Tag Archives: ransomware

EternalRocks: New attack after WannaCry

Several security researchers have discovered a new “SMB worm” that exploits no fewer than 7 of the NSA exploits published by the ShadowBrokers (WannaCry used only 2). In that respect this new worm is far more dangerous; on the other hand, it apparently contains (at least so far) no crypto-locker.

No kill switch

According to one analysis, the worm contacts a C&C server in the Tor network after infection. Only after 24 hours does it receive a reply. It then downloads an archive and installs it on the local PC. This new software contacts random IPs, on which a further installation is then attempted.

No all-clear

The fact that EternalRocks does not yet appear to contain any malicious payload does not mean it is a harmless worm. After all, there is a connection to a C&C server from which malware can be distributed at any time.

It is also possible that EternalRocks is merely a test run for a new ransomware. The attackers could use such a trial run to identify any problems and then distribute “real malware” afterwards.

WannaCry: Mainly Windows 7 affected

Image: Kaspersky via Twitter

Kaspersky yesterday published first results on the measured spread of WannaCry.

According to these, more than 98% of all infected computers were running a variant of Windows 7, with the 64-bit version the most affected at 60%.

Windows XP below 0.2%

The share of infected Windows XP PCs is so small that it does not even appear in this statistic.

WannaCry: next round on the way

According to some reports, a new version of WannaCry that ignores the domain registered yesterday has been found in the wild. The new version seems to be the same as the previous one, but will most likely not be stopped.

New infections tomorrow

As lots of PCs are switched off over the weekend, several experts expect a second wave of infections on Monday morning, when lots of computers are powered on in companies worldwide. They also expect new versions of the ransomware within the next few days. By now, approx. 150 different variants of the ransomware have been detected.

Only 40,000 US$ income by now

By now only a few people have paid the money to release their data, compared to the very high number of infected machines worldwide. This might be because several big companies are affected, most of which run a good backup strategy that allows them to simply reset their machines. As the bitcoin wallets are known, it’s easy to check them all for the current income.

WannaCry: more details about the ransomware attack

Meanwhile, the major attack of WannaCry aka WanaDecrypt0r 2.0 has been stopped. As I noted in my previous post, a stop switch was found by accident when an expert noticed that a special domain gets addressed by WannaCry. As the domain was available, he registered it, hoping to collect more information and data sent out by the ransomware.

Image from malwaretech.com

After the domain went online, the automatic spreading of WannaCry stopped. However, this does not help already infected systems. There are also rumors that some antivirus programs currently block access to that domain because its traffic looks suspicious to them. This would in fact mean that those programs allow WannaCry to spread further.
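Two of the behaviours described on this page are visible in ordinary network logs: the kill-switch domain lookup of WannaCry and the fan-out to random IPs on SMB port 445 used by both worms (see the EternalRocks post above). The following is an added detection example, not code from the original post; the kill-switch domain is a placeholder because the post does not name it, and both log excerpts are constructed.

```python
"""Flag hosts that look up the kill-switch domain or fan out on TCP/445.
Added illustration; not part of the original post."""
from collections import defaultdict

# Placeholder: substitute the real kill-switch indicator from a trusted source.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log lines: "<time> <client_ip> query <name>"
DNS_LOG = """\
08:01:02 10.0.1.15 query intranet.corp.local
08:01:05 10.0.1.22 query killswitch-domain.example
08:01:09 10.0.1.15 query updates.example.net
08:02:11 10.0.1.22 query killswitch-domain.example
"""

# Constructed firewall log lines: "<time> <src_ip> -> <dst_ip>:<dst_port> <action>"
FW_LOG = """\
08:01:06 10.0.1.22 -> 203.0.113.7:445 ALLOW
08:01:06 10.0.1.22 -> 198.51.100.42:445 ALLOW
08:01:06 10.0.1.22 -> 192.0.2.9:445 DENY
08:01:07 10.0.1.22 -> 203.0.113.88:445 ALLOW
08:01:08 10.0.1.15 -> 10.0.1.5:445 ALLOW
08:01:09 10.0.1.15 -> 10.0.1.5:445 ALLOW
"""

def hosts_querying(dns_log: str, domain: str) -> set:
    """Hosts that resolved the kill-switch domain. Even when the lookup succeeds
    and spreading stops, the lookup itself shows the worm is running there."""
    hosts = set()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query" and parts[3].lower() == domain:
            hosts.add(parts[1])
    return hosts

def smb_scanners(fw_log: str, min_targets: int = 3) -> dict:
    """Hosts opening TCP/445 to many distinct destinations (denied attempts count
    too). Returns {host: distinct_target_count} for hosts at or over the threshold."""
    targets = defaultdict(set)
    for line in fw_log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        dst_ip, _, dst_port = parts[3].rpartition(":")
        if dst_port == "445":
            targets[parts[1]].add(dst_ip)
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print("kill-switch lookups:", hosts_querying(DNS_LOG, KILLSWITCH_DOMAIN))
    print("SMB fan-out hosts:", smb_scanners(FW_LOG))
```

A workstation that normally talks SMB only to a file server shows one target per window; the worm's random-IP probing shows many, which is why the threshold is counted per distinct destination rather than per connection.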

“EternalBlue” issue known to the NSA for years

The security issue used by WannaCry is called EternalBlue and was part of a leak of NSA documents published by The Shadow Brokers in April this year. Had they notified Microsoft of the issue, we would not have these massive problems today.

Due to the seriousness of the attack, Microsoft released a patch even for older Windows versions that are usually no longer supported.


Massive cyberattack hits UK health system, Deutsche Bahn

A massive cyberattack that seems to originate in Russia is currently spreading around the world. After first analysis by Kaspersky and Avast, they think it’s a new version of the crypto-locker WannaCry. The software demands a payment of 300$ in bitcoins to release the encryption key, and blackmails the owners with the threat that the key will be deleted in a few days if payment is not made.

Following the latest updates, the ransomware has meanwhile successfully attacked more than 75,000 PCs in 100 countries worldwide. While analysing the ransomware, a way to stop it spreading seems to have been found. According to some press reports, a security expert noticed a domain being accessed by the ransomware and registered it. After activating that domain, the ransomware stopped spreading. It seems some routine stops its work when the domain can be contacted.

In general, this new attack was made possible after some NSA documents were leaked. The NSA had known about this security issue for years, but did not inform the software vendor, leaving millions of PCs unsafe. After the documents were leaked, the vendor very quickly released a patch for this issue, which has been available since March. Judging by the current situation, many PCs have still not installed that update.

Before you now say “user’s fault – why not install the update?”, keep in mind that according to current information big companies and public organisations are affected. Given the usual “update mess” of some vendors (fix one issue but create two others at the same time), it is absolutely normal for today’s administrators NOT to install a patch as soon as it’s available.