Serious WANNACRY 2.0 = Terminator 3 - I will be back! Is back with 2.0 now

[Sammyboy RSS Feed]

An honorable member of the Coffee Shop Has Just Posted the Following:




http://www.wnd.com/2017/05/wannacry-...o-kill-switch/


http://thehackernews.com/2017/05/wan...er-attack.html



WannaCry Kill-Switch(ed)? It’s Not Over! WannaCry 2.0 Ransomware Arrives
Saturday, May 13, 2017 Swati Khandelwal

wannacry-2-ransomware-attack
If you are following the news, by now you might be aware that a security researcher has activated a "Kill Switch" which apparently stopped the WannaCry ransomware from spreading further.

But it's not true, neither the threat is over yet.

However, the kill switch has just slowed down the infection rate.

Updated: Multiple security researchers have claimed that there are more samples of WannaCry out there, with different 'kill-switch' domains and without any kill-switch function, continuing to infect unpatched computers worldwide (find more details below).

So far, over 237,000 computers across 99 countries around the world have been infected, and the infection is still rising even hours after the kill switch was triggered by the 22-years-old British security researcher behind the twitter handle 'MalwareTech.'

For those unaware, WannaCry is an insanely fast-spreading ransomware malware that leverages a Windows SMB exploit to remotely target a computer running on unpatched or unsupported versions of Windows.

So far, Criminals behind WannaCry Ransomware have received nearly 100 payments from victims, total 15 Bitcoins, equals to USD $26,090.
CLICK TO TWEET

Once infected, WannaCry also scans for other vulnerable computers connected to the same network, as well scans random hosts on the wider Internet, to spread quickly.

The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.

"If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened," NSA whistleblower Edward Snowden says.

Kill-Switch for WannaCry? No, It's not over yet!
wannacry-ransomware-kill-switch
In our previous two articles, we have put together more information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The above-mentioned domain is responsible for keeping WannaCry propagating and spreading like a worm, as I previously explained that if the connection to this domain fails, the SMB worm proceeds to infect the system.

Fortunately, MalwareTech registered this domain in question and created a sinkhole – tactic researchers use to redirect traffic from the infected machines to a self-controlled system. (read his latest blog post for more details)

Updated: Matthieu Suiche, a security researcher, has confirmed that he has found a new WannaCry variant with a different domain for kill-switch function, which he registered to redirect it to a sinkhole in an effort to slows down the infections.

hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/

The newly discovered WannaCry variant works exactly like the previous variant that wreaked havoc across the world Friday night.

But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.

Since the kill-switch feature was in the SMB worm, not in the ransomware module itself., "WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant," MalwareTech told The Hacker News.

You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:

If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).
If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.

MalwareTech also confirmed THN that some "Mirai botnet skids tried to DDoS the [sinkhole] server for lulz," in order to make it unavailable for WannaCry SMB exploit, which triggers infection if the connection fails. But "it failed hardcore," at least for now.

WannaCry 2.0, Ransomware With *NO* Kill-Switch Is On Hunt!
wannacry-2-ransomware-attack
Initially, this part of story was based on research of a security researcher, who earlier claimed to have the samples of new WannaCry ransomware that comes with no kill-switch function. But for some reason, he backed off. So, we have removed his references from this story for now.

However, shortly after that, we were confirmed by Costin Raiu, the director of global research and analysis team at Kaspersky Labs, that his team had seen more WannaCry samples on Friday that did not have the kill switch.

"I can confirm we've had versions without the kill switch domain connect since yesterday," told The Hacker News.

Updated: WannaCry 2.0 is Someone Else's Work

Raiu from Kaspersky shared some samples, his team discovered, with Suiche, who analysed them and just confirmed that there is a WannaCrypt variant without kill switch, and equipped with SMB exploit that would help it to spread rapidly without disruption.

What's even worse is that the new WannaCry variant without a kill-switch believed to be created by someone else, and not the hackers behind the initial WannaCry ransomware.

"The patched version matt described does attempt to spread. It's a full set which was modified by someone with a hex editor to disable the kill switch," Raiu told me.

Updated: However, Suiche also confirmed that the modified variant with no kill switch is corrupted, but this doesn't mean that other hackers and criminals would not come up with a working one.

"Given the high profile of the original attack, it's going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and - for goodness sake - ensure that you have secure backups." Cyber security expert Graham Cluley told The Hacker News.

Expect a new wave of ransomware attack, by initial attackers and new ones, which would be difficult to stop, until and unless all vulnerable systems get patched.

"The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it'll continue to spread," Matthew Hickey, a security expert and co-founder of Hacker House told me.

"We will see a number of variants of this attack over the coming weeks and months so it's important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this samples success."

Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.

Believe me, the new strain of WannaCry 2.0 malware would not take enough time to take over another hundred of thousand vulnerable systems.

Video Demo of WannaCry Ransomware Infection

Hickey has also provided us two video demonstrations, showing packet traces that confirm the use of Windows SMB vulnerability (MS17-010).

And Second one…

Since WannaCry is a single executable file, it can also be spread through other regular exploit vectors, such as spear phishing, drive-by-download attack, and malicious torrent files download, warned Hickey.

Get Prepared: Upgrade, Patch OS & Disable SMBv1

MalwareTech also warned of the future threat, saying "It's very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!"

"Informed NCSC, FBI, etc. I've done as much as I can do currently, it's up to everyone to patch," he added.

As we notified today, Microsoft took an unusual step to protect its customers with an unsupported version of Windows — including Windows XP, Vista, Windows 8, Server 2003 and 2008 — by releasing security patches that fix SMB flaw currently being exploited by the WannaCry ransomware.

