A few notes about this new ransomware worm

– it’s not petya, it just steals some of its components, as often happens.

– email as infection vector? Unsubstantiated claims. So far not a single sample. All the samples that have been submitted and analyzed belong to some other ransomware, not this one.

– there is no remote killswitch like the one for wannacry, but there is a local one: you can create a file on your computer to stop it should you get infected. But why bother? Just install the security patches and you will prevent the infection.

– most news sources just copy the same unverified claims and incorrect information from other sources. Being fast in publishing anything seems to pay more than providing accurate information. Choose your sources carefully.

– most of the infected computers, if not all, are unpatched. Patches for these vulnerabilities have been available since March. We are talking about companies that rely on their IT infrastructure for their business.

– the exploits are once again the ones developed by the NSA and made public by the Shadow Brokers. Offensive exploits are offensive indeed, and once leaked they can be used by anyone for any purpose, apparently for a long time after patches have been made available.

– the worm seems to be of much higher quality than wannacry and spreads a little differently, but … a single email address and a single Bitcoin wallet for payments. This makes little sense from a ransomware point of view: ransomware usually provides one bitcoin wallet per transaction, to make the money flow hard to track, and multiple contact points, to keep operations running. Here the malware authors don’t seem to have paid much attention to this part, which should matter if your objective is to make money. Pair this with the fact that the worm wipes the first sectors of the disk, making the computers unusable, and the hypothesis that a state actor deployed a digital wiper disguised as ransomware makes some sense.

– this single email address has been shut down, so even if you pay the ransom you have no way to contact the authors to get the decryption key. Don’t pay, and while you wait to see how the situation evolves, take some time to rethink your backup strategy. You only need to do it once.
