<div dir="ltr"><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px">Thanks Khalid, a quick note to add:</span></div><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px"><br></span></div><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px"><a href="http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com">www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com</a> is currently up and is sinkholed, but</span><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px"> this is a temporary fix and the domain(s) will most likely switch quickly. </span><br></div><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px"><br></span></div><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px">Regards,</span></div><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px"><br></span></div><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px">Arash Naderpour</span></div><div><span style="color:rgb(128,128,128);font-family:"Exo 2",sans-serif;font-size:16px"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 25, 2017 at 1:12 AM, KHALID SAMARA <span dir="ltr"><<a href="mailto:pc-chair@menog.org" target="_blank">pc-chair@menog.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div id="m_-4052423241647481304divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Times New Roman","serif""></span></p>
<p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dears,</span><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Following on the below discussion below ; I would like to add some related information about</span><span class="m_-4052423241647481304apple-converted-space"> </span><span style="font-size:11.0pt">this ransomware attack in several
emails ;</span><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">first , as many of you may be know that WCry or WannaCry maleware exploits a Windows SMB vulnerability to enable propagation after having established a foothold in an environment or also even through malicious
links in spam messages.<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This propagation mechanism can distribute the malware both within the compromised network & over the public internet ; and the exploit used here</span><span class="m_-4052423241647481304apple-converted-space"> </span><span style="font-size:11.0pt">codenamed
“EternalBlue”; however this exploited vulnerability, was patched in Microsoft MS17-010.<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The malware usually add an encrypted data files with the WCRY extension; also it used to drop & execute a decryptor, then demands $300 that should be paid in Bitcoins to decrypt the data;</span> <span style="font-size:11.0pt">If
the user doesn’t pay the ransom within three days, the amount doubles to $600; after seven days without payment, WannaCry will delete all of the encrypted files and all data will be lost!<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><span style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><br>
</span><u></u><u></u></span></p>
<p class="MsoNormal" style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">
<span style="font-size:11.0pt">Below some of the filetypes that are targeted and encrypted by WannaCry:<u></u><u></u><u></u><u></u></span></p>
<p class="MsoNormal" style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">
<span style="font-size:11.0pt">3g2.3gp.accdb.aes.ai.asc.asf.<wbr>asm.asp.avi.backup.bak.at.bmp.<wbr>brd.bz2.cgm.class.cmd.cpp.crt.<wbr>cs.csr.csv.db.dbf.dch.dif.dip.<wbr>djvu.doc.docb.docm.docx.dot.<wbr>dotm.dotx.dwg.edb.eml.fla.flv.<wbr>frm.gif.gpg.gz.hwp.ibd.iso.<wbr>jar.java.jpeg.jpg.js.jsp.key.<wbr>lay.lay6. <u></u><u></u></span></p>
<p class="MsoNormal" style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">
<span style="font-size:11.0pt">mdb.mdf.mid.mkv.mml.mov.mp3.<wbr>mp4.mpeg.mpg.msg.myd.myi.nef.<wbr><a href="http://odb.pas.pdf.pem.pfx.php.pl">odb.pas.pdf.pem.pfx.php.pl</a>.<wbr>png.pot.potm.potx.ppam.pps.<wbr>ppsm.ppsx.ppt.pptm.pptx.ps1.<wbr><a href="http://psd.pst.rar.raw.rb.rtf.sch.sh">psd.pst.rar.raw.rb.rtf.sch.sh</a>.<wbr>sldm.sldx.slk.sln..swf.sxc.<wbr>sxd.sxi.sxm.sxw.tar.tbk.tgz.<wbr>tif.tiff.txt.uot.vb.vbs.vcd.<wbr>vdi.vmdk.vmx.vob.vsd.wav.wb2.<wbr>wk1.zip<u></u><u></u><u></u><u></u></span></p>
<p class="MsoNormal" style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">
