Latest Ransomware Hackers Didn't Make WannaCry's Mistakes

Not that I expect to be hit by such a virus/malware, I'm not important enough, I do exercise caution. As an example I think I am like many others, I have people in my address book from whom I NEVER EVER get an email. It has happened to me that I would get one out of the blue and purportedly coming from such a person. This I am extremely reluctant to open. But there are ways to ascertain if this is actually from that person and I have found several times that even though the email apparently came from "Joe Blow" the actual address was something quite different. Goes into the SPAM file immediately and also immediately gets deleted permanently out of the SPAM folder !

That's why I send, and receive email in text-only format.

Any file types, email addies, and links are in plain view.

So many other infections it relies on someone to open the initial file/email to start the infection on the local network. It still amazes me to this day that people STILL click on links and open file attachments from unknown sources/persons. Even after you tell them not to, they do so anyway. Its like a Pavlovian response when they see a URL link or file attachment in an email.

It's not as easy/simple as that. What if I tell you the email appears to come from a "known" person or company?

Let me begin by saying that the initial infection might have been from a compromised software update server for an accounting software in Ukraine: http://www.zdnet.com/article/microsoft-petya-ransomware-atta...

However, let's just assume email is (another) method of infection. These days, attackers are becoming more clever. They spend time to learn the vendors, shipping companies and other companies that deal with a particular company they're targeting. They craft an email that looks very real as if they're coming from the vendors the target company normally deals with every single day. I have seen a few myself but I know how to check the validity of an email.

EVERYONE is a target. Some of this is deliberately targeted at the bigger companies, but it spreads randomly. And don't ever think your home is not a likely target. I bought a new home router recently which has many more advanced features than the old one did. This one can be set to save a log about all intrusion attempts. There is not a single day that goes by that I don't have at least 5 or 6 intrusion attempts of one sort or another. These come from all over the world!

Just like the robo-dialers for telemarketers, these hackers run scripts that just try random IP addresses to probe for weaknesses. They have no idea of who the script is targeting.

Going on the techie networking sites to look into this, they tell me that this is entirely normal to see intrusion attempts this often.

5 or 6 attempts a day? I got hundreds of those every single day. I also manage a mail server. There are thousands of login attempts to take over the server everyday.

Same story here. One of my clients has a Linux server I set up for them which operates as their mail server, domain controller, etc. Not only are there CONSTANT attacks against SSH (Fail2ban is your friend here, if you want to stick with [STRONG!] password authentication even though keys are better) but there is the constant onslaught of spam and virus-laden emails.

If there are any available exploits, including Zero-day exploits, to be used against your server and any other reachable computing resources, you can count on them hitting your network. They'll try to use your server to DOS other sites if you have an open DNS-resolver, etc... the list goes on and on.

Chewbacca - I've found ASSP to be a very effective spam-filter, more effective than anything else I've seen (free, paid, etc.) and it's free and open-source software. You can run it on Windows or Linux/Unix. You can use it with ClamAV which pretty much sucks out of the box but when you add the unofficial SaneSecurity signatures it becomes extremely effective for even very new attacks. Sanesecurity has phishing-related signatures as well. ASSP can be configured to handle messages that were tagged by clamav as suspicious differently than messages with actual virus code. The result is a series of checks which, taken together, makes it extremely difficult to get a bad message in without being detected, while generating few, if any, false-positives.

There are no guarantees in the current landscape but there are at least a lot of great tools available to help mitigate the threats. The "good?" news is that users are at least becoming more aware of these attacks and how to minimize their risk now that they are also being targeted directly by ransomware, as opposed to those attacks only creating a headache for corporations and administrators.

- Phil

Thanks for the info. The company I currently work for will be switching over to Microsoft cloud service (Exchange). At this time I don't want to make anymore changes to the setup because the company won't be hosting their own mail server in the near future.