Thanks Khalid, a quick note to add: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is currently up and is sinkholed, but this is a temporary fix and the domain(s) will most likely switch quickly.
Regards,
Arash Naderpour

On Thu, May 25, 2017 at 1:12 AM, KHALID SAMARA <[email protected]> wrote:
> Dears,
>
> Following on the discussion below, I would like to add some related
> information about this ransomware attack, in several emails.
>
> First, as many of you may know, the WCry or WannaCry malware exploits a
> Windows SMB vulnerability to enable propagation after having established a
> foothold in an environment, or even through malicious links in spam
> messages.
>
> This propagation mechanism can distribute the malware both within the
> compromised network and over the public internet; the exploit used here is
> codenamed "EternalBlue". However, the exploited vulnerability was patched
> in Microsoft MS17-010.
>
> The malware usually adds encrypted data files with the WCRY extension; it
> also drops and executes a decryptor, then demands $300 that should be paid
> in Bitcoin to decrypt the data. If the user doesn't pay the ransom within
> three days, the amount doubles to $600; after seven days without payment,
> WannaCry will delete all of the encrypted files and all data will be lost!
>
> Below are some of the file types that are targeted and encrypted by
> WannaCry:
>
> .3g2 .3gp .accdb .aes .ai .asc .asf .asm .asp .avi .backup .bak .at .bmp
> .brd .bz2 .cgm .class .cmd .cpp .crt .cs .csr .csv .db .dbf .dch .dif .dip
> .djvu .doc .docb .docm .docx .dot .dotm .dotx .dwg .edb .eml .fla .flv
> .frm .gif .gpg .gz .hwp .ibd .iso .jar .java .jpeg .jpg .js .jsp .key .lay .lay6
> .mdb .mdf .mid .mkv .mml .mov .mp3 .mp4 .mpeg .mpg .msg .myd .myi .nef
> .odb .pas .pdf .pem .pfx .php .pl .png .pot .potm .potx .ppam .pps
> .ppsm .ppsx .ppt .pptm .pptx .ps1 .psd .pst .rar .raw .rb .rtf .sch .sh
> .sldm .sldx .slk .sln .swf .sxc .sxd .sxi .sxm .sxw .tar .tbk .tgz
> .tif .tiff .txt .uot .vb .vbs .vcd .vdi .vmdk .vmx .vob .vsd .wav .wb2 .wk1 .zip
>
> This malware uses encrypted Tor channels for command and control
> communications, trying to query for:
>
> ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com
>
> and sometimes (www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test), etc.
>
> If it cannot contact this domain, or if it cannot make an HTTP request
> to the resolution of the mentioned domain, then the malware will start to
> encrypt files.
>
> However, as a workaround to this issue, network administrators can locally
> sinkhole these domains (or other domains) by adding an A record to their
> DNS server and translating the domain to any of the existing sinkhole IPs.
>
> This malware enumerates the network adapters and determines which subnets
> the system is on. The malware then generates a thread for each IP on the
> subnet. Each of these threads attempts to connect to the IP on TCP port 445
> and, if successful, attempts exploitation of the system using the
> EternalBlue SMB exploit.
>
> Below are some indicators of compromise that could be used to identify
> potential WannaCry activity:
>
> *MD5s of related samples:*
>
> 29365f675b69ffa0ec17ad00649ce026
> 2b4e8612d9f8cdcf520a8b2e42779ffa
> 2ca9ea7966269b22b5257f7a41817e1f
>
> *Related URLs:*
>
> iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
> ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
> iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
>
> *Related Tor sites:*
>
> cwwnhwhlz52maqm7[.]onion
> gx7ekbenv2riucmf[.]onion
> sqjolphimrr7jqw6[.]onion
>
> *Related executables:*
>
> C:\Windows\mssecsvc.exe
> C:\Windows\tasksche.exe
>
> *Related processes started:*
>
> cscript.exe //nologo m.vbs
>
> There is no confirmed fix for WannaCry available at this time.
> Anti-malware and antivirus companies are trying to find a way to decrypt
> files on infected computers, but currently there is still no way to do that.
>
> Regards,
>
> khalid
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 20 May 2017 17:32:52 +0300
> From: Harith Dawood <[email protected]>
> Subject: Re: [menog] WannaCry Ransomware
> To: Hisham Ibrahim <[email protected]>
> Cc: MENOG <[email protected]>
> Message-ID: <CAH3nW1+xmhpqGEz2Cn_ivs_ro2Ynz+wrzugqo=0eLd82+PXUUA@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Dear Mr. Hisham Ibrahim
>
> Thank you very much for your important information.
>
> Best regards;
> Harith
>
> On Mon, May 15, 2017 at 12:42 AM, Hisham Ibrahim <[email protected]> wrote:
>
> > Dear All,
> > As you are no doubt aware, we are currently experiencing an unprecedented
> > ransomware attack at a global scale. The malware was detected on 12 May
> > 2017 and has the capability to spread across networks, taking advantage of
> > a critical exploit in a popular communication protocol used by Windows
> > systems.
> > Many of you have already reached out and are actively involved in
> > containing this threat. It is believed that the infection and propagation
> > rate may go up on Monday when people return to their workplaces.
> > Below is the Europol warning / update about the current ransomware threat.
> > If you think this would be useful to anyone in our community, please
> > forward it on.
> > A list of tips and advice on how to prevent ransomware from infecting your
> > electronic devices can be found at:
> > https://www.europol.europa.eu/sites/default/files/images/editor/ransomware-01.jpg
> > Regards,
> > Hisham
> >
> > Begin forwarded message:
> >
> > *If you are a victim or have reason to believe that you could be a victim*
> >
> > This link provides some practical advice on how to contain the
> > propagation of this type of ransomware:
> > *https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance*
> >
> > The most important step involves patching the Microsoft vulnerability
> > (MS17-010):
> > *https://technet.microsoft.com/en-us/library/security/ms17-010.aspx*
> >
> > A patch for legacy platforms is available here:
> >
> > *https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks*
> >
> > In instances where it is not possible to install the patch, managing the
> > vulnerability becomes key. One way of doing this would be to disable the
> > SMBv1 (Server Message Block) protocol:
> > *https://support.microsoft.com/en-us/help/2696547*
> > and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139,
> > 445].
> >
> > Another step would be to update endpoint security and AV solutions with
> > the relevant hashes of the ransomware (e.g. via VirusTotal).
> >
> > If these steps are not possible, not starting up and/or shutting down
> > vulnerable systems can also prevent the propagation of this threat.
> >
> > *How to prevent a ransomware attack?*
> >
> > 1. *Back-up! Back-up! Back-up!* Have a backup and recovery system in
> > place so a ransomware infection can't destroy your personal data forever.
> > It's best to create at least two back-up copies on a regular basis: one to
> > be stored in the cloud (remember to use a service that makes an automatic
> > backup of your files) and one stored locally (portable hard drive, thumb
> > drive, etc.). Disconnect these when you are done and store them separately
> > from your computer. Your back-up copies will also come in handy should you
> > accidentally delete a critical file or experience a hard drive failure.
> > 2. *Use robust antivirus software* to protect your system from
> > ransomware. Always use the latest virus definition/database and do not
> > switch off the 'heuristic' functions, as these help the solution to catch
> > samples of ransomware (and other types of malware) that have not yet been
> > formally detected.
> > 3. *Keep all the software on your computer up to date.* When your
> > operating system (OS) or applications release a new version, install it. If
> > the software you use offers the option of automatic updating, enable it.
> > 4. *Trust no one. Literally.* Any account can be compromised and
> > malicious links can be sent from the accounts of friends on social media,
> > colleagues or an *online gaming*
> > <https://blog.kaspersky.com/teslacrypt-20-ransomware/9314/> partner.
> > Never open attachments in emails from someone you don't know. Similarly,
> > don't open attachments in emails from somebody you know but from whom you
> > would not expect to receive such a message. Cybercriminals often
> > distribute fake email messages that look very much like email notifications
> > from an online store, a bank, the police, a court or a tax collection
> > agency, luring recipients into clicking on a malicious link and releasing
> > the malware into their system. If in doubt, call the sender at a trusted
> > phone number to confirm the legitimacy of the message received.
> > 5. *Enable the 'Show file extensions' option in the Windows settings
> > on your computer.* This will make it much easier to spot potentially
> > malicious files. Stay away from file extensions like '.exe', '.com', '.vbs'
> > or '.scr'. Cybercriminals can use several extensions to disguise a
> > malicious file as a video, photo, or document (like hot-chics.avi.exe or
> > report.doc.scr).
> > 6. If you discover a rogue or unknown process on your machine, *disconnect
> > it immediately from the internet or other network connections (such as home
> > Wi-Fi)*; this will prevent the infection from spreading.
> >
> > _______________________________________________
> > Menog mailing list
> > [email protected]
> > http://lists.menog.org/mailman/listinfo/menog
>
> ------------------------------
>
> Message: 2
> Date: Sat, 20 May 2017 20:26:33 +0400
> From: Luqman Kondeth <[email protected]>
> Subject: Re: [menog] WannaCry Ransomware
> To: Harith Dawood <[email protected]>
> Cc: Hisham Ibrahim <[email protected]>, MENOG <[email protected]>
> Message-ID: <CAP32F_zAK5shpB4Dx6ptS3OREtUX-UwnVPtf4paaRsNSgH_-iw@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Has anyone been able to observe the malware network behaviour in action?
> I ask this because we noticed large amounts of TCP port scans on 445 from
> the 12th, which is when the malware was reported.
> What is interesting, however, is that the machines that were doing this in
> our network were Apple Macs. Is it possible that the Macs are a carrier
> for the worm? Anyone seen anything similar?
>
> We also noticed the following:
>
> There is an increased amount of traffic on ports 445 and 139 from the 12th
> of this month.
> We also see certain IP addresses being constantly probed on port 445.
> Below are the IP addresses:
>
> 192.168.0.2
> 100.100.129.90
> 149.236.99.1
> 172.18.4.200
>
> The pattern we see is usually a connection attempt on port 445 to one of
> the above addresses followed by a large number of 445 traffic to random IPs.
>
> Thanks
>
> On 20 May 2017 6:33 p.m., "Harith Dawood" <[email protected]> wrote:
>
> > [...]
>
> ------------------------------
>
> End of Menog Digest, Vol 107, Issue 15
> **************************************
>
_______________________________________________ Menog mailing list [email protected] http://lists.menog.org/mailman/listinfo/menog
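Khalid's note on the kill-switch domains and his workaround (a local A record pointing the domain at a sinkhole IP) carry a caveat worth checking end to end: the DNS override alone does nothing unless something at the sinkhole address answers a plain HTTP GET, and the request has to succeed over a direct connection, since the WannaCry check did not go through the system proxy. The Python below is an added example written for this page, not code from any of the posts; it starts a minimal HTTP sinkhole responder on 127.0.0.1 (a production sinkhole would listen on port 80), records which clients hit it, and then issues the same kind of proxy-free GET the malware's check makes, once against the responder and once against a closed port. The domains are the three listed in the thread; the responder, its port and the hit log are local assumptions.

```python
import http.server
import socket
import socketserver
import threading
import urllib.error
import urllib.request

# Kill-switch domains listed in the thread (defanging brackets removed).
KILLSWITCH_DOMAINS = (
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
)


class SinkholeHandler(http.server.BaseHTTPRequestHandler):
    """Answer every GET with 200 and record who asked.

    Any HTTP response engages the kill switch; the body is irrelevant. The hit
    log is what makes a sinkhole useful to defenders: each entry is a host on
    which the worm ran its check.
    """

    hits = []  # (client_ip, Host header, path); assumption: in-memory log

    def do_GET(self):
        SinkholeHandler.hits.append(
            (self.client_address[0], self.headers.get("Host", ""), self.path)
        )
        body = b"sinkhole\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the console quiet
        pass


def start_sinkhole(bind_ip="127.0.0.1", port=0):
    """Run the responder in a background thread; port 0 picks a free port.

    A real sinkhole must listen on port 80, because the malware's GET uses
    the default HTTP port; the free port is a local-testing assumption.
    """
    socketserver.TCPServer.allow_reuse_address = True
    server = socketserver.TCPServer((bind_ip, port), SinkholeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _direct_opener():
    # Empty ProxyHandler: ignore proxy environment variables so the check
    # behaves like the worm's direct connection, not like a browser.
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def killswitch_engaged(url, timeout=3.0):
    """True if a plain, proxy-free HTTP GET to url completes (the worm would exit);
    False if it fails (the worm would go on to encrypt and spread)."""
    try:
        with _direct_opener().open(url, timeout=timeout) as resp:
            resp.read()
            return True
    except (urllib.error.URLError, OSError):
        return False


def verify_local_sinkhole(domain, sinkhole_ip, port=80, timeout=3.0):
    """Check the A-record workaround without touching real DNS.

    The GET goes to the sinkhole IP with the kill-switch domain in the Host
    header, which is exactly what a host sends once the local resolver maps
    that domain to the sinkhole. Returns (engaged, hits seen for the domain).
    """
    req = urllib.request.Request(f"http://{sinkhole_ip}:{port}/", headers={"Host": domain})
    try:
        with _direct_opener().open(req, timeout=timeout) as resp:
            resp.read()
            engaged = True
    except (urllib.error.URLError, OSError):
        engaged = False
    seen = [h for h in SinkholeHandler.hits if h[1].split(":")[0] == domain]
    return engaged, len(seen)


def closed_local_port():
    """A loopback port nothing listens on, for the negative case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_sinkhole()
    for d in KILLSWITCH_DOMAINS:
        print(d, verify_local_sinkhole(d, "127.0.0.1", port))
    print("no responder:", killswitch_engaged(f"http://127.0.0.1:{closed_local_port()}/"))
    server.shutdown()
    server.server_close()
```

The negative case is the one to remember when deploying Khalid's workaround: a resolver that answers with a sinkhole address nobody serves HTTP from, or a host that can only reach that address through a proxy, fails the check in the same way as no DNS answer at all, and the kill switch is not engaged.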
