Ransomware infections reported worldwide

page: 7

posted on May, 13 2017 @ 08:28 PM

originally posted by: ArMaP
a reply to: dianajune

Even Windows can be made more secure, and good security goes beyond the OS; if anyone has physical access to a computer, then the OS means very little.


Yup.. sadly, with a Linux boot CD (or boot USB), with physical access, you can reset passwords on pretty much every Windows OS. I've done it on plenty for work-related reasons.




posted on May, 13 2017 @ 08:34 PM

originally posted by: DiamondA
I work for a company that was hit by this ransomware; 400-plus computers were hit. I'd say every four minutes the computer would do a memory dump (lovely blue screen) and then restart itself. I tried to quickly see what the hell was going on in the logs; the only thing I was getting was a critical error, "Kernel Power", not much info (not IT, so no access to real info). Lastly, the computers are running Windows 7 Service Pack 1.


Are these bare iron or VM guests running on VMware or MS?
The error would make more sense if it is the latter.



posted on May, 14 2017 @ 04:09 AM
a reply to: mirageman

Windows is inherently insecure, because its source code cannot be audited.
edit on 14-5-2017 by pataatemesosisse because: typo



posted on May, 14 2017 @ 04:09 AM
a reply to: fleabit

It's called a SAM file reset.



posted on May, 14 2017 @ 05:31 AM
a reply to: fleabit

Once you have physical access to a machine there's nothing that prevents you from taking control of it, regardless of the OS used.



posted on May, 14 2017 @ 09:13 AM

originally posted by: Discotech
a reply to: DontTreadOnMe

It's not something an AV can protect against, and it's not something that will likely hit home users, so don't be worried.

It's all down to vulnerabilities within Intel's business CPUs.



A patch for the vulnerability was released by Microsoft in March, but many systems may not have had the update installed.

www.bbc.co.uk...

It's basically a backdoor in the CPU firmware
Red alert! Intel patches remote execution hole that's been hidden in chips since 2010


An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).


All the IT admins should be fired for not updating such a massive flaw in their systems, to be honest; they've had 2 months to update it and quite clearly nobody has bothered to do a damn thing.


I swear to god, some people should just educate themselves and shut the hell up before spreading BS.

First, it has nothing to do with Intel CPUs.
Second, it's as likely to hit home users as it is to hit corporations/organizations.
And third, yes, it doesn't require any interaction from the user; it does require that the system wasn't updated, though.

"many systems may not have had the update installed" - that equals "morons disabled Windows Update without knowing what they're doing".

1. Everyone with an updated system is safe.
2. Everyone behind a NAT is safe, unless something in his LAN gets infected - but then check point 1.

It was a vulnerability in file sharing in Windows, more or less, and it was patched in March. If people/corporations/organizations fail to update their systems and/or are using outdated and unsupported systems like XP (Microsoft patched that vulnerability in XP as well, despite it being unsupported for quite some time already - but they patched it later than the rest; still, you can't blame them, they didn't have to patch it at all, and perhaps then people would learn), they can blame only themselves.

but sure, go ahead, spread FUD along with your agenda, whatever that is.



posted on May, 14 2017 @ 09:54 AM
I work for a Health System in IA, WI & IL. We have not been hit, as we are up to date like we should be, but we are still spending hours going through our vulnerabilities and potential risks on some of our servers.



posted on May, 14 2017 @ 10:09 AM
a reply to: fleabit

I think you can do that even in Windows recovery, by opening Notepad, going to "Open file" and deleting/moving/renaming a specific file from Windows.

Unless that was fixed any time recently.

There are even tons of USBs being sold with easy password removers.
edit on 14/5/2017 by Neoony because: (no reason given)



posted on May, 14 2017 @ 11:21 AM

originally posted by: pataatemesosisse
a reply to: mirageman

Windows is inherently insecure, because its source code cannot be audited.


On the kernel level, it is really insecure because the System and User modes use the same address space. Windows uses ACLs to grant permissions. In contrast, Linux uses separate address spaces for System and User. A buffer overflow in a User process can never leak into System space.
edit on 14-5-2017 by charlyv because: spelling , where caught



posted on May, 14 2017 @ 11:24 AM
a reply to: charlyv

Worried about giving too much info.... But the company who had stated they were hit was not the initial hit. It was another company hit first, but we may have been affected due to remote use. (Would make a lot more sense if I could explain it without worries.)



posted on May, 14 2017 @ 11:36 AM

originally posted by: DiamondA
a reply to: charlyv

Worried about giving too much info.... But the company who had stated they were hit was not the initial hit. It was another company hit first, but we may have been affected due to remote use. (Would make a lot more sense if I could explain it without worries.)


Probably the infection was spread through the APIs or socket connections between the systems. Usually the big weakness in Client/Server setups is not locking them down. This is an insidious worm, and if people do not run the updates, they risk seeing it again.
edit on 14-5-2017 by charlyv because: spelling , where caught



posted on May, 14 2017 @ 11:46 AM

originally posted by: charlyv
Probably the infection was spread through the APIs or socket connections between the systems.

That's what I would like to know, how the infection reached the computers I had to "treat" on Friday, as they are not connected to the Internet and only get an Internet connection whenever they need to connect to the Finance Ministry (it's an accounting company) or Banco de Portugal (the Portuguese central bank).



posted on May, 14 2017 @ 11:52 AM

originally posted by: ArMaP

originally posted by: charlyv
Probably the infection was spread through the APIs or socket connections between the systems.

That's what I would like to know, how the infection reached the computers I had to "treat" on Friday, as they are not connected to the Internet and only get an Internet connection whenever they need to connect to the Finance Ministry (it's an accounting company) or Banco de Portugal (the Portuguese central bank).


Then I guess one or more of those systems had the worm. All it takes is one connection, and then whatever the CGI or .NET invokes to handle the transaction.



posted on May, 14 2017 @ 12:05 PM

originally posted by: charlyv
Then I guess one or more of those systems had the worm.

What I would like to know is how it got it.

One thing I noticed was that the computers that were not affected have home editions of Windows while the ones affected have professional editions.



posted on May, 14 2017 @ 12:07 PM
This will continue to be re-released in various forms, people -have- to update their systems. They will remove the code that causes it to stop if it can find the registered domain, and then they will continue to tweak and modify it. There will be multiple 0-day versions.. so if not patched, businesses will get crushed by this thing. I had a fun 12 hours yesterday patching our systems.


All the IT admins should be fired for not updating such a massive flaw in their systems, to be honest; they've had 2 months to update it and quite clearly nobody has bothered to do a damn thing.


That's fairly naïve. All critical updates are potential "massive flaws" that can be exploited. Do you have any idea how many critical updates MS releases every month? And as I explained in another post, many companies.. MANY.. are well behind because of budgeting in most cases. I know companies that often are about 3 months behind in patches for their servers. Also servers are behind in their OS versions. Many small to medium size businesses don't have the patching systems in place to do this automatically (WSUS hasn't been configured, can't afford SCCM, or whatever).. and patching has to be done after hours, and takes quite a while if done manually.

Example of painful manual patching process: Send out emails to company or groups to let them know certain services will be down between whatever times listed. Start to patch servers. If behind, may take more than one restart to apply patches. Need to consider order of patching - both in regards to databases (and systems that rely on a SQL database on another server), VMs (some must be delayed on their start), physical boxes (which will restart the VMs again), and so on. Must make sure services on servers started.. too often someone hasn't configured a delay in a service startup, and a critical service for DB or whatever won't start, and has to be manually started. Lather, rinse, repeat for additional restarts needed on every server. After all reboots on all servers are complete, but then test -all- systems that any restarted servers hosted.. ERPs that used SQL, websites that hosted from a server, Citrix type environments, apps, cloud connectors to test SSO, etc. etc. etc... it takes a long time.

Of course the above assumes nothing goes awry during the patching process. All physical boxes come back online, nothing breaks, and all patches are applied successfully.

And because most companies are just cheap with their IT staffing, you are asking people who probably already work long hours who have probably not taken a vacation in 3 or more years to keep working entire weekends to keep things up to date. Those folks are almost always salary.. it's just expected they do this. It's easy to say "oh geeze, stupid lazy admins should just be fired!".. but that's not even remotely fair to say.

For some of the servers I was working on yesterday that were previously managed by another company, they were 3 YEARS out of date! Some had not been patched since their creation. The company, which knows nothing about IT, had no idea what to even ask this hosting company in regards to patching. You don't know what you don't know.. they just assumed the money they were shelling out was actually getting them the results they were paying for. Many companies are in the same boat.
edit on 14-5-2017 by fleabit because: (no reason given)



posted on May, 14 2017 @ 12:12 PM

originally posted by: ArMaP

originally posted by: charlyv
Then I guess one or more of those systems had the worm.

What I would like to know is how did it get it.

One thing I noticed was that the computers that were not affected have home editions of Windows while the ones affected have professional editions.


That is a good finding. Professional has more network features, including RDP. It also has trusted boot and group policy management. While good features, they expose more for a worm to work with.



posted on May, 14 2017 @ 12:13 PM

originally posted by: pataatemesosisse
a reply to: fleabit

It's called a SAM file reset.


There are multiple ways to do this. You can swap the SAM with a version you have edited, reset it, clear the admin password, brute force change the pw, etc. I've done it multiple ways, it's kind of sad how easy it is. : )



posted on May, 14 2017 @ 01:11 PM
a reply to: fleabit

And Linux works in a similar way.



posted on May, 14 2017 @ 01:28 PM

originally posted by: ArMaP

originally posted by: charlyv
Probably the infection was spread through the APIs or socket connections between the systems.

That's what I would like to know, how the infection reached the computers I had to "treat" on Friday, as they are not connected to the Internet and only get an Internet connection whenever they need to connect to the Finance Ministry (it's an accounting company) or Banco de Portugal (the Portuguese central bank).


Was the "Don't allow connections to this computer" toggled in the remote settings?



posted on May, 14 2017 @ 01:47 PM
a reply to: Cauliflower

I don't know, I have to check tomorrow.
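A read-only audit that answers the questions raised in this thread (fleabit's post-patch checks: patch age, pending reboots, Automatic services that did not come back; and Cauliflower's question about "Don't allow connections to this computer"), added here as an example and not posted by anyone in the thread. It assumes the standard Windows cmdlets and registry locations listed in the comments; fDenyTSConnections is the value behind that Remote Desktop radio button, and the 90-day staleness threshold is an assumption.

```powershell
# Added example, not from any poster in this thread: a read-only post-patch audit of one
# Windows host. The 90-day threshold is an assumption; adjust it to your patch cycle.
param([int]$MaxPatchAgeDays = 90)

$report = [ordered]@{}

# 1. Patch age: newest InstalledOn date among installed hotfixes (catches "3 years out of date").
$hotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending)
$last = if ($hotfixes.Count -gt 0) { $hotfixes[0].InstalledOn } else { $null }
$report['LastHotfixInstalled'] = $last
$report['PatchingStale'] = (-not $last) -or (((Get-Date) - $last).TotalDays -gt $MaxPatchAgeDays)

# 2. Pending reboot: these keys/values exist only while a restart is still outstanding,
#    i.e. a patch run that needs "more than one restart" is not finished yet.
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
$report['RebootPending'] = (Test-Path $cbs) -or (Test-Path $wua) -or ($null -ne $sm.PendingFileRenameOperations)

# 3. Automatic services that did not come back after the reboot (the "critical service
#    for DB or whatever won't start" case). Win32_Service is available on Windows 7 too.
$down = Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }
$report['AutoServicesNotRunning'] = @($down | Select-Object -ExpandProperty Name) -join ', '

# 4. Remote Desktop: fDenyTSConnections = 1 is "Don't allow connections to this computer";
#    0 means RDP accepts network connections, which Professional editions expose.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
      -Name fDenyTSConnections -ErrorAction SilentlyContinue
$report['RemoteDesktopDenied'] = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 1)

[pscustomobject]$report | Format-List
```

Run it from an elevated Windows PowerShell 3.0 or later session on each server after the restarts; any line showing PatchingStale or RebootPending as True, or a non-empty AutoServicesNotRunning, is a box that is not done yet.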


