Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.
If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)
If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.
Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.
Kudos to Microsoft for going the extra mile…
Additional analysis and/or commentary by ESET – Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame, Malwarebytes – The worm that spreads WanaCrypt0r, and Sophos: Wanna Decrypter 2.0 ransomware attack: what you need to know. Among other vendors, of course. [Added subsequently: Symantec – What you need to know about the WannaCry Ransomware]
Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.
Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.
Jérôme Segura examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or using iTunes., apparently to put up a fake alert.
Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.
Interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim into calling the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware.
A closer look at a tech support screen locker
This AVIEN article also added to Tech Support Scams and Ransomware, to Specific Ransomware Families and Types, and to PC ‘Tech Support’ Scam Resources. The latter has now been renamed by dropping the reference to cold-calls, as cold-calling is no longer the only (or, arguably, the most effective) means of implementing tech support scams.
Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.
Support scammers tend to be seen by people with a reasonable understanding of technology as being pretty low-grade, as scammers go.
‘Support desk’ scammers are sometimes subjected to humiliating telephone exchanges by people who take an understandable pleasure in wasting their time by pretending to be even dumber victims. They capitalize on the fact that scammers at this level are often easily confused if the victim doesn’t follow the script, and don’t have the technical knowledge to respond appropriately to reverse social engineering. Yet some of the tricks they deploy to convince victims that their systems are compromised so that they seek help from a fake helpline have become surprisingly sophisticated. As have the scammer organizations themselves.
For Malwarebytes, William Tsing offers an explanation as to how support scammers ‘can be sophisticated enough to set up infrastructure handling and network tracking, SEO cloaking, and payment processing.’ His suggestion is that behind the scam companies is a ‘criminal underclass’ offering prefabricated scam packages ‘that only require a credit card and ill intent to set up.’ And since most cybercrime works on a similar model, that comes as no surprise. In his article, he dissects a specific example of a Scam in a Box: Scamming as a service – seriously.
For Malwarebytes, Jérôme Segura gives details of some tricks currently used by tech support scammers to deceive Chrome users.
Tech support scams and Google Chrome tricks
Commentary from Help Net Security: Google Chrome users targeted by tech support scammers
ESET Senior Research Fellow
An article by me for ESET, sparked off by a conversation with Kevin Townsend, in the wake of research commissioned by Malwarebytes, on the pros and cons of paying to get your data back after a ransomware attack.
ESET Senior Research Fellow
John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player exploit (CVE-2016-4117) recently addressed by Adobe in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.
I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.
Worth looking out for (the article and the malware).
[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:
Malwarebytes describes getting the jump on a group apparently responsible for impersonating legitimate security companies. Well, that sort of impersonation is pretty standard for tech support scammers, but in this case Malwarebytes is talking about ‘a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number.’
And not only Malwarebytes. The article includes some screenshots of fake sites impersonating Microsoft, AVG, Kaspersky, ESET and so on.
Here’s the Malwarebytes article: The hunt for tech support scammers. Commentary by SC Magazine: Scammers impersonate legit cyber-security companies
Added to tech support resources page.