ESET’s EternalBlue Vulnerability Checker

A free tool released by ESET ‘to help combat the recent ransomware, WannaCry (WannaCryptor).’

The press release goes on to say that:

ESET’s EternalBlue Vulnerability Checker can be used to determine whether your Windows machine is patched against EternalBlue, the exploit behind the WannaCry ransomware epidemic that is still being used to spread cryptocurrency mining software and other malware.

This obviously isn’t the only way to check, and it may not be the only tool of its kind out there – I haven’t been looking for such a tool. And clearly, checking for a specific vulnerability isn’t a substitute for a sound patching strategy, or for using security software that detects malware (including WannaCryptor) reasonably reliably. But while I haven’t tested it personally, I’d be very surprised (in view of my longstanding association with ESET) if this tool didn’t do what it says on the tin, so some people and organizations might well find this useful.

David Harley

Decryption hope for WannaCryptor a.k.a. Wannacry

Wannacry in-memory key recovery for WinXP – Adrian Guinet warns:

“This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected.

Please also note that you need some luck for this to work (see below), and so it might not work in every case!”

However, wanakiwi claims to have tested it successfully with versions up to Windows 7, but points to some alternative information. WannaCry — Decrypting files with WanaKiwi + Demos

Dan Goodin for Ars Technica: Windows XP PCs infected by WCry can be decrypted without paying ransom – “Decryption tool is of limited value, because XP was unaffected by last week’s worm.”

John Leyden for The Register: There’s a ransom-free fix for WannaCrypt. Oh snap, you’ve rebooted your XP box – “Sooo… that’s not gonna work for you mate”

David Harley

WannaCryptor news updates

Because of the apparent seriousness of the issue, I borrowed my earlier blogs on this topic for ITsecurity UK. So it’s only fair that I borrow back a couple of updates from that article.

You may have seen that someone was able to ‘switch off’ the attack by registering a domain. (‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack.) While it sounds as if this bought the world some time, it doesn’t mean there won’t be further attacks. I still recommend that you patch if you can.

There are reports of further variants, including one which is alleged not to include a kill switch. That might not be an accurate report, but certainly no-one should be relying on the neutralization of kill-switch domains rather than patching.

And if you have been caught out by the malware and were thinking of paying up, be warned that payment may not get your files back, according to Checkpoint: WannaCry – Paid Time Off?

Analysis by Microsoft here. MS recommends that you update to Windows 10 (no comment…) and/or apply the MS17-010 update. If that’s not possible, they recommend that you:

Hat tip to Artem Baranov for links to further information.

David Harley


WannaCryptor – XP patch available

Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.

If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)

If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.

Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.

Kudos to Microsoft for going the extra mile…

Additional analysis and/or commentary by ESET – Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame, Malwarebytes – The worm that spreads WanaCrypt0r, and Sophos: Wanna Decrypter 2.0 ransomware attack: what you need to know. Among other vendors, of course. [Added subsequently: Symantec – What you need to know about the WannaCry Ransomware]

David Harley

Ransomware Avalanche – WannaCryptor and Jaff

It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…)

At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as a proactive measure. One thing that does seem clear is that systems that haven’t been patched against MS17-010 are vulnerable to the ‘EternalBlue’ exploit from the Shadow Brokers NSA leak unless they have security software that blocks that exploit.

Being in the UK, I’m especially interested in the effect on the NHS, though I’m not in a position to tell you much about it. Here are a couple of links:

Some sources link this with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf. Commentary by EMSISOFT. Commentary by The Register.

David Harley

Emsisoft ‘Spotlight on Ransomware’ series

Emsisoft’s CMO Holger Keller contacted me to point out that the company is running a series of ‘Spotlight on Ransomware’ articles. I haven’t had a chance to look at them properly, but the company does useful work on providing ransomware decryptors and you may well find the articles of use and interest. Added to the RANSOMWARE RECOVERY AND PREVENTION page.

The first two articles are:

  • Spotlight on Ransomware: Common infection methods – the writer says: ‘Malware writers and attackers use a variety of sophisticated techniques to spread their malware. There are three commonly used ransomware infection methods that will be explored in this post; malicious email attachments and links, drive-by downloads and Remote Desktop Protocol attacks. It is our hope that we can help you to focus on protecting the areas most likely to be compromised by cybercriminals and to reduce your risk of infection, starting right now.’
  • Spotlight on Ransomware: How ransomware works – the writer says: ‘In Part Two, we will explore what happens once you’ve made that unfortunate click on a link or document, and what the ransomware does to your system to take control.’

David Harley

Karmen – Ransomware-as-a-Service keeping Bizet*

Ransomware-as-a-Service derived from Hidden Tear, sold by DevBitox on the dark web.

Analysis by Recorded Future: Karmen Ransomware Variant Introduced by Russian Hacker

Recorded Future on Hidden Tear

Commentary by John Leyden for The Register: Profit with just one infection! Crook sells ransomware for  – Nifty dashboard shows the bitcoin rolling in

*Carmen (the opera)

David Harley

Spanish Harmada: support scams sail again

Here’s another article by Josep Albors and myself for ESET: Spanish Harmada: more on tech support scams. Excerpt:

‘After our recent joint blog Support scams now reign in Spain, Josep Albors was contacted by a Spanish online newspaper asking for further information and general commentary. So here, first, is my general commentary on the evolution of the tech support scam and why the current high incidence of reports in Spain (and, to a lesser extent, other parts of the world) is so significant. The subsequent article in El Confidencial can be found here (in Spanish).’

David Harley

Ransomware Timeline

I’m not really in a position to track and write about every development in the world of ransomware. (Rather, I’ve concentrated on information on specific families and pointers to useful information and advice.) 

If a regular timeline is of use to you, though, David Balaban contacted me about his Ransomware Chronicle, which tersely flags ‘New ransomware released’, ‘Old ransomware updated’, ‘Ransomware decrypted’ and ‘Other important events’. No links to further information, though, at time of writing. He also provides ransomware reports for Tripwire’s State of Security blog. 

David Harley