<span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This malware uses encrypted Tor channels for command and control communications; trying to query for :-<u></u><u></u><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">ayylmaotjhsstasdfasdfasdfasdfa<wbr>sdfasdfasdf[.]com<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">And sometimes to (<a>www.<wbr>ifferfsodp9ifjaposdfjhgosurijf<wbr>aewrwergwea[.]test</a>.) etc..<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">If it cannot contact this domain files or if it cannot make a</span><span class="m_-4052423241647481304apple-converted-space"> </span><span style="font-size:11.0pt"> HTTP request to the resolution of the mentioned domain then the
malware will start to encrypt files.<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">However and as workaround to this issue; network administrators can locally sinkhole this domains or other domains by adding A-record to their DNS server and then translate this domain to any of the existing
sinkhole IPs.<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This malware enumerates the network adapters and determines which subnets the system is on. then malware then generates a thread for each IP on the subnet. Each of these threads attempt to connect to the
IP on TCP port 445 and, if successful, attempt exploitation of the system using the EternalBlue SMB exploit.<u></u><u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt">However; below some of indicators of compromise could be used to identify potentially WnnCry activity :-<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><b><i><span style="font-size:11.0pt">MD5s related samples:</span></i></b><u></u><u></u></p>
<u></u><u></u>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">29365f675b69ffa0ec17ad00649ce0<wbr>26<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">2b4e8612d9f8cdcf520a8b2e42779f<wbr>fa<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">2ca9ea7966269b22b5257f7a41817e<wbr>1f<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><b><i><span style="font-size:11.0pt">Related URLs:</span></i></b><u></u><u></u></p>
<u></u><u></u>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">iuqssfsodp9ifjaposdfjhgosurijf<wbr>aewrwergwea[.]com<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">ifferfsodp9ifjaposdfjhgosurijf<wbr>aewrwergwea[.]com<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">iuqerfsodp9ifjaposdfjhgosurijf<wbr>aewrwergwea[.]com<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><b><i><span style="font-size:11.0pt">Related Tor Sites:</span></i></b><u></u><u></u></p>
<u></u><u></u>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">cwwnhwhlz52maqm7[.]onion; gx7ekbenv2riucmf[.]onion ; sqjolphimrr7jqw6[.]onion<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><b><i><span style="font-size:11.0pt">Related Executables:</span></i></b><u></u><u></u></p>
<u></u><u></u>
<p style="margin:0in;margin-bottom:.0001pt"><span style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span style="font-size:11.0pt;color:#313333">C:\Windows\mssecsvc.exe
; C:\Windows\tasksche.exe<u></u><u></u></span></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><b><i><span style="font-size:11.0pt">Related Processes Started:</span></i></b><u></u><u></u></p>
<u></u><u></u>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt">cscript.exe //nologo m.vbs<u></u><u></u></span><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><u></u> <u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><u></u> <u></u></p>
<p class="MsoNormal"><span style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span style="font-size:11.0pt"> There
is no confirmed fix for WannaCry available at this time. Antimalware companies and antivirus companies are trying to find a way to decrypt files on infected computers, but currently still now no way available now to do that . </span></span></p>
<p class="MsoNormal"><span style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span style="font-size:11.0pt"><br>
</span></span></p>
<p class="MsoNormal"><span style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span style="font-size:11.0pt">Regards,</span></span></p>
<p class="MsoNormal"><span style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span style="font-size:11.0pt"><br>
</span></span></p>
<p class="MsoNormal"><span style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span style="font-size:11.0pt">khalid </span></span></p>
<p class="MsoNormal"><br>
</p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u><u></u></span></p>
<div style="color:rgb(0,0,0)"><font size="2"><span style="font-size:10pt">
<div class="m_-4052423241647481304PlainText"><br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 1<br>
Date: Sat, 20 May 2017 17:32:52 +0300<br>
From: Harith Dawood <<a href="mailto:alwathiq2007@gmail.com" target="_blank">alwathiq2007@gmail.com</a>><br>
