Retracted! Wcry ransomware is reborn without its killswitch, starts spreading anew

That’s not entirely correct, it’s not vulnerable to spreading the worm via the SMB bug, but if you open an emailed zip containing the virus and run it you’re still screwed (no matter what version you’re running). AFAIK that’s the most common vector for ransomware infections.

Once it’s on your network, then it could spread to other unpatched computers via the SMB bug, but even without the SMB exploit these ransomwares can still encrypt network data via standard network shares. If you got infected via an SMB port open to the public internet then your IT department deserves to be fired, that kind of thing needs to be behind a VPN.

I’ve had a couple of clients fall victim to Zepto - which is similar to Wcry (despite having fully up to date virus scanners, these worms do a good job of keeping ahead of most of them), and they got infected via email attachments (the son of one client had his laptop wiped, taking out his entire business, all accounts, invoices, etc, he had no backups). Thankfully we had backups of everything (and by coincidence I happened to be remoted into one system as the encryptor process was running so was able to manually remove it), so it was a fairly minor inconvenience, there’s little guarantee paying them off will actually work.


“Nobody “runs” Bitcoin. It’s decentralized and distributed by design.”

Really? So Bitcoin accounts appear by magic as do the servers they run on? I am very impressed. Not one person handles any aspect of Bitcoin anywhere?

There is no control mechanism to verify accounts and their value? I am past impressed now and on into “gobsmacked”. I presume this means I can just start one and put any amount of money I want as its value and then extract that from those Bitcoin machines one sees in some parts of the world?

You sure you are not confusing Bitcoins and Qualloos?

sloppy, but not in the obvious way

I’d already read it, and I hear you, and I wish we knew for sure. I’ll agree it’s sloppy if the hackers didn’t know the killswitch was in there, or if they didn’t pay attention to it having been formulated for sandboxing. But we don’t know that, and even the researcher didn’t. A couple of paragraphs above that he gets all freaked out that he’s just ransomwared everyone!

Equally likely, perhaps much more likely, is a determined malefactor mid-attack. And as we have seen, hours later the second pulse is upon us. What stops this one?

I’m rather impressed by how well-organized and professional they sound.

They even have a “Contact Us” link? They appear more responsive than many companies I’ve dealt with.


No it doesn’t. The only way to get bitcoin is by mining it or buying it from someone who has already mined it (the mining process is a cryptographically secure way of generating the currency in a verifiable manner), the entire currency represents a distributed database of all transactions that have occurred, there is no one person in control of the system, and there is no way to create money that doesn’t leave a trail in that distributed database, if you claim to have bitcoin and it’s not in the database then you don’t have it. You shouldn’t take my word for it, just read the Wikipedia.

It’s not impossible to detect where someone might end up withdrawing cash from bitcoin, so you could find them that way, but you can’t shut down any ‘accounts’, the only way to catch these guys is through old-fashioned police work, surveillance, intercepting communications, etc., something that’s obviously pretty hard to do if they’re operating out of a failed state like Russia.


This one isn’t a stupidity tax (like the Nigerian princes), it’s a panic tax. So it is a nicely written, reassuring, professional-looking shakedown. After all, they want it to be easy to pay.


Yeah, doubling the fee after a few days and having a time limit of a week is a good trick to panic the victim into action. Offering to decrypt part of it for free is a nice trick as well, “see you can trust us”.


Yes, really, nobody has control over Bitcoin. The whole system is a mathematical consensus between all of the computers that mine and exchange bitcoins. They all work together to verify the amounts are correct. But no person, no company, no government, has the power to control or shut down someone else’s wallet. The only possible way to do so is to change the software running on at least 50% of the bitcoin network. Good luck getting that to happen.


I think I trust them better than I’d trust Comcast.


Huh? I’ve got updates waiting to happen on my iPhone. I’m not being forced to update, and haven’t been on OS X either. I’m going to be backing up and upgrading today or tomorrow though.

I don’t let auto update happen because I tend towards not doing anything until everyone else has done it and worked out bugs. I’m also paranoid that someday someone will figure out how to redirect your autoupdate to install their malware (maybe y’all can educate me as to how possible and likely this is).

