
WannaCry roundup: a selection of key materials from Habrahabr and beyond

History shows that repeats of WannaCry, in one variation or another, cannot be ruled out, and that responding quickly to such attacks is a genuinely hard task. To prepare, strengthen defences and take appropriate preventive measures, it is important not to lose sight of at least the most notable incidents in information security.

To that end, we took the highest-rated materials that appeared on Hacker News, plus everything published about WannaCry on Habrahabr and Geektimes.ru, and supplemented the final selection with comments from ITMO University experts.

Flickr / Michele MF / CC

What they are saying abroad

A collection of devices hit by WannaCry
We decided to start with a good collection of infected devices caught on camera by their users' smartphones. The authors gathered a wide range of examples, from home PCs to service systems and payment terminals. For those already tired of the hype around WannaCry, there is a special section at the end of the material.

A year of free pizza and 10 thousand dollars for the white hat who "saved the Internet"
As soon as the hero's identity was revealed in the media, a number of companies took the initiative and offered their own ways of rewarding his services to the IT community. A fair reward or self-promotion by "generous" companies: you decide.

Everything you need to know about WannaCry, Wcry and WannaCrypt
Troy Hunt, an information security expert with close ties to Microsoft, began collecting data on WannaCry on May 13. As events unfolded, the material was supplemented with technical details and various analytics (including the financial results of the ransomware's "work"). Among other things, Troy wrote a separate piece on why you should not put off OS updates.

WannaCry: the most widespread ransomware in history
One of Microsoft's MVPs assembled a wiki page on everything the ransomware managed to do. Here you can find information on how infection occurs and recommendations on preventive measures. The material is packed with useful links (including the three subsequent parts of the expert's story).

New WannaCry variants discovered
A brief note on what the new WannaCry variants are: their characteristics, with examples both with and without a kill-switch. In addition to the posts on his blog, the expert gave a short comment in a New York Times article on the topic and gathered a couple of examples and comparisons supporting the link between WannaCry and the Lazarus Group.

WannaCry: decryption with WanaKiwi + demo
A practical guide to decrypting data affected by WannaCry. Tested on versions from Windows XP (x86) to Windows 7 (x86), including Windows 2003 (x86), Vista, 2008 and 2008 R2. Note that WanaKiwi recovers the RSA prime factors from the memory of the still-running ransomware process, so it only works if the infected machine has not been rebooted since encryption.



What they are saying here




WannaCrypt ransomware attacks unpatched systems
It is no surprise that the main expertise on the topic came from the largest companies, connected in one way or another either with the vulnerability itself or with information security. Microsoft was no exception and prepared a translation of an article analysing the situation, published on May 12 on the company's official blog.

WannaCry: analysis, indicators of compromise and recommendations for prevention
Cisco shares with Habr readers the results of its research into the ransomware. The main material was prepared by Cisco's dedicated Talos unit. The English version can be viewed here.

The WannaCry ransomware family attack: analysis of the situation and readiness for the next attacks
Panda Security presented its view of what happened on May 12 and described what sets WannaCry apart from attacks we saw earlier. The following aspects are covered: the infection vector, interaction with the vulnerable system, and the propagation and encryption processes. The company also provided useful recommendations and related links.

Wannacry: X-team, move out
CROC wrote a practical piece on how it worked with clients who asked for help. The experts also described the response options they considered for on-site work. What came of it, and where they stopped Wannacry almost immediately, is in the article.

Analysis of the Wana Decrypt0r 2.0 ransomware
An interesting analysis of the Wana Decrypt0r 2.0 ransomware (the second version of WannaCry) was prepared by T&T Security and Pentestit. Here is the complete set: statistics, technical nuances and analytical reasoning.

WannaCry 2.0: visual proof that you definitely need backups
In addition to a brief introduction to WannaCry, how it works, and Acronis products that might be useful to readers, the company provided an interesting list of "victims".

A guy accidentally stopped the global spread of the WannaCrypt ransomware
The Geektimes.ru editors report the latest news on the topic. Besides the story of the accidental discovery that "saved the Internet", you can read about how Microsoft accused the NSA of stockpiling exploits, and about new WannaCry variants, including ones without a kill-switch.

Fake WannaCry, a keylogger in HP drivers, and Chrome downloading more than it should
Kaspersky Lab examines the side effects of the hype around malware. As an example, a couple of recent news items are presented that once again remind us that the most basic and innocuous software functionality is the first thing attackers adopt.

Analysing CVE-2017-0263, a privilege-escalation vulnerability in Windows
Positive Technologies decided to ride the wave of WannaCry news and describe the context-menu vulnerability and its exploitation options.



Pavel Alekseevich Kuzmich, Director of the Computer Forensics Laboratory at ITMO University:

Most likely, the employees of the organizations where infections were recorded used those computers to receive mail and to "surf" the Internet and, without verifying the safety of the messages received and the websites opened, downloaded malicious software onto them.

It is quite possible that in this way confidential client information could have been compromised, in the case of commercial organizations, as well as large amounts of personal data, in the case of government agencies. One can only hope that such information was not processed on these computers.

Ransomware is a well-known method of fraud, and there are specific approaches to protecting against it. First of all, you need to be careful when following links on the web. The same goes for e-mail: very often viruses spread in files attached to letters allegedly from your Internet provider or bank. Thirdly, it is important to at least occasionally make backup copies of important documents on separate removable media.

The most common sign of infection and of the virus's active phase, data encryption, is a significant drop in computer performance. This is a consequence of encryption being an extremely resource-intensive process. It can also be noticed when files with an unfamiliar extension appear, but at that stage it is usually too late to take any action.



Grigory Sablin, virus analyst, information security expert at ITMO University, winner of an international computer information protection competition:

The attackers exploit a vulnerability in the SMB protocol, MS17-010; the patch is already on Microsoft's servers. Those who have not updated can fall victim to its spread. But one could say these users have themselves to blame: they used pirated software or did not update Windows. I myself am curious how the situation will develop: a similar story happened with MS08-067, which was then used by the Kido worm, and a lot of people got infected then too.

It is not certain that all locked files can be recovered. This virus can penetrate anywhere because many computers have still not been updated. By the way, this exploit was taken from the archive that was "leaked" from the US National Security Agency (NSA), which is an example of how intelligence services can act in any emergency situation.

PS We would appreciate it if you shared in the comments any additional materials and opinions you found interesting. Let's build this collection together :)

Source: https://habr.com/ru/post/329512/