Retracted! Wcry ransomware is reborn without its killswitch, starts spreading anew


#1

Originally published at: http://boingboing.net/2017/05/14/as-predicted.html


#2

Someone has to say it; PATCH AND UPDATE YOUR FUCKING SOFTWARE. There was a patch for all supported versions of Windows months ago. If for some asinine reason you insist on running an unsupported version, Microsoft went out of their way to issue patches a couple of days ago. If you get hit by this tomorrow it’s on you (or your admin.)


#3

Seriously. Even if you thought you had legitimate reasons for running under-protected systems, as of yesterday those reasons became invalid. You had a full day to get your shit fixed, or at least walled off from the public internet. Anyone infected by round two should fire their IT people.


#4

The glow of smug satisfaction I get from using Linux at home is now as bright as a supernova.

But SRLY, I have a Windows 10 system I turn on once or twice a month. Next time I boot it up I guess I will:

  1. Disconnect from NAS
  2. Run Windows update
  3. Update Norton
  4. Scan

Is that enough?


#5

Windows 10 is not vulnerable to Wcry.


#6

That's pretty much my situation as well. For all the headlines, though, I'm still not clear how my machine will get infected. Will it be an infected web site I visit that would get me?


#7

I dunno, I heard that patch causes autism.


#8

Windows isn’t so bad. Ever since having my machine crippled once out of nowhere (by one of those malware removal programs that got turned into malware) I’ve been more careful and have been fortunate to avoid any of the big troubles. I hope that remains the case, but the targets seem to be the computer illiterate more than anything. Even when I got crippled I found out it was another PC on the network that got hit and spread to mine before it was quarantined at the office. As in most small offices, I had to help our IT person figure out how to fix the damn thing and it took a few days and a lot of reading.

Still not even close to an expert, just my experience based on working with a wide variety of ages and tech levels.


#9

Although I appreciate running linux and understand the value of doing so, despite not being a tech savvy person, what about all the other people who are not tech savvy? I mean, should we really act like we’re so much better than grandma and grandpa, because we understand a bit better than them how the internet works?

And going forward, this is something we can fix through education. Younger people still in school can be taught to keep their machines up to date with the latest necessary patches, because, let’s face it - the world isn’t going to turn into a linux-driven world as long as Microsoft and Apple are around with their software.

But it’s not something we can really fix for the people who are well past schooling age and still find an internet connection necessary for navigating daily life. And there are certainly people who SHOULD know better, who are still running unsecured machines, but what about all the people who just literally don’t understand what all this means in the first place?


#10

I must wonder if not posting what the kill switch in the code was might not have bought folks at least another day’s respite to work on this issue? Seems to me that telling the people exactly how the ransomware was stopped was a bit foolish.


#11

Embedded Win XP devices (e.g. MRIs, nuclear submarines*) that can’t be altered. National Health Services that weren’t given the budget to upgrade Win Xp computers that formed the basis of critical services. Etc. Having no choice is not an “asinine reason.”

*Yes, seriously.

This time the targets seem to heavily be institutions that couldn’t upgrade - or relied heavily on older systems that were too expensive/disruptive to upgrade.


#12

@Cory - Do you really think the first round was “sloppy”? Or was it a test balloon to see if people would pay attention?

Considering the screaming front page headlines on NYT, BBC and everywhere else, and an un-killswitched one the next day, I’d say it was fully intentional and evil-genius-crafted.

The only question I have is why it took so long. Nobody say CRISPR.


#13

We have a Windows environment at work that is professionally managed and carefully monitored. It runs really well. The IT folks are good about keeping abreast of threats.

I resent the overhead required for my home Win10 system. Running Norton, downloading updates, etc. Also having the damn thing turn itself on in the wee hours to process updates freaked me out something awful.


#14

If they are on any remotely recent computing device, it auto updates and patches itself. This is built in. Unless they intentionally disable or interfere with that update mechanism, “it just works”.

The big exceptions are old versions of Windows (XP, Vista) and Android devices. As far as I know unless you got your Android device literally from Google, it may not get automatic security updates.


#15

And yet, this ransomware was still able to get ahold of a ton of computers, apparently? Wasn’t there a problem with MS not supporting older OS with patches any more and this is a major reason why this spread as much as it did? And I’m going to assume that not all android devices are in the possession of folks who understand the importance of security updates, yeah? I think that expecting people to be up to date is missing the reality of how computers are used in daily life for the rest of the humanity that isn’t either proficient in how this stuff works or doesn’t have someone who is clued in taking care of their stuff.

My point is that although this is all supposed to be easy to understand and streamlined, the reality is much messier. I think it’s important to recognize the realities of how most of humanity interacts with their connected devices. If I weren’t married to a guy who writes software and has been familiar with this stuff from a very young age, I’d be totally at sea on all of this.

I know lots of people here understand what’s happening here, but lots of people don’t even understand the basic infrastructure of the internet. To many people, yeah, it really is just a series of tubes.


#16

99% of this is solved by “don’t use ancient versions of X”. That’s all I’m pointing out. And it’s correct, because Windows 10 (any version!) and fully patched Windows 7/8 are not vulnerable to Wcry.

The vulnerable places were mostly using Windows XP which was released 16 years ago and hasn’t been supported by anyone for 3 years.

To be clear Wcry is absolutely about Windows so mobile is a bit less on topic, but…

On the mobile side, if you use iOS, as I recommend you should, you’re absolutely unquestionably covered because Apple is meticulous about driving out updates to folks and forcing them to upgrade. They also have secure enclave on the hardware side so literally nobody, not even nation states, can crack their stuff. Unlike Android.

It is truly a shame about Android security though, on so many levels, direction, software, hardware… (cough @Medievalist) https://gist.github.com/anonymous/9f789aabd7e8681dec0cf5781aecf664


#17

And why hasn’t Bitcoin shut down this account? And failing or refusing to shut it down why isn’t whoever runs bitcoin being arrested for abetting what is an act of financial terrorism?


#18

Nobody “runs” Bitcoin. It’s decentralized and distributed by design.


#19

I do hate the subscription model of antivirus programs, but I’ve been using my lifetime Malwarebytes premium for a long time now with no issues.


#20

@kaibeezytentroy The first version appears to have been sloppy, but not in the obvious way. “MalwareTech” (the researcher who registered the kill domain) thinks that it was looking up the domain to see if it was running in a test sandbox (i.e. being studied by a researcher), since some of those will resolve & respond to all domains. If it thought it was in a test sandbox, it shut itself off to make it harder to study. Thus, when MalwareTech registered the domain in the real world, Wcry thought the entire Internet was a sandbox, and shut itself off everywhere.

You can read MalwareTech’s description here.
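The sandbox-check logic described in #20, as an added Python model (not code from the thread, from MalwareTech, or from the malware itself). It never touches the network: the "resolver" that decides whether a name resolves and answers is injected, so the three situations in the post (running in a researcher's sandbox, running on a real host before the domain was registered, running after it was registered) can be replayed offline. The domain name is a hypothetical placeholder; the thread does not give the real one. `domain=None` models the "reborn" variant from the headline, with the check removed:

```python
"""Added example: a model of the Wcry kill-switch / sandbox check described
in post #20. Not code from the original thread or from MalwareTech."""
from typing import Callable, Dict, Optional

# Hypothetical placeholder. The thread does not give the real domain, and this
# example never touches the network: the "resolver" below is injected.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# A resolver answers True if the name resolves AND the host replies to the
# request, False otherwise (NXDOMAIN or a failed connection).
Resolver = Callable[[str], bool]


def should_run(resolver: Resolver, domain: Optional[str] = KILL_SWITCH_DOMAIN) -> bool:
    """The malware's decision as described in the post.

    If the domain answers, the code assumes it is inside an analysis sandbox
    (which answers for any name) and stops. domain=None models the "reborn"
    variant with the check removed: it always runs.
    """
    if domain is None:
        return True
    return not resolver(domain)


def real_internet(registered: frozenset) -> Resolver:
    """Model the real Internet: only names somebody has registered answer."""
    return lambda host: host in registered


def analysis_sandbox() -> Resolver:
    """Model a sandbox that resolves, and replies for, every name it sees."""
    return lambda host: True


def scenarios() -> Dict[str, bool]:
    """Replay the sequence of events in the post; True means the malware runs."""
    before = real_internet(frozenset())
    after = real_internet(frozenset({KILL_SWITCH_DOMAIN}))
    return {
        # Sandbox answers for every name -> looks like a sandbox -> exits
        "in sandbox, domain unregistered": should_run(analysis_sandbox()),      # False
        # Real host, nobody owns the name -> NXDOMAIN -> spreads
        "real host, domain unregistered": should_run(before),                    # True
        # MalwareTech registers it -> every real host now sees an answer -> exits
        "real host, after domain registered": should_run(after),                 # False
        # Variant without the check: registration no longer helps
        "real host, reborn variant (no check)": should_run(after, domain=None),  # True
    }


if __name__ == "__main__":
    for label, runs in scenarios().items():
        print(f"{label:40s} -> {'runs' if runs else 'exits'}")
```

The model makes the asymmetry in the post concrete: the check only protects the malware from sandboxes as long as the name is unowned on the real Internet, and registering it turns that anti-analysis trick into a global off switch, which is exactly what a variant with the check stripped out takes away again.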