Ya know, you’re being rather aggressive in trying to win an argument over something you know absolutely nothing about.


From my understanding no, at least for this version.

From what I’ve read it spreads primarily by direct network connection to one of the ports used for Windows SMB service (network file sharing) without any user action required, so to get infected your computer would usually need to be either in a private/internal network with an infected machine, or on a public IP address with no firewall (or with a firewall that accepts incoming connections on the ports used for Windows network file service, which might as well be no firewall.)

This is why it spreads like wildfire once it gets inside a corporate or office network, but it’s hitting relatively fewer home users.

However… we’ve just seen proof that it’s easily updated by the creators. So maybe the next version will have code added for taking over webservers without encrypting them and inserting itself as a “drive-by download”, and the next version after that emails itself to everyone in the infected machine’s contact list before starting the ransomware phase… etc. So, yeah, still be careful about clicking on stuff.

And for all that updating with the latest patches is important, it doesn’t make you safe. Zero-day exploits exist, and we can expect some ransomware using one or more of them to come along, and there’s very little you can do about that.

Expect this all to get worse and worse for years to come.


There is an excellent editorial in yesterday’s NYT which discusses the question of who deserves the blame for systems not having been updated with the security patch:
One thing she points out that I agree with 100% is that MS should stop forcing you to change your user interface in order to get security patches:

Further, upgrades almost always bring unwanted features. When I was
finally forced to upgrade my Outlook mail program, it took me months to
get used to the new color scheme and spacing somebody in Seattle had
decided was the new look. There was no option to keep things as is. Users
hate this, and often are rightfully reluctant to upgrade.

I’m still running W7 on my office desktop because when I upgraded to 10 during the free upgrade period, it wouldn’t support my monitor, which is an ancient but wonderful CRT. The drivers wouldn’t support my desired refresh rate. Possibly that has changed, but the upgrade is no longer free.


Yes, but it’s still “free.”

Do you want new features or patches for old versions? That’s the choice. There’s no way they are going to keep supporting all the older versions because “someone liked” one of them.

If you upgraded to Windows 10 and then downgraded again your machine is fully licensed for Windows 10. Upgrade away.

but what about all the people who just literally don't understand what all this means in the first place?

In practice, they should just use a Mac. Honestly, despite the fact that every couple of months there’s a hysterical article about the possibility of Mac malware (with some proof of concept attack being demonstrated), it just never turns out to be a problem the way that every few months it is for Windows. I stick to Linux and Mac myself, and my Mac-user relatives certainly have fewer problems needing me to fix.

That’s only because nobody uses Macs, if everyone started using them then malware writers would start targeting them. There’s nothing intrinsically more secure about iOS compared to Windows.


As the webmaster for the Indiana University Qualitative Econometrics Research Forum, Special Operations Division, Precinct 9, International Finance Journal And Proceedings Of the Special Directorate For Financial Justice, Human Governance Over Special Undertakings Related to Inter-Jurisdictional Federal Ancillary Events With Real-World Externalities Regarding Global Water Easement Activities, this couldn’t have come at a worse time for me.


[quote=“agies, post:35, topic:100956, full:true”]
Do you want new features or patches for old versions? That’s the choice.
[/quote]
That’s the point; if you bundle the security patch with unnecessary onerous changes in look and feel, people won’t do it. If (as discussed in the article) your changes also mean that you’ll have to spend millions of dollars in new software, as was the case with many hospitals using XP machines to operate hardware, that’s an issue too. By making this “the choice”, MS helped create a situation where important systems were/are unnecessarily vulnerable.

I might try that this summer, to see if they’ve fixed the CRT driver issue, but I’m not holding my breath.


Windows is basically a series of patches upon patches with no clear design. MacOS is based on a combination of the Mach microkernel and BSD Unix, both of which have considerably more thought put into their design (as well as having been tested for decades). While the lesser popularity of Macs may play a small role in their security, that isn’t really the main thing.