
Hacker - MS17-010 patch KB4012598 against WannaCry Ransomware

Before you start reading, I want to point to the Microsoft articles; I hope companies will realize they need to invest more and more in security, IT infrastructure and highly skilled IT people.

Here is the description of the Microsoft patch, which was released as a zero-day patch:


Customer Guidance for WannaCrypt attacks

Consider that the WannaCry code uses National Security Agency malware, which exploited Microsoft vulnerabilities to steal data. The worst news is that the NSA used those vulnerabilities without advising Microsoft.

WannaCry uses previously patched Microsoft vulnerabilities to attack Windows PCs that are exposed to the internet with port 445 open (at least 1 million of them).

Once the worm reaches a shared folder it is inside the LAN, where it is wormable at high speed.

Microsoft took the unusual decision of providing the security patch to users and customers running unsupported OS versions (XP/Vista/2008/2003).


Here is the patch download link for all OS versions:



If you want to view the current WannaCry diffusion on a map, go here:




If you're running a vulnerable system and can't install the patch for some reason, Microsoft has two pieces of advice:

a. Disable SMBv1 with the steps documented in Microsoft Knowledge Base Article 2696547 and these ones.

A quick way to do that is to go to this registry key:

HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 and set it equal to 0 (the SMB1 DWORD value under the Parameters key; a reboot is needed afterwards).


Otherwise you can review this article:

https://www.saotn.org/disable-smbv1-windows-10-windows-server/

b. Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.



[update 2017.05.18]

Some malware versions, in order to trigger the "kill switch", need traffic to be allowed towards the following URLs (this applies only to some malware versions):
hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
hxxp://www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com


Indeed, to verify whether a PC is infected, you need to search for files with the following extension:


 .wncry

The worm has a kill switch that stops it from working once the domain query succeeds (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com); it was stopped thanks to a researcher who registered the domain name after reverse engineering the sample. We suspect the next software version will no longer have this kill-switch command.
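As an added example (not part of the original post), the following PowerShell audit script puts the checks from points a and b and from this update together for one Windows host: whether the KB from the post is installed, whether SMBv1 is disabled through the registry value above, whether the kill-switch domain still resolves from inside the network, and whether any .wncry files exist. The KB number, the scan paths and the -Remediate switch are assumptions of this script; run it from an elevated prompt.

```powershell
# Added audit script, not from the original post. Assumptions: the KB number
# is the one named in the post (other OS versions may ship it under another
# KB), and user profiles are the default location to scan for *.wncry files.
param(
    [string]$KB = 'KB4012598',
    [string[]]$ScanPaths = @("$env:SystemDrive\Users"),
    [string]$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    [switch]$Remediate   # when set, write SMB1 = 0 as described in the post
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$result = [ordered]@{}

# 1. Is the patch installed? Get-HotFix lists installed Windows updates.
$result.PatchInstalled = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

# 2. SMBv1 server state, read from the registry value documented in KB2696547.
#    If the SMB1 value is absent, the default applies (enabled on older Windows).
$smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$result.SMB1Disabled = ($smb1 -eq 0)

# 3. The kill switch only works if the domain resolves from this host, so a
#    DNS sinkhole or a blocked egress would remove that protection.
$result.KillSwitchResolves = [bool](Resolve-DnsName -Name $KillSwitchDomain -ErrorAction SilentlyContinue)

# 4. Encrypted files left behind by WannaCry carry the .wncry extension.
$hits = foreach ($p in $ScanPaths) {
    Get-ChildItem -Path $p -Filter '*.wncry' -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -First 20 -ExpandProperty FullName
}
$result.WncryFilesFound = @($hits).Count
$result.WncrySamples = @($hits)

# 5. Optional remediation: set the SMB1 DWORD to 0. A reboot is still required.
if ($Remediate -and -not $result.SMB1Disabled) {
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    $result.SMB1Disabled = $true
    $result.RebootRequired = $true
}

[pscustomobject]$result | Format-List
```

On Windows 8.1 / Server 2012 R2 and later, Get-SmbServerConfiguration and Set-SmbServerConfiguration -EnableSMB1Protocol $false give the same result without editing the registry directly.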

https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

https://www.achab.it//achab.cfm/it/blog/achablog/cryptovirus-wannacry-finalmente-e-arrivato

[update 2017.08.16]

new link:


https://www.microsoft.com/it-it/download/malicious-software-removal-tool-details.aspx

As for tools, I would suggest these:

Malwarebytes and Bitdefender.

Here are some free Mac antivirus tools:

About WannaCry and similar ransomware you can review this blog article; consider these tools too:

Antivirus - WannaCry Free Decryptor tool

Hacker - MS17-010 patch KB4012598 against WannaCry Ransomware

Vaccinator - immunizer against Petya and other ransomware.

Some of the preceding information was taken from this interesting article:

720check