> The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.
Macuyiko|8 years ago
I think this is an important take-away. I found it strange that so many media outlets and IT departments were jumping on the "do not open suspicious emails" bandwagon even though there hasn't been a lot of evidence of such phishing emails. That is: screenshots of infected devices have been popping up all across the world, but almost no examples of a particular entry email have been shown.
Of course, it might be easier for an IT dep. to state: "it must have been unleashed by someone clicking on some email they got" rather than "oops, we still had unpatched Windows machines exposed to the public internet". Why go through the trouble of sending out emails when your worm already contains a replication/infection mechanism? Just use a botnet to scan those 1 million IPs and see if SMB is open.
That being said, it does not surprise me to see yet again an issue in SMB. This has been a particularly weak point in Windows for decades now. I remember "hacking tutorials" from 15 years ago where you'd just go out and nmap public IP ranges to see if you could access hidden shares (e.g. like so: http://www.madirish.net/59). Also there was this issue of Windows keeping weak NetBIOS password hashes around which could be trivially unhashed (https://vuldb.com/?id.13824), years ago.
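The defensive counterpart to "scan those IPs and see if SMB is open" is to find the hosts in your own address space that answer on TCP/445 before a worm does. The following is an added example written for this page (not tooling from the article or the thread): it expands CIDR ranges, attempts a TCP handshake to port 445 on each host with a bounded timeout and thread pool, and reports the reachable ones. The 192.0.2.0/29 range in the usage stub is the TEST-NET-1 documentation range, used as a placeholder for your own ranges.

```python
"""Audit which hosts in your own address ranges expose TCP/445 (SMB)."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout`.

    A completed handshake only proves the service is reachable from here.
    It says nothing about patch level or which SMB dialects are enabled;
    that has to be checked on the host itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out) or unreachable
        return False


def expand_targets(cidrs: Iterable[str]) -> List[str]:
    """Expand CIDR strings into individual host addresses.

    Network and broadcast addresses are skipped for prefixes that have
    them; /31 and /32 prefixes are returned as-is.
    """
    hosts: List[str] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        members = net.hosts() if net.num_addresses > 2 else net
        hosts.extend(str(h) for h in members)
    return hosts


def audit_smb_exposure(cidrs: Iterable[str], port: int = 445,
                       timeout: float = 1.0, workers: int = 64) -> List[str]:
    """Return the hosts in `cidrs` that accept TCP connections on `port`."""
    targets = expand_targets(cidrs)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, tcp_open(h, port, timeout)),
                                targets))
    return [host for host, is_open in results if is_open]


if __name__ == "__main__":
    # 192.0.2.0/29 is the TEST-NET-1 documentation range (placeholder input);
    # substitute the ranges you are responsible for.
    for host in audit_smb_exposure(["192.0.2.0/29"], timeout=0.5):
        print(f"{host}: TCP/445 reachable")
```

A host that shows up here is exposed, not necessarily vulnerable; the follow-up is to confirm on the host whether SMBv1 is still enabled and whether the relevant patches are installed, and to block 445 at the perimeter regardless.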
A fair amount of ransomware is distributed via email, so it's not such a bad idea when this issue is front and centre and all over the news to reinforce good behaviour amongst users.
tomlong|8 years ago
It's not like 'stop clicking random shit in emails' is bad advice.
I'm surprised by how carefully the worm seems to be coded. They make sure they have an internet connection, they check for disk space in order not to run out while encrypting, they save a backup copy of the "tasksched" executable before replacing it, they shut down databases (I assume in order to prevent corruption?) etc...
I guess they want to make sure the decryption process will work without any issue so that the victim will be more likely to pay other ransoms or spread word of mouth that it does actually work.
I wish all software devs were as thorough as these people...
I would guess the shutdown of apps is not of good intent, but rather to release file locks so they can delete the unencrypted database and Exchange files.
RichardHeart|8 years ago
1. New address per machine (easier to detect payments made, hides profit total.)
2. Deterministic wallet stores all profit in a simple 12 word seed "password."
3. Phone numbers directly to bitcoin vendors. (people running insecure systems love phones.)
4. Phone number to tech support company that bills your credit card to walk you through paying the ransom.
5. Delayed symptoms. Secretly encrypt backups (windows EFS might be able to do it non-obviously) Then once all your backups are secretly encrypted, it encrypts the key, and now you can't use backups to save yourself.
6. Advertise affiliated antivirus (I hear this is what cloudflare does by hosting bad actors, they inflate their demand for protection from bad actors, just a rumor though.)
7. Infect a friend. Get a discount on your ransom if you infect a friend and they pay.
It doesn't seem reasonable that 300k infections = less than 1 in 1000 payments. Are people's files really so worthless, or bitcoin really so hard, or people so untrusting of unencrypt. I imagine they could have sold their 0 day idea for more money to a whitehat perhaps? Maybe more generalized bug bounties could be deployed to offer financial incentive to harden systems and be non evil.
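Items 1 and 2 in the list above describe a scheme in which every infected machine is shown a fresh address while the operator stores only a seed, and in which payments can be attributed exactly. The following is an added illustration written for this page, not code from the thread or from any real ransomware: it derives per-victim addresses from one seed with HMAC-SHA512 and reconciles a constructed ledger against them. Real wallets derive secp256k1 keys under BIP32/BIP39 and encode public-key hashes; the pseudo address format here is an assumption made to keep the structural point (one seed, many unlinkable addresses, exact attribution) without the elliptic-curve arithmetic, so it is not interoperable with any wallet.

```python
"""Per-victim payment addresses from one seed, simplified (not BIP32)."""
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

SATOSHI = 100_000_000  # amounts kept as integer satoshis to avoid float rounding


def derive_victim_address(seed: bytes, index: int) -> str:
    """Hardened-style child: HMAC-SHA512 keyed by the seed over the index.

    Without the seed, two outputs are unlinkable; with it, every address can
    be regenerated on demand, so nothing but the seed needs to be stored.
    """
    child = hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha512).digest()
    # Pseudo address (assumption for this example): hash of the child secret.
    # A real wallet would derive a public key here and encode its hash.
    return "addr" + hashlib.sha256(child[:32]).hexdigest()[:24]


def attribute_payments(seed: bytes, victim_count: int,
                       ledger: Iterable[Tuple[str, int]]) -> Dict[int, int]:
    """Map incoming payments to victim indices; returns {index: satoshis}.

    Because each victim has a unique address, a deposit identifies the payer
    without any out-of-band channel.
    """
    address_to_victim = {derive_victim_address(seed, i): i
                         for i in range(victim_count)}
    paid: Dict[int, int] = {}
    for to_address, satoshis in ledger:
        victim = address_to_victim.get(to_address)
        if victim is not None:
            paid[victim] = paid.get(victim, 0) + satoshis
    return paid


def count_payments_shared(shared_addresses: Iterable[str],
                          ledger: Iterable[Tuple[str, int]],
                          ransom_sat: int) -> int:
    """Contrast case: with a handful of shared addresses you can only count
    ransom-sized deposits; which victim sent which one is not recoverable
    from the chain, which is the attribution problem item 1 avoids."""
    targets = set(shared_addresses)
    return sum(1 for addr, sat in ledger
               if addr in targets and sat >= ransom_sat)


if __name__ == "__main__":
    seed = b"example seed; use 32+ bytes of real entropy"  # constructed
    ledger = [  # constructed ledger: (destination address, satoshis)
        (derive_victim_address(seed, 7), 17 * SATOSHI // 100),
        (derive_victim_address(seed, 2), 17 * SATOSHI // 100),
        ("addr" + "0" * 24, 50_000),  # unrelated deposit, ignored
    ]
    print(attribute_payments(seed, 10, ledger))  # {7: 17000000, 2: 17000000}
```

The davotoula reply further down makes the operational point: the seed must never reach the victims, so derivation has to happen on the operator's side and only the resulting address is embedded in each ransom note.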
I don't know a single person who would pay upwards of $300 to get their files back if they got hit with ransomware. Hell, I've got something like 10 years of personal files on my machine and I wouldn't pay that much for them. I would bet a lot more people would be willing to pay if the fee was more like $50. That takes it out of the category of 'a lot of money for computer files' for a lot of people and puts it in the category of 'minor inconvenience'.
sp00ls|8 years ago
I sometimes fix friends' & older family members' computers as a favor and I've noticed that they usually don't really have any files anyway. I always make a backup before reformatting them and usually it includes their bookmarks and maybe 2-3 random files scattered in their 'Documents' folder, none of which are important. Their machines are more like just gateways to the internet than anything.
Through machine moves over the years I'm sure I have multiple copies of the most important ones anyway (keys, etc). If not, oh well, life goes on. Shoulda made backups in the first place if they were that important to me.
"Are peoples files really so worthless, or bitcoin really so hard, or people so untrusting of unencrypt."
ransom1538|8 years ago
I think that is a super small subset. Average people use a ton of cloud software nowadays: google docs, dropbox etc. Let alone use a desktop for anything besides work. The files they super care about (photos) are usually on their device or scattered all over facebook. Work files/computers, well they don't care about, that is some IT guy's job.
So the probability to get paid = [their ability to get bitcoin] * [inability to have it already backed up] * [value of file[s]]. That does seem like a high bar. I also don't see an IT guy convincing a corporate attorney / accountant that wiring money to obtain bitcoin is an easy feat.
I always say that visual studio 6 was the best version they ever made. At least somebody out there agrees with me.
nissimk|8 years ago
"As noted in our attribution post last year, use of Visual Studio 6.0 is not a significant observation on its own – however, this development environment dates from 1998 and is rarely used by malware coders. Nonetheless, it has been seen repeatedly with Lazarus attacks."
1998 was still a great year in the Windows world. In 1999 the DotNet vision made lots of things kind of legacy - kind of, because despite all odds Win32 and shell32/Explorer are still thriving whereas the DotNet Framework is now officially legacy tech. And UWP hasn't caught on, as mobile is a dead end for MS and their Store is incredibly bad.
frik|8 years ago
True, Visual Studio was really great. And like many, one had a VS6 and VB6 install still around. Even if VS6 C++ is really outdated nowadays, it doesn't contain this spy-home feature that shipped with VS 2015 and VCredist 2015 (RTM, patch 1, patch 2). Back in the 1990s MS was a good company.
It's easy to find out the total. There's even a twitter bot[1] reporting it. At the moment the total is 44.98BTC = $80,925.
I'd argue ofc it's more because there are some variations of the worm that's not being accounted by many yet.
Earlier reports I'd heard said that this group was unprepared or poorly prepared to handle the incoming ransom. Many of these ransomware campaigns use a fully automated mechanism to deliver keys upon payment, this group did not.
I was listening to an NPR report on this and their explanation for the low amount was that the group wasn't handing over the keys after payment. Which I guess implies people who get infected are first researching what to do before paying.
Isn't it curious that folks like kim dotcom who do not hold hospitals or anyone to ransom earn global notoriety, are raided by swat teams and face the full force of the law while those that hold hospitals to ransom can operate with impunity with people reduced to tracking their bitcoin earnings on twitter.
throw2016|8 years ago
Is it the job of the NSA and all the global security services with their overarching reach, resources and power to warn, track and disable these activities, or is it to spy on citizens?
Half or more of these activities are used by agencies to shut down or sabotage unfriendly interests and I suspect that's the only reason these shady figures are allowed to exist, treated with kid gloves, operate with near impunity and rarely see consequences. They serve as 'assets' to provide cover. Without consequences these activities will spiral.
Things like ddos ultimately benefit companies like cloudflare. And the preponderance of these kinds of worms forces people to move their data to the cloud or give up more control to large companies who promise security. This is a subtle form of extortion. We don't know the extortionists but we do know the beneficiaries.
This slowly but surely disempowers individuals and takes control away and shifts it to large companies.
Holding a hospital to ransom, whatever its security policies, is a serious crime, and treating it as just another hack rather than extreme criminality and blaming the victims is an extremely self-serving technical perspective.
> Isn't it curious that folks like kim dotcom who do not hold hospitals or anyone to ransom earn global notoriety, are raided by swat teams and face the full force of the law while those that hold hospitals to ransom can operate with impunity with people reduced to tracking their bitcoin earnings on twitter.
Kenji|8 years ago
It's a very classic and widespread law enforcement problem: they catch those who are easiest to catch. There's an anecdote that so beautifully displays this fallacy.
A police officer sees a drunken man intently searching the ground near a lamppost and asks him the goal of his quest. The inebriate replies that he is looking for his car keys, and the officer helps for a few minutes without success, then he asks whether the man is certain that he dropped the keys near the lamppost.
“No,” is the reply, “I lost the keys somewhere across the street.” “Why look here?” asks the surprised and irritated officer. “The light is much better here,” the intoxicated man responds with aplomb.
> Isn't it curious that folks like kim dotcom who do not hold hospitals or anyone to ransom earn global notoriety, are raided by swat teams and face the full force of the law while those that hold hospitals to ransom can operate with impunity with people reduced to tracking their bitcoin earnings on twitter.
quirkafleeg|8 years ago
Isn't it curious that people who are known to the authorities are arrested, whereas persons unknown are not? That's your question?
MrQuincle|8 years ago
Quote: "The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff."
Would it be easy to find it if the initial attack vector uses some semi-obscure torrent? Would people find out quickly?
Notable that he calls the "kill-switch" a "mistake". For example, Chrome does the same thing. When it starts it checks for some presumably non-existent domain name.
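Both the worm's kill switch and Chrome's start-up probe resolve a name that is expected not to exist, but the decisions they drive are opposite, which is why one is a "mistake" and the other is not. The worm, as the thread describes it, aborts when its hard-coded domain resolves, so whoever registers that domain (or sinkholes it) switches the worm off for every infected host at once. Chrome resolves a few random names to learn whether the resolver forges answers for non-existent names; if it does, Chrome distrusts those answers rather than shutting anything down. The following is an added example written for this page, not code from the worm, from Chrome, or from the article. The resolver is injected so the logic runs offline (the real one is `socket.gethostbyname`); the domain name is a placeholder, not the worm's actual domain; and the "two or more random names resolve to the same address" rule is an approximation of Chrome's intranet-redirect detector, not its source.

```python
"""Worm-style kill switch next to a Chrome-style NXDOMAIN-hijack probe."""
import random
import socket
import string
from typing import Callable, Dict, Optional

# hostname -> IPv4 string, or None when the name does not exist (NXDOMAIN)
Resolver = Callable[[str], Optional[str]]

# Placeholder only; the worm's real domain is deliberately not reproduced here.
KILL_SWITCH_DOMAIN = "unregistered-placeholder.example"


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve through the OS; None when the name does not exist."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def sinkhole_resolver(registered: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a table of registered names (constructed)."""
    return lambda hostname: registered.get(hostname)


def kill_switch_says_run(resolve: Resolver,
                         domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Worm logic: proceed only while `domain` does NOT resolve.

    The decision is outsourced to public DNS, so a single registration or
    sinkhole flips the result for every infected host simultaneously.
    """
    return resolve(domain) is None


def nxdomain_hijack_detected(resolve: Resolver, probes: int = 3,
                             rng: Optional[random.Random] = None) -> bool:
    """Chrome-style probe: random single-label names that should not exist.

    If two or more of them resolve to the same address, the resolver is
    answering for names that cannot exist, so its NXDOMAIN answers are not
    trustworthy. Nothing is switched off; the result only changes how
    later answers are interpreted.
    """
    rng = rng if rng is not None else random.Random()
    answers = []
    for _ in range(probes):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(10))
        answer = resolve(label)
        if answer is not None:
            answers.append(answer)
    return any(answers.count(a) >= 2 for a in answers)


if __name__ == "__main__":
    before = sinkhole_resolver({})
    after = sinkhole_resolver({KILL_SWITCH_DOMAIN: "203.0.113.10"})
    print("worm runs before registration:", kill_switch_says_run(before))
    print("worm runs after registration: ", kill_switch_says_run(after))
    print("hijacking resolver detected:  ",
          nxdomain_hijack_detected(lambda h: "203.0.113.1"))
    print("honest resolver detected:     ",
          nxdomain_hijack_detected(lambda h: None))
```

The same shape of code is also a detection opportunity: a host that queries a long, never-before-seen domain once at start-up and then opens many outbound 445 connections is behaving unlike any legitimate client, whether or not the domain resolves.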
Did these happenings have any effect on Windows market share? Hope somebody will blog on that too.
pksadiq|8 years ago
I hope many people have understood not to have public Windows servers, at least. It could most probably affect their business in the long run (Not saying that GNU/Linux is safe. But it is safer).
davotoula|8 years ago
You don't want the seed distributed to all victims. There is risk it will be reverse engineered.
There is a way to ge
fokinsean|8 years ago
This is great lol
raffomania|8 years ago
15.13562354 BTC = $26410
13.78022431 BTC = $24045
5.98851225 BTC = $17361
Assuming $300 per ransom, this works out to a total of 226 victims who paid. this seems a little low compared to the huge amount of infected devices.
unklefolk|8 years ago
https://www.trustar.co/wp-content/uploads/2017/05/WannaCryVe...
kbody|8 years ago
[1]: https://twitter.com/ransomtracker
Belphemur|8 years ago
They could have already moved a part of the coins to an exchange.
piqufoh|8 years ago
Is this site legitimate?