WannaCrypt Ransomware

hippy

Technical Support
Staff member
Microsoft (KB4012598) have taken the step of releasing a security update for older systems: Windows XP, Windows Vista, Windows 8, Windows Server 2003 and 2008, and Windows XP Embedded.

We can't personally vouch for the effectiveness of any update or patch but these should protect against the SMB exploit revealed in the recent NSA code dump which is suspected of being used in the ongoing ransomware attack -

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

As may be imagined, the Microsoft site is currently a little slow to respond. We recommend getting the update direct from an official Microsoft source, avoid others claiming to be mirroring that.

This Microsoft blog post has more details and links and also seems more responsive for downloading the updates from, a little clearer in which patch to actually install for a particular system -

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

Hopefully none of our PICAXE users have been victims of the latest attack. It is a timely reminder to always keep recoverable backups, especially of source code, license and registration files. We would also recommend taking a backup before installing any update or patch.
 

ZOR

Senior Member
Thanks hippy. I still run Windows 7 on one of my PCs, just did an update with MS, don't know if that included any patches, as someone mentioned during the NHS problems that Windows XP, 7, and 8 could be at risk. I stopped getting updates for Windows 7 a while ago as I kept getting the unwanted Windows 10 icon. After updating today it has not returned. Regards
 

rq3

Senior Member
Microsoft (KB4012598) have taken the step of releasing a security update for older systems: Windows XP, Windows Vista, Windows 8, Windows Server 2003 and 2008, and Windows XP Embedded.

We can't personally vouch for the effectiveness of any update or patch but these should protect against the SMB exploit revealed in the recent NSA code dump which is suspected of being used in the ongoing ransomware attack -

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

As may be imagined, the Microsoft site is currently a little slow to respond. We recommend getting the update direct from an official Microsoft source, avoid others claiming to be mirroring that.

This Microsoft blog post has more details and links and also seems more responsive for downloading the updates from, a little clearer in which patch to actually install for a particular system -

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

Hopefully none of our PICAXE users have been victims of the latest attack. It is a timely reminder to always keep recoverable backups, especially of source code, license and registration files. We would also recommend taking a backup before installing any update or patch.
Hippy, I really want to give you kudos. Your post a few days ago on this subject was the first I had heard of it, and I immediately used your links to update my machine, since Microsoft apparently doesn't have the outreach ability that you do, despite the cost of their products. Microsoft has since realized that many systems have not updated to their latest operating systems, and they have provided a patch as you pointed out. Whether the patch "updates" your system so that Microsoft can track as severely as Windows 10 is capable of remains to be seen. My own port sniffers are clean so far.

Most of my machines are multi-boot, some even back to DOS 6.2 for batch processing, and are multi-backed-up across operating systems and hard drives for critical data files. But. If it hadn't been for your alert, I would not have been aware of this threat as early as I was. Many thanks!

For those who care, the malware under discussion is (currently) limited to port 455, so a do-it-yourself solution would involve blocking that port. But don't count on it!

On a political note, and completely off topic, it appears that this little gem escaped from the United States NSA (National Security Agency). Thanks guys, I'll sleep better tonight.

srnet

Senior Member
Microsoft has since realized that many systems have not updated to their latest operating systems, and they have provided a patch as you pointed out.
Microsoft will have a very good idea that a lot of people will not have updated their operating systems, but there is little they can do to force users to do so.

The only Windows system that previously had no patch for this recent problem was Windows XP. All the rest would have been covered already, had computers been allowed to receive regular updates as the patches were part of the March release.
 

eggdweather

Senior Member
The latest news says this was a targeted attack as no home users have reported (world wide) that they have been affected. Nonetheless worth applying the patches. I noticed that MS issued a Windows 10 patch the next day too.
 

Jeremy Harris

Senior Member
Looking at the exploit it uses, and the self-propagating nature of it, it cannot have been targeted, as such. It just so happens that by utilising the zero-day vulnerability in SMB1 this malware is massively more effective in a large networked environment than on a home PC.

As an example, if a home PC user clicks on a malware link then their machine, plus any vulnerable machine on their home LAN, is very likely to be infected. However, that's where things would stop, as the malware couldn't spread to another machine/network without someone else clicking on a link when they shouldn't have. In a corporate environment, with a large network, then one single user clicking on a malware link will cause their entire LAN to become infected, because of the way this particular malware utilises the flaw in SMB1 to enable it to behave like a worm that can transmit itself across an entire network, infecting every vulnerable machine.
 

srnet

Senior Member
I noticed that MS issued a Windows 10 patch the next day too.
Microsoft did put separate patches out for this particular issue on one web page so it was easier for people to find them, but the issue had been addressed in March for OSs apart from XP.

Certainly when I went into work on Monday morning the 5000+ PCs and 500+ servers we look after did not need any attention. They were a mixture of Windows Vista, 7, 8, 10, Server 2003, Server 2008 and Server 2012. The exception was the few remaining XP stragglers.
 

hippy

Technical Support
Staff member
It is not entirely clear which Windows OSs should be getting security updates; unless they are beyond their end-of-extended-support dates, they should be getting those. We are still receiving security patches on Windows 7 Pro on a regular basis, but if Windows Update Services have been turned off they may be missed.

It is also not entirely clear how the attack enters a system. The exploit involves SMB and the attack is through a port which is used to provide for file sharing and similar. This port will normally be blocked from the public internet but once malware or ransomware has entered a local network it is easier to spread within it.

This probably explains why large organisations appear to have been mostly affected because there are more potential access points and, once infected, there is a larger local network to attack. It should be noted however, that with respect to some NHS services and similar, wider disruption can be caused through simple inability to access services which have had their plug pulled out of caution rather than being infected or attacked.

The SMB flaw seems to be a bug which was revealed to Microsoft in April, patched soon after, and deployed to those who had Windows Update enabled on systems which are still supported. It appears the NSA had been using this flaw and tools they had developed to exploit the flaw were revealed in a code dump of stolen material. That flaw was then used by the latest ransomware writers for their own purposes.
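The post above turns on three things a Windows owner can check for themselves: whether SMB1 is still enabled, whether Windows Update is actually running, and whether the patch hippy linked (KB4012598) is present. The following read-only PowerShell script is an added example, not something posted in this thread or published by Microsoft. It assumes an elevated PowerShell session, that `Get-SmbServerConfiguration` is available on Windows 8 / Server 2012 and later (older systems fall back to the LanmanServer registry value), and that the KB number only applies to the older systems listed in the first post; supported systems got the fix in their regular March updates under different KB numbers that this script does not know about.

```powershell
# Added example (not from the forum thread): read-only exposure check for the
# SMB1 issue discussed above. Run from an elevated PowerShell prompt.
# ASSUMPTIONS: Get-SmbServerConfiguration exists on Windows 8 / Server 2012+;
# KB4012598 is the correct KB only for XP/Vista/8/Server 2003/Server 2008.

function Get-Smb1Status {
    # Returns $true if the SMB1 server protocol appears to be enabled.
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd) {
        # Windows 8 / Server 2012 and newer expose the SMB1 switch directly.
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: SMB1 is on unless the LanmanServer "SMB1" value is 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Test-Smb445Listening {
    # Uses netstat so it works on systems without Get-NetTCPConnection.
    $lines = netstat -an | Select-String -Pattern ':445\s' -SimpleMatch:$false
    return [bool]($lines | Where-Object { $_ -match 'LISTENING' })
}

function Get-WannaCryptExposureReport {
    # Gathers the three facts the thread discusses into one object.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled          = Get-Smb1Status
        Smb445Listening      = Test-Smb445Listening
        WindowsUpdateService = if ($wu) { [string]$wu.Status } else { 'NotFound' }
        KB4012598Installed   = [bool](Get-HotFix -Id KB4012598 -ErrorAction SilentlyContinue)
    }
}

$report = Get-WannaCryptExposureReport
$report | Format-List

# Plain-language interpretation of the result.
if ($report.Smb1Enabled) {
    Write-Warning 'SMB1 is enabled. If it is not needed, disable it; in any case make sure the March security update (or KB4012598 on older systems) is installed.'
}
if ($report.WindowsUpdateService -ne 'Running') {
    Write-Warning 'The Windows Update service is not running, so security patches may have been missed.'
}
if (-not $report.KB4012598Installed) {
    Write-Output 'KB4012598 not found. This is expected on supported systems, which received the fix under a different KB number in March; on XP/Vista/8/2003/2008 it means the patch still needs installing.'
}
```

The script only reads state and prints warnings; it does not change any setting. Disabling SMB1 itself, or installing the patch, is deliberately left to the owner, since the thread rightly notes that blocking file sharing outright breaks things on a network that depends on it.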
 

hippy

Technical Support
Staff member
No, not me. My Linux computers didn't even shiver.

[smug emoji goes here]
All systems have as much risk of infection or being co-opted to spread malware and ransomware as any other system if there is an unpatched flaw which allows that.
 

Jeremy Harris

Senior Member
Except this particular malware utilises a very specific, Microsoft only, vulnerability in their implementation of SMB1. This code does not exist on non-Microsoft operating systems, so the malware cannot propagate.

The flaw is in a very old (around 20 years or so) bit of code that handles an early variant of Microsoft's implementation of the Server Message Block protocol. Non-Microsoft operating systems do not use this bit of code, as it's specific to Microsoft SMB1. There is a Microsoft file system compatibility application, Samba, that simulates SMB (all variants) to allow seamless file transfer, sharing etc over networks, between Linux, Mac OS and Windows systems, but Samba doesn't have the flawed Microsoft code, so will just block automatic propagation of the worm part of this particular malware.

As this malware locks down files, preventing them from being opened or even relocated, then it would be hard for an ordinary user (without admin permissions) to move an infected file manually to another location. It's technically possible for a system administrator to move an infected file to another file storage location, but if that file storage was something like a NAS, or Linux server file store, then the infected file would still be unable to automatically infect other files in that storage location, as it relies on there being an un-patched implementation of Microsoft's SMB1 running on the host system in order to propagate.

From what I've seen, the other part of this malware also relies on Windows in order to deliver its payload, and so wouldn't be able to function on a non-Windows machine.
 

Jeremy Harris

Senior Member
Blocking the SMB port doesn't seem that sensible to me, as file transfer is essential for the majority of networked systems. As this flaw is only in the Microsoft implementation of SMB1, and not present in other SMB variants, or SMB compatible tools, like Samba, it seems better to just patch any flawed version of SMB1 to me.

It's probably worth noting that there are two parts to this malware. There's the conventional file-encrypting ransomware, that is based on something that's been around for some time, then there is the far more serious SMB1 exploit, that allows the ransomware to be propagated around a file system that uses SMB1 via a worm. The two aspects really need to be considered separately. Closing down the SMB1 flaw stops automatic propagation around Microsoft systems, but doesn't remove the ransomware. It's still possible for a Windows PC to become infected with the ransomware, via clicking on a link, for example, but instead of the ransomware being able to use the flaw in SMB1 to propagate to other machines on a network, it will be stuck in the original host machine.

I strongly suspect that virus definitions have been updated now for this particular ransomware variant, but I've no doubt that other versions are in development and will still be around to catch out the unwary.
 

SteveDee

Senior Member
All systems have as much risk of of infection....
It's very difficult to build a safe system that allows the user to interact with "stuff" on the internet. So from that perspective, all systems are potentially vulnerable.

But Windows remains the #1 target because it is so widespread, and because if you can induce a user to open an office file or click on a web link, you have a reasonable chance of getting into their machine.
I have one Win7 laptop which I only use with my scope adaptor. I leave it on from time to time hoping to catch a bug, but so far nothing.
 

hippy

Technical Support
Staff member
Except this particular malware utilises a very specific, Microsoft only, vulnerability in their implementation of SMB1.
That is true. But no system is immune from flaws, including Linux. Critical, exploitable flaws, are found all the time. It all comes down to whether those flaws are patched before malware or ransomware uses them to attack and spread.

What I was really saying is that some may feel smug now, but that is not necessarily going to last. They dodged this bullet but there will be many more on their way.

Linux and other systems may also be used as gateways to infect systems on the network.
 

erco

Senior Member
But Windows remains the #1 target because it is so widespread, and because if you can induce a user to open an office file or click on a web link, you have a reasonable chance of getting into their machine.
Amen SteveDee! I'm not sure what the percentage is (maybe 95% Windows vs 5% Linux?) but that's why most hackers don't bother with Linux. It's not that Linux is invulnerable.

I have one Win7 laptop which I only use with my scope adaptor. I leave it on from time to time hoping to catch a bug, but so far nothing.
Careful what you wish for. :)
 

Jeremy Harris

Senior Member
I'm not sure what the percentage is (maybe 95% Windows vs 5% Linux?) but that's why most hackers don't bother with Linux. It's not that Linux is invulnerable.
Probably worth noting that OS X is also Unix-based, like Linux, and there are quite a lot of Apple machines out there. I agree that Microsoft is the number one target, both because of the market share, but also because Windows is inherently far less secure than any Unix-like OS. Security was added to Windows, whereas security is a fundamental low level, built-in function in Unix-like systems.

Microsoft aren't wholly to blame for this, it's just that when they created DOS, then Windows laid on top of DOS, they inherited a base system that was never designed to be secure, it was designed to be easy to use. They are stuck with this legacy, and despite attempts to create far more robust operating systems, they've generally had an uphill struggle. NT was a major milestone in terms of improved security, but even that relied on adding security over an inherently insecure core. Some of the inherent insecurities are now coming home to roost, as I believe the SMB1 flaw dates right back to around Windows NT. I'm sure there are other zero day vulnerabilities around that we don't know about yet, too.

The other big advantage Linux has, apart from using an inherently more secure base architecture, is that being open source there are thousands of people working on the source code, trying to break it, finding flaws that can be fixed and improving it. There's a massive amount of manpower committed to looking at Linux source code, more than Microsoft has, given that Microsoft only release their source code to very few people, for commercial confidentiality reasons.
 

srnet

Senior Member
It is not entirely clear which Windows OS should be getting security updates; unless beyond their end of extended support dates they should be getting those.
Extended support (and the appropriate security updates) is generally only available if you pay Microsoft.

Each month I download a number of Server 2003 updates and apply them to a significant number of 2003 servers. However, these updates are not openly available to the general public. I have access to them because Microsoft are paid to provide them.
 

PhilHornby

Senior Member
Security was added to Windows, whereas security is a fundamental low level, built-in function in Unix-like systems.

Microsoft aren't wholly to blame for this, it's just that when they created DOS, then Windows laid on top of DOS, they inherited a base system that was never designed to be secure, it was designed to be easy to use... NT was a major milestone in terms of improved security, but even that relied on adding security over an inherently insecure core.

The other big advantage Linux has...
The Windows core design is equally secure at a fundamental low level - it's got nothing in common with DOS, its ancestry is VAX/VMS and RSX-11M. See: https://en.wikipedia.org/wiki/Windows_NT

Linux is probably immune to Ransomware, because its users would be too mean to pay a ransom :p
 

oracacle

Senior Member
This is just one reason to keep your machines up to date and to keep regular secure backups.
When I say secure I mean on a USB hard drive. This will allow a reformat with minimal loss (or risk) of data, providing you don't plug that drive in while the malicious software is on your system.

Nothing is immune to anything like this, it's just whether it's worthwhile or not - just look at the Stuxnet attack on Siemens PLCs to reduce the output of nuclear enrichment plants in Iran. That thing had no bias to OS or an "air gap" between systems to get to its target, it did what was needed to get the job done.

The question is, other than making money, what was the target behind this attack?
 