
WannaCry dilemma

  • 16-05-2017 10:30PM
    #1
    Registered Users, Registered Users 2 Posts: 9,046 ✭✭✭


    Has anyone here been affected?

    If so, what have you done?

    From what I understand it only affects Windoze systems (Phew!) but once it has encrypted the files you cannot get them decrypted without paying the ransom.

    What I am unclear about is does it affect any connected external drives?

    There is a moral dilemma here, if all your RAW's are lost do you pay the thugs their money? I know I would have a hard time with that. If it were just the Jpegs then they could go and whistle but to lose the RAW's is harder.

    This has reminded me I must update my offline back up again. It was late 2016 when I did it last.


Comments

  • Moderators, Category Moderators, Arts Moderators, Sports Moderators, Paid Member Posts: 54,602 CMod ✭✭✭✭magicbastarder


    i work for a large multinational and we've escaped unscathed (it's my job to make sure the patches go out, and we got them out over a month ago). from the reports i've read, they've made remarkably little money from it. you'd have done far better betting on the shares of the main AV vendors, given how well they've done in the last few days.


  • Registered Users, Registered Users 2 Posts: 335 ✭✭ValueInIreland


    Yes, as far as I am aware it will affect any connected device, so it's not a good idea to leave multiple hard drives connected. Also if you have a backup routine, then don't use just a master one with daily updates, as you will have less than 24 hours to get a clean backup. It's always good to have at least one backup copy in an un-connected remote location (family member's home / cloud etc.).


  • Registered Users, Registered Users 2 Posts: 1,657 ✭✭✭OSiriS


    https://www.theguardian.com/technology/2017/may/15/dont-pay-ransomware-demands-cybersecurity-experts-say-wannacry

    I'm pretty sure all attached drives would be affected. Reports are of it spreading through the network too.

    Best practice is to keep your OS updated and never open any attachments you don't expect or know the origin of. Back up regularly and only connect the backup drives when performing the backups.


  • Registered Users, Registered Users 2 Posts: 1,259 ✭✭✭él statutorio


    If it's like any of the ones that went before it, once it's in, it'll look for network shares and go off and infect those.
    But, if there's a decent backup system in place it should be fine, only real inconvenience is the restore process.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators, Paid Member Posts: 54,602 CMod ✭✭✭✭magicbastarder


    worth noting that the MS patch just seals the hole which allows it to propagate by SMB1. it does not protect you from infection if you open the wrong file.


  • Registered Users, Registered Users 2 Posts: 9,046 ✭✭✭CabanSail


    My system is iOS so is not affected by this one. Still have to take precautions.


  • Registered Users, Registered Users 2 Posts: 2,784 ✭✭✭Adrian.Sadlier


    Machines that got infected had not applied the latest patches (available for weeks), did not have up-to-date AV (signatures available for months), or ran operating systems (e.g. XP) no longer supported by the manufacturer. This was not a case of a smart burglar bypassing the security systems and locks in place, it was a case of someone walking in an open door and stealing the cash on the table!

    It is accepted now that approx. 50% of exploits can bypass current security infrastructure. It's not a case of if you will be compromised but when. And how you will deal with the event (and the consequences) and mitigate against them.

    I would equate people who were caught by Wannacry as equivalent to drivers who don't wear seat belts, drink before driving and use their phones whilst driving. They don't take sensible precautions to avoid crashes. If you take the precautions you reduce the risk of a crash and the injuries received when you crash.

    It's the same with computers. Keep them patched. Use AV (Anti Virus) and more if you can understand and afford it (Firewalls, UTM, etc).

    And have a backup procedure which includes offsite backup and retention of backups that go back months - ransomware exploits often go "dormant" after initial infection, so they can infect the standard backup procedures. I automatically update my computer OS and applications and AV and have at least two backups of all important data, one once a week at least and the other every odd month. But I don't have offsite storage yet and cloud is too expensive (I have over 6TB of data I need to backup). I still feel nervous.

    Get used to it (Wannacry and the like). And get ready. Ransomware has been a reality for a long time now and a lot of Irish companies and organisations have been hit - they just can't afford the reputational damage by going public.

    Don't be fooled - this is a serious business! The "hackers" are run like businesses.


  • Registered Users, Registered Users 2 Posts: 4,919 ✭✭✭Bacchus


    CabanSail wrote: »
    Has anyone here been affected?

    If so, what have you done?

    From what I understand it only affects Windoze systems (Phew!) but once it has encrypted the files you cannot get them decrypted without paying the ransom.

    What I am unclear about is does it affect any connected external drives?

    There is a moral dilemma here, if all your RAW's are lost do you pay the thugs their money? I know I would have a hard time with that. If it were just the Jpegs then they could go and whistle but to lose the RAW's is harder.

    This has reminded me I must update my offline back up again. It was late 2016 when I did it last.

    First of all, I'd be hesitant to pay. It's quite likely that a) they won't give you the key; b) it won't work; or c) part/all of your data will be corrupted and unusable. By all accounts, despite the scale of the attack, the attackers appear to be quite amateurish when it comes to the ransom side of the attack. If you are paying, I'd treat it as a last ditch effort to get back something very important, but with low expectations of it working.

    Second, read what Adrian.Sadlier said above :)

    Stay patched, and backup anything important in at least 3 locations... preferably... local or external 'active' drive, external 'archive' drive, and Cloud service. Note if you are considering Dropbox as your Cloud storage service, since the files are also stored locally and synced to the Cloud they will be affected. However, you can recover the original files (I think they have a 30 day window).


  • Registered Users, Registered Users 2 Posts: 4,919 ✭✭✭Bacchus


    But I don't have offsite storage yet and cloud is too expensive (I have over 6TB of data I need to backup). I still feel nervous.

    Amazon Glacier storage would work out at €15 a month which isn't bad considering you have 6TB of data!

    There is an additional "retrieval requests" fee but this would just be a backup if all else fails. The fee is tiny too... $0.0275 per 1,000 requests


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators, Paid Member Posts: 54,602 CMod ✭✭✭✭magicbastarder


    Bacchus wrote: »
    First of all, I'd be hesitant to pay. It's quite likely that a) they won't give you the key; b) it won't work; or c) part/all of your data will be corrupted and unusable. By all accounts, despite the scale of the attack, the attackers appear to be quite amateurish
    i was talking to our main forensics guy who is looking at the code, which he got a sample of. he says it's actually very simple, no obfuscation, no real attempts to cover their tracks.


  • Closed Accounts Posts: 18,252 ✭✭✭✭uck51js9zml2yt


    i was talking to our main forensics guy who is looking at the code, which he got a sample of. he says it's actually very simple, no obfuscation, no real attempts to cover their tracks.

    This was only a sampler to test resistance of systems.

    Just wait for round 2...3...4...5....:eek:


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators, Paid Member Posts: 54,602 CMod ✭✭✭✭magicbastarder


    i wonder are they hiding a 0 day up their sleeves? this was using a known exploit based on the large numbers of unsupported or unpatched systems out there.


  • Registered Users, Registered Users 2 Posts: 4,919 ✭✭✭Bacchus


    i wonder are they hiding a 0 day up their sleeves? this was using a known exploit based on the large numbers of unsupported or unpatched systems out there.

    I dunno, I think the media is making more out of this than it really is. I suppose it's a bit of a wake up call to the types of attacks that have been going on for years - this one just achieved some fame because of how far it spread. The reality is, ransomware is NOTHING NEW and I'd be far more concerned about targeted attacks than opportunistic attacks like this (provided you are taking the correct patching and antivirus measures). And that's what this was, an opportunistic attack that took advantage of the leaked exploit from the NSA. Microsoft took action at that time and really those affected by WannaCry are people who didn't patch! Also, I find this narrative that health services were targeted quite misleading and sensationalist. They weren't targeted! It's just that the health service is notoriously slow to change and adopt new IT systems so they were the most vulnerable.

    But yes, there will be more attacks just like there always is. WannaCry didn't change that, it just brought it into the public eye which isn't a bad thing.


  • Registered Users, Registered Users 2 Posts: 36,094 ✭✭✭✭ED E


    Using Crashplan there's no way the backup can be encrypted (more than it already is on my side). The versioning means that even if ransomware bit and the backup completed (about 6-10 days) the regular files are still present for six months.
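    ValueInIreland's warning that a single master copy with daily updates leaves under 24 hours to get a clean backup, Adrian.Sadlier's point about retention going back months, and the Crashplan versioning described here all rest on the same property. The following added example (not from any poster or from Crashplan) simulates it in Python with a constructed photo library: a mirrored copy, and a versioned store that also stops pruning history when one run rewrites most of the files; the 50% change threshold and the 3-day retention are assumed values for the demo.

```python
"""Constructed demo: mirrored 'master copy' backup vs. a versioned store, through a simulated encryption day."""
import hashlib

def change_ratio(prev: dict, curr: dict) -> float:
    """Fraction of files present in `prev` whose bytes differ in `curr`."""
    return sum(1 for p, d in prev.items() if curr.get(p) != d) / max(len(prev), 1)

class MirrorBackup:
    """Single master copy updated every run: the backup always equals the source."""
    def __init__(self):
        self.files = {}
    def backup(self, day, files):
        self.files = dict(files)
    def restore(self, path):
        return self.files.get(path)

class VersionedBackup:
    """One snapshot per run, pruned by age; pruning freezes once a run rewrote an abnormal share of files."""
    def __init__(self, retention_days, alert_ratio=0.5):
        self.retention_days, self.alert_ratio = retention_days, alert_ratio
        self.snapshots = []        # list of (day, {path: bytes})
        self.suspicious_days = []  # runs that looked like mass encryption
    def backup(self, day, files):
        if self.snapshots and change_ratio(self.snapshots[-1][1], files) >= self.alert_ratio:
            self.suspicious_days.append(day)
        self.snapshots.append((day, dict(files)))
        if not self.suspicious_days:  # normal operation: age out old snapshots
            self.snapshots = [s for s in self.snapshots if day - s[0] < self.retention_days]
    def restore(self, path, before_day=None):
        """Newest copy of `path` taken strictly before `before_day` (default: any day)."""
        for day, files in reversed(self.snapshots):
            if (before_day is None or day < before_day) and path in files:
                return files[path]
        return None

def fake_encrypt(data: bytes) -> bytes:
    """Stand-in for ransomware output: unrelated bytes, deterministic for the demo."""
    return hashlib.sha256(data).digest()

def run_scenario(infection_day=5, days=8, alert_ratio=0.5):
    # Constructed photo library; on infection_day every file is overwritten in place.
    source = {f"photos/IMG_{i:04d}.CR2": f"raw-{i}".encode() for i in range(10)}
    mirror = MirrorBackup()
    versioned = VersionedBackup(retention_days=3, alert_ratio=alert_ratio)
    for day in range(1, days + 1):
        if day == infection_day:
            source = {p: fake_encrypt(d) for p, d in source.items()}
        mirror.backup(day, source)
        versioned.backup(day, source)
    return mirror, versioned
```

    Passing `alert_ratio=1.1` disables the freeze, and the plain 3-day retention then ages out the last clean snapshot two days after infection, which is why the posters above want retention measured in months.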


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators, Paid Member Posts: 54,602 CMod ✭✭✭✭magicbastarder


    there's another potential exploit based on SMB1 on the way; fixed in the May patch bulletin, so make sure you're up to date (with the caveat that in the May release, MS have deprecated SHA1 cert support for certs chained to an MS cert authority, but chaos does not seem to have descended as a result of that)


  • Registered Users, Registered Users 2 Posts: 9,046 ✭✭✭CabanSail


    The point I was making in the OP is

    If you got caught would you pay the cyber thugs?


  • Registered Users, Registered Users 2 Posts: 4,919 ✭✭✭Bacchus


    CabanSail wrote: »
    The point I was making in the OP is

    If you got caught would you pay the cyber thugs?

    For the reasons I outlined in my first reply, I wouldn't. However, in my case I've everything important backed up anyway. The backup of my website (which I build locally) is a bit out of date so it'd be a pain to have to rebuild that. There's a small time window in which my latest RAW files are not backed up (but are still on the SD card) so that's not really an issue either. Basically it's a moot question for me as I'd be able to recover with relatively little pain.

    The only scenario in which I'd consider paying is if a clients photos were at risk but really I'd want to be pretty stupid to let that situation happen. I'd want to be pretty desperate too as there is no guarantee you'll get your data back.

    Worst case, wait 10 years for quantum computing to become a practical platform and just break the encryption in no time :pac:


  • Registered Users, Registered Users 2 Posts: 13,270 ✭✭✭✭Paulw


    Worth a listen. :D

    https://isc.sans.edu/podcastdetail.html

    Just the podcast for today, 19/05/2017.

    There may be a key available to unencrypt the files. :eek: Only works if you didn't reboot since infection. :mad:

