
WannaCry – The largest ransom-ware infection in history - remx
https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58
======
sowbug
These are the three Bitcoin addresses referenced in the article:

[https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...](https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn)
[https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8is...](https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw)
[https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...](https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94)

As of now, the three addresses have received a total of about 20 BTC, or about
$36,000 at current exchange rates. The most typical transaction sends about
$300 to the addresses. No funds have left the addresses yet.

~~~
Scoundreller
What's with the people sending 0.0001 BTC (~17 cents) and paying a 0.0004
transaction fee (~82 cents)? What's that all about?

~~~
pmorici
This is pretty common: whenever there is a Bitcoin theft, people send small
amounts of Bitcoin to the suspected theft address. I believe they do it as a
means of tracking what happens to the stolen funds. It keeps them from having
to keep track of every address; instead they just send a small amount of BTC to
it, and then they just need to remember their own wallet address in the future to
track all the addresses they "marked".

~~~
Scoundreller
Another theory is that it's Law Enforcement. In order to get a conviction,
their case is improved if they can show a trail of money just in case they
can't get a witness that paid the ransom to testify with proper documentation.

------
zokier
I don't quite understand how WannaCry became such a big deal. Ransomware is
already an old thing, SMB worms even older. WannaCry didn't even use a 0day ffs,
the patch for this was already published a few months ago (and not particularly
quietly I might add). There is very little novel about WannaCry as far as I
can tell. Additionally W10 apparently was not vulnerable in the first place.

All this, and still WannaCry hit the main evening news, which at least around
here is somewhat high bar. Not sure what to think about that.

~~~
syshum
> the patch for this was already published a few months ago

2 months ago, March 17th, and many organizations do not patch as often as they
should. Many have even started delaying longer since MS patches of late have
been causing more problems for people, breaking Office, breaking WiFi and
breaking other critical systems, with MS's normal response of "oops our bad, we'll
fix it in another month, until then get fucked".

> Additionally W10

Win10 has about a 12% Market share, about the same as Windows XP still does.

Win10 has not been widely adopted outside the consumer market.

> All this, and still WannaCry hit the main evening news,

Made the news because of the number of systems, and the number of high-profile
systems like hospitals that were infected, not because it was a technical
marvel of malware engineering.

It also made the news because the NSA is indirectly responsible for not
disclosing these vulnerabilities when they were discovered until they
weaponized them for their own gain. While I do not blame the NSA for this
infection, I believe they should be forced, today, to disclose to all software
vendors any other vulnerabilities they want to play Hacker with....

~~~
RubyPinch
You can postpone general updates while still having critical/security updates
go through at the normal pace.

And shouldn't a workplace be set up for re-imaging if updates go wrong? I know
it's easy to just store files in C:\user\name\documents, but then it makes it
just as easy to be forced to pay $300 for each computer in the network.

~~~
syshum
Many of these systems infected are server systems, not End User Desktops.

That said, yes, in a perfect world everyone would have perfect backups and
perfect imaging systems that make ransomware a non-event. We do not live in
a perfect world, and it is easy to Monday-morning QB the IT staff.

Most IT depts are understaffed and corners are cut because you have to keep
your head above water; businesses do not want to pay for proper staff or proper
infrastructure.

IT is a "cost center" that should be cut every year in perpetuity; after all,
everything is working, so why do I need to pay you to sit there all day?

------
xenadu02
One day someone is going to write a filesystem filter driver that does this
and build in a much longer delay, which will allow the malware to spread for a
lot longer before dumping the keys and demanding ransom.

The filter driver would ensure access to the files continues transparently
even though the underlying data is encrypted.

Things will get much worse.

------
firewalkwithme
I don't understand how a machine becomes infected; it is perhaps not very
clear yet? This article explains receiving an email containing a link OR a PDF
with a link to a .hta file? What a strange sentence. Can one get infected
without user interaction, or even with a passive client?

~~~
remx
This is what I want to know[0] too.

To mitigate, you can disable SMB1.0 with the following command. Make sure to
run as administrator:

    dism /online /norestart /disable-feature /featurename:SMB1Protocol

[0]:
[https://news.ycombinator.com/item?id=14335845](https://news.ycombinator.com/item?id=14335845)
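Alongside the dism one-liner above, here is an added PowerShell example (not part of this thread) that audits SMBv1 from two independent angles, disables it without forcing a reboot, blocks inbound TCP/445 from non-local addresses, and checks whether the MS17-010 hotfix is installed. It assumes Windows 8.1 / Server 2012 R2 or later for Get-WindowsOptionalFeature and the Smb* cmdlets; on Windows 7 / Server 2008 R2 the SMB1Protocol feature name is not present, and the documented method is the LanmanServer SMB1 registry value (Microsoft KB2696547), which the script falls back to. The KB number in Test-Ms17010Installed is a placeholder to replace with the MS17-010 update id for your OS build; the firewall rule name is my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Audits and disables SMBv1 on a Windows host.
# Assumes Windows 8.1 / Server 2012 R2 or later for Get-WindowsOptionalFeature and
# the Smb* cmdlets; on Windows 7 / Server 2008 R2 the SMB1Protocol feature name does
# not exist and the documented method is the LanmanServer registry value (KB2696547).

function Get-Smb1State {
    # Two independent views of SMBv1: the optional-feature install state and the
    # live server setting. Either one being on means the host still speaks SMBv1.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState  = if ($feature) { [string]$feature.State } else { 'NotPresent' }
        ServerEnabled = if ($server)  { $server.EnableSMB1Protocol } else { $null }
        Listening445  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1 {
    # Turn SMBv1 off at every layer that applies on this OS, without forcing a reboot.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        # Same effect as the dism command quoted in the comment above; applies after reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server-side switch, effective immediately, no reboot needed.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2 fallback (KB2696547): requires a reboot to apply.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Test-Ms17010Installed {
    # KB numbers differ per OS build, so fill $KbIds from the Microsoft bulletin
    # for your platform; the default below is a placeholder, not a real KB id.
    param([string[]]$KbIds = @('KB_PLACEHOLDER_FOR_YOUR_OS'))
    $installed = Get-HotFix | Where-Object { $_.HotFixID -in $KbIds }
    [bool]$installed
}

function Block-Inbound445FromInternet {
    # Defense in depth for hosts that must keep SMB for LAN file sharing: drop TCP/445
    # from non-local addresses. Needs the NetSecurity module (Windows 8 / 2012 and later).
    $name = 'Block SMB (TCP 445) inbound from Internet'   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
    }
}

# Before/after view so the change is auditable in a change ticket.
'Before:'; Get-Smb1State
Disable-Smb1
Block-Inbound445FromInternet
'After:';  Get-Smb1State
"MS17-010 hotfix present: $(Test-Ms17010Installed)"
```

Disabling the optional feature (the dism route) only takes effect after a reboot, which is why the script also flips the live server setting; the firewall rule is a containment layer, not a substitute for installing the March patch, and the registry fallback on Windows 7 / 2008 R2 also needs a reboot.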

~~~
syshum
To mitigate, install security patches in a timely manner.

Also note that only works on Windows 7 and later; dism is not a tool for XP or
Windows 2003, which seem to be the largest numbers hit by this since there
were no patches for them.

------
tbrock
I wish they hadn't patched XP so we can collectively put that one to rest.

------
tristanho
Does anyone have an estimate of how much money WannaCry has made in total?

Incentives matter, and if the ransomware developers are actually getting paid
a lot, they will continue exploiting these vulnerabilities. On the other hand,
if it turns out people don't actually bother paying despite being locked out
of their computers, would the hackers even bother continuing this line of
attack?

~~~
jonursenbach
Some numbers I saw going around yesterday that were looking at the discovered
Bitcoin addresses totaled around $18,000.

~~~
tristanho
$18,000 (or $36,000 as another comment suggests) seems incredibly low for "The
largest ransom-ware infection in history"... how can this be worth it for the
hackers?

~~~
Freak_NL
> how can this be worth it for the hackers?

Depends on where they live. For most people on Earth this is a very large sum
of money that will go a long way (just not 'here' in the countries where the
virus spread).

~~~
javier2
Just realized we could pay them many times this amount just to not make
ransomware :|

------
edoceo
So big that MS has to release a patch for Windows XP!

~~~
johnnydoe9
XP, 8 and Server 2003. Patches for 3 unsupported versions

edit: 2003* my bad

[https://arstechnica.com/security/2017/05/wcry-is-so-mean-
mic...](https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-
issues-patch-for-3-unsupported-windows-versions/)

~~~
dcip6s
Since when was Windows 8 unsupported?

~~~
nacos
Since January 2016. You have to upgrade to Windows 8.1 to be supported and up
to date.

------
faragon
In the meantime, what are the FBI, the NSA, and other agencies that exist
precisely to avoid that doing?

~~~
MichaelBurge
The ransomware was built from NSA tools, and I think it's illegal for them to
comment on leaked classified information.

The FBI doesn't publicly comment on on-going investigations. You might be able
to ask them if one exists, though.

~~~
faragon
My point was about those agencies catching ransomware authors.

~~~
rl3
Theoretically there's nothing _legally_ stopping an NSA/GCHQ tag team from
mercilessly hunting down and destroying ransomware operations.

NSA only has red tape when it comes to U.S. citizens, but GCHQ doesn't. GCHQ's
mandate also includes _serious organized crime_. Moreover, considering the
damage ransomware can do to critical government infrastructure (for example
NHS), it's not a stretch to imagine that targeting ransomware operations would
fall under legitimate national security grounds.

Personally I'm surprised they don't just completely fuck these people up to
set an example. On the other hand, there's always the possibility WannaCry
could be a mud slinging attempt from a state actor, given the much-publicized
fact it uses leaked NSA vulns.

~~~
Freak_NL
> […] fuck these people up to set an example.

I don't think it would be very effective.

There are three reasons for hunting down and persecuting perpetrators of
crime: vengeance, setting an example, and undoing the damage.

Only the last reason makes any practical sense here.

This attack works, so there will be others in the future, but it will happen
regardless of the threat of punishment. Sure, if you set an example some
people might be deterred, but surely not the bright hacker in a basement in
Yekaterinburg, or the determined gang in Nigeria, or the mobsters in Chengdu
City; i.e., anyone, anywhere without much to lose?

~~~
walshemj
It's also put pressure on governments that in the past don't cooperate with
extraditions.

Putting 50% of your diplomats on a plane with 48 hours' notice sends a message;
you can also start having the IRS / HMRC investigate rich expats friendly to the
regime.

------
edem
Everyone talks about how people get infected, but is there a guide around
somewhere about how I protect my computer from such attacks? I install all
updates and I have an antivirus program, but I don't know what else I can do.

~~~
SolarNet
Don't open dodgy files (like in emails), or if you must, do it in a VM.

Run adblock and no-script on your web browser, only visit trusted sites. If
you must, use a VM.

Don't download and install software you don't trust. Either it should be a big
company in the news regularly, have good reviews from people you trust, or it
should be open source. If you must, use a VM.

Back up your files regularly (and have offline backups; the data is the most
important thing), reinstall your OS regularly (this gets rid of old and
outdated software you don't remember, because I doubt you install all updates:
have you updated Java recently? How about Adobe Flash or Reader? How about the
chipset drivers that likely came with your machine?).

~~~
edem
I'm more interested in the passive infections where I get infected without my
prior actions (some comments say it is possible). Java is not a good example
because I program (sometimes in java) and it is always up to date. I
uninstalled Flash and I have the automatic updates enabled in all software I
use day-to-day. Doing regular re-installs is a good idea though. Thanks for
the tip.

------
jayflux
Could someone explain how this spreads and then executes itself on other
machines? Does it require user interaction?

~~~
YZF
It uses a vulnerability that allows another computer on the same network to
execute arbitrary code on your computer. So you work for a UK hospital, your
co-worker downloads an attachment and executes it, and that can be enough to
get on your machine if it doesn't have up-to-date security patches.

------
Andry8
Yes, the 'WannaCry Ransomware Attack' is the largest ransom in history. However,
it's time to increase Windows security and updates, so that no one can
do this in the future. [https://wuinstall.com/](https://wuinstall.com/)

------
peter_retief
Can it attack Linux desktops?

~~~
marsrover
No

~~~
45h34jh53k4j
WannaBet?
[https://twitter.com/hackerfantastic/status/86335937578792550...](https://twitter.com/hackerfantastic/status/863359375787925505)

~~~
javier2
That is magnificent.

------
dafrankenstein2
Does this affect the Google Drive sync folder on Windows machines?

