The recent WannaCry ransomware

ResearchMed
Posts: 6840
Joined: Fri Dec 26, 2008 11:25 pm

Re: The recent WannaCry ransomware

Post by ResearchMed » Mon May 15, 2017 7:43 pm

neurosphere wrote:
Bylo Selhi wrote: Re the advice to "Backup your systems," pay special attention to "Make sure you have offline backups." This ransomware encrypts data on all accessible drives on your network. If you leave a backup drive connected then that data will be compromised as well. And of course "Test those backups to make sure they can be restored." applies at all times. There's no use in making backups if they can't be restored when you actually need them.
Isn't it possible for viruses/ransomware to sit dormant in your files (including offline backups) such that if you are hit with an attack and then try to restore your files, you have restored the attack?

I guess the solution is to scan your off-line backup prior to restoring your data/files. But I can imagine that in the process of reconnecting my off-line files I might end up re-triggering the attack?

Ug. :?


This is exactly what has bothered me for some time, with a few twists.

Before this issue of spreading through vast networks/etc., my early concern was that malware could just have a delay of some sort.
So, "all is well" (or so it seems), and then... the date or event is triggered, and the main files blow up.
So, "okay, we're backed up", except that it's also past the trigger date/etc., so upon opening/downloading/etc., the backup... boom again.

Yes, "Ugh!" :shock:

RM
This signature is a placebo. You are in the control group.

sksbog
Posts: 188
Joined: Wed Jun 20, 2012 9:14 pm

Re: The recent WannaCry ransomware

Post by sksbog » Mon May 15, 2017 8:27 pm

The March software update from Windows has proofed the ransomware. The affected machines had not applied that update.

Bylo Selhi
Posts: 1073
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: The recent WannaCry ransomware

Post by Bylo Selhi » Mon May 15, 2017 9:08 pm

neurosphere wrote: Isn't it possible for viruses/ransomware to sit dormant in your files (including offline backups) such that if you are hit with an attack and then try to restore your files, you have restored the attack?
I suppose it's possible, however, I'm not aware that it's ever happened.
I guess the solution is to scan your off-line backup prior to restoring your data/files. But I can imagine that in the process of reconnecting my off-line files I might end up re-triggering the attack?
Again, I suppose it's possible but I doubt it's likely. Backup programs usually write compressed copies of user data into a single, very large file. So the act of reconnecting a backup drive is unlikely to trigger a dormant virus unless you do it on a computer that's already infected by that virus.

However, if a computer is infected in the first place, standard practice is to hard format its drives, reinstall the operating system (now clean of that virus) and only then restore the backup. I suppose it would still be possible for a dormant virus stored in the backup to restart itself, etc. But then that presupposes that the computer was infected before the backup was made. Again possible, but not likely.

Now you're really scaring me :twisted:

Wakefield1
Posts: 806
Joined: Mon Nov 14, 2016 10:10 pm

Re: The recent WannaCry ransomware

Post by Wakefield1 » Mon May 15, 2017 9:39 pm

neurosphere wrote:
Bylo Selhi wrote: Re the advice to "Backup your systems," pay special attention to "Make sure you have offline backups." This ransomware encrypts data on all accessible drives on your network. If you leave a backup drive connected then that data will be compromised as well. And of course "Test those backups to make sure they can be restored." applies at all times. There's no use in making backups if they can't be restored when you actually need them.
Isn't it possible for viruses/ransomware to sit dormant in your files (including offline backups) such that if you are hit with an attack and then try to restore your files, you have restored the attack?

I guess the solution is to scan your off-line backup prior to restoring your data/files. But I can imagine that in the process of reconnecting my off-line files I might end up re-triggering the attack?

Ug. :?
"Advanced Persistent Threat" - might be made to be unobtrusive, could later act as a conduit for other malware to be installed, mostly keeps track of you or sends your information to someone. Some of these might be used to collect information about your banking/financial log-ins and key-log for passwords.
Also rootkits, which are deep modifications within the Windows operating system or even replace what should be antivirus software.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: The recent WannaCry ransomware

Post by Mudpuppy » Mon May 15, 2017 10:21 pm

ResearchMed wrote:
neurosphere wrote:
Bylo Selhi wrote: Re the advice to "Backup your systems," pay special attention to "Make sure you have offline backups." This ransomware encrypts data on all accessible drives on your network. If you leave a backup drive connected then that data will be compromised as well. And of course "Test those backups to make sure they can be restored." applies at all times. There's no use in making backups if they can't be restored when you actually need them.
Isn't it possible for viruses/ransomware to sit dormant in your files (including offline backups) such that if you are hit with an attack and then try to restore your files, you have restored the attack?

I guess the solution is to scan your off-line backup prior to restoring your data/files. But I can imagine that in the process of reconnecting my off-line files I might end up re-triggering the attack?

Ug. :?


This is exactly what has bothered me for some time, with a few twists.

Before this issue of spreading through vast networks/etc., my early concern was that malware could just have a delay of some sort.
So, "all is well" (or so it seems), and then... the date or event is triggered, and the main files blow up.
So, "okay, we're backed up", except that it's also past the trigger date/etc., so upon opening/downloading/etc., the backup... boom again.

Yes, "Ugh!" :shock:

RM
As with many things, you can throw more money at the problem to mitigate the risk. Multiple full backups over a period of time are possible if one has enough backup storage. And you could also mount the backup files under a different OS (where the virus can't run) in order to scrub them clean.

lazydavid
Posts: 1654
Joined: Wed Apr 06, 2016 1:37 pm

Re: The recent WannaCry ransomware

Post by lazydavid » Tue May 16, 2017 5:22 am

Wakefield1 wrote: Perhaps I have not understood the news articles about the ransomware or the articles don't agree as to the basic facts. One article said that the WannaCry was not coming via bad e-mail attachments or links, another didn't mention encrypted files but claimed that the computers were "locked" with ransom demanded (remember the easy-to-defeat ransomwares that appeared before the original Cryptolocker).
I was under the impression that most ordinary worms are blocked by every Windows from XP on up if the Windows firewall is turned on but perhaps this exploit empowers the malware to cross the firewall.
This is a wormable exploit, and not one that the Windows Firewall would typically protect you from, because it uses the SMB protocol over port 445. This is open by default when on a trusted home/work network because it supports a lot of interprocess communication, along with file/print sharing. However, the first incursion into an environment is unlikely to be a network-based attack, because port 445 IS blocked at the network firewall level. So the initial attack vector will be an email with a link or an attachment, or perhaps a malicious ad. That establishes the beachhead. Now that one infected machine can go about infecting every other vulnerable machine on the network using the wormable exploit.

This is the challenge with security. The good guys have to win every single time, or they lose. 99% success rate is still failure. The bad guys only have to win once.

Da5id
Posts: 2035
Joined: Fri Feb 26, 2016 8:20 am

Re: The recent WannaCry ransomware

Post by Da5id » Tue May 16, 2017 6:55 am

Mudpuppy wrote: As with many things, you can throw more money at the problem to mitigate the risk. Multiple full backups over a period of time are possible if one has enough backup storage. And you could also mount the backup files under a different OS (where the virus can't run) in order to scrub them clean.
Automated offsite backups with versioning (I use Crashplan) are really key to recovering from this kind of problem. I also use Crashplan to back up to a local hard drive, but that could go if the house burns down or if it is encrypted by ransomware (I leave the drive mounted, could happen). Manual backups are often closing the barn door after the horse is in the next county -- you always "mean to get around to backing up next weekend".

Some other good ideas:
* Automated OS updates.
* Don't log in/run as administrator, and THINK about each time when asked to enter your admin password to install/change something. If in doubt, don't give permission.
* Don't give kids admin password on a PC you care about.
* Keep your antivirus/firewall/etc up to date and keep them running.

Bylo Selhi
Posts: 1073
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: The recent WannaCry ransomware

Post by Bylo Selhi » Tue May 16, 2017 12:50 pm

Da5id wrote: Automated offsite backups with versioning (I use Crashplan) is really key to recovering from this kind of problem.
ISTM the key to recovering from these sorts of situations (virus infections, ransomware, etc.) is to prevent them from happening in the first place, i.e. by practising safe surfing/emailing, keeping the OS updated, running AV/AM software that's updated regularly, etc. That may not be 100% effective but it will greatly reduce the chance of infection.

Ideally one should have multiple backups on multiple media in multiple locations to deal with as many possible disaster situations as possible. But again this can never be 100% effective. Ultimately how much effort you put into this depends on how valuable you consider the data that you want to protect.
* Don't give kids admin password on a PC you care about.
That's a good start, but as lazydavid says in the post above yours, once it infects a single PC this sort of exploit can spread across your LAN very quickly. So ISTM your kids (and anyone else on your LAN) need to be as scrupulous about preventing virus infections as you are. That means they too have to practise safe surfing/emailing, keep their OS updated, run AV/AM software that's updated regularly, etc. If they're too young (or too old, etc.) to do that then you'll have to either teach them how to do it or ensure that it gets done.

hilink73
Posts: 274
Joined: Tue Sep 20, 2016 3:29 pm

Re: The recent WannaCry ransomware

Post by hilink73 » Tue May 16, 2017 1:39 pm

just frank wrote: Sorry, this is not an internet or NSA problem... it is a Microsoft problem. They have been selling products with badly substandard security practices for decades.

People like to think that this is a problem needing innovation, or that people only attack Windows systems... nope. The basics of how to make a computer OS secure were worked out when Gates was in short pants... and are used by every other OS out there for obvious reasons. As with many monopolies, monopoly power means selling a substandard product is ok. Microsoft has been cheaping out and only integrating some of those best security practices after disaster (involving mass customer data and privacy loss) strikes.

This was already apparent back in the DOS and Win 3.1 days... and why I have never owned a machine with a Microsoft OS or trusted one with my data.
Yes, this was in the late 90s/early 2000s.
Since then MS has incorporated security into its whole development process.

Compared to Apple or - even worse - Oracle (Java nightmare), MS shines in this industry.
Given that MS has a huge market share, the attack surface and thus the reward is huge, too.

P.S. I'm a Linux guy. (Just to make that clear.) Also, working in IT security. :-)
PPS: And nice to see so many computer guys here.

hilink73
Posts: 274
Joined: Tue Sep 20, 2016 3:29 pm

Re: The recent WannaCry ransomware

Post by hilink73 » Tue May 16, 2017 1:54 pm

Wakefield1 wrote: I suspect the worm behavior could get into unpatched systems from the Internet eventually.
Maybe.
This malware exploits a bug in the SMB implementation of various versions of Windows.
As long as port 445 is blocked using a firewall, the malware cannot propagate.
Also, patching the system before an infection will remove the exploitable vulnerability, preventing the host from getting infected.

According to our sources, it is still unclear how the malware was able to enter those networks (email attachment, web drive by, network, USB stick, etc).
But, attacking via email attachment seems to be unlikely at the moment.

Also, enterprises normally use firewalls to control network traffic from and to the Internet.
Having port 445 exposed to the Internet should be very, very rare as this would violate security best practices (and common sense, hehe).

The patch for this vulnerability was published by Microsoft in March!
So (at home), do auto-install available patches/hotfixes. It's the best defense we have.
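
The port 445 point made by lazydavid and hilink73 above can be checked on a Windows host. This is an added example, not code from any poster: it lists what is listening on 445, which enabled inbound firewall rules allow it, adds a block rule for the untrusted Public profile if none exists, and checks for a patch; the rule name is my own, and the KB number is a placeholder to be filled from Microsoft's bulletin for your Windows version.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on
# Windows 8 / Server 2012 or later, where the NetSecurity module is available.

# 1. Is anything listening on TCP 445, and are there live connections to it?
Get-NetTCPConnection -LocalPort 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State

# 2. Which enabled inbound firewall rules currently allow TCP 445, and on which profiles?
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile

# 3. Ensure there is an explicit block for the Public (untrusted network) profile.
#    The rule name below is my own choice, not a Windows default.
$ruleName = 'Block inbound SMB 445 (Public)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
    Write-Output "Added rule: $ruleName"
}

# 4. Confirm the March update is installed. Replace the placeholder with the
#    KB article number for this machine's Windows version.
$kb = 'KB<placeholder>'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Output "$kb is installed"
} else {
    Write-Output "$kb is NOT installed - apply pending Windows updates"
}
```

Step 3 only covers the Public profile so that file/print sharing keeps working on a trusted home or work network, matching the distinction lazydavid draws; the perimeter firewall is still the right place to block 445 from the Internet, as hilink73 notes.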

squirm
Posts: 1368
Joined: Sat Mar 19, 2011 11:53 am

Re: The recent WannaCry ransomware

Post by squirm » Tue May 16, 2017 1:59 pm

Vendors often need to validate updates; you can't just install updates on your operating systems and hope your hardware and software infrastructure works. It's complicated, and it's not like pressing the update button on your laptop.
