Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Straight answers to your questions about WannaCrypt

    Posted on May 15th, 2017 at 10:02 woody Comment on the AskWoody Lounge

    I try to cut through all the bafflegab in this new post on InfoWorld.

    If you need instructions for protecting yourself against WannaCrypt, see this new InfoWorld post, which expands upon the list posted here on Saturday.

    If the site’s going up and down for you — sorry about that. We’ve seen a huge surge in traffic, from people looking for straight talk about WannaCrypt.

    If that helped, take a second to support AskWoody on Patreon

    Home Forums Straight answers to your questions about WannaCrypt

    This topic contains 20 replies, has 8 voices, and was last updated by  woody 1 year, 5 months ago.

    • Author
    • #115426 Reply

      Da Boss

      I try to cut through all the bafflegab in this new post on InfoWorld. If you need instructions for protecting yourself against WannaCrypt, see the nex
      [See the full post at: Straight answers to your questions about WannaCrypt]

      6 users thanked author for this post.
    • #115434 Reply

      AskWoody MVP

      WannaCry FAQ: What you need to know today

      3 users thanked author for this post.
      • #115435 Reply

        Da Boss

        Good stuff.

        I’m still not clear on (1) the initial attack vector and (2) whether WannaCrypt uses and/or leaves behind a copy of DarkPulsar.

        Strange that so many systems could be hit, and so many security researchers could be looking at it – and we still don’t know the basics.

        • #115452 Reply

          AskWoody Lounger

          I imagine they want to put as little in the public domain as possible, beyond how people should protect themselves, and in particular they don’t want the malware fraternity to know how much and what exactly the experts know about this attack given that such information can only be useful to those seeking to exploit it in any rehash of the attack.

        • #115555 Reply


          @ woody

          Candid Wüest, a threat researcher at Symantec, said the company was carefully monitoring emails over the weekend for any evidence of phishing causing the attack but had not found it.

          He said the most likely way the malware spread was through the Windows Server Message Block SMB protocol, a system used to share files between computers. While SMB is typically used for inter-office communications, some connect to the public internet, making them vulnerable to hackers.

          “If it’s exposed to the internet then just having a computer online is enough,” Wüest said. The hackers exploited the EternalBlue Microsoft vulnerability stolen from the National Security Agency and dumped online a month ago. Wüest said in that month the cyber criminals behind would have been able to scan internet networks for vulnerable servers.

          Once on a computer, the SMB “worm” would have been able to spread through other computers on the network, such as NHS trusts, and to other internet-connected computers.

          http://www.telegraph.co.uk/technology/2017/05/15/suspicious-emails-unlikely-cause-global-cyber-attack/ (dated Noon 15 May 2017)

          • #115581 Reply


            … seems, the WannaCry hackers purposely targeted corporations/companies for better monetary/bitcoins return because their computers often store important business/customer data and some of them would have enabled their port 445 to be open to the Internet, eg to use MS Remote Desktop Service.
            In comparison, Home-users do not typically open their port 445 to the Internet.

    • #115439 Reply

      AskWoody Lounger

      Very interesting that you say that Windows XP systems were not infected.

      The popular press seems to be under the impression that Windows XP systems were the most likely to have been infected. Here in the UK the news media and radio phone-in shows are all bashing the NHS (Hospitals Trusts and Health Department managers) for allowing this large scale attack by still using a significant percentage of Windows XP computers. Which if your information is correct is a complete red herring (as they say). Do you have a source for the claim that XP systems were not attacked?

      • #115454 Reply

        AskWoody Lounger

        I agree.

        Moreover, I hope we have a lot more independent an authority than Microsoft’s marketing department for the claim that Windows 10 cannot be affected by this kind of attack.

        Edit for content

        • This reply was modified 1 year, 5 months ago by  PKCano.
        • #115482 Reply

          Da Boss

          Win10 wasn’t infected by WannaCrypt because the underlying code – the NSA infection code from EternalBlue – was stolen before Win10 support was added.

