WannaCry – block callback IP/domain?

While new variants of WannaCry have sprung up, the old variant is still lurking around corners, and I am not sure whether the following callback IPs and domains should be blocked as per typical ransomware playbooks/runbooks, since they now double as a kill switch to a sinkhole:

Domains:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com

  • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  • ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com

IPs:

  • 144.217.254.3

  • 144.217.74.156

  • 184.168.221.43

  • 217.182.141.137

  • 217.182.172.139

  • 52.57.88.48

  • 54.153.0.145

  • 79.137.66.14

Should the above be blocked? Or allowed to communicate to act as kill switch?

(This question is different from How is the “WannaCry” Malware spreading and how should users defend themselves from it? as the typical response is to block all C&C domains/IPs, but in this case, I’m not certain since the flawed C&C acted as a kill switch)


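Added example, not part of the question above or of any answer to it: a short Python triage over DNS resolver logs for the kill-switch domains listed in the post. The log line format, the sample lines and the client addresses in them are constructed for the example. It flags every client that looked up a kill-switch name (nothing benign resolves these names, so the query itself is the infection indicator), separates out the clients whose lookup never succeeded (for those hosts the kill-switch check cannot pass, which is exactly the failure a blocklist entry introduces), and screens a candidate blocklist for entries that would match one of the domains before it is pushed to a resolver or proxy. It takes no position on the IP list, which the post does not characterise.

```python
import re
from collections import defaultdict

# Kill-switch domains exactly as listed in the post above.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
}

# Constructed log format (an assumption for this example, not any vendor's format):
#   <timestamp> <client-ip> <qtype> <qname> <rcode>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)

# Constructed sample lines: two workstations look the domain up; one gets
# NOERROR (kill switch reachable), the other NXDOMAIN (a resolver blocklist ate it).
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.5.23 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
2017-05-12T10:01:03Z 10.0.5.23 A www.example.com. NOERROR
2017-05-12T10:04:17Z 10.0.9.41 A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM NXDOMAIN
2017-05-12T10:04:18Z 10.0.9.41 A ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN
this line is garbage and is skipped
"""


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot so FQDN and bare forms compare equal."""
    return name.rstrip(".").lower()


def parse_dns_log(text: str):
    """Yield one dict per well-formed line; malformed lines are ignored."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = normalize(rec["qname"])
            yield rec


def kill_switch_lookups(text: str) -> dict:
    """Map client -> {kill-switch domain -> set of rcodes seen}.

    Any client that looks these names up is worth isolating: nothing benign
    resolves them, so the query itself is the indicator of the sample running.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for rec in parse_dns_log(text):
        if rec["qname"] in KILL_SWITCH_DOMAINS:
            hits[rec["client"]][rec["qname"]].add(rec["rcode"])
    return {client: dict(domains) for client, domains in hits.items()}


def clients_with_unreachable_kill_switch(text: str) -> set:
    """Clients whose kill-switch lookups never returned NOERROR.

    For these hosts the check cannot succeed, so the sample will not exit on
    its own; this is the failure mode a DNS blocklist entry introduces.
    """
    unreachable = set()
    for client, domains in kill_switch_lookups(text).items():
        if not any("NOERROR" in rcodes for rcodes in domains.values()):
            unreachable.add(client)
    return unreachable


def rules_that_break_kill_switch(block_rules) -> list:
    """Return blocklist entries (exact names or '*.suffix' wildcards) that would
    match a kill-switch domain, so an auto-generated blocklist from a playbook
    can be screened before it reaches the resolver or proxy."""
    offending = []
    for rule in block_rules:
        r = normalize(rule)
        for dom in KILL_SWITCH_DOMAINS:
            if r.startswith("*."):
                suffix = r[2:]
                if dom == suffix or dom.endswith("." + suffix):
                    offending.append(rule)
                    break
            elif r == dom:
                offending.append(rule)
                break
    return offending


if __name__ == "__main__":
    for client, domains in kill_switch_lookups(SAMPLE_LOG).items():
        print(client, domains)
    print("kill switch unreachable from:", clients_with_unreachable_kill_switch(SAMPLE_LOG))
    print("rules to drop:", rules_that_break_kill_switch(
        ["*.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", "malicious.example", "*.com"]))
```

On the constructed sample, 10.0.5.23 reached the kill switch and 10.0.9.41 did not; both hosts still need isolation, but the second one is the case where a blocklist has turned a self-terminating sample into an encrypting one. The rule screen also catches overbroad wildcards such as `*.com`, which is the kind of entry a hastily generated blocklist can contain.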

U.S. universities race to contain WannaCry ransomware, officials say

At least five U.S. colleges have been affected by the global ransomware virus known as “WannaCry,” CyberScoop has learned. The Massachusetts Institute of Technology, Trinity College, the University of Washington, North Dakota State University and the University of Maine confirmed Tuesday that computers connected to their networks were infected by the virus. “We had a handful of computers that were compromised but it didn’t spread,” University of Washington News Office Director Victor Balta told CyberScoop. “Normal operations were not affected in any way, but obviously we’re paying attention to this.” The five schools are among the first known cases of U.S.-based educational institutions becoming victims of the WannaCry ransomware campaign. CyberScoop obtained a list of IP addresses with WannaCry infections that included more than a dozen machines at U.S. higher education institutions. Not all of the schools responded to requests for comment. MIT reported that approximately 100 computers were affected by the attack […]

The post U.S. universities race to contain WannaCry ransomware, officials say appeared first on Cyberscoop.


WannaCry hit U.S. Army machine, marking first federal government infection

WannaCry ransomware infected a machine tied to an IP address associated with the Army Research Laboratory, CyberScoop has learned. The information, found on a list of affected IP addresses provided by a security vendor, would mark the first time the ransomware was found on a federal government computer. The security vendor, who provided the data on condition of anonymity to discuss sensitive material, observed communications from the victim IP address to the attackers’ known command and control server on May 12, confirming that the ransomware infection involving the ARL was in fact successful. The IP address is tied to a block parked at a host located at Fort Huachuca, Arizona. The type of machine the IP address is attached to is unknown. While ARL is based in Adelphi, Maryland, the laboratory has multiple outposts, including stations at Fort Huachuca. The Arizona base is also home to the Army’s Network Enterprise Technology Command […]

The post WannaCry hit U.S. Army machine, marking first federal government infection appeared first on Cyberscoop.
