Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

XhenEd


Hehehe... I was just looking for this because I had no chance to watch yesterday. Did you delete the video? I couldn't find the one you posted yesterday.

But then boom you just posted the video. So thanks! :D
 

XhenEd

You already knew the end result... you just wanna watch a video for its "entertainment value."
Yeah, I already expected the result. I just wanted to know how AppGuard handles this ransomware. I expected the User Space block, which is a bit boring because it's just a block, no-frills, no thrills (/s). :D

What I want to see now is how AppGuard operates if WannaCry is digitally signed. :D
 

509322

What I want to see now is how AppGuard operates if WannaCry is digitally signed. :D

If it executes, then it will encrypt files in User Space except those in Private Folders.

Guarded protections do not prevent file encryption.

You already know this...
 

XhenEd

If it executes, then it will encrypt files in User Space except those in Private Folders.

Guarded protections do not prevent file encryption.

You already know this...
Yes, I know. But I just want to know how exactly AppGuard operates with WannaCry running. I just want to know with my own eyes. :D
 

509322

Yes, I know. But I just want to know how exactly AppGuard operates with WannaCry running. I just want to know with my own eyes. :D

Grab a WannaCry sample from Hybrid-Analysis.com and run it Guarded from the desktop...

Inside a VM of course.
 

XhenEd

Grab a WannaCry sample from Hybrid-Analysis.com and run it Guarded from the desktop...
hehehe.. I won't. :D

I'll just wait. Maybe someone will test when a WannaCry sample acquires a digital signature. :D

But if WannaCry never acquires a digital sig, then all the better for everyone, because it would be easier to detect and block. :D
 

509322

hehehe.. I won't. :D

I'll just wait. Maybe someone will test when a WannaCry sample acquires a digital signature. :D

But if WannaCry never acquires a digital sig, then all the better for everyone, because it would be easier to detect and block. :D

Why would they even bother to sign WannaCry when they are already in the "chah-ching!"

Besides... most of you dedicated AppGuard users are running it in Locked Down mode, so it doesn't matter if WannaCry is ever digitally signed as it will be blocked whether it is signed or unsigned.
 

brambedkar59

"If the domain was not registered, the ransomware would start its encryption process, if it was registered, it would not encrypt any files. To protect victims, the researcher registered the domain, effectively preventing WannaCry from making new victims."
I don't understand how domain affects the working of Ransomware. Can anyone explain this in layman's terms?
 

DarkJoney

"If the domain was not registered, the ransomware would start its encryption process, if it was registered, it would not encrypt any files. To protect victims, the researcher registered the domain, effectively preventing WannaCry from making new victims."
I don't understand how domain affects the working of Ransomware. Can anyone explain this in layman's terms?
It checks if the domain responds to the request.
If not - encrypts files.
If yes - doesn't start at all
 

brambedkar59

It checks if the domain responds to the request.
If not - encrypts files.
If yes - doesn't start at all
Thanks for the reply.
Sorry, I am a noob, but why does it check with the domain, and why not just start encrypting the files on the PCs it gets activated on?
Does it have to do with the decryption keys?
 

Arequire

Thanks for the reply.
Sorry, I am a noob, but why does it check with the domain, and why not just start encrypting the files on the PCs it gets activated on?
Does it have to do with the decryption keys?
As far as anyone can tell the domain was designed to be a killswitch. It would have afforded the author the ability to register the domain and stop the ransomware from continuing to encrypt files on systems that it spread to.
Since then another variant has been released with the domain killswitch removed.
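A defender-side illustration of the killswitch behaviour DarkJoney and Arequire describe, as an added example that is not from the thread or any project: it triages constructed DNS query log lines for lookups of a placeholder killswitch domain. The domain name, the log format and the log lines are all assumptions.

```python
"""Added example (not from the thread): triage DNS query logs for a
WannaCry-style killswitch lookup. Domain, log format and log lines are
constructed placeholders, not the real indicator."""
import re

# Constructed placeholder: swap in the real killswitch domain from threat intel.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed log format: <timestamp> <client-ip> query <qname> -> <rcode>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+->\s+(\w+)$")

# Constructed sample: one host got an answer (domain registered, encryption
# skipped), one got NXDOMAIN first (killswitch failed), one is unrelated noise.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.0.5 query killswitch-domain.example. -> NOERROR
2017-05-12T10:01:03Z 10.0.0.9 query updates.example.net. -> NOERROR
2017-05-12T10:01:04Z 10.0.0.7 query KILLSWITCH-DOMAIN.example. -> NXDOMAIN
2017-05-12T10:01:05Z 10.0.0.7 query killswitch-domain.example. -> NOERROR
"""

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "rcode": rcode}

def triage(log_text, domain=KILLSWITCH_DOMAIN):
    """Map each client that looked up the killswitch domain to a verdict.
    The lookup itself means the worm executed on that host; the answer only
    says whether the killswitch stopped it. A host that ever saw NXDOMAIN
    keeps the worse verdict even if a later lookup succeeded."""
    verdicts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != domain:
            continue
        if rec["rcode"] != "NOERROR":
            verdicts[rec["client"]] = "killswitch failed: encryption likely, isolate now"
        elif rec["client"] not in verdicts:
            verdicts[rec["client"]] = "killswitch triggered: ran but did not encrypt, isolate and patch"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(host, verdict)
```

The variant Arequire mentions with the killswitch removed never performs this lookup, so this signal only covers the original build; hosts that were isolated from DNS when the worm ran also leave no trace here.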
 

brambedkar59

As far as anyone can tell the domain was designed to be a killswitch. It allowed the author the ability to stop the ransomware from continuing to encrypt files on systems that it spread to.
Since then another variant has been released with the domain killswitch removed.
Thanks for explaining that. I think I got it.
 

MBYX

Is there a sample I can have a look at please?
Preferably kill switch removed version but happy for either. Can just pm me off the side.
 

Orion

The only reason this malware is on a rampage is because there are computers that are not patched for MS17-010, even after the patch was released in March this year.

It wouldn't have been so deadly if it wasn't EternalBlue being used. Yet again it stresses the importance of doing your Windows updates.
 
