
That big ransomware attack yesterday


AUDub


Don't know if y'all have been keeping up with this, but a huge cyberattack caught everyone off guard over the last few days. 

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Luckily, we didn't get hit and are hoping to keep it that way. We're shoring up our defenses and emergency patching everything. In spite of the fact that I was in Tuscaloosa yesterday for a soccer invitational (won one, lost one, but Sadiebug scored in both games yay!), I spent practically the whole day in conference calls with our VP of ops, head of IT, various rank and file folks and various vendors like GE, AirStrip and ExcelMedical.

A 22-year-old white hat accidentally discovered a kill switch to stop its spread, which bought everyone some breathing room.

https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0

Microsoft took the highly unusual step of releasing an emergency patch for XP.

http://www.zdnet.com/article/wannacrypt-ransomware-microsoft-issues-patch-for-windows-xp-and-other-old-systems/

Everyone, be on the lookout. Don't click on any email attachments from unfamiliar sources. PATCH PATCH PATCH! Patch everything!






On 5/14/2017 at 10:52 AM, Bigbens42 said:

Don't know if y'all have been keeping up with this, but a huge cyberattack caught everyone off guard over the last few days. 

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Luckily, we didn't get hit and are hoping to keep it that way. We're shoring up our defenses and emergency patching everything. In spite of the fact that I was in Tuscaloosa yesterday for a soccer invitational (won one, lost one, but Sadiebug scored in both games yay!), I spent practically the whole day in conference calls with our VP of ops, head of IT, various rank and file folks and various vendors like GE, AirStrip and ExcelMedical.

A 22-year-old white hat accidentally discovered a kill switch to stop its spread, which bought everyone some breathing room.

https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0

Microsoft took the highly unusual step of releasing an emergency patch for XP.

http://www.zdnet.com/article/wannacrypt-ransomware-microsoft-issues-patch-for-windows-xp-and-other-old-systems/

Everyone, be on the lookout. Don't click on any email attachments from unfamiliar sources. PATCH PATCH PATCH! Patch everything!

If not explainable to a simpleton like me, please say so.

How does registration of an embedded (and previously unregistered) domain name "kill" it? Does it actually stop the code's innate ability to spread to other systems? Or does it just give the security apparatus of a targeted system a better definition of what to block?

Your friendly neighborhood Luddite.


9 minutes ago, AUld fAUx@ said:

If not explainable to a simpleton like me, please say so.

How does registration of an embedded (and previously unregistered) domain name "kill" it? Does it actually stop the code's innate ability to spread to other systems? Or does it just give the security apparatus of a targeted system a better definition of what to block?

Your friendly neighborhood Luddite.

The white hat noticed during his forensic examination that the exploit was sending GET calls to that unregistered domain. If it didn't get a response, the exploit would activate. When it did, the exploit would stay dormant. Probably installed as a kill switch by the folks that wrote the bug in case their little beasty got out of hand. Guy dropping ten dollars to register the domain bought us a lot of invaluable time to patch.

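The post above describes the kill-switch check (no response to the GET means the payload runs; a response means it stays dormant). The following added example, which is not from the thread or from any of the researchers it mentions, turns that logic into a triage script for resolver logs: a failed lookup of the domain marks a host that likely detonated, while a successful lookup (the domain now answers) marks a host that is infected but dormant. The domain name and the log format are placeholders I constructed, since the thread does not give the real domain.

```python
import re
from collections import defaultdict

# Placeholder standing in for the real embedded domain, which the thread does not name.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log: timestamp, client, record type, name, response code.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.5.17 A killswitch-placeholder.example NXDOMAIN
2017-05-12T10:01:03Z 10.0.5.17 A killswitch-placeholder.example NXDOMAIN
2017-05-12T10:02:40Z 10.0.7.3 A www.example.com NOERROR
2017-05-13T08:15:00Z 10.0.9.21 A killswitch-placeholder.example NOERROR
2017-05-13T08:16:10Z 10.0.5.17 A killswitch-placeholder.example NOERROR
2017-05-13T08:17:00Z malformed line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _rtype, qname, rcode = m.groups()
    return ts, client, qname.lower().rstrip("."), rcode.upper()


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to a verdict.

    Per the thread: no response -> payload activates; a response -> it stays dormant.
    A failed lookup (NXDOMAIN, SERVFAIL, ...) therefore means the check failed and
    the host likely detonated; a successful lookup means the registered domain
    answered and the host is infected but dormant. Either way the host is compromised.
    """
    rcodes = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == domain:
            rcodes[parsed[1]].append(parsed[3])
    verdicts = {}
    for client, seen in rcodes.items():
        if any(r != "NOERROR" for r in seen):
            verdicts[client] = "likely detonated"
        else:
            verdicts[client] = "infected, dormant"
    return verdicts
```

By the logic the post describes, blocking the domain at a resolver or proxy recreates the no-response condition rather than stopping anything, so the defensive move is to let the lookup succeed and clean up every host that made it.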

7 minutes ago, Bigbens42 said:

The white hat noticed during his forensic examination that the exploit was sending GET calls to that unregistered domain. If it didn't get a response, the exploit would activate. When it did, the exploit would stay dormant. Probably installed as a kill switch by the folks that wrote the bug in case their little beasty got out of hand. Guy dropping ten dollars to register the domain bought us a lot of invaluable time to patch.

Teach brother!

(Seriously: excellent and focused explanation that wasn't covered in news releases.)

Many Thanks!


On 5/16/2017 at 2:29 PM, Bigbens42 said:

The white hat noticed during his forensic examination that the exploit was sending GET calls to that unregistered domain. If it didn't get a response, the exploit would activate. Since the domain wasn't active, it couldn't send a response, which triggered the exploit to run. When it did, the exploit would stay dormant. Probably installed as a kill switch by the folks that wrote the bug in case their little beasty got out of hand. Guy dropping ten dollars to register the domain bought us a lot of invaluable time to patch.

Solid explanation.


  • 2 years later...

Things got dramatic with the aforementioned white hat. Glad the judge was reasonable. Guy saved my ass, prevented a ****ton of economic damage and saved many lives, probably numbering in the thousands. 

https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/

