Ransomware Attack

Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Ransomware Attack

Post by Octavious »

http://www.foxnews.com/tech/2017/06/27/ ... ption.html

Normally I wouldn't find this all that interesting, but it happens to have totally crippled my client today. We had to turn off any connection we have with them until it's sorted out. Apparently a bunch of computers are wiped or locked out. :shock:
Capitalism tries for a delicate balance: It attempts to work things out so that everyone gets just enough stuff to keep them from getting violent and trying to take other people’s stuff.

Shameless plug for my website: www.nettphoto.com
Isgrimnur
Posts: 82287
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: Ransomware Attack

Post by Isgrimnur »

The more days go by, the more I think I'll be using the security part of my master's degree a fair bit for the rest of my career.
It's almost as if people are the problem.
Vorret
Posts: 9613
Joined: Mon Oct 15, 2007 7:37 pm
Location: Drummondville, QC

Re: Ransomware Attack

Post by Vorret »

People and especially businesses need to disable bitlocker on their computers...
Isgrimnur wrote:
His name makes me think of a small, burrowing rodent anyway.
GreenGoo
Posts: 42335
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: Ransomware Attack

Post by GreenGoo »

Is this a new attack? They just got hit in May.

This is the sort of thing that results in a worldwide investigation with many countries cooperating and participating. And if they find anyone even remotely associated with the attack in any way, they burn them for life.

There's being a criminal and there's being criminally stupid.

While I understand this isn't necessarily a single individual or group, it won't matter if authorities decide it's your door they need to knock on/smash open with a tank.
hitbyambulance
Posts: 10260
Joined: Wed Oct 13, 2004 3:51 am
Location: Map Ref 47.6°N 122.35°W

Re: Ransomware Attack

Post by hitbyambulance »

Isgrimnur wrote:The more days go by, the more I think I'll be using the security part of my master's degree a fair bit for the rest of my career.
It's the career path I'm recommending to current IT people: get into security (or coding).
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

GreenGoo wrote:Is this a new attack? They just got hit in May.

This is the sort of thing that results in a worldwide investigation with many countries cooperating and participating. And if they find anyone even remotely associated with the attack in any way, they burn them for life.

There's being a criminal and there's being criminally stupid.

While I understand this isn't necessarily a single individual or group, it won't matter if authorities decide it's your door they need to knock on/smash open with a tank.
Yup, from what I can see this is a new attack. This particular company is still 100% shut down worldwide.
Anonymous Bosch
Posts: 10514
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: Ransomware Attack

Post by Anonymous Bosch »

Vorret wrote:People and especially businesses need to disable bitlocker on their computers...
Or better yet, use the free CryptoPrevent utility to help easily minimise the threats of such ransomware more comprehensively (it's basically a simpler way for individual users to implement the recommended settings of Third Tier's Ransomware Prevention Kit). An ounce of prevention is worth a pound of cure, particularly in terms of ransomware.
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
Jaymann
Posts: 19482
Joined: Mon Oct 25, 2004 7:13 pm
Location: California

Re: Ransomware Attack

Post by Jaymann »

I was wondering what happens if you yank your hard drive and replace it.
Jaymann
]==(:::::::::::::>
Black Lives Matter
Isgrimnur
Posts: 82287
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: Ransomware Attack

Post by Isgrimnur »

hitbyambulance wrote:
Isgrimnur wrote:The more days go by, the more I think I'll be using the security part of my master's degree a fair bit for the rest of my career.
It's the career path I'm recommending to current IT people: get into security (or coding).
I'll be a double threat!
:horse:
hepcat
Posts: 51489
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: Ransomware Attack

Post by hepcat »

He won. Period.
Isgrimnur
Posts: 82287
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: Ransomware Attack

Post by Isgrimnur »

Thanks, random Twitter user!
Spoiler:
If he's getting named by Krebs,
he might know some stuff.
hepcat
Posts: 51489
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: Ransomware Attack

Post by hepcat »

A random Twitter user defeated the last attempt. :wink:
Moliere
Posts: 12366
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: Ransomware Attack

Post by Moliere »

But does he have a master's degree in Cyber Security? I want to know that his knowledge is accredited.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
hepcat
Posts: 51489
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: Ransomware Attack

Post by hepcat »

No, but he did stay at a Holiday Inn Express last night.
FishPants
Server WhOOre
Posts: 4661
Joined: Fri Oct 15, 2004 1:38 pm
Location: Canada

Re: Ransomware Attack

Post by FishPants »

It's ridiculous that Mondelez and Merck were taken offline (among many others). This is the same fucking vulnerability as Wannacry that was already stale then -- and they still didn't patch? Hope some CISOs got their walking papers today.
No.
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

Mondelez shut down every single computer today. We didn't get a single email, as they shut that off as well. :lol: I was trying to connect to their VPN this morning. It connected, but none of their pages would load. And then I saw the internal email to not f'n touch their VPN until further notice. :lol:

They didn't process a single order today. The amount of money that will cost them hurts my head. I highly doubt they will have it sorted out even by the end of the week.
Paingod
Posts: 13135
Joined: Wed Aug 25, 2010 8:58 am

Re: Ransomware Attack

Post by Paingod »

I can see the Director of IT now.

"I've been telling you for years that we needed to invest in a better Disaster Recovery solution. This is not my fault. You told me there wasn't a budget for it, and you decided the "Business Risk" was worth it to keep running Symantec and other piecemeal solutions. This is why we needed something better."

It's staggering how many companies refuse to invest in adequate disaster recovery until after a disaster; then it's a top priority. It's also why I formalize the process of them telling me that they won't invest in it. When shit breaks, I hold up the document they sent me saying "I don't want to spend that much" and sigh.
Black Lives Matter

2021-01-20: The first good night's sleep I had in 4 years.
GreenGoo
Posts: 42335
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: Ransomware Attack

Post by GreenGoo »

Jaymann wrote:I was wondering what happens if you yank your hard drive and replace it.
I'm not sure I understand the question.

Replacing the hard drive results in a new hard drive. That's true whether your old drive is encrypted (and you don't have the key) or not. The data on the old drive is still just as unavailable as it was before swapping it out.

The problem is the locked data, not whether the computer continues to function or not. You could easily just wipe the drive completely and start over if you wanted which would return the system to full functionality, minus any data that was locked away via encryption.
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

Hot mess they are pretty much reinstalling thousands and thousands of computers. All our projects are going to end up getting delayed a month from the looks of it. :shock:
Paingod
Posts: 13135
Joined: Wed Aug 25, 2010 8:58 am

Re: Ransomware Attack

Post by Paingod »

Octavious wrote:Hot mess they are pretty much reinstalling thousands and thousands of computers. All our projects are going to end up getting delayed a month from the looks of it. :shock:
Jeebus. I don't envy the task of rebuilding every PC in a huge company, even with good images and lots of help. Scrooge that.

I'm actually disappointed that they didn't patch after the last wave of ransomware. I've read that this basically piggybacks on the same vulnerability and then doubles down on spreading across the network. I made sure every PC here was up to date before I left work the day WannaCry was reported to be spreading like wildfire.
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

Ya, I have no idea how they handle their Windows updates globally. I know this started in Europe and started spreading to everywhere else. It sounded like it was really, really bad. I know that when we want to release stuff through them it turns into a 90-year process as they overtest and then impose blackout dates all over the place. I wouldn't doubt that they do similar crap with Windows updates. :lol:
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: Ransomware Attack

Post by malchior »

So it is starting to look like this one is a wiper pretending to be ransomware. Some companies really need to figure out their shit. Unpatched systems? Pass-the-hash attacks? Inexcusable for the big guys at this point.
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

On the plus side I've really cleared out my backlog of work I couldn't get to. :lol: They are still on total lockdown. It's crazyyyyyyy.
Isgrimnur
Posts: 82287
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: Ransomware Attack

Post by Isgrimnur »

Guardian:
Firstly, the ransom note includes the same Bitcoin payment address for every victim – most ransomware creates a custom address for every victim. Secondly, the malware asks victims to communicate with the attackers via a single email address which has been suspended by the email provider after they discovered what it was being used for. This means that even if someone pays the ransom, they have no way to communicate with the attacker to request the decryption key to unlock their files.
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

Yup which is why they are wiping and reloading god knows how many computers.
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

Our IT did an audit of our servers and went oh crap and are emergency patching. Now this I'm not surprised about. Even if we have 4 freaking network admins for one tiny office. :P
Isgrimnur
Posts: 82287
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: Ransomware Attack

Post by Isgrimnur »

If being responsible for security is part of your job, how is it you don't watch the media enough to know about these things?
Punisher
Posts: 4062
Joined: Thu Mar 24, 2005 12:05 pm

Re: Ransomware Attack

Post by Punisher »

I've been in IT for a while now and have dealt with companies large and small, as well as communicating with various peers. Here are some reasons I've seen this happen:

1) Incompetence. Yes, it happens, even with experienced people.
2) "Budget." Many companies, even large ones, see the IT department as a sinkhole of expenses.
3) Testing. Many big companies won't deploy anything without rigorous testing, for good reason. I have been involved in/heard about multiple cases where a patch was pushed and broke some critical software, requiring days of downtime in a few cases. As Octavious mentioned, this testing can take a while, sometimes months.
I'm sure there are other valid reasons, but it's late and my meds are kicking in, so that's it for tonight.
All your Lightning Bolts are Belong to Us
gbasden
Posts: 7670
Joined: Wed Oct 13, 2004 1:57 am
Location: Sacramento, CA

Re: Ransomware Attack

Post by gbasden »

Vorret wrote:People and especially businesses need to disable bitlocker on their computers...
Why on earth would you disable BitLocker? The malware is using an SMB attack vector via the EternalBlue exploit. The first thing they should do is apply the patch that has been out for months now, as well as disabling SMB v1 if they haven't already done so.

https://www.symantec.com/connect/blogs/ ... -need-know

https://blogs.technet.microsoft.com/mmp ... abilities/

None of the mitigation advice mentions bitlocker at all, and removing your own device encryption does nothing but make it easier for people to steal data from your machines. Am I missing something?
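Added example (not from gbasden's post or either of the linked advisories): a PowerShell script that audits a Windows host for the two mitigations named above, the MS17-010 patch and SMBv1 being off, and switches SMBv1 off when run with -Remediate. It assumes Windows 10 / Server 2016 or later (so the SmbShare cmdlets and the SMB1Protocol optional feature exist) and an elevated session. The KB numbers in the parameter are my recollection of the March 2017 MS17-010 updates, not something the thread supplies; they must be checked against Microsoft's bulletin for the builds in use, and because later cumulative updates supersede them, a miss means "investigate", not "unpatched".

```powershell
# Added example: audit a Windows host for the MS17-010 patch and SMBv1 state,
# optionally disabling SMBv1. Assumes Windows 10 / Server 2016+ and an
# elevated PowerShell session.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Apply the fix instead of only reporting.
    [switch]$Remediate,
    # ASSUMPTION: MS17-010 KB numbers are per OS build; these are the March
    # 2017 security-only/rollup KBs as I recall them. Verify against the
    # bulletin. Later cumulative updates supersede them, so absence from
    # Get-HotFix is a prompt to check update history, not proof of exposure.
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
)

function Get-Smb1Exposure {
    # Server-side SMB1 flag: this is the side the SMB attack vector reaches.
    $server  = Get-SmbServerConfiguration
    # Is the SMB1 component installed at all? Absent on some editions, hence SilentlyContinue.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Any of the listed MS17-010 KBs present?
    $hotfix  = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $Ms17010Kbs }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $server.EnableSMB1Protocol
        Smb1FeatureState   = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
        Ms17010KbInstalled = [bool]$hotfix
        Ms17010KbIds       = ($hotfix.HotFixID -join ',')
    }
}

function Disable-Smb1 {
    # Stop offering SMB1 to clients first; -Force skips the confirmation prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Then remove the component so a stray registry edit cannot re-enable it.
    # Removal completes on the next reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$before = Get-Smb1Exposure
$before | Format-List

if ($before.Smb1ServerEnabled -or $before.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is still enabled on $($before.ComputerName); the SMB attack vector discussed above is reachable."
    if ($Remediate) {
        Disable-Smb1
        Write-Host 'SMBv1 disabled; state after remediation:'
        Get-Smb1Exposure | Format-List
    }
}
if (-not $before.Ms17010KbInstalled) {
    Write-Warning 'No MS17-010 KB from the list was found; confirm via Windows Update history before treating this host as patched.'
}
```

Run it without arguments to get a report, and with -Remediate to turn SMBv1 off; the feature removal needs a reboot to finish, which is why the script uses -NoRestart and leaves the timing to you. Note that disabling SMBv1 only closes the EternalBlue path; the credential-reuse spread malchior mentions (pass-the-hash) is a separate problem that patching and SMBv1 removal do not address.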
Yog-Sothoth
Posts: 547
Joined: Mon Oct 18, 2004 12:59 am

Re: Ransomware Attack

Post by Yog-Sothoth »

Isgrimnur wrote:Guardian
Firstly, the ransom note includes the same Bitcoin payment address for every victim – most ransomware creates a custom address for every victim. Secondly, the malware asks victims to communicate with the attackers via a single email address which has been suspended by the email provider after they discovered what it was being used for. This means that even if someone pays the ransom, they have no way to communicate with the attacker to request the decryption key to unlock their files.
Turns out it's probably a cyberweapon masquerading as ransomware.

https://securelist.com/expetrpetyanotpe ... are/78902/
Octavious
Posts: 20040
Joined: Fri Oct 15, 2004 2:50 pm

Re: Ransomware Attack

Post by Octavious »

Punisher wrote:I've been in IT for a while now and have dealt with companies large and small, as well as communicating with various peers. Here are some reasons I've seen this happen:

1) Incompetence. Yes, it happens, even with experienced people.
2) "Budget." Many companies, even large ones, see the IT department as a sinkhole of expenses.
3) Testing. Many big companies won't deploy anything without rigorous testing, for good reason. I have been involved in/heard about multiple cases where a patch was pushed and broke some critical software, requiring days of downtime in a few cases. As Octavious mentioned, this testing can take a while, sometimes months.
I'm sure there are other valid reasons, but it's late and my meds are kicking in, so that's it for tonight.
I give 10-1 odds it was testing. They are nuts about testing and also they have had MAJOR management changes the last 4-6 months. Half the people don't know what their roles are anymore, so I can totally see how this happened. Just got a message that they will likely move my release to the first week of August. That blows, means I have to watch the release over the weekend and that's my birthday. I'm going to push it another week just because of that! ;)
LawBeefaroni
Forum Moderator
Posts: 55364
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: Ransomware Attack

Post by LawBeefaroni »

Ouch.
Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
Punisher
Posts: 4062
Joined: Thu Mar 24, 2005 12:05 pm

Re: Ransomware Attack

Post by Punisher »

LawBeefaroni wrote:Ouch.
Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.
As they say, takes one to know one.
hepcat
Posts: 51489
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: Ransomware Attack

Post by hepcat »

:shock: I did not expect that. The kid seemed so sincere in all his interviews.
Anonymous Bosch
Posts: 10514
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: Ransomware Attack

Post by Anonymous Bosch »

LawBeefaroni wrote:Ouch.
Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.
Brings to mind the old Nietzsche quote:

"He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you."
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
LawBeefaroni
Forum Moderator
Posts: 55364
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: Ransomware Attack

Post by LawBeefaroni »

Or takes one to know one.

Kronos was before Wanna. Although it looks like he was arrested because he sold Kronos on AlphaBay. No evidence that he actually used it to steal accounts. Fine line, to be sure, though.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
Sudy
Posts: 8279
Joined: Sun Nov 21, 2004 3:11 am
Location: Ontario, Canada

Re: Ransomware Attack

Post by Sudy »

My company got hit on Friday. :horse:

I saw a commercial on late night TV. It said, "Forget everything you know about slipcovers." So I did. And it was a load off my mind. Then the commercial tried to sell me slipcovers, and I didn't know what the hell they were. -- Mitch Hedberg
FishPants
Server WhOOre
Posts: 4661
Joined: Fri Oct 15, 2004 1:38 pm
Location: Canada

Re: Ransomware Attack

Post by FishPants »

But.. How? They hadn't patched endpoints yet? That's a crazy lag time on a pretty widely published vulnerability.
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: Ransomware Attack

Post by malchior »

There might have been something new on Friday. One of my friends had big outages on Friday as well...and there was some chatter in the CTI channels. It is early and all that but this is going to be a continuing threat for some time.
Punisher
Posts: 4062
Joined: Thu Mar 24, 2005 12:05 pm

Re: Ransomware Attack

Post by Punisher »

FishPants wrote (Mon Feb 19, 2018 2:40 pm):But.. How? They hadn't patched endpoints yet? That's a crazy lag time on a pretty widely published vulnerability.
It could have been an end user who caused it.. That happens.. A lot..
We had a client get hit by a virus AND an intrusion due to a user replying to fake emails. We had to lock down the whole company and implement a bunch of security procedures.
A week later, the same user did the same thing and gave outside people her password... and again the week after. We STILL don't understand how she still has a job... She has also been complaining that the procedures slow her work down...
I suspect she knows where the bodies are buried.