A free tool released by ESET ‘to help combat the recent ransomware, WannaCry (WannaCryptor).’
The press release goes on to say that:
ESET’s EternalBlue Vulnerability Checker can be used to determine whether your Windows machine is patched against EternalBlue, the exploit behind the WannaCry ransomware epidemic that is still being used to spread cryptocurrency mining software and other malware.
This obviously isn’t the only way to check, and it may not be the only tool of its kind out there – I haven’t been looking for such a tool. And clearly, checking for a specific vulnerability isn’t a substitute for a sound patching strategy, or for using security software that detects malware (including WannaCryptor) reasonably reliably. But while I haven’t tested it personally, I’d be very surprised (in view of my longstanding association with ESET) if this tool didn’t do what it says on the tin, so some people and organizations might well find this useful.
Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.
If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)
If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.
Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.
Kudos to Microsoft for going the extra mile…
Additional analysis and/or commentary by ESET – Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame, Malwarebytes – The worm that spreads WanaCrypt0r, and Sophos: Wanna Decrypter 2.0 ransomware attack: what you need to know. Among other vendors, of course. [Added subsequently: Symantec – What you need to know about the WannaCry Ransomware]
It seems that it’s now possible to decrypt Crysis-encrypted files that have the .dharma extension: Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com.
ESET has updated its Crysis decryptor to take advantage of the newly-released keys. Kaspersky has done the same with its Rakhni decryptor. I imagine others will do the same, if they haven’t already.
* The Dharma Bums is a novel by Jack Kerouac. And On The Road is another. Sorry, I couldn’t resist.
Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.
Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.
My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.
ESET’s WeLiveSecurity blog put together an article combining commentary from Stephen Cobb, Lysa Myers and myself: Ransomware: Key insights from infosec experts.
Yesterday, the site also commented on a story – Austrian hotel experiences ‘ransomware of things attack’ – that I also touched upon for ITSecurity UK: Key Card Ransomware: News versus FUD.
An article by me for ESET, sparked off by a conversation with Kevin Townsend, in the wake of research commissioned by Malwarebytes, on the pros and cons of paying to get your data back after a ransomware attack.
ESET Senior Research Fellow
My friend and colleague Stephen Cobb, for ESET, recently posted an article on Jackware: When connected cars meet ransomware. He says:
I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.
Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”
So speculation, but informed speculation, a hot topic, and well-written (of course).
[Also published on the Mac Virus blog, which also addresses smartphone security issues]
Not quite ransomware (though there is a suggestion that it may happen), but but my ESET Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:
This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.
In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all to easy for a relatively simple scam to take advantage of a popular craze.
Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.
The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend
Somewhat-related recent articles from ESET:
Other blogs are available. 🙂
Here’s an article from my colleague ESET Camilo Gutiérrez Amaya, Head of Awareness & Research for Latin America: Ransomware: First files … now complete devices.
The article is actually adapted from the ransomware section of ESET’s 2016 trends paper (In)security Everywhere, but worth reading if you haven’t read that somewhat hefty document.