> The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.

I think this is an important take-away. I found it strange that so many media outlets and IT departments were jumping on the "do not open suspicious emails" bandwagon even though there hasn't been a lot of evidence of such phishing emails. That is: screenshots of infected devices have been popping up all across the world, but almost no examples of a particular entry email have been shown.

Of course, it might be easier for an IT dept. to state: "it must have been unleashed by someone clicking on some email they got" rather than "oops, we still had unpatched Windows machines exposed to the public internet". Why go through the trouble of sending out emails when your worm already contains a replication/infection mechanism? Just use a botnet to scan those 1 million IPs and see if SMB is open.

That being said, it does not surprise me to see yet again an issue in SMB. This has been a particularly weak point in Windows for decades now. I remember "hacking tutorials" from 15 years ago where you'd just go out and nmap public IP ranges to see if you could access hidden shares (e.g. like so: http://www.madirish.net/59). Also there was this issue of Windows keeping weak NetBIOS password hashes around which could be trivially unhashed (https://vuldb.com/?id.13824), years ago.
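A defender-side check for the two points raised above (SMB exposed to the internet, and a worm that spreads by scanning for port 445), added here as an example and not taken from the thread. It assumes a simple constructed "timestamp src dst dport" connection-log format and that 10.0.0.0/8 is the internal range; it flags sources that reach many distinct hosts on 445 within a short window, and any 445 connections arriving from outside.

```python
"""Flag worm-like SMB propagation and internet-exposed SMB in connection logs (constructed example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range for this example

# Constructed sample lines in a "timestamp src dst dport" format; not a real log.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.9 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.10 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.11 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.12 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.13 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.14 445
2017-05-12T10:00:05 10.0.0.7 10.0.0.20 443
2017-05-12T10:05:00 198.51.100.23 10.0.0.9 445
"""

def parse(log):
    """Yield (timestamp, src, dst, dport) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def smb_scanners(log, window=timedelta(seconds=60), threshold=5):
    """Return {source: distinct 445 targets} for sources hitting >= threshold hosts within one window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window starting at each event
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                flagged[str(src)] = len(targets)
                break
    return flagged

def inbound_smb_from_internet(log):
    """Return sorted (external source, internal destination) pairs on 445: SMB reachable from outside."""
    return sorted({(str(src), str(dst)) for _, src, dst, dport in parse(log)
                   if dport == 445 and src not in INTERNAL and dst in INTERNAL})
```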
I'm surprised by how carefully the worm seems to be coded. They make sure they have an internet connection, they check for disk space in order not to run out while encrypting, they save a backup copy of the "tasksched" executable before replacing it, they shut down databases (I assume in order to prevent corruption?), etc.

I guess they want to make sure the decryption process will work without any issue so that the victim will be more likely to pay other ransoms or spread word of mouth that it does actually work.

I wish all software devs were as thorough as these people...
Evil ransomware improvements we may see:

1. New address per machine (easier to detect payments made, hides profit total).

2. Deterministic wallet stores all profit in a simple 12-word seed "password."

3. Phone numbers directly to bitcoin vendors (people running insecure systems love phones).

4. Phone number to a tech support company that bills your credit card to walk you through paying the ransom.

5. Delayed symptoms. Secretly encrypt backups (Windows EFS might be able to do it non-obviously). Then, once all your backups are secretly encrypted, it encrypts the key, and now you can't use backups to save yourself.

6. Advertise affiliated antivirus (I hear this is what Cloudflare does by hosting bad actors: they inflate the demand for protection from bad actors; just a rumor though).

7. Infect a friend. Get a discount on your ransom if you infect a friend and they pay.

It doesn't seem reasonable that 300k infections = less than 1 in 1000 payments. Are people's files really so worthless, or bitcoin really so hard, or people so untrusting of unencryption? I imagine they could have sold their 0-day idea for more money to a whitehat, perhaps? Maybe more generalized bug bounties could be deployed to offer a financial incentive to harden systems and be non-evil.
I always say that Visual Studio 6 was the best version they ever made. At least somebody out there agrees with me.

"As noted in our attribution post last year, use of Visual Studio 6.0 is not a significant observation on its own – however, this development environment dates from 1998 and is rarely used by malware coders. Nonetheless, it has been seen repeatedly with Lazarus attacks."
According to the article, the balances of the bitcoin addresses collecting the ransoms are:

15.13562354 BTC = $26410
13.78022431 BTC = $24045
5.98851225 BTC = $17361

Assuming $300 per ransom, this works out to a total of 226 victims who paid. This seems a little low compared to the huge amount of infected devices.
Isn't it curious that folks like Kim Dotcom, who do not hold hospitals or anyone to ransom, earn global notoriety, are raided by SWAT teams and face the full force of the law, while those that hold hospitals to ransom can operate with impunity, with people reduced to tracking their bitcoin earnings on Twitter?

Is it the job of the NSA and all the global security services, with their overarching reach, resources and power, to warn, track and disable these activities, or is it to spy on citizens?

Half or more of these activities are used by agencies to shut down or sabotage unfriendly interests, and I suspect that's the only reason these shady figures are allowed to exist, treated with kid gloves, operate with near impunity and rarely see consequences. They serve as 'assets' to provide cover. Without consequences these activities will spiral.

Things like DDoS ultimately benefit companies like Cloudflare. And the preponderance of these kinds of worms forces people to move their data to the cloud or give up more control to large companies who promise security. This is a subtle form of extortion. We don't know the extortionists but we do know the beneficiaries.

This slowly but surely disempowers individuals and takes control away and shifts it to large companies.

Holding a hospital to ransom, whatever its security policies, is a serious crime, and treating it as just another hack rather than extreme criminality, and blaming the victims, is an extremely self-serving technical perspective.
Does anyone else find it a little odd that something as big (and corporate) as BAE is running a blog from Blogspot on an unsecured domain?

Is this site legitimate?
Quote: "The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff."

Would it be easy to find it if the initial attack vector uses some semi-obscure torrent? Would people find out quickly?
Notable that he calls the "kill-switch" a "mistake". For example, Chrome does the same thing. When it starts it checks for some presumably non-existent domain name.
Did these happenings have any effect on Windows market share? Hope somebody will blog on that too.

I hope many people have understood not to have public Windows servers, at least. It could most probably affect their business in the long run (not saying that GNU/Linux is safe, but it is safer).