Subject: Re: [menog] WannaCry Ransomware<br>
To: Hisham Ibrahim <<a href="mailto:hmi@ripe.net" target="_blank">hmi@ripe.net</a>><br>
Cc: MENOG <<a href="mailto:menog@menog.org" target="_blank">menog@menog.org</a>><br>
Message-ID:<br>
<CAH3nW1+xmhpqGEz2Cn_ivs_<wbr>ro2Ynz+wrzugqo=<a href="mailto:0eLd82%2BPXUUA@mail.gmail.com" target="_blank">0eLd82+PXUUA@<wbr>mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<span class=""><br>
<br>
Dear Mr. Hisham Ibrahim<br>
<br>
Thank you very much for your important information.<br>
<br>
Best regards;<br>
Harith<br>
<br>
On Mon, May 15, 2017 at 12:42 AM, Hisham Ibrahim <<a href="mailto:hmi@ripe.net" target="_blank">hmi@ripe.net</a>> wrote:<br>
<br>
> Dear All,<br>
> As you are no doubt aware, we are currently experiencing an unprecedented<br>
> ransomware attack at a global scale. The malware was detected on 12 May<br>
> 2017 and has the capability to spread across networks taking advantage of a<br>
> critical exploit in a popular communication protocol used by Windows<br>
> systems.<br>
> Many of you have already reached out and are actively involved in<br>
> containing this threat. It is believed that the infection and propagation<br>
> rate may go up on Monday when people return to their workplaces.<br>
> Below is the Europol warning / update about the current ransomware threat.<br>
> If you think this would be useful to anyone in our community, please<br>
> forward it on.<br>
> A list of tips and advice on how to prevent ransomware from infecting your<br>
> electronic devices can be found at:<br>
> <a href="https://www.europol.europa.eu/sites/default/files/images/" id="m_-4052423241647481304LPlnk712857" target="_blank">
https://www.europol.europa.eu/<wbr>sites/default/files/images/</a><br>
> editor/ransomware-01.jpg<br>
> Regards,<br>
> Hisham<br>
><br>
> Begin forwarded message:<br>
><br></span>
> *If you are a victim or have reason to believe that you could be a victim*<span class=""><br>
><br>
> This is link provides some practical advice on how to contain the<br>
> propagation of this type of ransomware:<br></span>
> *<a href="https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance*" target="_blank">https://www.ncsc.gov.uk/<wbr>guidance/ransomware-latest-<wbr>ncsc-guidance*</a><span class=""><br>
> <<a href="https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance" target="_blank">https://www.ncsc.gov.uk/<wbr>guidance/ransomware-latest-<wbr>ncsc-guidance</a>><br>
><br>
> The most important step involves patching the Microsoft vulnerability<br>
> (MS17-010):<br></span>
> *<a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx*" target="_blank">https://technet.microsoft.<wbr>com/en-us/library/security/<wbr>ms17-010.aspx*</a><span class=""><br>
> <<a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">https://technet.microsoft.<wbr>com/en-us/library/security/<wbr>ms17-010.aspx</a>><br>
><br>
> A patch for legacy platforms is available here:<br>
><br></span>
> *<a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks*" target="_blank">https://blogs.technet.<wbr>microsoft.com/msrc/2017/05/12/<wbr>customer-guidance-for-<wbr>wannacrypt-attacks*</a><span class=""><br>
> <<a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks" target="_blank">https://blogs.technet.<wbr>microsoft.com/msrc/2017/05/12/<wbr>customer-guidance-for-<wbr>wannacrypt-attacks</a>><br>
><br>
> In instances where it is not possible to install the patch, manage the<br>
> vulnerability becomes key. One way of doing this would be to disable the<br>
> SMBv1 (Server Message Block) protocol:<br></span>
> *<a href="https://support.microsoft.com/en-us/help/2696547*" target="_blank">https://support.microsoft.<wbr>com/en-us/help/2696547*</a><span class=""><br>
> <<a href="https://support.microsoft.com/en-us/help/2696547" target="_blank">https://support.microsoft.<wbr>com/en-us/help/2696547</a>><br>
> and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139,<br>
> 445].<br>
><br>
> Another step would be to update endpoint security and AV solutions with<br>
> the relevant hashes of the ransomware (e.g. via VirusTotal).<br>
><br>
> If these steps are not possible, not starting up and/or shutting down<br>
> vulnerable systems can also prevent the propagation of this threat.<br>
><br></span>
> *How to prevent a ransomware attack?*<br>
><br>
><br>
> 1. *Back-up! Back-up! Back-up!* Have a backup and recovery system in<br>
> place so a ransomware infection can?t destroy your personal data forever.<br>
> It?s best to create at least two back-up copies on a regular basis: one to<span class=""><br>
