Slashdot Mirror


PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes (bleepingcomputer.com)

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.


  1. Re:TFA slightly overblown by knorthern+knight · · Score: 2, Funny

    > ... although .. after we've all finally moved onto IPv6 networking, and
    > all our home systems (not just well-run geek systems but also all Joe Public's
    > PCs running Windows 17) are sitting on publicly routable real addresses and
    > *not* behind NATs, the situation won't be as comfortable any more.

    That effing stupid setup is the brainchild of some braindead internet hippies...

    1) If your ISP goes down for maintenance or a "backhoe incident", two machines at home won't be able to communicate.

    2) I may have a fast router at home, and 2 PCs, all with Gigabit Ethernet. But if it goes over my 7 Mbit down / 1 Mbit up ADSL connection, copying files over will take forever.

    3) Copying over a few hundred gigabytes of data from my old PC to a new replacement PC would destroy my monthly bandwidth quota.

    4) I do *NOT* want my ISP to know what data I have on my PCs.

    The way to go is to use link-local IPv6 addresses for all machines as per http://www.brocade.com/content... e.g. and I quote

    > To override a link-local address that is automatically computed for an
    > interface with a manually configured address, enter commands such as the following.
    >
    > device(config)#interface ethernet 3/1
    > device(config-if-e1000-3/1)#ipv6 address
    > FE80::240:D0FF:FE48:4672 link-local
    >
    > These commands explicitly configure the link-local address FE80::240:D0FF:FE48:4672 for Ethernet interface 3/1.

    And then use a hosts file to give simple aliases like "mom", "dad", "billy", or "sue" to each machine. Bonus points for a DD-WRT variant, or ip6tables ruleset on a Raspberry Pi that consolidates all the internal link-local addresses into one external IPv6 address as far as the outside world is concerned. Repeat after me... IPv6 NAT.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
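The alias-to-address scheme the comment above proposes, as an added example that is not part of the thread or of the Brocade documentation it quotes: a small Python script that validates that each home machine's address really sits in the link-local range fe80::/10 (the property the scheme relies on for not being reachable from the Internet) and emits hosts-file lines for the ones that pass. The machine names and all addresses except the quoted FE80::240:D0FF:FE48:4672 are constructed; the `HOME_MACHINES` map and the function names are this example's own.

```python
import ipaddress

# Constructed sample in the commenter's style: one alias per machine.
# "mom" reuses the address from the quoted Brocade example; the others are
# made up, and "sue" is deliberately NOT link-local to exercise the check.
HOME_MACHINES = {
    "mom":   "FE80::240:D0FF:FE48:4672",
    "dad":   "fe80::1",
    "billy": "fe80::dead:beef:cafe:1",
    "sue":   "2001:db8::10",
}


def is_link_local(addr: str) -> bool:
    """True if addr parses as IPv6 and lies in fe80::/10 (RFC 4291 link-local)."""
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return ip.is_link_local


def hosts_entries(machines: dict) -> tuple:
    """Build /etc/hosts lines for link-local machines only.

    Returns (lines, rejected): lines are "<compressed lowercase address> <alias>"
    strings, rejected lists aliases whose address is not link-local, since such
    a host would not be confined to the local link as the scheme assumes.
    """
    lines, rejected = [], []
    for alias, addr in machines.items():
        if not is_link_local(addr):
            rejected.append(alias)
            continue
        # str() on IPv6Address normalises to compressed, lowercase form.
        lines.append(f"{ipaddress.IPv6Address(addr)} {alias}")
    return lines, rejected


if __name__ == "__main__":
    ok, bad = hosts_entries(HOME_MACHINES)
    print("\n".join(ok))
    for alias in bad:
        print(f"# skipped {alias}: address is not link-local")
```

Note that a link-local address is only valid on one link, so the generated lines help only for hosts on the same LAN segment; the script does not check that.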