I feel like I'm being small-minded, but I legitimately don't understand why ransomware continues to be so damaging. Do these organizations not have backup systems in place? What would happen if their hard drives failed, as is completely normal?
The Baltimore Sun doesn't like Germany, but an Ars Technica article quotes the mayor:
> In his press conference, Baltimore’s new mayor, Bernard “Jack” Young, said it was uncertain how long the city's systems would be offline. "There is a backup system with the IT department," he said, "but we can't just go and restore because we don’t know how far back the virus goes. So I don’t want people to think that Baltimore doesn’t have a backup."
> Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.
"Utilities like Telnet and remote control programs like Symantec's PC Anywhere let you execute programs on remote systems, but they can be a pain to set up and require that you install client software [%] on the remote systems that you wish to access. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software [%]."
[%] They probably mean server software.
So, where is the server software itself documented? Is it started by default on each system? It seems to be some kind of poor man's version of SSH ...
The link you posted leads to a more detailed article by the developer, where he mentions some internals:
> PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API, which has a remote interface, to start the Psexesvc service on the remote system.
> The Psexesvc service creates a named pipe, psexecsvc, to which PsExec connects and sends commands that tell the service on the remote system which executable to launch and which options you've specified. If you specify the -d (don't wait) switch, the service exits after starting the executable; otherwise, the service waits for the executable to terminate, then sends the exit code back to PsExec for it to print on the local console.
PsExec will also most likely freak out your security operations team if it’s not part of your expected workflow (well, and if you have a decent SIEM, and it’s actually monitored...)
What stuck out to me was the part that said, "A similar attack affected the city’s phone system last year, shutting down automated dispatches for 911 and 311 calls." Clearly what they had didn't catch it (twice) and that's a problem with SIEMs - usually not configured correctly or to log the right things.