WannaCry ransomware attack | The Z Club of Great Britain

WannaCry ransomware attack

Discussion in 'Anything and everything' started by Paul_S, May 13, 2017.

  1. Paul_S

    Z Club Member

  2. johnymd

    johnymd Active Forum User

    Just to add: make sure your backup drive is only connected while doing a backup, or it will also become encrypted. Your antivirus software is totally ineffective against crypto malware. A few companies have been hit already.
  3. jonbills

    Z Club Member

  4. johnymd

    johnymd Active Forum User

    Most antivirus software will find it after the event but the malware will usually disable the antivirus first.
  5. jonbills

    Z Club Member

    No, it's just software, the same as everything. It'll be scanned before it's loaded, and if it matches a known signature it won't be run.
  6. johnymd

    johnymd Active Forum User

    The majority of these attacks are through an RDP connection or external access through a security vulnerability. They do also come in via email attachments, but these are mostly stopped by your AV software, as you say. The attacks you see in the press at the moment are mostly through remote access to the servers that hold the data, which are well protected with the latest virus definitions, but as I say, they are ineffective against this type of attack.
  7. Rob Gaskin

    Rob Gaskin Membership Secretary

    Right, I'm running Windows 7 and using McAfee, how vulnerable am I?

    What about my Android devices (Samsung)?

    I am out of my depth with this stuff as you will have realised.


    Me too, Rob, you are not alone.
    The only difference with me is I am running Windows 10 and using McAfee, and I also have a tablet as well.
    Maybe we need a guideline in idiot talk from someone on what to check.
  9. jonbills

    Z Club Member

    If you have autoupdate on, Rob, and up-to-date antivirus, you're not vulnerable to this one. It's Windows only, so other devices are not vulnerable to this.
    However, there are always more. Don't click on things in email or on websites that you're not very sure of.

    John, it's SMB, not RDP. SMB is a LAN file-sharing protocol, on by default in Windows. The Windows implementation had a vulnerability that allows code running on a primary machine running SMB to pass itself to another machine via SMB, and for the code to then run on the other machine as part of the trusted SMB server.
    Microsoft patched it back in March, but not XP, of course.

    What this means is that it has two means of propagating: 1) through email / web links, which I've been referring to, and 2) machine to machine in a LAN/intranet through the SMB server running by default on all Windows machines, which is much harder for AV to detect.
    This propagation mode is why it was so effective in the NHS. They have large LANs running SMB with unpatched (XP, and probably others) Windows.

    The actual file encryption/ransoming is standard stuff. The SMB propagation was the clever bit.
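    The post above gives the two things a home user can act on: make sure the March 2017 Windows updates are in, and know whether the legacy SMBv1 file-sharing server is still switched on. The script below is an added example, not something posted in this thread or shipped by Microsoft. It assumes Windows 7 or later with PowerShell, run from an elevated (Administrator) prompt, and uses only the standard Windows cmdlets and the documented LanmanServer registry value. It reports the Windows version, the SMBv1 state and whether any update has been installed since 14 March 2017 (that month's Patch Tuesday); pass -DisableSmb1 to turn the SMBv1 server off. One caveat: having some update installed since March does not prove the SMB fix itself is present (only Windows Update can tell you that), but having none at all does prove it is missing. Another: disabling SMBv1 can break file sharing with very old NAS boxes and printers.

```powershell
<#
 Added example (not from the thread): a "what to check" script for a Windows 7/10 PC.
 Assumes PowerShell run as Administrator. Use -DisableSmb1 to switch off the legacy
 SMBv1 server; a reboot is needed afterwards on Windows 7.
#>
param([switch]$DisableSmb1)

$os = Get-CimInstance Win32_OperatingSystem
"Windows: $($os.Caption) (build $($os.BuildNumber))"

# SMBv1 state. Windows 8.1 / Server 2012 R2 and later expose Get-SmbServerConfiguration;
# Windows 7 does not, so fall back to the documented LanmanServer registry value.
# An absent SMB1 value means the default, i.e. SMBv1 enabled.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($cfg) {
    $smb1On = [bool]$cfg.EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $val) -or ($val -ne 0)
}
"SMBv1 server enabled: $smb1On"

# Updates: the SMB flaw was fixed in the March 2017 updates, so a machine with no
# update installed since 14 March 2017 cannot have the fix. (Get-HotFix sometimes
# has a blank InstalledOn, so ignore those entries.)
$cutoff = Get-Date '2017-03-14'
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff })
if ($recent.Count -gt 0) {
    $latest = ($recent | Sort-Object InstalledOn)[-1].InstalledOn
    "Updates installed since $($cutoff.ToShortDateString()): $($recent.Count) (latest $($latest.ToShortDateString()))"
} else {
    "WARNING: no Windows updates installed since $($cutoff.ToShortDateString()); run Windows Update now."
}

# Optional hardening: turn the legacy SMBv1 server off. Newer Windows has a cmdlet for
# it; on Windows 7 the same effect comes from setting SMB1=0 under LanmanServer.
if ($DisableSmb1 -and $smb1On) {
    if ($cfg) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $key -Name SMB1 -Value 0 -Type DWord
    }
    "SMBv1 server disabled; reboot to make sure it has taken effect."
}
```

    Run it as `.\Check-Smb.ps1` to report only, or `.\Check-Smb.ps1 -DisableSmb1` to also switch SMBv1 off. The check is deliberately read-only unless you ask for the change, so it is safe to run on a machine you are unsure about.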
  10. johnymd

    johnymd Active Forum User

    On the 2 servers I have witnessed this ransomware on, they were both accessed through the Internet via a domain admin account with low password security. Access to both companies' 2012 R2 servers was through an RDP connection. Both servers were up to date with security updates and had ESET server file security installed. None of the PCs or other servers on the networks were affected (other than losing access to server data and Exchange emails), and the antivirus software removed the virus after all the files on the servers were encrypted. Both attacks were from the Wallet virus. One was quite a few months ago and the other at the beginning of last month. These may differ from the current round of attacks.
  11. Paul_S

    Z Club Member
