WannaCry results: a selection of essential materials from Habrahabr and beyond

    History shows that a repeat of WannaCry in one form or another cannot be ruled out, and it must be understood that responding promptly to such attacks is a difficult task. To prepare, strengthen defences and take the right preventive measures, it is important not to lose sight of the analysis of at least the most prominent information security incidents.

    To do this, we decided to take the highest-rated materials published on Hacker News, plus everything published on the WannaCry topic on Habrahabr and Geektimes.ru. We supplemented the final thematic selection with comments from ITMO University experts.

    Flickr / Michele MF / CC


    What they say "abroad"

    A selection of devices hit by WannaCry
    We decided to start with a good collection of infected devices caught on camera by their users' smartphones. The authors managed to collect a wide variety of examples: from home PCs to office systems and payment terminals. For those who are already tired of the hype around WannaCry, there is a special section at the end of the piece.

    A year of free pizza and 10 thousand dollars for the white hat who saved the Internet
    Immediately after the media revealed the hero's identity, a number of companies took the initiative and offered their own rewards for his services to the IT community. Whether this is a fair reward or self-promotion by "generous" companies is for you to judge.

    Everything you need to know about WannaCry, Wcry and WannaCrypt
    Troy Hunt, a security expert closely associated with Microsoft, began collecting data on WannaCry on May 13th. As events unfolded, the material was supplemented with technical details and various analysis (including the financial results of the ransomware's "work"). Among other things, Troy wrote a separate article on why you should not skip OS updates.

    WannaCry: the most widespread ransomware in history
    One of the Microsoft MVPs has put together a wiki page covering everything the ransomware managed to "do". Here you can find information on how infection occurs and get recommendations for preventive measures. The material is filled with a huge number of useful links (including the next three parts of the expert's write-up).

    New WannaCry variants discovered
    A brief note on the new WannaCry variants: their features and samples with and without the kill switch. In addition to the posts on his blog, the expert gave a brief comment in the NYTimes article on the subject and collected a couple of samples and comparisons supporting the link between WannaCry and the Lazarus Group.

    WannaCry: decryption with WanaKiwi + demo
    A practical guide to decrypting data encrypted by WannaCry. Tested on versions from Windows XP (x86) to Windows 7 (x86), including Windows 2003 (x86), Vista, 2008 and 2008 R2.


    What they say "at home"

    WannaCrypt ransomware attacks unpatched systems
    It is not surprising that the main expertise on the topic came from the largest companies, connected in one way or another either with the vulnerability itself or with information security. Microsoft was no exception and prepared a translation of its analysis of the situation, published on May 12 on the company's official blog.

    WannaCry: analysis, indicators of compromise and recommendations for prevention
    Cisco shares with Habr readers the results of its study of the ransomware. The core material was prepared by the dedicated Cisco Talos division. The English version is available here.

    WannaCry ransomware family attack: situation analysis and preparedness for the next attacks
    Panda Security gave its point of view on what happened on May 12 and described what distinguishes WannaCry from attacks seen earlier. The following aspects are covered: the infection vector, interaction with a vulnerable system, and the propagation and encryption processes. In addition, the company provided useful recommendations and related links.

    Wannacry: X-Team, move out
    CROC wrote a practical piece on how the conversations with customers who sought help went. The experts also listed the response options they considered on site. What came of it and where they stopped Wannacry almost immediately: read the piece.

    Wana Decrypt0r 2.0 ransomware analysis
    An interesting analysis of the features of the Wana Decrypt0r 2.0 ransomware (the second version of WannaCry) was prepared by specialists from T&T Security and Pentestit. It is a complete set: statistics, technical nuances and analytical observations.

    WannaCry 2.0: a clear confirmation that you definitely need a backup
    In addition to a brief introduction to WannaCry, its operating principles, and the Acronis products that might be useful to readers, the company has provided an interesting list of "victims".

    The guy who accidentally stopped the global spread of the WannaCrypt ransomware
    The Geektimes.ru editorial team reports on the latest news on the topic. In addition to the story of the accidental find that "saved the Internet", you can read about how Microsoft accused the NSA of stockpiling exploits, and about new WannaCry variants, including one without a kill switch.

    Fake WannaCry, HP drivers with a keylogger, Chrome downloads too much
    Kaspersky Lab breaks down the consequences of the hype around the malware. The examples are a couple of recent news items that once again remind us that the most basic and harmless software functionality is the first thing attackers use.

    Analysis of the CVE-2017-0263 Windows privilege escalation vulnerability
    Positive Technologies decided to follow the news about WannaCry and describe the context menu vulnerability and the ways it can be exploited.



    Pavel Alekseevich Kuzmich, Director of the Computer Forensics Laboratory at ITMO University:

    Most likely, the employees of the organizations where infections were recorded used their computers to receive mail and browse the Internet and, without verifying the safety of the letters they received and the websites they opened, downloaded malware onto them.

    It is possible that in this way the confidential information of their customers could have been compromised, in the case of commercial organizations, as well as large amounts of personal data, in the case of government departments. One hopes that such information was not processed on these computers.

    Ransomware is a well-known method of fraud, and there are certain established approaches to protection. First, you need to be careful about clicking certain links on the Web. The same applies to mail: very often viruses spread in files attached to letters supposedly from your Internet provider or bank. Third, it is important to at least occasionally make backup copies of important documents on separate removable media.

    Most often, the infection and the active phase of the virus (data encryption) manifest as a significant drop in computer performance. This is because encryption is an extremely resource-intensive process. It can also be noticed when files with an unfamiliar extension appear, but usually at that stage it is too late to take any action.



    Grigory Sablin, virus analyst, IT security expert at ITMO University, winner of an international computer information protection competition:

    Attackers exploit the MS17-010 vulnerability in the SMB protocol; the patch is already on Microsoft's servers. Those who have not updated may fall victim to its spread. But, it can be said, these users themselves are to blame: they used pirated software or did not update Windows. I myself wonder how the situation will develop: a similar story happened with MS08-067, which the Kido worm used, and many became infected then too.

    It is not certain that all locked files can be recovered. This virus can penetrate anywhere because many computers have not yet been updated. By the way, this exploit was taken from the archive that was "leaked" from the US National Security Agency (NSA), that is, it is an example of how intelligence services can act in any emergency situation.

    P.S. We would be grateful if you share in the comments any additional materials and opinions you found interesting :)
