WannaCry Factsheet (continuously updated) and Patches for Legacy Windows

This was a "cyber attack" like driving through a minefield is a "suicide bomb."

MS has issued emergency patches for unsupported versions of Windows.

Mitigations for WannaCry

Get your patch here if you need it.

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

MS Security Bulletin Details

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Covers:

  • Windows Server 2003 -> 2008
  • Windows XP -> Windows 8
  • Windows POSReady and WES09

If you have been affected

As of right now there is no way to decrypt your data and the perpetrators are apparently not able to hand out encryption keys even if you pay the ransom due to them not being able to track 'users' as it were and are unable to link keys to specific infection instances.

You will have to restore from backups.

Updated Wiki Gist

You can keep up with the latest developments covering WanaCrypt0r on this wiki gist now.
It's being updated as more developments come in. It's currently still just a fraction of what we expect to see.

Well written summary on WannaCrypt0r by Troy Hunt

Index of public servers affected by WCRY (~11'200 results as of yet); some are just tips on how to Google for affected servers.

https://www.google.com/search?q=intitle%3A%E2%80%9CIndex+of%22+%22%2F+.WNCRY%E2%80%9D
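As an added example (not part of the thread), a PowerShell check a defender can run on a Windows host to confirm the MS17-010 fix is installed and whether SMBv1 is still enabled; it assumes KB4012598 is the relevant id for the legacy builds listed above and leaves a placeholder for the KB ids of other builds, which come from the MS17-010 bulletin.

```powershell
# Added example, not from the thread: report whether this host has an
# MS17-010 fix installed and whether SMBv1 is still enabled.
# Assumption: KB4012598 is the id for the legacy builds named in the post;
# for other builds add the KB ids from the MS17-010 bulletin (placeholder below).
$Ms17010Kbs = @('KB4012598')
# $Ms17010Kbs += 'KB<from-bulletin>'   # placeholder for supported builds

function Test-Ms17010Patch {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists installed updates; return the first known KB id found
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on XP / 2003 it is absent, so fall back to the LanmanServer SMB1 value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means SMB1 is enabled (the default on these builds)
    return ($null -eq $val) -or ($val -ne 0)
}

$kb = Test-Ms17010Patch
if ($kb) { Write-Output "MS17-010 fix present: $kb" }
else     { Write-Output "MS17-010 fix NOT found: apply the patch linked above" }

if (Test-Smb1Enabled) {
    Write-Output "SMBv1 is ENABLED: make sure 445/tcp is not reachable from untrusted networks"
} else {
    Write-Output "SMBv1 is disabled"
}
```

Run it in an elevated prompt; on XP / 2003 only the hotfix check and the registry fallback apply.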


I read Kaspersky are currently working on a decryption tool, nothing about when it will be ready though.

Nothing solid so far, I'm not in contact with the Kaspersky guys.

Good thing IT security is on the top of the list of every company everywhere I guess :slight_smile:


Updated with Troy Hunt article.

deleted because of rant that doesn't need to be here.

"The Russian interior ministry says about 1,000 computers have been affected."

Update:

  1. Added google dork search for index of infected servers.
  2. No reports yet of anyone receiving the decryption key and successfully decrypting their files following ransom payment.
    • Strongly suspect the keys are simply thrown away. Only the master private key, if recovered, may be helpful in recovering the encrypted files.

So everyone is losing their shit on this one now?
-sigh-

Update:

Direct links to patches, since the Windows Update Catalog was struggling with load.

Windows Server 2003 SP2 x64
Windows Server 2003 SP2 x86
Windows XP SP2 x64
Windows XP SP3 x86
Windows XP Embedded SP3 x86
Windows Vista
Windows Vista x64
Windows 8 x86
Windows 8 x64


Losing their shit in terms of 'going nuts' or data?
Because it's both.

But me personally, I'm just enjoying my Saturday evening.
Might play some KSP later.


Ok - I am asking before reading all the information floating around, but does this malware connect to SMB? Why on earth is a) SMB on the internet and b) soooo much of it?

Even a stupid SOHO router would stop that, right? - I mean my external logs are full of declined requests to

SMB 1 yes

A lot of the spread is due to VPN connected shares and vulnerable servers that bridge networks.
Some of the initial attack also proceeded via standard malware delivery vectors (email, etc.), but those details are less well researched.

Here's the diagram of the worm + malware so far.


OK, I need to ask, the curiosity malware in my brain instructs me to do so: what is the exact status of Windows 7?
I do not see a patch for it on the list, and on some lists of affected Windows versions it is absent. Was it simply patched already?

It was technically patched in March already.

Patches can be found here:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Windows 7 SP1


CRINGE WARNING


5:16 is where the cancer begins
9:46 JUST FUCKING INSTALL GENTOO YOU INANE WEASELS

Always funny to see what the media thinks, especially RT (since they were blamed in the intelligence report).

Jayzus. RT is incompetent.
Around 5:16 is where I couldn't hold in the laughter anymore :joy:
The Ransomware built by the NSA - FML

Ok the CNN video too, so much Cringe.


holy fuck those fucking stock photos cringe cringe cringe cringe 00010101PASSWORD010101101 cringe cringe cringe cringecringe cringe cringe cringe

00010101PASSWORD010101101

cringe

Why, oh why -.- That is so Blaster, or was it Conficker? One of the old ones... I was like, why is that reachable from the internet too ^^