
How does 'Patient A' get wcry2? Phishing? Via internet facing open 445/3389?



From what I've read, initial attack vector is still not known for sure. Spear phishing seems to be the current best hypothesis. I don't think anyone's seen a mass phishing campaign.

See: https://arstechnica.com/security/2017/05/an-nsa-derived-rans...


The initial attack vector is via an email attachment.

Once it's infected a host, the SMB scanning for vulnerable hosts is launched and secondary infections begin with no further user action required.
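
A detection a defender can run against firewall or flow logs for the lateral SMB spread described in the comment above, added here as an example that is not part of the thread. The log line format, the field names, the 60-second window and the ten-peer threshold are all assumptions, and the sample log is constructed. A host that fans out to many distinct peers on TCP/445 in a short window is the pattern to look for; a normal client talking to one file server does not trip it.

```python
"""Flag internal hosts that fan out to many distinct peers on TCP/445.

Added example (not from the thread): a minimal detector over constructed
firewall/flow log lines. A worm scanning for vulnerable SMB hosts produces
one source, many destinations, same port, short window. Denied attempts
count as well as accepted ones, because most scan targets refuse or drop.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style line format; adapt the regex to your own firewall's output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(lines, window_seconds=60, min_targets=10):
    """Return {src: peak distinct dst on 445 within any window} for sources over threshold."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 445 or rec["proto"] != "tcp":
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        # Sliding window: count distinct destinations among events within `window`.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample, not real traffic: one scanning host, one normal client."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Worm-like host: 16 distinct peers on 445 within 32 seconds, most refused.
    for i in range(16):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        action = "ACCEPT" if i % 4 == 0 else "DROP"
        lines.append(f"{ts} {action} src=10.0.5.17 dst=10.0.5.{20 + i} dport=445 proto=tcp")
    # Normal client: 20 connections, all to the same file server.
    for i in range(20):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} ACCEPT src=10.0.5.40 dst=10.0.5.2 dport=445 proto=tcp")
    # Unrelated HTTPS traffic (TEST-NET address) and one malformed line the parser skips.
    lines.append(f"{base.isoformat()} ACCEPT src=10.0.5.41 dst=203.0.113.5 dport=443 proto=tcp")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for src, peak in find_smb_scanners(build_sample_log()).items():
        print(f"possible SMB scanner: {src} reached {peak} distinct peers on 445")
```

The threshold and window are the tuning knobs: a backup server or vulnerability scanner legitimately touches many hosts on 445, so allowlist those sources rather than lowering the threshold.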


> The initial attack vector is via an email attachment.

So far it seems a hypothesis, and nobody has shown such an email attachment, which is strange considering all the systems out there which save and archive attachments. Especially hospitals and gov't sites save it all.


The Jaff waves and the massive amount of threats make it really hard to identify. Wannacrytor may not be found directly attached to the mail; only a downloader for it (like office docs/pdfs/js) might be.


We quarantine a few hundred attachments a day containing Word macros. I don't know if any are WannaCry, but nearly all are some form of ransomware.

It continues to be a very common attack method and I'd be surprised if it wasn't leveraged again.
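
One way to implement the kind of macro-attachment quarantine rule the comment above describes, added here as an example that is not part of the thread. It handles only zip-based Office Open XML files (.docx/.docm and friends), where a VBA project lives in a vbaProject.bin part; legacy OLE2 .doc files need a different parser and are not covered. The sample documents are constructed in-line, and the verdict names are assumptions.

```python
"""Quarantine rule: does an Office attachment carry VBA macros?

Added example (not from the thread). OOXML files are zip packages; a document
with macros contains a vbaProject.bin part and declares its content type in
[Content_Types].xml. The file extension is only a hint, since a .docm can be
renamed to .docx, so the content decides.
"""
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"
MACRO_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm", ".potm")


def contains_vba_macros(data: bytes) -> bool:
    """Return True if `data` is an OOXML package carrying a VBA project."""
    if not data.startswith(OOXML_MAGIC):
        return False  # not a zip package (could be OLE2, PDF, plain text...)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(name.lower().endswith(MACRO_PART_SUFFIX) for name in names):
                return True
            # Fallback: the package may declare the VBA part under another name.
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachment(filename: str, data: bytes):
    """Return (verdict, reason); verdict is one of 'quarantine', 'review', 'allow'."""
    macro_ext = filename.lower().endswith(MACRO_EXTENSIONS)
    if contains_vba_macros(data):
        reason = "VBA project found"
        if not macro_ext:
            reason += " in a file whose extension claims no macros"
        return "quarantine", reason
    if macro_ext:
        return "review", "macro-enabled extension but no VBA part found"
    return "allow", "no VBA project"


def make_ooxml(parts):
    """Build a minimal zip-based package from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain document and a macro-enabled one.
CLEAN_DOCX = make_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument'
                           b'.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = make_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-ole-container",  # constructed
})

if __name__ == "__main__":
    for name, blob in [("report.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM), ("note.txt", b"hello")]:
        print(name, *triage_attachment(name, blob))
```

A rule like this catches the macro-laden document whether or not its extension is honest; what it does not see is a macro-free decoy that merely links to a downloader, which is why the quarantine counts above sit alongside URL and sandbox checks rather than replacing them.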


Given that the primary targets seem to be running unpatched Windows (at least to latest), I'd guess there's a substantial amount of internet-accessible SMB ports.

If so, you wouldn't need a very high phish:total infected hosts ratio to explain the numbers. And given that whoever was originally phished didn't know it was an illegitimate email... not betting we'll see many examples of the initial vector.



Why isn't the internet alive with the email subject line then? The email would be multi-lingual too?


Spear phishing is now a lot more effective.


My guess is this is why we're seeing multiple bitcoin addresses:

The original authors first released it with their own bitcoin address. It then spreads p2p around the world wherever it can to front-facing PCs.

Then 3rd-party spear-phishers are sending it to corporate networks with their own bitcoin address so they can get the credit for getting past/through firewalls.


If the payment goes to them instead of the original authors, how could the new hijackers of the virus offer to decrypt the data? I'd assume only the original authors have access to the private keys needed for that.

If someone was really clever they could change the Tor addresses it talks to for command & control and write their own complete replacement backend, but at that point it seems like you'd be looking at people capable enough to just write their own malware from scratch anyway...


It could be one back-end, with the malware authors paying a cut to the spear-phishers. The spear-phishers could monitor the bitcoin address to ensure they get the right cut.

Some level of trust would be involved.

I think the spear-phishing industry and the malware writing industry aren't one and the same. The former is the marketing department, the latter is the tech department.


They can offer, they can accept payment. Doesn't mean they will actually decrypt the files.


That's possible but wouldn't there be evidence of this kind of arrangement? Authors need to document how to do it, I think.



