Hello everyone, it's really been a long long time since I was active on this forum. I think it's time to make a comeback. It's nice to see all the legends... cats, b_b
Anyway, on May 15th I was the victim of a WannaCry attack. Don't know how it happened. I did have Windows 7 64-bit Ultimate unpatched version. I use VPN all the time. Either PureVPN or NordVPN. I have key scrambler, and Comodo firewall. Despite this, I got hit by it. I immediately found some suspicious activity on my computer, and blocked all the connections and everything was sandboxed. Fortunately, I was able to recover all my data. Thanks to b_b for all previous data recovering posts and ideas. But couldn't recover Prison Break series. I had it on BluRay 720p, with English and Russian audio and subs, 225 GB totaling 5 seasons. Also, Jetsons, Samurai Jack, Courage the Cowardly Dog, Captain Planet, and SwatKats were lost. But all my work files were safe.
My computer was shared with 2 other people. I have a strong feeling that it must have entered through their logins, as sometimes Comodo and the VPN used to not work on their logins.
What could be other reasons?
Any wannacry victims?
- z3r0aCc3Ss
- Fame ! Where are the chicks?!
- Posts: 700
- Joined: 23 Jun 2009, 16:00
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP
Re: Any wannacry victims?
As far as I know the method of spreading was that of a pure worm.
So something on your network must have been open directly towards the Internet at some point.
That would be my guess.
What does the setup look like when it comes to the router/firewall into your network?
Are any ports open there?
"The best place to hide a tree, is in a forest"
- z3r0aCc3Ss
Re: Any wannacry victims?
cats wrote:
As far as I know the method of spreading was that of a pure worm.
So something on your network must have been open directly towards the Internet at some point.
That would be my guess.
How does the setup look like when it comes to router/firewall in to your network?
Are any ports open there?

My setup is like this:
I have my main router + modem (wireless) through which I receive broadband. Then there is an intermediate router (wireless) on which PureVPN is installed. I had specifically bought this and installed PureVPN on the router itself (I think it's better). Then my computer has a TP-Link WiFi dongle via which I connect to the intermediate router. As far as ports are concerned, all the non-required ports are closed. Only specific ports such as 21, 22, 80, 8080, etc. are open. Even my firewall has "Block All, Allow specific" policy. But I strongly feel that TCP 443 was open.
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP
Re: Any wannacry victims?
Strange. But my first reaction from this is that your VPN service might have opened the door somehow.
Have you tried scanning the IP range on your VPN to make sure you can't reach other machines in the same network?
That could be a potential way in for wannacry.
"The best place to hide a tree, is in a forest"
- z3r0aCc3Ss
Re: Any wannacry victims?
Yea, pretty much. I do IP range scanning frequently, sometimes just for the sake of timepass.
Machine access over the network is strictly prohibited.
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP
Re: Any wannacry victims?
z3r0aCc3Ss wrote:
Yea, pretty much. I do IP range scanning frequently, sometimes just for sake of timepass.
Machine access over the network is strictly prohibited.

Hmm yeah, then it's pretty weird.
I would be worried if I were you, at least until you can find a logical explanation for how it got into your system.
"The best place to hide a tree, is in a forest"
Re: Any wannacry victims?
I know this is a bit dated, but if I remember correctly, WannaCry spread primarily through an exploit in the Windows SMB protocol. Make sure you either disable those services on your machine, or firewall ports TCP 445, and UDP 137, 138 and 139. Alternatively, switch to Linux.
¯\_(ツ)_/¯ It works on my machine...