The return of EternalBlue
On June 27th 2017, another RansomWare attack took hold targeting the same eternal blue (SMBv1) vulnerabilities as WannaCry before it. This attack however doesn't reach out to the internet like WannaCry did, it's an internal network attack.
However, this attack seems to have deliberately targeted businesses in Ukraine, and as the email address used for encryption keys was disabled almost immediately, there's no point in anyone paying ransom if their files are encrypted as they'd never get a reply (with the decryption info).
Patch Patch Patch
If you haven't done it already (and if you have not, why not especially after WannaCry), head over to this Technet link and apply the patches, do it.
Stopping the damage
That said, a security researcher found a way of stopping the ransomware from encrypting machines affected by placing a read-only file called Perfc in the Windows directory, eg:
The presence of that file will be enough to stop the contents of the hard disc from being encrypted by this malware, however the reason this malware spread in the first place is down to vulnerabilities (unpatched) in the operating system. Those vulnerabilities include two from the leaked NSA exploits, so if you've patched your operating systems against those known vulnerabilities you should be safe.
Protection against this new ransomware attack
Microsoft have advised the following to keep you protected against this (and similar) RansomWare attacks:
"We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously
Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
As the threat targets ports 139 and 445, you customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be suggested for a very short time period while you assess the impact and apply definition updates.
Windows Defender Antivirus detects this threat as Ransom:Win32/Petya as of the 22.214.171.124 update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
Monitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook."
Microsoft issued a “highly unusual” patch for Windows XP last month to help prevent the spread of the massive WannaCry malware. At least 75,000 computers in 99 countries were affected by the malware which encrypts a computer and demands a $300 ransom before unlocking it. Microsoft stopped supporting Windows XP in April 2014, but the software giant is now taking the unprecedented move of including it in the company’s Patch Tuesday round of security updates today.
“In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations,” says Adrienne Hall, general manager of crisis management at Microsoft. “To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows.”
read the story @ TheVerge
Ransomware has been around for a few years now but up until yesterday, it wasn't that well known about. This latest RansomWare called WannaCry has changed that for ever.
Ransomware encrypted data on at least 75,000 systems in 99 countries on Friday. Payments were demanded for access to be restored. European countries, including Russia, were among the worst hit.
Companies around Europe were hit and investigations are underway to see who was responsible. This was such a big attack that Microsoft released patches for unsupported operating systems (such as Windows XP) to allow those businesses still running them, a chance to protect themselves.
In addition to making patches available, Microsoft has published guidance to explain what is necessary in protecting yourself against this Ransomware and any others based on the same vulnerabilities (SMBv1). These vulnerabilities were patched by Microsoft in March of this year, but of course there were no patches (at that time) for unsupported operating systems such as Windows XP.
Download Patches for unsupported Operating Systems
To patch your unsupported operating systems, get over to this url and download the available patches.
WannaCry has multiple vectors, but you should remove one vector, SMBv1. Do as follows
1. Block 445 inbound
2. Install MS17-010
3. Remove SMB1
The USMT release for Windows 10 version 1704 will have full support for migration to Office 2016.
Also the tool seems to have been thoroughly worked through in this release.
There is aditions to AppV and also look into Johan Arwidmarks walkthrough of the new ADK.
You can download the Windows ADK 10 Insider Preview v15021 on the below link - log in with your insider account (create one if need be):
Windows Insider Preview Downloads https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewADK
Hello Windows Insiders!
Today we are excited to be releasing Windows 10 Insider Preview Build 15060 for PC to Windows Insiders in the Fast ring.
NOTE: The builds for Brazil (PT-BR) and Polish (PL-PL) are not yet available so Insiders will see the message “An update is being prepared for your device, but it’s not quite ready yet. We will keep trying or you can try again now.” when checking for updates. Windows 10 Home for 32-bit is also not yet available.
Other changes, improvements, and fixes for PC
We fixed an issue resulting in the Settings icon appearing plating in the taskbar. This issue also resulted in another issue now fixed, where if Settings had been pinned to Start, the tile would become greyed out after the first time it was clicked. Thank you all for your feedback on this.
We fixed an issue resulting in 3rd party IMEs not showing up in Settings after being installed.
We fixed an issue in Microsoft Edge where quickly typing and deleting characters into a website’s search box while using the MS Pinyin IME might result in the IME becoming stuck and the website showing “Not responding”.
Surface Pro 3 and Surface 3 devices should no longer fail to update to new builds if a SD memory card is inserted if you have the latest Surface drivers and firmware installed.
We fixed an issue where taskhost.exe might crash after pressing Tab while quickly typing in UWP app sign in fields, resulting in not being able to type for a few seconds.
We fixed an issue for Insiders where, after a crash, Microsoft Edge might fail to launch again for a few minutes because previous instances were still suspended in the background.
We fixed the issues occurring when exploring pages using the F12 Developer Tools in Microsoft Edge with cross-origin iframes (e.g. the DOM explorer shows only the iframe DOM, the Console frame selector doesn’t list the iframes, etc.).
Known issues for PC
You will be unable to download new (additional) language packs on this build. Currently installed language packs will not be impacted.
If your PC fails to install this build on reboot with the error 8024a112, reboot manually again. If your PC appears to hang during the reboot, power your PC off and back on and the install will proceed.
Some Insiders have reported seeing this error “Some updates were cancelled. We’ll keep trying in case new updates become available” in Windows Update. If you encounter it, please try deleting the following registry key:
See this forum post for more details.
Some apps and games may crash due to a misconfiguration of advertising ID that happened in a prior build. Specifically, this issue affects new user accounts that were created on Build 15031. The misconfiguration can continue to persist after upgrading to later builds. The ACL on the registry key incorrectly denies access to the user and you can delete the following registry key to get out of this state:HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo
There is a bug where if you need to restart your PC due to a pending update like with the latest Surface firmware updates, the restart reminder dialog doesn’t pop up. You should check Settings > Update & security > Windows Update to see if a restart is required.
[GAMING] Certain hardware configurations may cause the broadcast live review window in the Game bar to flash Green while you are Broadcasting. This does not affect the quality of your broadcast and is only visible to the Broadcaster.