Windows 10: New global ransomware attack hits East Europe and spreading

  1. Wynona
    Posts : 21,168
    Windows 10 Skip Ahead Preview Build 18219
       30 Jun 2017 #71

    AndreTen said:
    Microsoft posted a very interesting article about the Petya outbreak, including how Windows telemetry helped understand the malware's spreading.

    Attachment 141869
    Now, if you would just translate, please!?!?!?!?

  2. Hydrate
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       30 Jun 2017 #72

    Wynona said:
    Now, if you would just translate, please!?!?!?!?
    I'll challenge myself here to translate into layman's terms. The blue flags indicate where Microsoft's protection against the ransomware is available and mitigated the threat and eliminated it.

    1. A malicious software update containing the petya.dll (dynamic link library) provided by the threat actor (entity responsible for this madness) was executed upon patient zero's machine knowing it had been vulnerable, supposedly a client of a Ukrainian account company who has run into similar security issues. AppLocker would have restricted access to executable files, therefore stopping petya.
    2. In Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows Server 2003, you can retrieve a handle to any process in the system by enabling the SeDebugPrivilege in the calling process. The calling process can then call the OpenProcess() Win32 API to obtain a handle with PROCESS_ALL_ACCESS.

       This functionality is provided for system-level debugging purposes. For debugging non-system processes, it is not necessary to grant or enable this privilege.

       This privilege allows the caller all access to the process, including the ability to call TerminateProcess(), CreateRemoteThread(), and other potentially dangerous Win32 APIs on the target process. (Source: https://support.microsoft.com/en-us/...debugprivilege)

       This allows the malware to propagate and hijack the master boot record with full privileges from SeDebug.

    I just got too lazy to continue, but essentially the SMB exploits spread across the networks from the other machines running SMB v1, steal network credentials, find a list of all other machines, and spread again using commands from WMIC and PSEXEC for remote execution across a network, allowing petya.dll to spread and hijack more MBRs.

  3. f14tomcat
    Posts : 36,186
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)
       30 Jun 2017 #73

    Hydrate said:
    I'll challenge myself here to translate into layman's terms. The blue flags indicate where Microsoft's protection against the ransomware is available and mitigated the threat and eliminated it.

    1. A malicious software update containing the petya.dll (dynamic link library) provided by the threat actor (entity responsible for this madness) was executed upon patient zero's machine knowing it had been vulnerable, supposedly a client of a Ukrainian account company who has run into similar security issues. AppLocker would have restricted access to executable files, therefore stopping petya.
    2. This allows the malware to propagate and hijack the master boot record with full privileges from SeDebug.

    I just got too lazy to continue, but essentially the SMB exploits spread across the networks from the other machines running SMB v1, steal network credentials, find a list of all other machines, and spread again using commands from WMIC and PSEXEC for remote execution across a network, allowing petya.dll to spread and hijack more MBRs.
    Is this an issue:

    Attachment 141898 (2017-06-30_15h07_57.png)

  4. Hydrate
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       30 Jun 2017 #74

    f14tomcat said:
    Is this an issue:

    Attachment 141898 (2017-06-30_15h07_57.png)
    I'd think that this speaks for itself. Stop using SMB1 | Storage at Microsoft

    It's not a secure protocol, and the only reasons you should be running it are for Windows XP or compatibility across different devices such as old printers.

    So, disable it, or otherwise patch your system against Petya's known attack vectors such as using WUSA for an update, MBAM, Perfmon, AppLocker; the list goes on.
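As an added example that is not part of the thread or of Microsoft's article: a PowerShell script (run from an elevated prompt on Windows 10) that reports whether the SMB1 optional feature, the server-side SMB1 switch and the SMB1 client redirector are enabled, and only changes anything when run with -Disable. The cmdlets and service names are Windows built-ins; the script, its output format and the -Disable switch are my own.

```powershell
# Added example: audit (and optionally turn off) SMBv1 on Windows 10.
# Run from an elevated PowerShell prompt. Without -Disable it only reports.
param([switch]$Disable)

# 1. The optional feature that ships the SMB1 protocol binaries.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host ("SMB1Protocol feature  : {0}" -f $feature.State)

# 2. Server side: will this machine serve its shares over SMB1?
$server = Get-SmbServerConfiguration
Write-Host ("SMB1 server enabled   : {0}" -f $server.EnableSMB1Protocol)

# 3. Client side: the SMB1 redirector driver (mrxsmb10). Start value 4 = disabled.
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$client = Get-ItemProperty -Path $clientKey -Name Start -ErrorAction SilentlyContinue
if ($client) {
    $state = if ($client.Start -eq 4) { 'Disabled' } else { 'Enabled (Start={0})' -f $client.Start }
    Write-Host ("SMB1 client (mrxsmb10): {0}" -f $state)
} else {
    Write-Host "SMB1 client (mrxsmb10): driver not present"
}

if (-not $Disable) {
    Write-Host "Audit only. Re-run with -Disable to turn SMBv1 off."
    return
}

# Server side first; this takes effect without a reboot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Client side: stop the workstation service from loading the SMB1 redirector
# and disable the driver itself.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Finally remove the optional feature; Windows will ask for a reboot to finish.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

Write-Host "SMBv1 disabled. Reboot to complete removal of the optional feature."
```

Re-running the script without -Disable after the reboot should show the feature as Disabled, the server switch as False and the client driver as Disabled.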

  5. AndreTen
    Posts : 14,127
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       30 Jun 2017 #75

    Wynona said:
    Now, if you would just translate, please!?!?!?!?
    What is most fascinating, @Wynona, is that the malware had a strict policy to stay undisclosed. If a certain AV solution was present on the infected computer, it went straight to destroying the file system; otherwise it went for compromising the computer and checked the network for further vulnerabilities.

    In my opinion, the main target was collecting credentials, or just making as much mess as they could.

  6. f14tomcat
    Posts : 36,186
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)
       30 Jun 2017 #76

    Hydrate said:
    I'd think that this speaks for itself. Stop using SMB1 | Storage at Microsoft

    It's not a secure protocol, and the only reasons you should be running it are for Windows XP or compatibility across different devices such as old printers.

    So, disable it, or otherwise patch your system against Petya's known attack vectors such as using WUSA for an update, MBAM, Perfmon, AppLocker; the list goes on.
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.

  7. AndreTen
    Posts : 14,127
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       30 Jun 2017 #77

    f14tomcat said:
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.
    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not the first line of attack. Any router will block this.

    The main danger for home users is still phishing with attachments and browsing on the internet.

  8. f14tomcat
    Posts : 36,186
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)
       30 Jun 2017 #78

    AndreTen said:
    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not the first line of attack. Any router will block this.

    The main danger for home users is still phishing with attachments and browsing on the internet.
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........

  9. AndreTen
    Posts : 14,127
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       30 Jun 2017 #79

    f14tomcat said:
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........
    Exactly.
    MS will disable it in the next builds, at least that is what they said.

  10. bro67
    Posts : 4,887
    Mac OS High Sierra 10.13.5
       30 Jun 2017 #80

    AndreTen, I think that we can at least now state that firewall protection should be enabled full time on any system, whether it is running Linux, Mac OS or Windows. When troubleshooting problems, we are all going to have to remember to address whether a person has a firewall enabled, and make sure that everyone asks what security software they are running as well. The fact is that if someone blocks or disables NetBIOS and/or SMB ports, it will break the system.