Thailand News and Discussion Forum | ASEANNOW
"WannaCry" Ransomware attack, technical details

There is a thread in the news section about this severe malware/ransom-ware attack:

https://www.thaivisa.com/forum/topic/982861-global-cyberattack-disrupts-shipper-fedex-uk-health-system/

 

I open a thread here for technical details.

 

How to check if my system is patched/protected?

What to do if not?

I am affected. Is there anything I can do?

 

  • Author
Quote

I don't get it. How come companies and hospitals didn't install the security patch?

Some organizations prefer to keep updates under manual control to ensure uninterrupted operation and to be free from "surprises"/incompatibilities.

They often do their own tests at the IT department before rolling out an update/patch to all their workplaces/devices.

 

On the other hand: if there is professional IT management they will have fairly up-to-date backups which allow them to restore their systems quickly.

Missing backups are the reason why private users are often heavily affected and lose their data.

 

  • Author

I am currently fighting to find the reference information:

 

How to find out on my Windows system (7 and up) whether the patch is installed and I am safe.

56 minutes ago, KhunBENQ said:

Missing backups are the reason why private users are often heavily affected and lose their data.

 

A good reminder to do a backup. I use the free Microsoft tool SyncToy which works perfectly for me.

1 hour ago, KhunBENQ said:

I am currently fighting to find the reference information:

 

How to find out on my Windows system (7 and up) whether the patch is installed and I am safe.

I just looked at my update history.

 

That's for March:

 

It must be this one. KB4012215

 

Capture.JPG

It was this patch:

 

Microsoft Security Bulletin MS17-010 - Critical

Security Update for Microsoft Windows SMB Server (4013389)

 

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-sqQhNApgA.Smv1cgQL3e5A&tduid=(197031599f8fe50d3b054eacc9bd784b)(256380)(2459594)(TnL5HPStwNw-sqQhNApgA.Smv1cgQL3e5A)()

 

But I can't find this update in my update history.

 

Edit: This patch was for my System. Windows 7 x64.

 

It's the patch I marked in the previous post.

Capture.JPG

Does this SMB server come installed on all versions of Windows?

 

I can't find it on any of mine and the commands I tested with yesterday did not exist on the server and my home PCs.

 

I suspect it's an enterprise function that's not enabled in Win 7 Pro.

There appear to be instructions to disable all versions of SMB for older versions of Windows on this page:

 

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

 

I ran the disable commands on my Win 7 Pro installation and they seemed to work.
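
As an added example (not part of the original posts and not Microsoft's code): a PowerShell check, written to run on the PowerShell 2.0 that ships with Windows 7, that looks for the two KB numbers named in this thread and reads the SMBv1 server registry value from the Microsoft article linked above. The function names are hypothetical, and because later cumulative rollups carry the same fix under other KB numbers, a missing KB here means "check the update history further", not "unpatched".

```powershell
# Added example. KB IDs are the two named in this thread; function names are hypothetical.
$ThreadKbIds = @('KB4012215', 'KB4012598')

function Test-ThreadPatches {
    param([string[]]$KbIds = $ThreadKbIds)

    # Get-HotFix lists the updates recorded in Win32_QuickFixEngineering.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.HotFixID })

    foreach ($kb in $KbIds) {
        # New-Object PSObject keeps this compatible with PowerShell 2.0.
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-Smb1ServerState {
    # Registry value used by the SMBv1 server disable procedure (Windows 7 / Server 2008 R2).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $prop = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue

    if ($null -eq $prop)  { return 'Enabled (no SMB1 value set, which is the default)' }
    if ($prop.SMB1 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$patches = @(Test-ThreadPatches)
$patches | Format-Table KB, Installed -AutoSize
"SMBv1 server: $(Get-Smb1ServerState)"

if (-not ($patches | Where-Object { $_.Installed })) {
    # A newer monthly rollup may carry the fix under a different KB number.
    'Neither KB from the thread is listed; review the full update history before concluding.'
}
```

Run it from an elevated PowerShell prompt; a change to the SMB1 registry value only takes effect after a restart.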

I guess it's not necessary to disable SMB if your OS is patched.

Just now, alocacoc said:

I guess it's not necessary to disable SMB if your OS is patched.

Looks that way, however for various reasons some of us will be running older versions which have not been updated for years.

The attack is stopped for now. I guess the attackers will come back soon.

 

This guy predicted it weeks ago;

 

 

2 hours ago, alocacoc said:

The attack is stopped for now. I guess the attackers will come back soon.

 

This guy predicted it weeks ago;

 

 

A new variant has been detected already and this one doesn't have the sandbox detection killswitch inside it so everything's going to go nuts now.

A new variant has been detected already and this one doesn't have the sandbox detection killswitch inside it so everything's going to go nuts now.

I just searched for a source. Found only this.



This guy seems to have a deep insight into this.

He also said the worm is still spreading since the killswitch doesn't work on proxies and several ISPs. He expects a big shock on Monday.

That's all quite scary.

Below webpage says MS has also just released an emergency security update patch even for no longer supported OSes such as XP and a few others. Plus, Win 10 computers are not affected. Apparently the malware focuses most of its attention/hunting on unpatched Win 7 computers. See below link for more details.

 

http://thehackernews.com/2017/05/wannacry-ransomware-windows.html

 

This guy said he found it without the 'killswitch' which is like 2 lines of code so it would take a couple of minutes to rebuild it after the small modification, then start it all over again.

 

https://twitter.com/JR0driguezB

 

Specifically this tweet :

 

  • Author

After reading today's newspaper reports it sounds like indeed mostly Windows XP (!) systems have been hit and probably some unpatched Windows 7 systems.

Still 7% of Windows systems on the internet are Windows XP.

As already described, MS has decided to supply another patch for old versions (Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008).

 

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

All from May 12 and May 13, 2017.

 

On Saturday, May 13, 2017 at 9:07 PM, Pib said:

Below webpage says MS has also just released an emergency security update patch even for no longer supported OSes such as XP and a few others. Plus, Win 10 computers are not affected. Apparently the malware focuses most of its attention/hunting on unpatched Win 7 computers. See below link for more details.

 

http://thehackernews.com/2017/05/wannacry-ransomware-windows.html

 

 

I just downloaded the XP patch from two different sources:

 

https://www.microsoft.com/en-us/download/details.aspx?id=55245

 

and

 

http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

 

The first link downloaded "WindowsXP-KB4012598-x86-Embedded-Custom-ENU.exe"

The second downloaded "windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe"

 

The only differences are that the first one is 618,712 bytes and the second is 682,200 bytes.

 

Oh, and the first has a build date of 2017/02/17 and the second of 2017/02/11.

 

Thanks Microsoft. So you had it tucked away but didn't release it. Nice.

 

 

1 minute ago, JetsetBkk said:

 

I just downloaded the XP patch from two different sources:

 

https://www.microsoft.com/en-us/download/details.aspx?id=55245

 

and

 

http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

 

The first link downloaded "WindowsXP-KB4012598-x86-Embedded-Custom-ENU.exe"

The second downloaded "windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe"

 

The only differences are that the first one is 618,712 bytes and the second is 682,200 bytes.

 

Oh, and the first has a build date of 2017/02/17 and the second of 2017/02/11.

 

Thanks Microsoft. So you had it tucked away but didn't release it. Nice.

 

 

 

They supplied it to customers who paid for extended support beyond the end of life date.

15 minutes ago, ukrules said:

 

They supplied it to customers who paid for extended support beyond the end of life date.

Yes, so it's all about the money. There is no problem in supplying security updates to old systems, they just don't want to encourage people to stay with them and to not pay for Windows 7, 8, 10, etc.

 

Maybe I'll send this info to the press and see what they make of it.

 

1 minute ago, JetsetBkk said:

Yes, so it's all about the money. There is no problem in supplying security updates to old systems, they just don't want to encourage people to stay with them and to not pay for Windows 7, 8, 10, etc.

 

Maybe I'll send this info to the press and see what they make of it.

 

 

Haha, they already know.

 

Heck, XP probably needs a LOT of security patches since lifecycle support ended in early 2014 unless you were some organization that pays for continued support...it's just this WannaCry ransomware has got so much media attention MS is offering up the patch to the masses for free.

5 minutes ago, Pib said:

Heck, XP probably needs a LOT of security patches since lifecycle support ended in early 2014 unless you were some organization that pays for continued support...it's just this WannaCry ransomware has got so much media attention MS is offering up the patch to the masses for free.

Guilty feelings?

 

My feelings are that they should offer all security patches for all systems. If they want people to "upgrade" to Windows 10 they should make it so good that people would want to upgrade, not because they are scared of security holes.

 

My laptop is Windows 10 and I hate it but am getting used to doing things MS's way. This desktop is XP.

 

I'll install the patch tomorrow after I've done another system image. (I trust no one.)

 

Win 10 is great...gotta have it!!!...Win 8 is great...gotta have it (well, not really)!!!....Win 7 is great.....gotta have it!!!!....Win Vista is great...gotta have (well, not really)!!!....Win XP is great....gotta have!!!...etc...etc....etc. How do I know this? Microsoft told me so.

Guys, if you still have not patched your Windows, you should do this now.
The WannaCry ransomware is still active. A new variant of WannaCry ransomware is able to infect 3,600 computers per hour -
https://malwareless.com/new-variant-wannacry-ransomware-able-infect-3600-computers-per-hour/
If your computer is infected with this virus, don't pay the ransom - many people who have paid Bitcoins don't receive the decryptor. All top security companies are currently working to develop a decryption solution.

 
