Dear Colleagues,

The European cybercrime centre at Europol have asked us to circulate the below. I hope you find it useful and please forward it on to anyone who you may think will benefit from it.

Kind regards

Richard Leaning
External Relations
RIPE NCC
Begin forwarded message:
From: "O3 - European Cybercrime Centre (EC3)" <o3@europol.europa.eu>
Subject: @EXT: WannaCry Ransomware
Date: 14 May 2017 at 19:06:20 BST
Cc: "Amann, Philipp" <Philipp.Amann@europol.europa.eu>, "Mounier, Grégory" <gregory.mounier@europol.europa.eu>, "Sanchez, Maria" <maria.sanchez@europol.europa.eu>, "O372 Advisory Groups Support" <O372@europol.europa.eu>
Dear AG members,
As you are no doubt aware, we are currently experiencing an unprecedented ransomware attack at a global scale. The malware was detected on 12 May 2017 and has the capability to spread across networks taking advantage of a critical exploit in a popular communication protocol used by Windows systems.
Many of you have already reached out and are actively involved in containing this threat. However, since we believe that the infection and propagation rate may go up on Monday when people return to their workplaces, we would like to ask you to please help us distribute information that can help contain this threat. To this end, we have compiled a list of recommendations and also prepared an infographic (see attachment). Please feel free to use this information for reaching out to your network and to complement your advice, if and where useful.
Also, the No More Ransom (NMR) initiative, actively supported by many of you already, remains an essential source of information. Together with you and other partners, we will continue to update the information available via the NMR portal, so it is important to watch this space as well.
If you want to share any other prevention, protection or awareness information with us, please do not hesitate to contact us.
Thank you again for your continued support.
Kind regards, EC3 Outreach & Support
--------------------------------
If you are a victim or have reason to believe that you could be a victim
This link provides some practical advice on how to contain the propagation of this type of ransomware: https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance
The most important step involves patching the Microsoft vulnerability (MS17-010): https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
A patch for legacy platforms is available here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
In instances where it is not possible to install the patch, managing the vulnerability becomes key. One way of doing this would be to disable the SMBv1 (Server Message Block) protocol: https://support.microsoft.com/en-us/help/2696547 and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445].
Another step would be to update endpoint security and AV solutions with the relevant hashes of the ransomware (e.g. via VirusTotal).
If these steps are not possible, not starting up and/or shutting down vulnerable systems can also prevent the propagation of this threat.
How to prevent a ransomware attack?
- Back-up! Back-up! Back-up! Have a backup and recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create at least two back-up copies on a regular basis: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one stored locally (portable hard drive, thumb drive, etc.). Disconnect these when you are done and store them separately from your computer. Your back-up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.
- Use robust antivirus software to protect your system from ransomware. Always use the latest virus definition/database and do not switch off the ‘heuristic’ functions, as these help the solution to catch samples of ransomware (and other types of malware) that have not yet been formally detected.
- Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. If the software you use offers the option of automatic updating, enable it.
- Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner (https://blog.kaspersky.com/teslacrypt-20-ransomware/9314/). Never open attachments in emails from someone you don’t know. Similarly, don’t open attachments in emails from somebody you know but from whom you would not expect to receive such a message. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking on a malicious link and releasing the malware into their system. If in doubt, call the sender at a trusted phone number to confirm the legitimacy of the message received.
- Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.com’, ‘.vbs’ or ‘.scr’. Cybercriminals can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or report.doc.scr).
- If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading.
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
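The host-level containment steps in the forwarded advisory (SMBv1 disabled as per KB2696547, the four SMB/NetBIOS ports blocked inbound, ‘Show file extensions’ enabled, and a look for double-extension files such as report.doc.scr) gathered into one PowerShell audit script. This is an added example, not part of Europol's message or of the thread. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration and the NetSecurity firewall cmdlets exist, and it treats the HideFileExt value under Explorer\Advanced as the ‘Show file extensions’ setting; the -Remediate switch and the function names are this example's own.

```powershell
# Added example, not part of the Europol advisory or the RIPE thread.
# Audits the host against the containment steps listed in the advisory
# and applies them only when -Remediate is given. Assumes an elevated
# session on Windows 8 / Server 2012 or later.
[CmdletBinding()]
param([switch]$Remediate)

# Ports named in the advisory: NetBIOS name/datagram, NetBIOS session, direct SMB.
$SmbPorts = @(
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 138 },
    @{ Protocol = 'TCP'; Port = 139 },
    @{ Protocol = 'TCP'; Port = 445 }
)
# Explorer's "Hide extensions for known file types" setting (per user).
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-Smb1Enabled {
    # SMBv1 server state as reported by the SMB server configuration.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Test-InboundBlockRule {
    # True if an enabled inbound block rule exists for exactly this protocol/port.
    param([string]$Protocol, [int]$Port)
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq $Protocol -and (@($filter.LocalPort) -contains "$Port")) {
            return $true
        }
    }
    return $false
}

function Test-ExtensionsVisible {
    $v = (Get-ItemProperty -Path $ExplorerKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($v -eq 0)
}

function Find-DisguisedFile {
    # Files whose visible name ends in a document/media extension but whose real
    # extension is executable (the report.doc.scr pattern from the advisory).
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    $risky = '.exe', '.com', '.vbs', '.scr'
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $risky -contains $_.Extension.ToLower() -and [IO.Path]::GetExtension($_.BaseName) } |
        Select-Object FullName, Length, LastWriteTime
}

# ---- audit (read-only) ----
$report = [ordered]@{}
$report['SMBv1 server disabled'] = -not (Test-Smb1Enabled)
foreach ($p in $SmbPorts) {
    $report["Inbound $($p.Protocol)/$($p.Port) blocked"] = Test-InboundBlockRule @p
}
$report['File extensions shown'] = Test-ExtensionsVisible
$report.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
Find-DisguisedFile | ForEach-Object { "Double-extension executable: $($_.FullName)" }

# ---- remediation (only with -Remediate) ----
if ($Remediate) {
    if (Test-Smb1Enabled) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    foreach ($p in $SmbPorts) {
        if (-not (Test-InboundBlockRule @p)) {
            New-NetFirewallRule -DisplayName "Block inbound $($p.Protocol)/$($p.Port) (SMB containment)" `
                -Direction Inbound -Protocol $p.Protocol -LocalPort $p.Port -Action Block | Out-Null
        }
    }
    if (-not (Test-ExtensionsVisible)) {
        Set-ItemProperty -Path $ExplorerKey -Name HideFileExt -Value 0 -Type DWord
    }
}
```

Run it without arguments to get a line per control marked OK or MISSING; add -Remediate to apply the missing ones. Blocking inbound TCP/445 on a host stops that host serving file shares, which is the intended effect on a workstation but needs thought on a file server. The script deliberately does not check for the MS17-010 update itself, because the KB number differs per Windows version and the advisory lists only the bulletin.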
Thanks Richard for distributing this.

However I am sure everybody else on this list had already checked their favourite sources of information well before this was sent out. Europol has to be much faster.

“a critical exploit in a popular communication protocol used by Windows systems”? OK again people here know what was going on: it was not the protocol but the implementation. If Europol is going to address the wider public then they have to use simpler, cleaner language.

Anyway what Europol omits to even hint at is that this bit of poor programming from Microsoft was known to certain government agencies from way back. And they tried to keep it secret so they could use it themselves?

We need a better discussion about this. Access providers are being asked to carry out user surveillance / logging on behalf of LEAs. Meanwhile the IETF is encouraging encryption while government ministers are trying to discourage encryption. Meanwhile governments know where common systems are vulnerable and yet neither tell the public nor protect the public.

Gordon
On 15 May 2017, at 07:57, Richard Leaning <rleaning@ripe.net> wrote:
Dear Colleagues,
The European cybercrime centre at Europol have asked us to circulate the below. I hope you find it useful and please forward it on to anyone who you may think will benefit from it.
Kind regards
Richard Leaning External Relations RIPE NCC
///snip
The main route of attack is by SPAM. Why is no one doing something effective against SPAM?

On Monday 15 May 2017 13.59, Gordon Lennox wrote:
Thanks Richard for distributing this.
However I am sure everybody else on this list had already checked their favourite sources of information well before this was sent out. Europol has to be much faster.
“a critical exploit in a popular communication protocol used by Windows systems”? OK again people here know what was going on: it was not the protocol but the implementation. If Europol is going to address the wider public then they have to use simpler, cleaner language.
Anyway what Europol omits to even hint at is that this bit of poor programming from Microsoft was known to certain government agencies from way back. And they tried to keep it secret so they could use it themselves?
We need a better discussion about this. Access providers are being asked to carry out user surveillance / logging on behalf of LEAs. Meanwhile the IETF is encouraging encryption while government ministers are trying to discourage encryption. Meanwhile governments know where common systems are vulnerable and yet neither tell the public nor protect the public.
Gordon
On 15 May 2017, at 07:57, Richard Leaning <rleaning@ripe.net> wrote:
Dear Colleagues,
The European cybercrime centre at Europol have asked us to circulate the below. I hope you find it useful and please forward it on to anyone who you may think will benefit from it.
Kind regards
Richard Leaning External Relations RIPE NCC
///snip
-- Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( It is cheaper to do it right. It is expensive to fix mistakes. )
On 15/05/17, 6:38 PM, "anti-abuse-wg on behalf of peter h" <anti-abuse-wg-bounces@ripe.net on behalf of peter@hk.ipsec.se> wrote:
The main route of attack is by SPAM. Why is no one doing something effective against SPAM?
I thought the fine people here weren’t the internet police? :) Or so quite a few folks get assured when anything effective against spam gets discussed. More seriously, spam isn’t more than an initial vector. It then appears to spread via open windows shares, to other unpatched machines. There are a wide variety of takedown and mitigation actions possible here – sinkholing c2 domains, cleaning up infected machines on people’s networks, locking down firewall ACLs to prevent this from spreading unchecked etc. --srs
On Mon, May 15, 2017 at 2:08 PM, peter h <peter@hk.ipsec.se> wrote:
The main route of attack is by SPAM.
Why is no one doing something effective against SPAM?
To date there has been no evidence that email was the vector. https://twitter.com/GossiTheDog/status/864175313319809027
On Mon, 15 May 2017 18:52:18 +0100 Gareth Llewellyn <gareth@networksaremadeofstring.co.uk> wrote:
On Mon, May 15, 2017 at 2:08 PM, peter h <peter@hk.ipsec.se> wrote:
The main route of attack is by SPAM. Why is noone doing something effective against SPAM ?
To date there has been no evidence that email was the vector.
exactly.

WannaCry: Advice to consumers should place a lot more focus on Web Browsers (than on email - although email transports links, sometimes the payload, etc as well - this is well known... What is not known is that the consumers' favorite PORN website also installs 'monitor ware'...)

Regarding Spam: Spam is becoming much more professional. Spammers now have:
* registered companies,
* advanced "policies" (claims of opt-in marketing only)
* far greater technical focus on compliance ("standards" which they set and enforce themselves)
* "professional organizations" and associations/bodies providing "legitimacy" and group harassment of victims (or spamtraps or block lists)
* when applying for removal from block lists, always claims shared hosting and issues have been resolved, over and over and over.
* the sending of bulk (UBE) from the same IP number as legit user emails or allowing hosting users to send bulk (like mailchannels.com)
* and a lot more...

**********************************************************************************
Spammers have DKIM and SPF and in fact advanced email headers, so much so that legit email is not even as legit as SPAM! (in a technical sense)
**********************************************************************************

The simple and salient fact is that email is a communications tool and not a marketing tool. Yes, email can be used for communicating marketing but not for marketing communication. Until that becomes firmly entrenched there will always be a spam problem.

On a side note: Since the focus on sender reputation and not on spam itself, actual spam levels and user complaints are much lower. But, using a single source for reputation is still a unicorn, closest is SORBS, if you are listed on SORBS it means that you have sent spam and you are non responsive to complaints and/or are a habitual spammer sender. Simple.

some thoughts...
Andre
In message , ox <andre@ox.co.za> writes
WannaCry: Advice to consumers should place a lot more focus on Web Browsers (than on email - although email transports links, sometimes the payload, etc as well - this is well known...- What is not known is that the consumers favorite PORN website also installs 'monitor ware'...)
by all means proffer advice to consumers ... but Wannacry spreads entirely over the network (sending traffic to open tcp/445 ports to exploit CVE-2017-0145) <http://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-012.pdf>

No-one (and a lot of folk have been looking very hard) has found any examples of it being spread by email. Early reports suggested this was the initial vector, but they were just guessing -- and the large amount of Jaff being sent at the end of last week added to the confusion.

So linking advice about email or web browsers to Wannacry just invites laughing and pointing :(

- --
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
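Richard's point that WannaCry spreads over the network to open tcp/445 ports, rather than by email, suggests what a network defender should look for: one internal host opening SMB connections to many different peers in a short time. The following PowerShell function, added here as an example and not from anyone in the thread, flags that fan-out pattern in flow records. It assumes a minimal constructed CSV shape (timestamp,src,dst,dport,proto); the threshold of 20 peers per 60 seconds and the sample data are this example's own choices, not figures from the page.

```powershell
# Added example, not from the thread: flag internal hosts that contact many
# distinct peers on tcp/445 within a short window, the traffic shape of a host
# spreading over SMB. Flow record format is constructed for this example:
#   timestamp,src,dst,dport,proto
function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$FlowLines,
        [int]$MinPeers = 20,        # distinct destinations that trigger an alert (illustrative)
        [int]$WindowSeconds = 60    # sliding window length (illustrative)
    )
    $flows = $FlowLines |
        ConvertFrom-Csv -Header Timestamp, Src, Dst, DPort, Proto |
        Where-Object { $_.DPort -eq '445' -and $_.Proto -eq 'TCP' }

    foreach ($group in ($flows | Group-Object -Property Src)) {
        # Events for one source, in time order.
        $events = @($group.Group | Sort-Object { [datetime]$_.Timestamp })
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = [datetime]$events[$i].Timestamp
            $peers = @{}
            # Collect distinct destinations inside the window that starts at event i.
            for ($j = $i; $j -lt $events.Count; $j++) {
                if (([datetime]$events[$j].Timestamp - $start).TotalSeconds -gt $WindowSeconds) { break }
                $peers[$events[$j].Dst] = $true
            }
            if ($peers.Count -ge $MinPeers) {
                [pscustomobject]@{
                    Source     = $group.Name
                    Peers      = $peers.Count
                    WindowFrom = $start
                    Reason     = "$($peers.Count) distinct SMB peers within $WindowSeconds s"
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

# Constructed sample: one workstation talking to its single file server (benign),
# and one host touching 25 different peers on tcp/445 in 25 seconds (suspicious).
$SampleFlows = @(
    '2017-05-12T10:00:05Z,10.1.1.30,10.1.1.5,445,TCP'
    '2017-05-12T10:00:09Z,10.1.1.30,10.1.1.5,445,TCP'
    '2017-05-12T10:01:00Z,10.1.1.30,10.1.1.5,139,TCP'
) + (1..25 | ForEach-Object {
    '2017-05-12T10:00:{0:D2}Z,10.1.1.20,10.1.1.{1},445,TCP' -f $_, (100 + $_)
})

Find-SmbFanOut -FlowLines $SampleFlows | Format-Table -AutoSize
```

On the sample data only 10.1.1.20 is reported; the workstation that repeatedly reaches one file server stays quiet because the rule counts distinct peers, not connection volume. Against real data, feed the function lines exported from a flow collector or firewall log in the same five-column shape, and tune MinPeers to the normal fan-out of your file-server population before treating hits as incidents.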
On Wed, 17 May 2017 12:43:21 +0100 Richard Clayton <richard@highwayman.com> wrote:
WannaCry: Advice to consumers should place a lot more focus on Web Browsers (than on email - although email transports links, sometimes the payload, etc as well - this is well known... What is not known is that the consumers' favorite PORN website also installs 'monitor ware'...)

by all means proffer advice to consumers ... but Wannacry spreads entirely over the network (sending traffic to open tcp/445 ports to exploit CVE-2017-0145) <http://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-012.pdf> No-one (and a lot of folk have been looking very hard) has found any examples of it being spread by email. Early reports suggested this was the initial vector, but they were just guessing -- and the large amount of Jaff being sent at the end of last week added to the confusion. So linking advice about email or web browsers to Wannacry just invites laughing and pointing :(
linking advice about web browsers & email to ransom ware is a good thing, it serves to oppress FUD and it serves to reduce anxiety and as the same advice is usually accompanied by 'install updates' - the media attention span is a few seconds long.

Simply saying, the truth: That Microsoft & Apple clients are hostages. means nothing to anyone. Similarly, saying that people are addicted to twitter, facebook, google, snap, etc. also means nothing.

I'm just getting lost. Truth or not. You do know that we are in 'post truth' now? Maybe remind the laughing and pointy peeps that it is a hearts and minds thing and not about what is true or factual.

****************************************************************************
In truth the EU should outlaw social media as the body reaction to social media is exactly the same as that of a gambling addict.
****************************************************************************

Does the truth and actual facts matter? - No, of course not and there is no way that the public will accept or even think about regulating access to social media websites and apps :)

I guess it is a bit like the terminology 'hacker': the media & hollywood simply took the term and did with it as they please.

With regard to WannaCry - where there is nothing a consumer can actually do when they have been infected and in general people are very ignorant about what actually harms them (like social media for example: One can actually argue that social media is abuse of the Internet?) Best is to do some general education and be opportunistic about getting your own agenda out :)

2c
Andre
Gordon

100% agree with you on all points.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

On 15/05/2017, 12:59, "cooperation-wg on behalf of Gordon Lennox" <cooperation-wg-bounces@ripe.net on behalf of gordon.lennox.13@gmail.com> wrote:

Thanks Richard for distributing this.

However I am sure everybody else on this list had already checked their favourite sources of information well before this was sent out. Europol has to be much faster.

“a critical exploit in a popular communication protocol used by Windows systems”? OK again people here know what was going on: it was not the protocol but the implementation. If Europol is going to address the wider public then they have to use simpler, cleaner language.

Anyway what Europol omits to even hint at is that this bit of poor programming from Microsoft was known to certain government agencies from way back. And they tried to keep it secret so they could use it themselves?

We need a better discussion about this. Access providers are being asked to carry out user surveillance / logging on behalf of LEAs. Meanwhile the IETF is encouraging encryption while government ministers are trying to discourage encryption. Meanwhile governments know where common systems are vulnerable and yet neither tell the public nor protect the public.

Gordon

> On 15 May 2017, at 07:57, Richard Leaning <rleaning@ripe.net> wrote:
>
> Dear Colleagues,
>
> The European cybercrime centre at Europol have asked us to circulate the below. I hope you find it useful and please forward it on to anyone who you may think will benefit from it.
>
> Kind regards
>
> Richard Leaning
> External Relations
> RIPE NCC
>
>
> ///snip
participants (8)
- Gareth Llewellyn
- Gordon Lennox
- Michele Neylon - Blacknight
- ox
- peter h
- Richard Clayton
- Richard Leaning
- Suresh Ramasubramanian