> be stored in the cloud (remember to use a service that makes an automatic<br>
> backup of your files) and one stored locally (portable hard drive, thumb<br>
> drive, etc.). Disconnect these when you are done and store them separately<br>
> from your computer. Your back-up copies will also come in handy should you<br>
> accidentally delete a critical file or experience a hard drive failure.<br></span>
> 2. *Use robust antivirus software* to protect your system from<span class=""><br>
> ransomware. Always use the latest virus definition/database and do not<br></span>
> switch off the ?heuristic? functions as these help the solution to catch<span class=""><br>
> samples of ransomware (and other type of malware) that have not yet been<br>
> formally detected.<br></span>
> 3. *Keep all the software on your computer up to date.* When your<span class=""><br>
> operating system (OS) or applications release a new version, install it. If<br>
> the software you use offers the option of automatic updating, enable it.<br></span>
> 4. *Trust no one. Literally.* Any account can be compromised and<span class=""><br>
> malicious links can be sent from the accounts of friends on social media,<br></span>
> colleagues or an *online gaming*<br>
> <<a href="https://blog.kaspersky.com/teslacrypt-20-ransomware/9314/" target="_blank">https://blog.kaspersky.com/<wbr>teslacrypt-20-ransomware/9314/</a><wbr>> partner.<br>
> Never open attachments in emails from someone you don?t know. Similarly,<br>
> don?t open attachments in emails from somebody you know but from whom you<span class=""><br>
> would not expect to receive such as message. Cybercriminals often<br>
> distribute fake email messages that look very much like email notifications<br>
> from an online store, a bank, the police, a court or a tax collection<br>
> agency, luring recipients into clicking on a malicious link and releasing<br>
> the malware into their system. If in doubt, call the sender at a trusted<br>
> phone number to confirm the legitimacy of the message received.<br></span>
> 5. *Enable the ?Show file extensions? option in the Windows settings<br>
> on your computer.* This will make it much easier to spot potentially<br>
> malicious files. Stay away from file extensions like ?.exe?, ?.com?, ?.vbs?<br>
> or ?.scr?. Cybercriminals can use several extensions to disguise a<span class=""><br>
> malicious file as a video, photo, or document (like hot-chics.avi.exe or<br>
> report.doc.scr).<br></span>
> 6. If you discover a rogue or unknown process on your machine, *disconnect<span class=""><br>
> it immediately from the internet or other network connections (such as home<br></span>
> Wi-Fi)* ? this will prevent the infection from spreading.<span class=""><br>
><br>
><br>
><br>
><br>
> ______________________________<wbr>_________________<br>
> Menog mailing list<br>
> <a href="mailto:Menog@lists.menog.org" target="_blank">Menog@lists.menog.org</a><br>
> <a href="http://lists.menog.org/mailman/listinfo/menog" target="_blank">http://lists.menog.org/<wbr>mailman/listinfo/menog</a><br>
><br>
><br></span>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.menog.org/pipermail/menog/attachments/20170520/7fd1fc56/attachment-0001.html" target="_blank">
http://lists.menog.org/<wbr>pipermail/menog/attachments/<wbr>20170520/7fd1fc56/attachment-<wbr>0001.html</a>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sat, 20 May 2017 20:26:33 +0400<br>
From: Luqman Kondeth <<a href="mailto:luqman.kondeth@nyu.edu" target="_blank">luqman.kondeth@nyu.edu</a>><br>
Subject: Re: [menog] WannaCry Ransomware<br>
To: Harith Dawood <<a href="mailto:alwathiq2007@gmail.com" target="_blank">alwathiq2007@gmail.com</a>><br>
Cc: Hisham Ibrahim <<a href="mailto:hmi@ripe.net" target="_blank">hmi@ripe.net</a>>, MENOG <<a href="mailto:menog@menog.org" target="_blank">menog@menog.org</a>><br>
Message-ID:<br>
<<a href="mailto:CAP32F_zAK5shpB4Dx6ptS3OREtUX-UwnVPtf4paaRsNSgH_-iw@mail.gmail.com" target="_blank">CAP32F_<wbr>zAK5shpB4Dx6ptS3OREtUX-<wbr>UwnVPtf4paaRsNSgH_-iw@mail.<wbr>gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<div><div class="h5"><br>
<br>
Has anyone been able to observe the malware network behavoiur in action ?<br>
I ask this because we noticed large amounts of tcp port scans on 445 from<br>
the 12th which is when the malware was reported.<br>
What is interesting however is that the machines that were doing this in<br>
our network were Apple Macs. Is it possible that the Macs are a carrier<br>
for the worm ? Anyone seen anything similar?<br>
<br>
We also noticed the following<br>
<br>
<br>
There is increased amount of traffic on port 445 and 139 from the 12th of<br>
