
Views: 82,629     Votes:  6 
Tags: malware   ransomware   wannacry  
Link: See Original Answer on Information Security

URL: https://security.stackexchange.com/q/159674
Title: How is the "WannaCry" Malware spreading and how should users defend themselves from it?
ID: /2017/05/17/How-is-the-_WannaCry_-Malware-spreading-and-how-should-users-defend-themselves-from-it_
Created: May 17, 2017    Edited:  May 17, 2017
Upload: November 24, 2022    Layout:  post
TOC: false    Navigation:  false    Copy to clipboard:  false


The NHS was doomed to be the first one hit

There are many great answers here but this answer is enlightening given recent events. On January 18th, 2017, US-CERT urged admins to firewall off SMBv1, but comments on this story say the only reason Windows XP support is still around is because the NHS (the UK’s National Health Service, which was shut down on Friday May 12th) pays M$ tons of cash to keep it alive.

If you have an older Windows Vista backup laptop like mine, you might be interested in KB4012598 for Windows 8, XP, Vista, Server 2008 and Server 2003, which are equivalents to the much-talked-about MS17-010. These are manual patches for EOL (End of Life) Windows versions that are off support and no longer get automatic updates. Microsoft took the extraordinary step of releasing these patches over the last 48 hours.

Linux users can be affected too

If there are Linux users reading this answer I’d like to point out vulnerabilities discussed in Ask Ubuntu on this Question I posted.

Technical details not listed in other answers

This article discusses blocking specific ports and disabling SMBv1 and SMBv2 in favour of SMBv3. Part of the article states the FBI says you shouldn’t pay the criminals to get your data back but in all honesty I would pay 300 bucks to get my life back.

Spooky coincidences

The Shadow Brokers have made 31 grand so far, according to one article today. Interesting fact: the name first appeared (AFAIK) as a fictional group wheeling and dealing in secrets in a sci-fi video game invented in Edmonton about 10 years ago. Second interesting fact: they charge $300 to unlock your ransomed data, and I used to charge $300 for data repairs of GL, AR, IC, PR, etc. That said, I highly doubt the Shadow Brokers are based out of Edmonton, where I live.

Version two is out and kill switch won’t work

The creation of the website http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/, which operates as a kill switch for the ransomware, is reported to have been side-stepped by a new version of “Wanna Cry”. I haven’t read many articles confirming this, but in any case the SMBv1 and SMBv2 holes should be plugged. People shouldn’t rely on the kill switch working with future “Wanna Cry” versions or any new malware / ransomware utilizing the loophole.

If you wonder what the kill-switch website benignly says, it is:

sinkhole.tech - where the bots party hard and the researchers harder…

Microsoft Conspiracy Theories

Those that don’t believe in conspiracies can press the back button. The NSA and Microsoft knew this was coming, according to this article circulating a petition demanding to know what Microsoft knew, when, where and how. The allegations are based on the timing of the Shadow Brokers, the NSA getting hacked and MS security updates.
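The answer above mentions three controls but no way to check them: the MS17-010 patch (KB4012598 and its siblings), turning SMBv1 off, and firewalling the SMB ports. The script below is an added example, not code from the original answer or from Microsoft; it audits a single Windows host for those three items and, with -Remediate, applies the two that can be fixed locally. It assumes Windows 8.1 / 10 or Server 2012 R2 and later (for the SmbShare and NetSecurity cmdlets), an elevated PowerShell 5 or newer session, and that the KB list copied from the MS17-010 bulletin matches your build; the firewall rule name and the "Public profile only" choice are this example's own assumptions.

```powershell
<#
Added example (not part of the original answer): audit a Windows host for the
WannaCry controls the answer mentions and optionally apply them.
Assumptions (not from the page): Windows 8.1 / 10 or Server 2012 R2+, an
elevated PowerShell 5+ session, and the built-in SmbShare and NetSecurity
modules. Win 7 / 2008 R2 need the registry route for the server side instead.
Run with -Remediate to change settings; add -WhatIf to see what would change.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

# MS17-010 KB numbers per OS, copied from the bulletin. KB4012598 is the
# out-of-band patch for XP / Vista / Server 2003 / 2008 SP2 / Windows 8 RTM.
# Verify against the bulletin for your exact build before trusting this list.
$Ms17010Kbs = @(
    'KB4012598',
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607, Server 2016
)

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB ID. Caveat: on Windows 10 a later
    # cumulative update supersedes these IDs, so $false here is not proof of
    # exposure; compare the OS build against the bulletin in that case.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $hit = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    return [pscustomobject]@{ Patched = ($hit.Count -gt 0); MatchedKBs = $hit }
}

function Get-Smb1State {
    # Server side: will this host still answer SMBv1 clients (the ETERNALBLUE path)?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client side: mrxsmb10 is the SMBv1 client driver; 'Disabled' means off.
    $client = (Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue).StartType
    return [pscustomobject]@{
        ServerSmb1Enabled = $server
        ClientSmb1Driver  = $(if ($null -eq $client) { 'NotPresent' } else { "$client" })
    }
}

function Disable-Smb1 {
    # Server: turn SMBv1 off in the server configuration (effective immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client: drop mrxsmb10 from the workstation service dependencies and stop
    # the driver from loading (documented sc.exe sequence; reboot to finish).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Get-InboundSmbBlockRule {
    # Rule name is this example's own choice.
    Get-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry)' -ErrorAction SilentlyContinue
}

function Add-InboundSmbBlockRule {
    # Block NetBIOS session (139) and direct SMB (445) on the Public profile, which
    # is where a travelling laptop gets reached from strangers. Blocking on the
    # Domain/Private profiles would also kill legitimate file sharing, so it is
    # left out here; tighten further with -RemoteAddress if your network allows.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry)' `
        -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
        -Profile Public -Action Block -Enabled True | Out-Null
}

# --- audit ---
$patch = Test-Ms17010Installed
$smb1  = Get-Smb1State
$rule  = Get-InboundSmbBlockRule
Write-Host ("MS17-010 installed : {0} {1}" -f $patch.Patched, ($patch.MatchedKBs -join ','))
Write-Host ("SMBv1 server       : {0}" -f $(if ($smb1.ServerSmb1Enabled) { 'ENABLED' } else { 'disabled' }))
Write-Host ("SMBv1 client driver: {0}" -f $smb1.ClientSmb1Driver)
Write-Host ("Inbound SMB blocked: {0}" -f ($null -ne $rule))

# --- remediate (only when asked, and honouring -WhatIf / -Confirm) ---
if ($Remediate) {
    if ($smb1.ServerSmb1Enabled -and $PSCmdlet.ShouldProcess('SMBv1', 'Disable server and client')) {
        Disable-Smb1
    }
    if ($null -eq $rule -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Block inbound TCP 139/445 on Public profile')) {
        Add-InboundSmbBlockRule
    }
    if (-not $patch.Patched) {
        Write-Warning 'MS17-010 not detected: install the KB for this OS from the Microsoft Update Catalog, then reboot.'
    }
}
```

Run it once without switches to see the three findings, then with -Remediate -WhatIf to preview changes before applying them. The patch check is deliberately only a warning: the KB has to come from Microsoft, and on Windows 10 a later cumulative update can hide the original KB ID, so treat "not detected" as a prompt to compare the build number against the bulletin rather than as proof the host is exposed.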
