I Hope No One Here Gets Hit With This New Ransomware!

Author
dlesaux
Max Output Level: -70 dBFS
  • Total Posts : 1034
  • Joined: 2009/09/13 09:25:18
  • Status: offline
2017/05/15 16:00:42 (permalink)

I Hope No One Here Gets Hit With This New Ransomware!

I haven't seen any posts about this besides one from a few months ago. Stay safe folks! Keep your security patches up to date! I wish you all well!

Peace!
Daniel

Sonar Platinum - 2017.10 and PreSonus Studio One 3.5.5
Windows 10 64 bit
Studiocat Skylake Desktop PC with Intel i7 6700k processor @ 4.20 GHz / 16G RAM 
Focusrite Scarlett 2i2 Audio Interface and Cakewalk UM-2G Midi Interface

Check out my website
#1
azslow3
Max Output Level: -42.5 dBFS
  • Total Posts : 3297
  • Joined: 2012/06/22 19:27:51
  • Location: Germany
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/15 16:20:03 (permalink)
I can add:
* keep your USB backup drives DISCONNECTED from the PC.
* do not expose your Network based backup storage as a writable shared disk.
 
Note that unlike previous incarnations, which were distributed as malware (it had to be "clicked" to become active), the latest version can be locally distributed as a virus, so it can be activated on a vulnerable system without user action. At least that is how I have understood the (I must say rather poor) description on the Internet.
The good news (if I understand the procedure correctly; I have analyzed only the previous version, but "registration of one domain name has solved future distribution" confirms that) is that the encryption code is still downloaded from the Internet. I mean, even when the virus is already in the local system and now wants to activate a new system, that is not going to work. In other words, if your particular computer is not infected already, it cannot be infected by the version injected 3 days ago.
 

Sonar 8LE -> Platinum infinity, REAPER, Windows 10 pro
GA-EP35-DS3L, E7500, 4GB, GTX 1050 Ti, 2x500GB
RME Babyface Pro (M-Audio Audiophile Firewire/410, VS-20), Kawai CN43, TD-11, Roland A500S, Akai MPK Mini, Keystation Pro, etc.
www.azslow.com - Control Surface Integration Platform for SONAR, ReaCWP, AOSC and other accessibility tools
#2
abacab
Max Output Level: -30.5 dBFS
  • Total Posts : 4464
  • Joined: 2014/12/31 19:34:07
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/15 18:06:30 (permalink)
This particular malware exploits a flaw that Microsoft released a patch for in the monthly rollups for supported systems in March 2017.  https://technet.microsoft...rary/security/MS17-010
 
Apparently when one system gets infected, this thing can spread by worming its way into all vulnerable systems on that network.
 
So if you installed the March updates, you should be good.  There is also a special patch available for Win XP and other recently unsupported Windows systems available from the Microsoft catalog.
 
There is evidence that in many ransomware cases such as this, the initial infection arrives as an email attachment that executes a .hta file.  This connects to a malware domain over the web, and downloads the payload.
 
So stay patched, run a good AV, and don't open any sketchy email attachments! 

DAW: CbB; Sonar Platinum, and others ... 
#3
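As an added example (not from anyone in this thread, and not Microsoft's tooling): a quick local exposure check for the SMBv1 flaw that MS17-010 fixed, written as a PowerShell script to run elevated on the Windows box you want to check. Assumptions: the cmdlets used exist on Windows 8/2012 and later (Get-SmbServerConfiguration, Get-NetTCPConnection) or 8.1/2012 R2 and later (Disable-WindowsOptionalFeature), with a registry fallback for Windows 7; the KB list is the set of March 2017 update IDs I associate with the MS17-010 bulletin and must be cross-checked against the bulletin before you rely on it.

```powershell
# Added example: local MS17-010 / SMBv1 exposure check. Not from the thread.
#Requires -RunAsAdministrator

# KB IDs I associate with MS17-010 (March 2017), by product family. Verify
# against the bulletin. On Windows 7 / 8.1 the monthly rollup is cumulative,
# so a box that installed a LATER rollup is patched even though Get-HotFix
# will not list these IDs: treat a miss as "inconclusive", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012598',                          # XP / Vista / 2003 / Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',             # Windows 7 / 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1 / 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Exposure {
    $result = [ordered]@{}

    # 1. Is the SMBv1 server enabled at all? If it is off, the SMBv1 path
    #    the worm uses is closed regardless of patch state.
    try {
        $result.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } catch {
        # Windows 7 has no Get-SmbServerConfiguration; read the registry instead.
        $reg = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $reg -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        # An absent value means "enabled" (the default); 0 means disabled.
        $result.Smb1ServerEnabled = ($null -eq $val -or $val -ne 0)
    }

    # 2. Is anything listening on TCP 445, the port the worm scans for?
    $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # 3. Is one of the MS17-010 KBs recorded as installed?
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $result.Ms17010KbInstalled = @($installed | Select-Object -ExpandProperty HotFixID)

    # 4. Version of the SMB server driver, to compare with the file table in
    #    the bulletin when the KB check above is inconclusive.
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $result.SrvSysVersion = if (Test-Path $srv) { (Get-Item $srv).VersionInfo.ProductVersion } else { 'not present' }

    [pscustomobject]$result
}

function Disable-Smb1 {
    # Turn the SMBv1 server off (reboot required). Check first for anything
    # on the LAN that still needs SMBv1, such as an old NAS or printer.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On 8.1/10 also remove the optional component so it cannot be re-enabled quietly.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$state = Test-Ms17010Exposure
$state | Format-List

if ($state.Smb1ServerEnabled -and $state.Ms17010KbInstalled.Count -eq 0) {
    Write-Warning 'SMBv1 is on and no MS17-010 KB was found: install the update, then run Disable-Smb1.'
}
```

The two checks that matter most are the first and the last: a machine with SMBv1 disabled is not reachable over the path this worm used even if the KB check comes back empty, and a machine showing SMBv1 on with no recorded MS17-010 update should be patched before it goes back on a shared network.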
abacab
Max Output Level: -30.5 dBFS
  • Total Posts : 4464
  • Joined: 2014/12/31 19:34:07
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/15 18:14:12 (permalink)
azslow3
 
The good news (if I understand the procedure correctly; I have analyzed only the previous version, but "registration of one domain name has solved future distribution" confirms that) is that the encryption code is still downloaded from the Internet. I mean, even when the virus is already in the local system and now wants to activate a new system, that is not going to work. In other words, if your particular computer is not infected already, it cannot be infected by the version injected 3 days ago.
 



That was a clever hack of the "killswitch" domain.  https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/
 
But some experts are warning that since this exploit is now "in the wild", it will be simple for the bad guys to create variants that bypass this fix used against the latest exploit.  Possibly more to come!

DAW: CbB; Sonar Platinum, and others ... 
#4
kennywtelejazz
Max Output Level: -3.5 dBFS
  • Total Posts : 7151
  • Joined: 2005/10/22 06:27:02
  • Location: The Planet Tele..X..
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/15 22:01:27 (permalink)
Lots of decent people can get hurt with hacks like this one that is going on ..
I hope they catch the D Bags ....
My Chromebook has been working over time lately
 
Kenny
 

                   
Oh Yeah , Life is Good .
The internet is nothing more than a glorified real time cartoon we all star in.
I play a "Gibson " R 8 Les Paul Cherry Sunburst .
The Love of my Life is an American Bulldog Named Duke . I'm currently running Cakewalk By BandLab as my DAW .
 
https://soundcloud.com/guitarist-kenny-wilson
 
https://www.youtube.com/user/Kennywtelejazz/videos?view=0&sort=dd&shelf_id=1
 
http://www.soundclick.com/bands/pagemusic.cfm?bandID=427899



#6
ampfixer
Max Output Level: -20 dBFS
  • Total Posts : 5508
  • Joined: 2010/12/12 20:11:50
  • Location: Ontario
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/15 23:47:31 (permalink)
Things like this are the reason you have to shut down a bunch of Win10 defaults for sharing and updating your system. I think the initial infections came through systems running XP. Of course that means big business and hospitals.

Regards, John 
 I want to make it clear that I am an Eedjit. I have no direct, or indirect, knowledge of business, the music industry, forum threads or the meaning of life. I know about amps.
WIN 10 Pro X64, I7-3770k 16 gigs, ASUS Z77 pro, AMD 7950 3 gig,  Steinberg UR44, A-Pro 500, Sonar Platinum, KRK Rokit 6 
#7
Fleer
Max Output Level: 0 dBFS
  • Total Posts : 8715
  • Joined: 2014/08/29 10:17:45
  • Location: Boston/Cambridge
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/16 01:47:39 (permalink)
Get a Mac.
Edith: Macallan 1981. Nice.
post edited by Fleer - 2017/05/16 02:57:45

"We're just two lost souls swimming in a fish bowl" (Wish You Were Here)
#8
stevec
Max Output Level: 0 dBFS
  • Total Posts : 11546
  • Joined: 2003/11/04 15:05:54
  • Location: Parkesburg, PA
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/16 13:20:10 (permalink)
Fleer
Edith: Macallan 1981. Nice.



Oooh...   Macallan's 1981?  As in aged 35 years?  Nice.

SteveC
https://soundcloud.com/steve-cocchi
http://www.soundclick.com/bands/pagemusic.cfm?bandID=39163
 
SONAR Platinum x64, Intel Q9300 (2.5Ghz), Asus P5N-D, Win7 x64 SP1, 8GB RAM, 1TB internal + ESATA + USB Backup HDDs, ATI Radeon HD5450 1GB RAM + dual ViewSonic VA2431wm Monitors;
Focusrite 18i6 (ASIO);
Komplete 9, Melodyne Studio 4, Ozone 7 Advanced, Rapture Pro, GPO5, Valhalla Plate, MJUC comp, MDynamic EQ, lots of other freebie VST plugins, synths and Kontakt libraries
 
#9
bitflipper
01100010 01101001 01110100 01100110 01101100 01101
  • Total Posts : 26036
  • Joined: 2006/09/17 11:23:23
  • Location: Everett, WA USA
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/16 16:41:26 (permalink) ☄ Helpfulby RSMCGUITAR 2017/05/16 19:42:25
All you folks in the UK who may have had their surgeries cancelled due to this malware, you can thank our NSA.
 
The NSA identified the exploit years ago that allows this virus to propagate itself quickly over a LAN. But rather than notify Microsoft about it so that a defense could be patched into Windows, they elected to keep this information to themselves and use it for their own purposes.
 
The NSA then wrote software that capitalized on the exploit, presumably in order to infiltrate terrorist networks. Eventually, that software was stolen and released to the world, making it relatively easy for even technically semi-literate criminals to adapt it to their own nefarious schemes.
 
So to all you inconvenienced NHS patients, we American taxpayers say "you're welcome".


All else is in doubt, so this is the truth I cling to. 

My Stuff
#10
ampfixer
Max Output Level: -20 dBFS
  • Total Posts : 5508
  • Joined: 2010/12/12 20:11:50
  • Location: Ontario
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/16 16:52:21 (permalink)
And I thought it was just a Microsoft ploy to force a massive upgrade to Win 10. Paranoia reigns. Thank you America.

Regards, John 
 I want to make it clear that I am an Eedjit. I have no direct, or indirect, knowledge of business, the music industry, forum threads or the meaning of life. I know about amps.
WIN 10 Pro X64, I7-3770k 16 gigs, ASUS Z77 pro, AMD 7950 3 gig,  Steinberg UR44, A-Pro 500, Sonar Platinum, KRK Rokit 6 
#11
abacab
Max Output Level: -30.5 dBFS
  • Total Posts : 4464
  • Joined: 2014/12/31 19:34:07
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/16 22:30:37 (permalink)
Something else that I run on my PC besides my AV, is this anti-exploit, anti-ransomware program.  It is a behavior based tool that intercepts stuff like ransomware.  It is lightweight and works alongside your chosen AV.  It doesn't seem to have any performance hit on the computer.
 
For peace of mind in these tough times!   https://www.hitmanpro.com/en-us/alert.aspx
 
This company was recently acquired by Sophos, who have integrated these tools into their enterprise AV products.  I hear that it was effective in intercepting the recent ransomware attacks.
 
I'm not saying everyone should run out and get this, but they do offer a free trial. So if you are concerned about ransomware, or drive by malware attacks, it may be worth a look.  I use it, and now I'm a believer!

DAW: CbB; Sonar Platinum, and others ... 
#12
Fleer
Max Output Level: 0 dBFS
  • Total Posts : 8715
  • Joined: 2014/08/29 10:17:45
  • Location: Boston/Cambridge
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 00:35:21 (permalink)
stevec
Fleer
Edith: Macallan 1981. Nice.



Oooh...   Macallan's 1981?  As in aged 35 years?  Nice.

Sadly, no. It's an 18 years bought around 2000, but since 1981 is the year I met the wife, I'm hanging on until 2031 before it'll fill the quaich.

"We're just two lost souls swimming in a fish bowl" (Wish You Were Here)
#13
bitflipper
01100010 01101001 01110100 01100110 01101100 01101
  • Total Posts : 26036
  • Joined: 2006/09/17 11:23:23
  • Location: Everett, WA USA
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 13:29:48 (permalink)
abacab: have you looked at system overhead with HitmanPro? My concern is that anything that hooks into low-level system calls is going to necessarily degrade system performance. Not a concern for most day-to-day computing, but paramount for a DAW that needs every CPU cycle it can get for the task at hand.
 
I see nothing at all on their website that explains how HitmanPro actually works. This is a red flag for me. Obfuscation is never necessary for a security product to be effective; it serves only one purpose: it allows marketers to make unchallenged claims.


All else is in doubt, so this is the truth I cling to. 

My Stuff
#14
abacab
Max Output Level: -30.5 dBFS
  • Total Posts : 4464
  • Joined: 2014/12/31 19:34:07
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 14:11:39 (permalink)
bitflipper
abacab: have you looked at system overhead with HitmanPro? My concern is that anything that hooks into low-level system calls is going to necessarily degrade system performance. Not a concern for most day-to-day computing, but paramount for a DAW that needs every CPU cycle it can get for the task at hand.

 
I can run this on my DAW and still pass LatencyMon with flying colors.
 

I see nothing at all on their website that explains how HitmanPro actually works. This is a red flag for me. Obfuscation is never necessary for a security product to be effective; it serves only one purpose: it allows marketers to make unchallenged claims.



That is a shame, apparently since the original SurfRight website that described it in detail has been shuttered and brought under the umbrella of Sophos, which remains rather opaque.  Probably just due to the transition period for bringing the products into the parent portfolio.  The two devs that developed this were paid handsomely to be acquired, and are still very active in its development. 
 
Sophos is marketing this technology now as part of its endpoint security for enterprise customers. They call it InterceptX and explain it here.  https://www.sophos.com/en-us/products/intercept-x.aspx
 
HitmanPro products remain a consumer-only product line, but the original tech came from HitmanPro.Alert.  HitmanPro is actually two products that come bundled together with one license.  HitmanPro.Alert is the exploit interceptor, and HitmanPro is an on-demand scanner/cleaner.
 
If you have ever heard of Microsoft's EMET, this begins with a similar concept, but goes way beyond.
 
There are two main parts, Exploit Mitigations, and Risk Reduction, for protection against unknown, 0-day, or patient zero exploits.
 
As far as impact to running applications, the Exploit Mitigations are only designed to protect internet facing applications, such as browsers, email programs, media players, office applications, browser plugins, etc.  So it's not really going to affect any other local stuff running that is not explicitly protected.
 
The second part, Risk Reduction, provides some additional system hardening protection.  These can be individually toggled on and off just by clicking a button on the GUI.  A few examples are:
Cryptoguard - detects encryption of files and stops the attack
Keystroke Encryption - protects against keyloggers when filling out web forms
Process Protection - prevents process hollowing
BadUSB - Stops malicious USB devices
Network Lockdown - stops backdoor traffic
 
Bottom line is I can see no additional performance impact from this, running alongside my AV.

DAW: CbB; Sonar Platinum, and others ... 
#15
bitflipper
01100010 01101001 01110100 01100110 01101100 01101
  • Total Posts : 26036
  • Joined: 2006/09/17 11:23:23
  • Location: Everett, WA USA
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 16:04:08 (permalink)
Thanks for the info!
 
So I gather it prevents cryptolocker-type malware from getting installed in the first place, as opposed to intercepting their subsequent attempts to encrypt files, at which time they are not internet-facing programs. Yes, I know that this latest WannaCry variant does depend on an internet connection, and that's how it was defeated. But viruses in general do not necessarily have an internet connection or even a network component. No anti-malware software can stop them without placing themselves between user applications and O/S calls.
 
I wonder, for example, how HitManPro can differentiate between malware encrypting a file versus me encrypting a file on purpose.


All else is in doubt, so this is the truth I cling to. 

My Stuff
#16
abacab
Max Output Level: -30.5 dBFS
  • Total Posts : 4464
  • Joined: 2014/12/31 19:34:07
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 17:12:10 (permalink)
bitflipper
Thanks for the info!
 
So I gather it prevents cryptolocker-type malware from getting installed in the first place, as opposed to intercepting their subsequent attempts to encrypt files, at which time they are not internet-facing programs. Yes, I know that this latest WannaCry variant does depend on an internet connection, and that's how it was defeated. But viruses in general do not necessarily have an internet connection or even a network component. No anti-malware software can stop them without placing themselves between user applications and O/S calls.
 
I wonder, for example, how HitManPro can differentiate between malware encrypting a file versus me encrypting a file on purpose.




The Cryptoguard defense appears to be part of the internal system hardening, for use after the malware is actually downloaded and executed.  I saw a video on YouTube of a guy clicking on various ransomware samples on his test system, and Cryptoguard prevented the encryption of user files.
 
Some exploits were blocked immediately, while others ran, but did not damage the file system. 
 
This whole approach is behavior based, and uses no signatures.  Cryptoguard apparently stays on alert for any file encryption processes, and maintains a backup of the un-encrypted files in a special Cryptoguard folder inside the Windows folder.
 
If it blocks a process, it can roll back any files that got encrypted before it intercepted the attack.  Clever! 

DAW: CbB; Sonar Platinum, and others ... 
#17
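As an added example (my own toy, not HitmanPro's or Sophos's code, and not a substitute for it): the Cryptoguard idea described in the post above, reduced to its behavioural core. Keep a pre-change copy of each watched file, then look for a burst of rewrites that turn structured files into ciphertext-like blobs, and roll back from the copies when that happens. It also answers the earlier question about malware versus the user encrypting a file on purpose the only way a behaviour-based tool can: by rate and breadth rather than intent, so a deliberate bulk encrypt of the watched folder trips it too, and single-file encryption does not. The entropy floor, the "3 files per sweep" trigger, the shadow-folder layout, and the demo data are my assumptions.

```powershell
# Added example: behaviour-based mass-encryption detector with rollback.
# Thresholds and layout are the author's choices, not any product's.

function Get-ByteEntropy {
    # Shannon entropy in bits per byte: text and project files sit well
    # below 7; compressed or encrypted data sits close to 8.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [math]::Log($p, 2) }
    }
    return $h
}

function Save-Shadow {
    # Copy every file under $Watch into $Shadow and record its hash and entropy.
    param([string]$Watch, [string]$Shadow)
    New-Item -ItemType Directory -Force -Path $Shadow | Out-Null
    $state = @{}
    foreach ($f in Get-ChildItem -Path $Watch -File -Recurse) {
        $rel  = $f.FullName.Substring($Watch.Length).TrimStart('\')
        $dest = Join-Path $Shadow $rel
        New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
        Copy-Item $f.FullName $dest -Force
        $state[$rel] = @{
            Hash    = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
            Entropy = Get-ByteEntropy ([IO.File]::ReadAllBytes($f.FullName))
        }
    }
    return $state
}

function Find-SuspiciousRewrites {
    # Files whose content changed AND whose entropy jumped from "structured"
    # to "ciphertext-like". A file that was already high-entropy (a zip, an
    # mp3) changing is ignored, which keeps normal saves of such files quiet.
    param([string]$Watch, [hashtable]$Baseline, [double]$EntropyFloor = 7.5)
    $hits = @()
    foreach ($rel in $Baseline.Keys) {
        $path = Join-Path $Watch $rel
        if (-not (Test-Path $path)) { $hits += $rel; continue }   # deleted or renamed away
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        if ($hash -eq $Baseline[$rel].Hash) { continue }
        $e = Get-ByteEntropy ([IO.File]::ReadAllBytes($path))
        if ($e -ge $EntropyFloor -and $Baseline[$rel].Entropy -lt $EntropyFloor) { $hits += $rel }
    }
    return $hits
}

function Restore-FromShadow {
    param([string]$Watch, [string]$Shadow, [string[]]$Files)
    foreach ($rel in $Files) {
        Copy-Item (Join-Path $Shadow $rel) (Join-Path $Watch $rel) -Force
    }
}

# --- demo on constructed data in a temp folder; no real ransomware involved ---
$watch  = Join-Path ([IO.Path]::GetTempPath()) 'cg-demo\watch'
$shadow = Join-Path ([IO.Path]::GetTempPath()) 'cg-demo\shadow'
Remove-Item -Recurse -Force (Split-Path $watch) -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Force -Path $watch | Out-Null
1..5 | ForEach-Object { Set-Content (Join-Path $watch "song$_.txt") ("lyrics line " * 200) }

$baseline = Save-Shadow -Watch $watch -Shadow $shadow

# Simulate a ransomware pass: overwrite 4 of the 5 files with random bytes.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($i in 1..4) {
    $buf = New-Object byte[] 4096; $rng.GetBytes($buf)
    [IO.File]::WriteAllBytes((Join-Path $watch "song$i.txt"), $buf)
}

$hits = @(Find-SuspiciousRewrites -Watch $watch -Baseline $baseline)
# Trip on breadth, not on any single file: 3 or more in one sweep.
if ($hits.Count -ge 3) {
    Write-Warning "Mass-encryption pattern: $($hits.Count) files rewritten as high-entropy data. Rolling back."
    Restore-FromShadow -Watch $watch -Shadow $shadow -Files $hits
}
"$($hits.Count) files flagged; song1 now starts with: " + (Get-Content (Join-Path $watch 'song1.txt') -Raw).Substring(0, 11)
```

This polling version is only to make the logic visible; a real product hooks the file writes as they happen and keeps its shadow copies somewhere an ordinary user process cannot overwrite, which is also why bitflipper's point about kernel-level hooks is fair: you cannot get the early interception without sitting between applications and the file system.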
Fleer
Max Output Level: 0 dBFS
  • Total Posts : 8715
  • Joined: 2014/08/29 10:17:45
  • Location: Boston/Cambridge
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 19:05:26 (permalink)
Sophos (free) user here.

"We're just two lost souls swimming in a fish bowl" (Wish You Were Here)
#18
Mesh
Max Output Level: 0 dBFS
  • Total Posts : 27360
  • Joined: 2009/11/27 14:08:08
  • Location: Online right here!
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 19:25:26 (permalink)
Just yesterday, my workplace got hit with this WannaCry virus (AKA Wanna Decryptor & wcry) by someone opening a "phishing" link from their email. So far, IT seems to have got it under control and rightfully so, all personal emails have been blocked. 
Seems to be a nasty thing going worldwide.

Platinum Gaming DAW: AsRock Z77 Overclock Formula
I7 3770k @ 4.5GHz : 16GB RAM G.Skill Ripjaws X
250GB OS SSD : 3TB HDD : 1TB Sample HDD
Win 10 Pro x 64 : NH-D14 CPU Cooler 
HIS IceQ  2GB HD 7870
Focusrite Scarlett 2i4
The_Forum_Monkeys
#19
abacab
Max Output Level: -30.5 dBFS
  • Total Posts : 4464
  • Joined: 2014/12/31 19:34:07
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 21:06:06 (permalink)
Fleer
Sophos (free) user here.




Sophos Home Premium (beta) includes the ransomware protection.  The release version of Sophos Home Premium is expected to include this protection.  You can sign up for the beta from your free account.  https://home.sophos.com/register/beta
 
Free =>  https://home.sophos.com/

DAW: CbB; Sonar Platinum, and others ... 
#20
Fleer
Max Output Level: 0 dBFS
  • Total Posts : 8715
  • Joined: 2014/08/29 10:17:45
  • Location: Boston/Cambridge
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 21:44:23 (permalink)
Cheers, abacab, but I'm thinking I'm more or less safe on Mac(allan).

"We're just two lost souls swimming in a fish bowl" (Wish You Were Here)
#21
abacab
Max Output Level: -30.5 dBFS
  • Total Posts : 4464
  • Joined: 2014/12/31 19:34:07
  • Status: offline
Re: I Hope No One Here Gets Hit With This New Ransomware! 2017/05/17 21:50:53 (permalink)
Fleer
Cheers, abacab, but I'm thinking I'm more or less safe on Mac(allan).




Cheers to all things Mac ... 
 

DAW: CbB; Sonar Platinum, and others ... 
#22