this month.<br>
We also see certain IP addresses being constantly probed on port 445<br>
The below are the IP addresses<br>
<br>
192.168.0.2<br>
100.100.129.90<br>
149.236.99.1<br>
172.18.4.200<br>
<br>
The pattern we see is usually a connection attempt on port 445 to one of<br>
the above ports followed by a large number of 445 traffic to random IPs.<br>
<br>
Thanks<br>
<br>
On 20 May 2017 6:33 p.m., "Harith Dawood" <<a href="mailto:alwathiq2007@gmail.com" target="_blank">alwathiq2007@gmail.com</a>> wrote:<br>
<br>
> Dear Mr. Hisham Ibrahim<br>
><br>
> Thank you very much for your important information.<br>
><br>
> Best regards;<br>
> Harith<br>
><br>
> On Mon, May 15, 2017 at 12:42 AM, Hisham Ibrahim <<a href="mailto:hmi@ripe.net" target="_blank">hmi@ripe.net</a>> wrote:<br>
><br>
>> Dear All,<br>
>> As you are no doubt aware, we are currently experiencing an unprecedented<br>
>> ransomware attack at a global scale. The malware was detected on 12 May<br>
>> 2017 and has the capability to spread across networks taking advantage of a<br>
>> critical exploit in a popular communication protocol used by Windows<br>
>> systems.<br>
>> Many of you have already reached out and are actively involved in<br>
>> containing this threat. It is believed that the infection and propagation<br>
>> rate may go up on Monday when people return to their workplaces.<br>
>> Below is the Europol warning / update about the current ransomware<br>
>> threat. If you think this would be useful to anyone in our community,<br>
>> please forward it on.<br>
>> A list of tips and advice on how to prevent ransomware from infecting<br>
>> your electronic devices can be found at:<br>
>> <a href="https://www.europol.europa.eu/sites/default/files/images/edi" target="_blank">https://www.europol.europa.eu/<wbr>sites/default/files/images/edi</a><br>
>> tor/ransomware-01.jpg<br>
>> Regards,<br>
>> Hisham<br>
>><br>
>> Begin forwarded message:<br>
>><br></div></div>
>> *If you are a victim or have reason to believe that you could be a victim*<span class=""><br>
>><br>
>> This is link provides some practical advice on how to contain the<br>
>> propagation of this type of ransomware:<br></span>
>> *<a href="https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance*" target="_blank">https://www.ncsc.gov.uk/<wbr>guidance/ransomware-latest-<wbr>ncsc-guidance*</a><span class=""><br>
>> <<a href="https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance" target="_blank">https://www.ncsc.gov.uk/<wbr>guidance/ransomware-latest-<wbr>ncsc-guidance</a>><br>
>><br>
>> The most important step involves patching the Microsoft vulnerability<br>
>> (MS17-010):<br></span>
>> *<a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx*" target="_blank">https://technet.microsoft.<wbr>com/en-us/library/security/<wbr>ms17-010.aspx*</a><span class=""><br>
>> <<a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">https://technet.microsoft.<wbr>com/en-us/library/security/<wbr>ms17-010.aspx</a>><br>
>><br>
>> A patch for legacy platforms is available here:<br>
>><br></span>
>> *<a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks*" target="_blank">https://blogs.technet.<wbr>microsoft.com/msrc/2017/05/12/<wbr>customer-guidance-for-<wbr>wannacrypt-attacks*</a><span class=""><br>
>> <<a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks" target="_blank">https://blogs.technet.<wbr>microsoft.com/msrc/2017/05/12/<wbr>customer-guidance-for-<wbr>wannacrypt-attacks</a>><br>
>><br>
>> In instances where it is not possible to install the patch, manage the<br>
>> vulnerability becomes key. One way of doing this would be to disable the<br>
>> SMBv1 (Server Message Block) protocol:<br></span>
>> *<a href="https://support.microsoft.com/en-us/help/2696547*" target="_blank">https://support.microsoft.<wbr>com/en-us/help/2696547*</a><span class=""><br>
>> <<a href="https://support.microsoft.com/en-us/help/2696547" target="_blank">https://support.microsoft.<wbr>com/en-us/help/2696547</a>><br>
>> and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139,<br>
>> 445].<br>
>><br>
>> Another step would be to update endpoint security and AV solutions with<br>
>> the relevant hashes of the ransomware (e.g. via VirusTotal).<br>
>><br>
>> If these steps are not possible, not starting up and/or shutting down<br>
>> vulnerable systems can also prevent the propagation of this threat.<br>
>><br></span>
>> *How to prevent a ransomware attack?*<br>
>><br>
>><br>
>> 1. *Back-up! Back-up! Back-up!* Have a backup and recovery system in<br>
>> place so a ransomware infection can?t destroy your personal data forever.<br>
