
Title: All about WannaCry and Jaff Ransomware

Author: samiux    Time: 2017-5-14 01:35     Title: All about WannaCry and Jaff Ransomware

This post was last edited by samiux on 2017-5-16 18:23

To all sysadmins and Windows users,

Talos has conducted research on the WannaCry ransomware, and there are some hints for preventing the attack even if your system is already infected with the malware.

Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Meanwhile, there is another ransomware namely, Jaff which is also in the wild.

Jaff Ransomware: Player 2 Has Entered The Game

Please read the above links carefully if you have Windows boxes in your network.

Hope this may help.

Samiux

Update news about WannaCry on 2017-05-14 :

It's Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'

Update about WannaCry Variants on 2017-5-15 :

The latest news about WannaCry in Hong Kong yesterday night, advising you to disconnect your systems from the internet, is in question.

Beware that when your systems are already infected with WannaCry or its variants, you should allow the systems to connect to the internet in order to communicate with the kill-switches that were registered by the Infosec Researchers.  When your infected systems can communicate with the kill-switch domains, the malware will quit and the encryption will stop.

Update about WannaCry on 2017-05-15 Part 2 :

It seems WannaCry and its variants are under control.  Thanks to the 2 outstanding Infosec Researchers who discovered the hidden domains and registered the kill-switch domains, and who allow all users in the world to connect to them in order to sinkhole it.  Thanks again. :D

When your system or network can access the following 2 domains (at the moment), the malware will quit and will not encrypt your box.  They are:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

or

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If your system cannot access the internet, you can create a website internally and allow port 80 to be accessed on the said domains.

By the way, even if your systems and network do not seem to be affected, make sure to update your systems with Microsoft patches.

Update about WannaCry on 2017-05-16 :

The third sinkhole domain is :

ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com

or

www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com

Make sure the above said 3 domains are not being blocked.

Update Reason :
- Update News of WannaCry
Author: mmaurice    Time: 2017-5-14 02:04

Reply to 1# samiux

A Linux board talking purely about Windows?

What's the reason?

EPC has a separate security board.

via HKEPC Reader for Android
Author: volospin    Time: 2017-5-14 08:46

Reply to samiux
A Linux board talking purely about Windows?
What's the reason?
EPC has a separate security board.
via HKEPC Reader for Android ...
mmaurice posted on 2017-5-14 02:04


I only see it is talking about ransomware.
And nobody can guarantee it will not happen to Linux.

I think this ransomware is worth spreading the news about.
Author: twaiho2003    Time: 2017-5-14 09:19

It is triggered with a docm, so from now on only open docx, xlsx and pptx.
This is what they call "an old trick is fine, what matters is that it works".

But spreading inside the LAN is really something new.
Author: mmaurice    Time: 2017-5-14 13:08

Reply to 3# volospin

Well, a Linux machine won't work without a power supply.

Shall we talk about power supplies then? Power supplies are very important.

via HKEPC Reader for Android
Author: samiux    Time: 2017-5-14 13:57

Reply to volospin

Well, a Linux machine won't work without a power supply.

Shall we talk about power supplies then? Power supplies are very important.

via HKEPC Reader for Android ...
mmaurice posted on 2017-5-14 13:08


@mmaurice,

Generally speaking, a Linux sysadmin may maintain a network with a lot of different kinds of operating systems, such as Linux, macOS and Windows as well as *BSD.  Even Android and iOS may be included too.

Therefore, handling malware attacks for macOS and Windows is also a job for a Linux sysadmin.

Maybe you are a single user of a Linux system and do not understand the job description of a Linux sysadmin.

In my opinion, anyone should know this kind of information for keeping their network/systems safe and healthy.

Samiux
Author: samiux    Time: 2017-5-14 15:27

Update news about WannaCry :

It's Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'

Samiux
Author: volospin    Time: 2017-5-14 15:44

Reply to volospin
Well, a Linux machine won't work without a power supply.
Shall we talk about power supplies then? Power supplies are very important.
via HKEPC Reader for Android ...
mmaurice posted on 2017-5-14 13:08


Sorry, I do not understand what you are talking about.
Author: mmaurice    Time: 2017-5-14 16:37

Sorry, I do not understand what you are talking about.
volospin posted on 2017-5-14 15:44



    Anything IMPORTANT, not == it is related to linux.


Linux board should ONLY allow talking of Linux solely.

If any topic is off topic, admin should MOVE to relevant board instead.

WTF did wannacry have to do with LINUX?
Author: mmaurice    Time: 2017-5-14 16:37

Sorry, I do not understand what you are talking about.
volospin posted on 2017-5-14 15:44




There is another board about security,

the wannacry post should normally be moved there.

That's it.
Author: mmaurice    Time: 2017-5-14 16:40

@mmaurice,

Generally speaking, a Linux sysadmin may maintain a network with a lot of different  ...
samiux posted on 2017-5-14 13:57



    If anything I found relevant,

is that I have bought a new Redmi Note 3 kenzo


running MIUI 8 with update == no NTFS.

running CM13 == NO more update (suck if wannacry happen in android)

running CM14 == NO exposed framework, no xprivacy == suck too.


everything sucks.

would glad if anyone can help.

my current solution is don't trust android.

rely on air-gapped windows/linux




You can't prop dirt up onto a wall.
Author: mmaurice    Time: 2017-5-14 16:43

@mmaurice,

Generally speaking, a Linux sysadmin may maintain a network with a lot of different  ...
samiux posted on 2017-5-14 13:57



    a linux admin has to deal with power supply failure,

so power supply failure is discussed here too?
Author: samiux    Time: 2017-5-14 16:48

a linux admin has to deal with power supply failure,

so power supply failure is discussed here too? ...
mmaurice posted on 2017-5-14 16:43


In my opinion, you can open a new thread instead of continuing to post in this thread about power supplies.  If a power supply failure is a kind of matter/interest to discuss, you can also discuss broken brains in this sub-forum too.

Samiux
Author: samiux    Time: 2017-5-14 16:53

If anything I found relevant,

is that I have bought a new Redmi Note 3 kenzo


running MIUI 8 wi ...
mmaurice posted on 2017-5-14 16:40


It is interesting how come a "Linux expert" is acting like a mentally retarded person?  It should be another topic to discuss in this sub-forum in the near future.

Samiux
Author: mmaurice    Time: 2017-5-14 16:56

This post was last edited by mmaurice on 2017-5-14 17:01
It is interesting how come a "Linux expert" is acting like a mentally retarded person?  It should be a ...
samiux posted on 2017-5-14 16:53



    who the hell is a linux expert?

I am a social hobby computer user only.

IT is not my profession.





Let's see who the major shareholder is first.


Author: samiux    Time: 2017-5-14 16:59

who the hell is a linux expert?

I am a social hobby computer user only.

IT is not my profes ...
mmaurice posted on 2017-5-14 16:56


Aha, I think you should stand aside and see what we are talking about in IT/Infosec.  By the way, I think there is no such thing as a "social hobby computer user" in the world.  I think you are talking about a casual computer user or noob?  :)

Samiux
Author: mmaurice    Time: 2017-5-14 17:02

This post was last edited by mmaurice on 2017-5-14 17:03
Aha, I think you should stand aside and see what we are talking about in IT/Infosec.  By the way,  ...
samiux posted on 2017-5-14 16:59



    ok, u mean linux is only for IT x......


Author: samiux    Time: 2017-5-14 17:10

This post was last edited by samiux on 2017-5-14 17:12
ok, u mean linux is only for IT x......
mmaurice posted on 2017-5-14 17:02



Where is the information you quoted about Linux users' behaviour from?  Any bias?

By the way, the key rings are very interesting.  I know that it is what the IT guys in Hong Kong call themselves.  I think those who call themselves that are in the lowest rank of the IT field.  In addition, the IT field covers a lot of matters indeed.  Infosec is one of the job titles in the IT field.

Samiux

Update reason :
- fix typo
Author: gdh    Time: 2017-5-14 17:50

#15
Outside of work, most of my computer time is spent browsing the web; Linux has no problems at all.
In fact ......
Author: bongbong3481    Time: 2017-5-14 20:22

Reply to 19# gdh

I also spend most of my time browsing the web (using Linux Ubuntu).
Author: samiux    Time: 2017-5-15 06:59

This post was last edited by samiux on 2017-5-15 07:00

The latest news about WannaCry in Hong Kong yesterday night, advising you to disconnect your systems from the internet, is in question.

Beware that when your systems are already infected with WannaCry or its variants, you should allow the systems to connect to the internet in order to communicate with the kill-switches that were registered by the Infosec Researchers.  When your infected systems can communicate with the kill-switch domains, the malware will quit and the encryption will stop.

Update reason :
- fix typo
Author: samiux    Time: 2017-5-15 15:22

This post was last edited by samiux on 2017-5-15 15:33

It seems WannaCry and its variants are under control.  Thanks to the 2 outstanding Infosec Researchers who discovered the hidden domains and registered the kill-switch domains, and who allow all users in the world to connect to them in order to sinkhole it.  Thanks again. :D

When your system or network can access the following 2 domains (at the moment), the malware will quit and will not encrypt your box.  They are:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

or

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If your system cannot access the internet, you can create a website internally and allow port 80 to be accessed on the said domains.

By the way, even if your systems and network do not seem to be affected, make sure to update your systems with Microsoft patches.

Samiux

Update reason :
- typo fixes
Author: samiux    Time: 2017-5-16 18:23

The third sinkhole domain is :

ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com

or

www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com

Make sure the above said 3 domains are not being blocked.

Samiux
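The following Python is an added example, not code from this thread, from Talos, or from the researchers who registered the domains. It serves both the 2017-5-15 update ("when your system or network can access the following 2 domains ... the malware will quit") and the 2017-5-16 post above ("make sure the above said 3 domains are not being blocked"): it checks that each of the three domains quoted in the thread resolves and answers an HTTP request on port 80, and it includes a throwaway responder for the "create a website internally" approach the thread suggests for boxes without internet access. The use of `socket.gethostbyname`, the port-80 `GET` as the reachability test, and the `http.server` responder standing in for the internal website are assumptions of this example, not details from the thread.

```python
"""Added example: audit reachability of the WannaCry kill-switch domains
quoted in the thread, plus a minimal internal sinkhole responder.

Assumptions (not from the thread): gethostbyname for DNS, an HTTP GET on
port 80 as the reachability test, and http.server as the internal website."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The three kill-switch / sinkhole domains quoted in the thread.
KILL_SWITCH_DOMAINS = [
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
]


def check_kill_switch(domain, resolve=socket.gethostbyname, port=80, timeout=5.0):
    """Return (domain, ip, reachable, detail).

    reachable is True only when the name resolves AND an HTTP request to
    that address on `port` gets an HTTP response: a blocked DNS name or a
    filtered port 80 both leave the kill switch unreachable."""
    try:
        ip = resolve(domain)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return (domain, None, False, f"DNS failed: {exc}")
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # Send the Host header so a name-based internal vhost also answers.
        conn.request("GET", "/", headers={"Host": domain})
        resp = conn.getresponse()
        return (domain, ip, True, f"HTTP {resp.status}")
    except (OSError, http.client.HTTPException) as exc:
        return (domain, ip, False, f"port {port} unreachable: {exc}")
    finally:
        conn.close()


def audit(domains=KILL_SWITCH_DOMAINS, **kwargs):
    """Check every domain; returns one result tuple per domain."""
    return [check_kill_switch(d, **kwargs) for d in domains]


def all_reachable(results):
    """True when no domain in the audit is blocked."""
    return all(reachable for _, _, reachable, _ in results)


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answer every GET with 200 so the kill-switch lookup succeeds."""

    def do_GET(self):
        body = b"sinkhole\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # silence per-request logging
        return


def start_sinkhole(host="0.0.0.0", port=80):
    """Serve the sinkhole in a daemon thread; returns (server, bound_port).

    Point internal DNS (or hosts files) for the three domains at this host."""
    server = HTTPServer((host, port), SinkholeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for domain, ip, ok, detail in audit():
        print(f"{'OK     ' if ok else 'BLOCKED'} {domain} -> {ip} ({detail})")
```

Run the audit from a client on each network segment; a `BLOCKED` line for any of the three names means a DNS filter or a port-80 rule is standing between infected hosts and the kill switch. For an isolated network, run `start_sinkhole()` on a host that internal DNS maps the three names to, then re-run the audit from a client to confirm the mapping and the port are both in place.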


Welcome to HKEPC Hardware (https://h1.hkepc.com/forum/) Powered by Discuz! 7.2