Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation

On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven’t…


Windows 10 platform resilience against the Petya ransomware attack

The Petya ransomware attack on June 27, 2017 (which we analyzed in-depth in this blog) may have been perceived as an outbreak worse than last month’s WannaCrypt (also known as WannaCry) attack. After all, it uses the same SMB exploit used by WannaCrypt and adds a second exploit and other lateral movement methods. However, our…


Update on the Petya malware attacks

As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. There was a great deal of conflicting information reported about the attacks, including several confusions involving unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, which…


New ransomware with old techniques: Petya adds worm capabilities

On June 27, 2017, reports of a ransomware infection began to circulate throughout Europe. The first infections were detected in Ukraine, where more than 12,500 machines faced the threat. Infections were then observed in 64 other countries, including Germany, Belgium, Brazil, the United States and Russia. The new ransomware has capabilities for…


Update on Petya malware attacks

As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release…


Windows 10 Creators Update provides next-gen ransomware protection

Multiple high-profile incidents have demonstrated that ransomware can have catastrophic effects on all of us. From personally losing access to your own digital property, to being impacted because critical infrastructure or health care services are unexpectedly unavailable for extended periods of time, destructive attacks have grown in severity and scale on all platforms – including…


Join us for the May 2017 CAAB Webinar

The May 2017 Cloud Adoption Advisory Board (CAAB) webinar was a Skype meeting that opened at 7:45 AM Pacific Daylight Time (PDT) on Wednesday, May 31. It began promptly at 8:00 AM and ran to 9:00 AM. There was time for discussion during the session, and the speakers were available for a few minutes after the session for additional questions….


Disable SMB v1 in Managed Environments with Group Policy

The following is a brief summary of recent SMB v1 vulnerabilities, ransomware, and an enterprise approach to disabling SMB v1 via Group Policy. Why SMB v1 Isn’t Safe (September 16, 2016) Ned Pyle wrote a blog post in September of 2016 on why SMBv1 isn’t safe, where he stated that if your clients use SMB1, then…


Informational Webinar: The WannaCrypt Ransomware Attack

We would like to invite you to take part in a new informational webinar on the recent cyberattack known as WannaCrypt (also called WannaCry, WannaCryptor or Wcry). Please save the date below in your calendar and join us to hear Teresa Ghiorzoe, André Toledo, Bruno Cruz, Daniel Mauser,…