>> It?s best to create at least two back-up copies on a regular basis: one to<span class=""><br>
>> be stored in the cloud (remember to use a service that makes an automatic<br>
>> backup of your files) and one stored locally (portable hard drive, thumb<br>
>> drive, etc.). Disconnect these when you are done and store them separately<br>
>> from your computer. Your back-up copies will also come in handy should you<br>
>> accidentally delete a critical file or experience a hard drive failure.<br></span>
>> 2. *Use robust antivirus software* to protect your system from<span class=""><br>
>> ransomware. Always use the latest virus definition/database and do not<br></span>
>> switch off the ?heuristic? functions as these help the solution to catch<span class=""><br>
>> samples of ransomware (and other type of malware) that have not yet been<br>
>> formally detected.<br></span>
>> 3. *Keep all the software on your computer up to date.* When your<span class=""><br>
>> operating system (OS) or applications release a new version, install it. If<br>
>> the software you use offers the option of automatic updating, enable it.<br></span>
>> 4. *Trust no one. Literally.* Any account can be compromised and<span class=""><br>
>> malicious links can be sent from the accounts of friends on social media,<br></span>
>> colleagues or an *online gaming*<br>
>> <<a href="https://blog.kaspersky.com/teslacrypt-20-ransomware/9314/" target="_blank">https://blog.kaspersky.com/<wbr>teslacrypt-20-ransomware/9314/</a><wbr>> partner.<br>
>> Never open attachments in emails from someone you don?t know. Similarly,<br>
>> don?t open attachments in emails from somebody you know but from whom you<span class=""><br>
>> would not expect to receive such as message. Cybercriminals often<br>
>> distribute fake email messages that look very much like email notifications<br>
>> from an online store, a bank, the police, a court or a tax collection<br>
>> agency, luring recipients into clicking on a malicious link and releasing<br>
>> the malware into their system. If in doubt, call the sender at a trusted<br>
>> phone number to confirm the legitimacy of the message received.<br></span>
>> 5. *Enable the ?Show file extensions? option in the Windows settings<br>
>> on your computer.* This will make it much easier to spot potentially<br>
>> malicious files. Stay away from file extensions like ?.exe?, ?.com?, ?.vbs?<br>
>> or ?.scr?. Cybercriminals can use several extensions to disguise a<span class=""><br>
>> malicious file as a video, photo, or document (like hot-chics.avi.exe or<br>
>> report.doc.scr).<br></span>
>> 6. If you discover a rogue or unknown process on your machine, *disconnect<span class=""><br>
>> it immediately from the internet or other network connections (such as home<br></span>
>> Wi-Fi)* ? this will prevent the infection from spreading.<span class=""><br>
>><br>
>><br>
>><br>
>><br>
>> ______________________________<wbr>_________________<br>
>> Menog mailing list<br>
>> <a href="mailto:Menog@lists.menog.org" target="_blank">Menog@lists.menog.org</a><br>
>> <a href="http://lists.menog.org/mailman/listinfo/menog" target="_blank">http://lists.menog.org/<wbr>mailman/listinfo/menog</a><br>
>><br>
>><br>
><br>
> ______________________________<wbr>_________________<br>
> Menog mailing list<br>
> <a href="mailto:Menog@lists.menog.org" target="_blank">Menog@lists.menog.org</a><br>
> <a href="http://lists.menog.org/mailman/listinfo/menog" target="_blank">http://lists.menog.org/<wbr>mailman/listinfo/menog</a><br>
><br>
><br></span>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.menog.org/pipermail/menog/attachments/20170520/98fc73a2/attachment.html" target="_blank">
http://lists.menog.org/<wbr>pipermail/menog/attachments/<wbr>20170520/98fc73a2/attachment.<wbr>html</a>
<br>
<br>
------------------------------<span class=""><br>
<br>
______________________________<wbr>_________________<br>
Menog mailing list<br>
<a href="mailto:Menog@lists.menog.org" target="_blank">Menog@lists.menog.org</a><br>
<a href="http://lists.menog.org/mailman/listinfo/menog" target="_blank">http://lists.menog.org/<wbr>mailman/listinfo/menog</a><br>
<br>
<br></span>
End of Menog Digest, Vol 107, Issue 15<br>
******************************<wbr>********<br>
</div>
</span></font></div>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Menog mailing list<br>
<a href="mailto:Menog@lists.menog.org">Menog@lists.menog.org</a><br>
<a href="http://lists.menog.org/mailman/listinfo/menog" rel="noreferrer" target="_blank">http://lists.menog.org/<wbr>mailman/listinfo/menog</a><br>
<br></blockquote></div><br></div>