Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Protect Against WannaCry (https://forum.exetools.com/showthread.php?t=18250)

abhi93696 05-16-2017 01:53

Protect Against WannaCry
 
In case anyone is unaware of it:

The WannaCry ransomware, also known as Wanna Decryptor, leverages a Windows SMB exploit, dubbed EternalBlue, that allows a remote hacker to hijack computers running on unpatched Microsoft Windows operating system.
Once infected, WannaCry also scans for other unpatched PCs connected to the same local network, as well as scans random hosts on the wider Internet, to spread itself quickly.

What Has Happened So Far
Day 1: OutCry — WannaCry targeted over 90,000 computers in 99 countries.
Day 2: The Patch Day — A security researcher successfully found a way to slow down the infection rate, and meanwhile, Microsoft releases emergency patch updates for unsupported versions of Windows.
Day 3: New Variants Arrive — Just yesterday, some new variants of WannaCry, with and without a kill-switch, were detected in the wild and would be difficult to stop for at least the next few weeks.

Protection against it:


1) Microsoft Issues WanaCrypt Patch for Windows 8, XP
2) Disable SMBv1 On Windows [7, 8 and 10]
Quote:

If you are using Windows 10, you are on the safe side. "The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack," Microsoft says.
Stay safe & cheerz :)
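Added example, not code from the original post: a PowerShell script that audits the second mitigation listed above (SMBv1 disabled) together with the host-firewall side of it (inbound TCP 139/445 blocked), and applies both only when run with `-Apply`. It assumes Windows 7 or later and an elevated prompt; which cmdlets exist on which version is noted inline.

```powershell
# Added example, not code from the original post: audit and optionally apply
# the SMBv1 and inbound-SMB mitigations. Run from an elevated PowerShell.
# Assumed to run on Windows 7 or later; cmdlet availability is noted inline.
param(
    [switch]$Apply   # default is audit only; pass -Apply to change settings
)

$findings = @()

# --- 1. SMBv1 --------------------------------------------------------------
# Windows 8 / Server 2012 and later expose SMBv1 as an optional feature.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    if ($feature.State -eq 'Enabled') {
        $findings += 'SMB1Protocol optional feature is ENABLED'
        if ($Apply) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
} else {
    # Windows 7 / Server 2008 R2: SMBv1 is governed by the LanmanServer 'SMB1'
    # value (absent or 1 = enabled, 0 = disabled). A reboot is needed afterwards.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($smb1 -ne 0) {
        $state = if ($null -eq $smb1) { 'absent (enabled by default)' } else { $smb1 }
        $findings += "LanmanServer SMB1 value is $state"
        if ($Apply) {
            Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
}

# --- 2. Inbound SMB at the host firewall -----------------------------------
$ruleName = 'Block inbound SMB (TCP 139,445)'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        $findings += 'No host firewall rule blocking inbound TCP 139/445'
        if ($Apply) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        }
    }
} else {
    # Windows 7 has no NetSecurity module; fall back to netsh. The rule cannot
    # be audited reliably from here, so it is always reported.
    $findings += 'NetSecurity module missing; inbound SMB block rule not verified'
    if ($Apply) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
    }
}

# --- Report ----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled and inbound SMB blocked at the host firewall'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
if ($Apply) { Write-Output 'Changes applied; reboot for the SMBv1 change to take effect.' }
exit 1
```

Run it once without `-Apply` to see what would change. Blocking inbound 445 also blocks legitimate file sharing to this host, so on a machine that serves shares, narrow the rule with `-RemoteAddress` to the subnets that need it instead of `-Profile Any`. The SMBv1 change only takes effect after a reboot, and patching MS17-010 is still required: SMBv2/3 stay enabled and the firewall rule does nothing for traffic from hosts the rule allows.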

Insid3Code 05-17-2017 22:05

Hello,
These steps are against the exploit code, not against the file cryptor itself or the cryptocurrency mining malware (another malware using the same exploit code to infect vulnerable machines silently without any notification)...

wilson bibe 05-17-2017 23:39

I'll never understand what hacking is useful for; there is nothing divine about it, quite human by the way. If I want money I work, work and work, and probably I'll die working, not stealing. This is a shame, like selling reversed software.

abhi93696 05-18-2017 01:28

Quote:

Originally Posted by wilson bibe (Post 109267)
I'll never understand what hacking is useful for; there is nothing divine about it, quite human by the way. If I want money I work, work and work, and probably I'll die working, not stealing. This is a shame, like selling reversed software.

Appreciate your thought :)
Yup what will they get by doing such nasty things & hurting people like this!! As hospitals, banks etc got badly affected by this! :( Just harming the public...

Anyway, I heard that this could possibly be an attack by North Korea!

abhi93696 05-18-2017 22:52

Quote:

Originally Posted by Insid3Code (Post 109266)
Hello,
These steps are against the exploit code not against the file cryptor it self or cryptocurrency mining malware (another malware using the same exploit code to infect vulnerable machines silently without any notification)...

Hi

As far as I have studied:
Adylkuzz, is a cryptocurrency miner that leverages MS17-010, also known as EternalBlue, to compromise machines. Adylkuzz attackers scan the internet for vulnerable machines to install their malware. Unlike WannaCry, Adylkuzz does not have the ability to self-propagate. It was WannaCry’s ability to self-replicate that meant it spread very quickly within organizations.

As the cryptocurrency miner also uses the EternalBlue exploit, disabling SMB (as mentioned above) should do the job :)

Also researched recovering data encrypted by ransomware in SOME cases:
Regards

JMP-JECXZ 05-19-2017 05:58

here is a decryptor for the cryptor: https://github.com/gentilkiwi/wanadecrypt
but you need to give him the priv key :)

TechLord 05-19-2017 16:33

Full article here :
Quote:

https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
If you did not reboot your computer yet after your files got encrypted, then you may have a chance (on Win XP and Win 7)...

uranus64 06-04-2017 15:09

Some good advice here.

Mainly the "Defense Advice" part. There you can see what ports are vulnerable and can block access via the firewall.

Levis 06-08-2017 08:57

As I saw here, they're still releasing patches for Windows 10, or even Windows Server 2016:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
So we may be immune to WannaCry, but not to EternalBlue. Better update 'em all.

sendersu 06-09-2017 01:40

Are they still patching good old Win XP? :)

TechLord 06-09-2017 04:02

Quote:

Originally Posted by Levis (Post 109499)
As I saw here, they're still releasing patches for Windows 10, or even Windows Server 2016:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
So we may be immune to WannaCry, but not to EternalBlue. Better update 'em all.

Best 3 rules to follow, even after patching and everything:

1. Turn off all listening ports on your PC wherever possible.
2. Run at the lowest privilege level possible for accomplishing a particular task (i.e. don't run as administrator just because the PC belongs to you :) )
3. Don't click on or run unknown or untrusted files!

cybercoder 06-09-2017 15:07

Chuck this in a .reg file for updates for XP until April 2019:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Kerlingen 06-09-2017 18:30

"Windows Embedded Standard 2009" gets updates until 2019.
"Windows XP embedded" (predecessor of "Windows Embedded Standard 2009") does not get updates any more.
"Windows XP" (desktop OS) does not get any updates, it's a different OS.

If updates don't exist, you obviously can't get them, no matter what registry keys you set.

cybercoder 06-10-2017 00:08

Well, I get updates each month on my XP VM, so... it still works :) POSReady is Point of Sale Ready, so this setting enables ATMs that still have XP to update. It's that simple. It was to give them time to update... Google this stuff to confirm... :) So you can update "the desktop OS"... with a little more hardening it's great ;) Maybe try it first, then say it doesn't work after...

abhi93696 06-10-2017 01:41

Well... you both are correct in your context :)
@Kerlingen is correct in saying that Windows XP does not get any updates, BUT Microsoft is continuing to support Windows Embedded Industry for another five years, until April 2019...

@cybercoder is very much correct in saying that one can get updates on XP by "tricking" XP into thinking it's Windows Embedded POSReady, which means one can get updates for the next five years. :cool:

Also, as these two systems are so interlinked, updates designed for one system should work on the other.

More can be read at - : #peace :)

TechLord 06-10-2017 03:55

As a professional in this field, I would like to say that if anyone does use XP anymore, it should be only on computers that are OFFLINE.

We do have a few nodes running XP, but they are all stand-alone. It's not advised to even connect them to the LAN if possible. We use them only for testing purposes.

My advice regarding the updates:
It's generally a bad idea to use updates meant for one version of the OS (Embedded, in this case) on a desktop PC.

The Embedded version fundamentally is a HIGHLY stripped-down version of the full OS and hence would obviously be lacking a number of features that would be available in the full OS.

SO obviously there would be far fewer patches needed/released for the embedded versions compared to the full versions, and one should not rest with the false reassurance that he has "patched" his OS :D

Thank you to @CyberCoder for the tip :)

Yet what Kerlingen says is right. Using the patches meant for Embedded on a desktop version of the OS would not be sufficient.

Fyyre 06-13-2017 16:08

Quote:

Originally Posted by TechLord (Post 109525)
Yet what Kerlingen says is right. Using the patches meant for Embedded on a desktop version of the OS would not be sufficient.

Agree.. it makes no sense.

XP created, 1999. No reason anyone is still using it (pls don't say SoftIce..)

mm6840 06-14-2017 23:57

Microsoft decided to provide a patch for Windows XP

https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-update-release/

psgama 06-15-2017 12:28

You know it's serious when Microsoft Patches non supported software :P
This ransomware is really beginning to become an issue. Just goes to show that there is something to be said for a good online backup, or for changing permissions on shares after you are done!

pp2 06-15-2017 15:16

If you are running Windows (even XP) behind any modern router with NAT, it will help you to mitigate the cryptor, since the router will not accept connections to ports 139 and 445, even if Windows (without any firewall) will.

Kerlingen 06-15-2017 17:30

If you have a very old ISP contract or are using a mobile modem (SIM card) to access the internet you might be running in an IPv4-only environment behind a NAT. But in pretty much every other situation you have IPv6 without NAT and all your network PCs are accessible directly from the internet.

TechLord 06-16-2017 04:16

Quote:

Originally Posted by Kerlingen (Post 109563)
If you have a very old ISP contract or are using a mobile modem (SIM card) to access the internet you might be running in an IPv4-only environment behind a NAT. But in pretty much every other situation you have IPv6 without NAT and all your network PCs are accessible directly from the internet.

For many of the home users and even office PCs, NAT is switched on by default in the router through which they access the internet, so this should not be a problem.

At least, for many of the routers in the US, I see that the NAT is already enabled...

Kerlingen 06-16-2017 19:29

NAT is no security feature. You can't just turn it on or off as you like, you either require it or can't use it at all depending on your setup.

NAT for IPv6 doesn't exist, so no, not a single IPv6 router in the US (or elsewhere) has NAT enabled (or an option to turn it on).

If you find some NAT settings in your router configuration these are IPv4 settings.

If your ISP supports IPv6, then all your local network computers are accessible directly by IPv6, no matter what settings you choose for IPv4 connections.
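Added example, not code from any post in this thread: a read-only PowerShell check for the exposure described in the post above. It lists this host's globally routable IPv6 addresses, any SMB listeners bound to them, and whether an enabled host-firewall rule blocks inbound TCP 139/445. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity modules) and changes nothing.

```powershell
# Added example, not code from the thread: report whether SMB on this host is
# reachable over a global IPv6 address. Read-only. Assumes Windows 8 / Server
# 2012 or later (Get-NetIPAddress, Get-NetTCPConnection, Get-NetFirewallRule).

# Addresses that are not link-local (fe80::/10), loopback (::1) or unique-local
# (fc00::/7) are treated as reachable from the internet when the ISP routes
# IPv6; whether it does is not tested here.
function Get-GlobalIPv6Address {
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notmatch '^(fe[89ab][0-9a-f]:|::1$|f[cd][0-9a-f]{2}:)' }
}

# SMB listeners: TCP 445 (direct-hosted SMB) and 139 (NetBIOS session service).
function Get-SmbListener {
    Get-NetTCPConnection -State Listen -LocalPort 445,139 -ErrorAction SilentlyContinue
}

# Enabled inbound block rules whose port filter names 139 or 445 explicitly.
# (Rules written as port ranges are not matched by this simple check.)
function Get-InboundSmbBlockRule {
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445' -or @($pf.LocalPort) -contains '139')
        }
}

$v6  = @(Get-GlobalIPv6Address)
$smb = @(Get-SmbListener)

if ($v6.Count -eq 0) {
    Write-Output 'No global IPv6 address: the IPv6 exposure does not apply here (IPv4 NAT/firewall still matter).'
}
foreach ($a in $v6) {
    Write-Output ('Global IPv6 address on {0}: {1}' -f $a.InterfaceAlias, $a.IPAddress)
}
foreach ($l in $smb) {
    # '::' is the IPv6 wildcard: bound to every IPv6 address, global ones included.
    $scope = switch ($l.LocalAddress) {
        '::'      { 'ALL IPv6 addresses' }
        '0.0.0.0' { 'all IPv4 addresses' }
        default   { $_ }
    }
    Write-Output ('SMB listening on TCP {0}, bound to {1}' -f $l.LocalPort, $scope)
}

# Exposed = a global IPv6 address exists and SMB is bound to '::' or to that address.
$v6Listener = $smb | Where-Object { $_.LocalAddress -eq '::' -or ($v6.IPAddress -contains $_.LocalAddress) }
if ($v6.Count -gt 0 -and $v6Listener) {
    $blocked = @(Get-InboundSmbBlockRule)
    if ($blocked.Count -gt 0) {
        Write-Output ('SMB is bound to a global IPv6 address, but {0} enabled host firewall rule(s) block inbound TCP 139/445.' -f $blocked.Count)
    } else {
        Write-Output 'EXPOSED: SMB is bound to a global IPv6 address and no host firewall rule blocks inbound TCP 139/445; block the ports or stop the service unless an upstream firewall filters them.'
    }
}
```

The script only inspects the host: it cannot tell whether the ISP or a router upstream filters IPv6, so a host that comes out "EXPOSED" should be treated as reachable until that upstream filtering is confirmed from outside. Note that Windows binds SMB to the wildcard `::` by default, which is why the check treats the wildcard as covering every global address.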

cybercoder 06-16-2017 20:34

so turning it off would be a good option till you can control settings.. ;) Some registry settings will do it... :)
You can run any os you like and be secure if you configure it right ;)

TechLord 06-17-2017 01:15

Quote:

Originally Posted by Kerlingen (Post 109572)
NAT is no security feature. You can't just turn it on or off as you like, you either require it or can't use it at all depending on your setup.
...

It's not a security feature, I agree, but you can turn it on or off at various levels (the OS level, commercial Cisco router level, hardware firewall level, etc.).

I'm sure you know this, bro Kerlingen, but for the sake of some of the others who are following this discussion, I would like to highlight an important fact:

Many use VPNs etc. and stay smug thinking that they are now more or less anonymous on the internet, all the while keeping their IPv6 address enabled :)

When my team is called for an investigation to identify some [cyber] miscreant(s) and we find that the perpetrator used a VPN but kept the IPv6 address enabled, my team guys go out for a beer :D

Because our job is more or less done and we would have uniquely identified the guy (of course assuming that he didn't spoof it).

SO the take-home lesson from this post :
You cannot assume that you are anonymous online if your IPv6 address is kept enabled !

Cheers :)
