did ye draw straws in the mod room for who would apply it
> did ye draw straws in the mod room for who would apply it

They didn't have any straws left, Rawsy's shitting through them
> I've seen news articles saying patient records might have been encrypted (not mine, I didn't let them upload it) but are these not in databases on servers, as opposed to local machines? I thought most of the PCs were pretty much acting as thin clients and smartcard access is needed for anything important. How would the malware have gotten to the databases?

I would have thought the main NHS data is held on backend servers (with backups), so worst case all this would do is stop the local PC from working, unless it had got itself onto the backend server as well?
Let's have a look:

Whois malwaretech.co.uk
Registration Date: 2017-05-13
Expiration Date:   2018-05-13
Updated Date:      2017-05-13

Whois malwaretech.com
Registration Date: 2013-11-14
Expiration Date:   2017-11-14
Updated Date:      2017-03-06
Why did the .co.uk address stop the malware?
I'm curious about the propagation speed of his domain, it seemed very quick.
> So has poacher turned gamekeeper do you think?

I don't know @IANB but there are a few iffy things.
> He registered a domain name which seemed to propagate in a very short space of time through DNS in order to stop the malware. It was visible in many countries in a matter of hours?

I always thought propagating DNS servers throughout the world with all the ISPs can take days, depending on how often an ISP syncs their DNS servers.
> Was the executable not encrypted? How could he recover the URL?

Not likely, as it would need to be executed in a wide variety of OSs. You can recover the URL from the code via reverse engineering.
> Was the memory image not encrypted?

Not sure what you mean?
> It is possible that the malware used an encrypted tunnel (I use one for some of my browsing when not at home) but that traffic should have been noticed.

The idea behind an encrypted tunnel is that it can't be read by anyone on the outside. The likes of NHS networks may pick up an abnormal amount of traffic and flag this, but I can imagine this was coded to use very little traffic so as not to be immediately obvious until it's too late.
> Why did the proxy servers not see unsolicited traffic?

I can imagine this is because they work from a list of known dodgy websites and apply filtering for websites not on that list (similar to antivirus) to determine if a website is potentially dodgy. As mentioned above, if there is very little traffic then network administrators may not immediately be alerted to it.
> Let's have a look: Whois malwaretech.co.uk (registered 2017-05-13), Whois malwaretech.com (registered 2013-11-14). Why did the .co.uk address stop the malware?

That's not the killswitch URL that the ransomware was checking for; it was using an unchanging alphanumeric string:
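The two points raised above, that a hardcoded URL can be recovered from an unpacked binary by reading its strings, and that the check was made against one fixed domain, as an added Python example (this is not code from the thread, from the Talos write-up, or from any WannaCry sample): the byte blob and the domain names under `.invalid` are constructed placeholders, and the reachability check is injected as a function so the script runs offline and so a sandbox that fakes every connection can be modelled.

```python
import re
import socket
from typing import Callable, List

# Constructed stand-in for a few bytes of an unpacked binary (NOT a real
# sample): a fake header, an imported API name, some junk, an ASCII URL and
# a UTF-16LE ("wide") URL as Windows binaries often carry them. Both domains
# are placeholders under the reserved .invalid TLD.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"InternetOpenA\x00"
    + b"\x00\x01\x02\x03"
    + b"http://example-killswitch-placeholder.invalid\x00"
    + b"\xff\xfe"
    + "http://wide-placeholder.invalid/path".encode("utf-16le")
    + b"\x00\x00"
)

# Narrow URL pattern over raw bytes; it stops at the first byte that is not
# legal in a URL, which inside a binary is usually the terminating NUL.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Runs of at least four printable-ASCII/NUL pairs: a UTF-16LE string.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_urls(blob: bytes) -> List[str]:
    """Recover URL-looking strings from raw bytes, the way `strings -a` and
    `strings -el` would, without executing anything. This only works on an
    unpacked image; a packed or encrypted sample has to be unpacked or
    dumped from memory first."""
    found = [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]
    for run in WIDE_RE.finditer(blob):
        narrow = run.group(0)[::2]  # drop the interleaved NUL bytes
        found.extend(m.group(0).decode("ascii") for m in URL_RE.finditer(narrow))
    return found


def hostname_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0]


def killswitch_says_stop(url: str, reachable: Callable[[str], bool]) -> bool:
    """The check as publicly described: if the hardcoded domain answers, the
    sample exits and does nothing; if the request fails, it carries on.
    `reachable` is injected so this runs offline."""
    return reachable(hostname_of(url))


def live_reachable(host: str) -> bool:
    """Real-world stand-in (not used by the offline demo): a plain DNS lookup.
    The sample made an HTTP request, but a failed lookup is exactly what an
    unregistered domain looks like from the client side."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def outcome(url: str, registered: set, fake_all_connections: bool = False) -> str:
    """Model three situations: domain unregistered, domain registered by a
    researcher, and an analysis sandbox that answers every connection."""
    def reachable(host: str) -> bool:
        return fake_all_connections or host in registered
    return "exits" if killswitch_says_stop(url, reachable) else "proceeds"


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_BLOB)
    print("recovered:", urls)
    ks = urls[0]
    print("before registration:", outcome(ks, set()))
    print("after registration: ", outcome(ks, {hostname_of(ks)}))
    print("in a faking sandbox:", outcome(ks, set(), fake_all_connections=True))
```

The third case is the practitioner's caveat: a sandbox that answers every outbound request will make such a sample exit immediately and look benign. On the propagation question, the check is made live on every execution rather than from any cached list, so a new registration takes effect as soon as recursive resolvers stop serving a cached negative answer, which is bounded by the zone's negative-caching TTL (minutes to hours), not the days a full DNS roll-out would suggest.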
> http://blog.talosintelligence.com/2017/05/wannacry.html said: [quoted code block not available]