WannaCry ransomware attack

johnymd

Club Member
Just to add. Make sure your backup drive is only connected while doing a backup or it will also become encrypted. Your antivirus software is totally ineffective against crypto malware. Have had a few companies hit already.

johnymd

Club Member
Most antivirus software will find it after the event but the malware will usually disable the antivirus first.

jonbills

Membership Secretary
Site Administrator
No, it's just software, the same as everything. It'll be scanned before it's loaded and if it matches a known signature it won't be run.

johnymd

Club Member
The majority of these attacks are through an RDP connection or external access through a security vulnerability. They do also come in via email attachments, but these are mostly stopped by your AV software as you say. The attacks you see in the press at the moment are mostly through remote access to the servers that hold the data, which are well protected with the latest virus definitions, but as I say, they are ineffective against this type of attack.

Rob Gaskin

Treasurer
Staff member
Site Administrator
Right, I'm running Windows 7 and using McAfee, how vulnerable am I?

What about my Android devices (Samsung)?

I am out of my depth with this stuff as you will have realised.

STEVE BURNS

Club Member
Right, I'm running Windows 7 and using McAfee, how vulnerable am I?

What about my Android devices (Samsung)?

I am out of my depth with this stuff as you will have realised.

Me too Rob, you are not alone.
Only difference with me is I am running Windows 10 and using McAfee, and also have a tablet as well.
Maybe need a guideline in idiot talk from someone on what to check.

jonbills

Membership Secretary
Site Administrator
If you have auto-update on, Rob, and up-to-date antivirus, you're not vulnerable to this one. It's Windows only, so other devices are not vulnerable to this.
However there are always more. Don't click on things in email or websites that you're not very sure of.

John, it's SMB not RDP. SMB is a LAN file-sharing protocol, on by default in Windows. The Windows implementation had a vulnerability that allows code running on a primary machine running SMB to pass itself to another machine via SMB, and for the code to then run on the other machine as part of the trusted SMB server.
Microsoft patched it back in March, but not XP of course.

What this means is that it has two means of propagating: 1) through email/web links, which I've been referring to, and 2) machine to machine in a LAN/intranet through the SMB server running by default on all Windows, which is much harder for AV to detect.
This propagation mode is why it was so effective in the NHS. They have large LANs running SMB with unpatched (XP, and probably others) Windows.

The actual file encryption/ransoming is standard stuff. The SMB propagation was the clever bit.
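As an added defender-side check (not from anyone in this thread), a PowerShell snippet that reports whether the SMBv1 server is enabled on the local machine and whether the March 2017 patch mentioned above appears to be installed. The registry rule, the KB ids and the patch date are assumptions taken from Microsoft's public MS17-010 guidance for Windows 7 / Server 2008 R2; verify them for your own build.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Written for PowerShell 2.0+ so it also works on Windows 7.

function Get-Smb1State {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # Assumed from Microsoft guidance: no SMB1 value, or any non-zero value, means SMB1 is on.
    if ($null -eq $value -or $value -ne 0) { return 'Enabled' } else { return 'Disabled' }
}

function Get-Ms17010Status {
    # Assumed KB ids: security-only and monthly rollup for Windows 7 / 2008 R2 (March 2017).
    $kbs = @('KB4012212', 'KB4012215')
    $hit = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    if ($hit) { return "Installed ($($hit.HotFixID -join ', '))" }

    # On Windows 10 later cumulative updates supersede the March one, so the exact KB
    # will not be listed; fall back to the most recent installed update date.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn | Select-Object -Last 1
    if ($latest -and $latest.InstalledOn -ge [datetime]'2017-03-14') {
        return "KB not listed, but an update dated $($latest.InstalledOn.ToShortDateString()) is present; confirm it supersedes MS17-010"
    }
    return 'Not found: patch this machine or keep it off the LAN'
}

Write-Output "SMBv1 server (registry): $(Get-Smb1State)"

# Windows 8.1/10 expose SMB1 as an optional feature; the cmdlet is absent on Windows 7.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($f) { Write-Output "SMB1Protocol feature: $($f.State)" }
}

Write-Output "MS17-010: $(Get-Ms17010Status)"
```

If SMBv1 shows as enabled and the patch is not found, the machine is exposed to the LAN-side propagation described in the post, regardless of what the antivirus reports.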

johnymd

Club Member
On the 2 servers I have witnessed this ransomware on, they were both accessed through the Internet via a domain admin account with low password security. Access to both companies' 2012 R2 servers was through an RDP connection. Both servers were up to date with security updates and had ESET server file security installed. None of the PCs or other servers on the networks were affected (other than losing access to server data and Exchange emails) and the antivirus software removed the virus after all the files on the servers were encrypted. Both attacks were from the wallet virus. One was quite a few months ago and the other at the beginning of last month. These may differ from the current round of attacks.