital network, Germany's national railway and scores of other companies and government agencies worldwide.

The attack, already believed to be the biggest online extortion scheme ever recorded, is an "escalating threat" after hitting 200,000 victims across the world since Friday, according to the head of Europol, Europe's policing agency.

"At the moment, we are in the face of an escalating threat," director Rob Wainwright told Britain's ITV. "The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn on their machines on Monday morning."

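As an added example, not part of the original post: a Python triage routine for the two signals the post describes, a link whose visible text names a different host than its href (the "hover over the link" check, done on the HTML source), and an attachment that is an Office Open XML container carrying a VBA project part (word/vbaProject.bin), which is where a Word macro lives. The message, host names and attachment contents below are constructed stand-ins, and the macro check looks inside the zip rather than at the file extension.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Visible text that itself looks like a URL or host name, e.g. "www.bank.example/login".
_URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


def _host(url: str) -> str:
    """Host part of a URL, lower-cased, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html: str) -> list:
    """Return (visible text, href) pairs where the text names one host and the href another."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return [(text, href) for text, href in parser.links
            if _URLISH.match(text) and _host(text) != _host(href)]


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip (Office Open XML) container holding a vbaProject.bin part.
    Checks the container, not the extension, so a renamed .docm is still caught."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw_message: bytes) -> dict:
    """Parse a raw RFC 5322 message and report both signals."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    macro_attachments = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, bytes) and has_vba_project(payload):
            macro_attachments.append(part.get_filename() or "<unnamed>")
    return {"mismatched_links": find_mismatched_links(html),
            "macro_attachments": macro_attachments}


# --- Constructed sample input (stand-ins, not a real message or document) ---

def make_ooxml(with_macro: bool) -> bytes:
    """Stand-in for a Word document: the zip layout, with or without word/vbaProject.bin.
    Part contents are placeholders, not a real document or VBA stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder for the OLE stream that holds the VBA")
    return buf.getvalue()


def build_sample_message() -> bytes:
    html = (
        '<p>Please review your statement: '
        '<a href="http://login.example.net/update">http://www.mybank.example.com/secure</a></p>\n'
        '<p>Questions? <a href="http://www.mybank.example.com/help">www.mybank.example.com/help</a> '
        'or <a href="http://login.example.net/x">click here</a>.</p>\n'
    )
    msg = EmailMessage()
    msg["From"] = "billing@mybank.example.com"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(make_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(make_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    return msg.as_bytes()
```

Running `triage(build_sample_message())` flags the first link (visible text on mybank.example.com, href on login.example.net) and the invoice.docm attachment; the second link is not flagged because only the `www.` differs, "click here" is not compared because it names no host, and notes.docx passes because its container has no VBA part. In a mail gateway the same two checks would run before the user ever sees the message, without needing a signature for any particular document.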

Replies to This Discussion

Very helpful, GH.

This already happened to my computer. I have a file on the desktop with that bug and yes, they want bitcoin to get my files back. Can't help but think it's the fake government doing it for some money; they're the ones who designed the computer and all the programs, not some little squirrel in a closet.

The good thing is, once the infection reaches the end of the file list in a folder it self-terminates and won't spread anymore; however, the damage is done and restoring from backups is your only option.

So apparently you can blame some IT techs for not doing their job. There was a new exploit found in Windows Server 2003 (whoever is using it today is dumb) which allowed this compromise to take place. The clients we service had those servers patched up some time ago, so they were spared the tragedy that is this new wave of ransomware. Just shows the caliber of the techs I run with. :D

Can instructions be embedded in pictures? A friend is concerned that these macros can be embedded in them. I also wonder about emojis?

Anything can be hidden in any type of file. The difference is whether it is just stored data or an executable program that causes problems. Now, hidden data CAN be stored in various other files, but it's a question of whether the embedded data is an executable, meaning some code launches to do certain things with other programs outside of the file. With Word and Excel it is in the form of macros.

You take a picture on your phone or camera. There is embedded data in that file that will show the source of the pic (aka information about the hardware used to take the pic: stuff like camera type, resolution, phone ID, etc.). When you scan images/documents that happens as well. This is simply stored data and not executable in any way.

I am not 100% sure if simple pics can contain executable code; I'll see what I can find.
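As an added example, not from the thread: a small Python walk over a JPEG's marker segments that pulls the camera make and model out of the Exif APP1 segment the reply above describes. The file is constructed inline (a header-only JPEG with no image data, so it will not display), and the tag values "ExampleCam" and "X-100" are stand-ins. It shows that the metadata is length-prefixed bytes read as data; the bounds checks are there because what those bytes end up doing depends on the parser that reads them, not on the file extension.

```python
import struct

# TIFF/Exif tag numbers in IFD0 that hold ASCII camera metadata.
_ASCII_TAGS = {0x010F: "Make", 0x0110: "Model"}


def iter_segments(data: bytes) -> list:
    """Walk a JPEG's marker segments and return (marker, payload) pairs up to EOI or the
    start of scan. Every declared length is checked against the file before it is
    trusted; a segment claiming more bytes than remain raises ValueError."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments = [(0xD8, b"")]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker in (0xD9, 0xDA):       # EOI, or SOS: entropy-coded image data follows
            segments.append((marker, b""))
            return segments
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos:pos + 2])[0]   # counts the 2 length bytes too
        if length < 2 or pos + length > len(data):
            raise ValueError(f"segment 0x{marker:02X} declares {length} bytes, "
                             f"only {len(data) - pos} remain")
        segments.append((marker, data[pos + 2:pos + length]))
        pos += length
    raise ValueError("file ended without EOI")


def is_well_formed(data: bytes) -> bool:
    try:
        iter_segments(data)
        return True
    except ValueError:
        return False


def exif_strings(data: bytes) -> dict:
    """Return the ASCII tags listed in _ASCII_TAGS from the Exif APP1 segment's first IFD."""
    found = {}
    for marker, payload in iter_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                   # TIFF block: byte order, magic 42, IFD0 offset
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
            raise ValueError("bad TIFF header in APP1")
        ifd = struct.unpack(order + "I", tiff[4:8])[0]
        if ifd + 2 > len(tiff):
            raise ValueError("IFD0 offset points outside the segment")
        count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
            if len(entry) < 12:
                raise ValueError("truncated IFD entry")
            tag, typ, n = struct.unpack(order + "HHI", entry[:8])
            if typ != 2 or tag not in _ASCII_TAGS:
                continue
            if n <= 4:                       # values of 4 bytes or fewer sit inline
                raw = entry[8:8 + n]
            else:                            # longer ones live at an offset into the TIFF block
                off = struct.unpack(order + "I", entry[8:12])[0]
                if off + n > len(tiff):
                    raise ValueError("tag value points outside the segment")
                raw = tiff[off:off + n]
            found[_ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


# --- Constructed sample: a header-only JPEG carrying Exif but no image data ---

def _tiff_with_ascii_tags(tags: dict) -> bytes:
    """Little-endian TIFF block with a single IFD of ASCII entries."""
    entries, extra = b"", b""
    data_start = 8 + 2 + 12 * len(tags) + 4      # header + count + entries + next-IFD pointer
    for tag, text in tags.items():
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:
            entries += struct.pack("<HHI", tag, 2, len(value)) + value.ljust(4, b"\x00")
        else:
            entries += struct.pack("<HHII", tag, 2, len(value), data_start + len(extra))
            extra += value
    return b"II*\x00" + struct.pack("<IH", 8, len(tags)) + entries + b"\x00" * 4 + extra


def build_sample_jpeg() -> bytes:
    app1 = b"Exif\x00\x00" + _tiff_with_ascii_tags({0x010F: "ExampleCam", 0x0110: "X-100"})
    return (b"\xff\xd8"                                                  # SOI
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1       # APP1 (Exif)
            + b"\xff\xd9")                                               # EOI
```

`exif_strings(build_sample_jpeg())` returns the make and model; cutting bytes off the end of the file makes `iter_segments` reject it instead of reading past the buffer, which is the behaviour to want from anything that opens attachments. Emoji are a separate case: in a message they are ordinary Unicode characters, not a file format at all.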


© 2018   Created by rose.