Even after this, I believe, many individuals remain unaware of the new patches and many organizations, as well as embedded machines like ATM and digital billboard displays, running on older or unpatched versions of Windows, who are considering to upgrade their operating system, would take time as well as it’s going to cost them money for getting new licenses.

Quick Tip to stop #WannaCry (for all Windows users, even if you have installed the updates, Just disable SMB if not in use) pic.twitter.com/zfhj0sS4ZY
— The Hacker News (@TheHackersNews) May 13, 2017



So, users and organizations are strongly advised to install available Windows patches as soon as possible, and also consider disabling SMBv1 (follow these steps), to prevent similar future cyber attacks.

For god sake: Apply Patches. Microsoft has been very generous to you.

Almost all antivirus vendors have already been added signatures to protect against this latest threat. Make sure you are using a good antivirus, and keep it always up-to-date.

Moreover, you can also follow some basic security practices I have listed to protect yourself from such malware threats.

WannaCry has Hit Over 200,000 Systems in 150 Countries, Warned Europol
wannacry-infections
Update: Speaking to Britain's ITV, Europol chief Rob Wainwright said the whole world is facing an "escalating threat," warning people that the numbers are going up and that they should ensure the security of their systems is up to date.

"We are running around 200 global operations against cyber crime each year, but we've never seen anything like this," Wainwright said, as quoted by BBC.

"The latest count is over 200,000 victims in at least 150 countries. Many of those victims will be businesses, including large corporations. The global reach is unprecedented."

Above map is showing the WannaCry ransomware infection in just 24 hours.

This story is still updating, stay tuned to our Twitter page for more up-to-date information.
Swati - Hacking News
Swati Khandelwal
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.
Best Deals Gadgets, Software, Trainings
Latest Stories
Comments ()



https://hk.news.yahoo.com/%E5%8B%92%...225025103.html

勒索軟件變種來襲 4式嚴防鎖腦
[晴報]
晴報2017年5月15日
查看相片
勒索軟件變種來襲 4式嚴防鎖腦

【晴報專訊】勒索軟件WannaCry在上周末肆虐，全球逾22萬用戶中招，本港至少有兩名用 戶受攻擊。英 國雖有專家找到令病毒暫停擴散的「開關」，但病毒即推出「2.0」版。本港保安專家指，不少中 小企和學校仍 用舊版Windows，今日上班上學開電腦時或爆發病毒，建議用「4式」自保。

據網站MalwareTech的數據，截至本港時間昨晚7時，全球已有150個國家、22.5 萬用戶受Wa nnaCry攻擊。香港電腦保安事故協調中心至昨日接獲2宗受WannaCry攻擊個案，中心總經理黃家偉 指，2宗個案均屬高危，分別是個人用戶、使用Windows 7、無安裝防火牆。政府資訊科技總監辦公室、醫管局及機管局均稱，暫未有電腦系統事故報告。

全球逾22萬用戶 慘遭攻擊

WannaCry利用Windows漏洞進行遠端攻擊，用戶即使未有點擊可疑連結，亦有機會中招，勒索軟件 會對電腦內的文件進行加密，停止防毒軟件等應用程序運作，並要求受害者在限期前交300至60 0美元等值的 比特幣作贖金。有英國保安專家花了8.5英鎊將散播病毒的域名登記，暫時阻止了病毒傳播，但病 毒迅速推出「 2.0」版，令病毒再次傳播。

香港資訊科技商會資訊保安召集人范健文指，因為病毒會不斷變種，且WannaCry具有蠕蟲特 點，會主動搜 尋網絡內其他電腦進行攻擊，只要一部電腦中毒，內聯網裏面其他電腦很大機會受攻擊。

資訊科技界議員莫乃光指，本港不少家用電腦、學校和中小企電腦仍用舊版Windows，今日是 上班上學日， 或有機構開啟電腦爆發病毒。互聯網協會網絡保安及私隱小組召集人楊和生建議，今日上班開機前要 採取4招，防 止受勒索軟件攻擊。

今上班上學 港個案恐急增

中小企聯會永遠榮譽主席劉達邦估計，8成中小企正使用Windows系統，一間公司約有10至 20部電腦， 因成本問題，料大部分都不是使用最新的Windows 10，一旦被攻擊，輕則需暫時轉用人手做記錄，帶來不便，嚴重的話會遺失交易資料，令公司陷入停頓 。

教育局表示，已通知港、九、新界中小學留意事件，目前未收到學校求助。

俄國重災 英醫療系統中招

今次的WannaCry攻勢席捲全球，其中俄羅斯受影響最嚴重，國內最大的銀行和鐵路電子購票 系統都受影響 。而英國的公營醫療系統同樣受影響，醫院要被迫取消病人的預約，在新特蘭的日產汽車生產綫要暫 停。

在內地多個城市，公安部門、銀行櫃員機、醫院、高校、石油企業等均有電腦中招，內地當局估計有 近3萬個機構 受攻擊，國家網絡與信息安全信息通報中心要緊急發布軟件升級程式連結。

台灣亦是受攻擊的「重災區」，不少網民在討論區分享他們與黑客交涉的情況，有網民聲稱向黑客表 明自己月薪只 約400美元，黑客最終免費為該網民解鎖；亦有網民聲稱將黑客要求的1.9萬元新台幣（約4, 900港元） 贖款，成功「講價」至1,000元新台幣（約260港元）。


Click here to view the whole thread at www.sammyboy.com.