      • #115481 Reply

        Da Boss

        Yep. I’ve spoken with two of the foremost researchers on the topic, and both of them say that WannaCrypt does NOT infect Windows XP machines.

        WinXP machines are vulnerable to SMBv1 infection, for sure. The EternalBlue code from NSA will infect WinXP machines. But WannaCrypt specifically does NOT infect WinXP.

        They aren’t sure why. But they’re very sure that it doesn’t.

    • #115459 Reply

      AskWoody Lounger

      The NHS(UK) provided an updated statement (May 13), regarding their use of WIN/XP…

      While the vast majority are running contemporary systems, we can confirm that the number of devices within the NHS that reportedly use XP has fallen to 4.7 per cent, with this figure continuing to decrease.


      I am not finding too many XP systems showing up as being hit by this worm, re: security sites. Those monitoring the situation (and those with honeypots) are still seeing it as a W7 directed attack. It is difficult to get info out of China on this, but it is likely that their XP systems would be more vulnerable (as most are pirated) to the newer variants coming out today and in the future (SMB related).

      The Shadow Brokers stole a lot of stuff from the NSA, so there is more to come.

      Secondly, Windows 10 does use SMB, e.g if you map networking drives to another W10 device.

      • #115483 Reply

        Da Boss

        Yes, in fact, by default, Win10 has SMBv1 enabled.

        I still haven’t heard of a single verified report that WinXP was infected – not by WannaCrypt, nor by any of the copycat variations.

        That doesn’t mean WinXP CAN’T be infected. Certainly it can, using the same base code as in WannaCrypt. WinXP users definitely need to install the patch Microsoft released. But the reports that say NHS got hit particularly hard by WannaCrypt because they’re using WinXP so much are complete fabrications. Fake news.

    • #115460 Reply

      AskWoody MVP

      Some Microsoft pages now have the banner “A wide-spread ransomware attack, WannaCrypt, targets out-of-date Windows devices. Given the severity of this threat, immediately update your Windows devices. Learn more.”

      1 user thanked author for this post.
    • #115560 Reply


      New ‘WannaCry’ variant surfaces, stopped from harming computers: Check Point

      http://www.reuters.com/article/us-cyber-attack-virus-idUSKCN18B2IT (Mon May 15, 2017 | 5:34pm EDT)

    • #115569 Reply

    • #115619 Reply


      In fact, WannaCry has caused so much damage with such little profit that some security researchers have begun to suspect that it may not be a money-making scheme at all. Instead, they speculate, it might be someone trying to embarrass the NSA by wreaking havoc with its leaked hacking tools—possibly even the same Shadow Brokers hackers who stole those tools in the first place. “I absolutely believe this was sent by someone trying to cause as much destruction as possible,” says Hacker House’s Hickey.


    • #115633 Reply

      AskWoody Lounger

      Just seen this on ibtimes …


      “TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month.”


      • #115668 Reply


        @ No Loki … From your link, this link ….


        Sale is buy or no buy, no bad things happen if no buy. Ransom is buy or bad things happen to you. Yes?

        (Sounds like a hacker in China or NKorea)

        Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT. TheEquationGroup is having former employees working in high up security jobs at U.S. Technology companies. Witting HUMINT. Russian, China, Iran, Israel intelligence all doing same at global tech companies. TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?

    • #115719 Reply

      AskWoody Lounger

      Good stuff. I’m still not clear on (1) the initial attack vector and (2) whether WannaCrypt uses and/or leaves behind a copy of DarkPulsar. Strange that so many systems could be hit, and so many security researchers could be looking at it – and we still don’t know the basics.

      I too am no longer certain whether or not WannaCrypt actually installs DoublePulsar. MalwareBytes still reports that WannyCrypt installs DoublePulsar. See:


      Symantec has updated their documentation about how WannaCrypt operates. See:


      Both of the above web pages are worth reading since we are likely to see variants of WannaCrypt in the future and since many people do not understand the difference between Worms (such as WannaCrypt) and computer Viruses. The era of simple computer Viruses is mostly long gone. The era of Worms, Backdoors, and exploitable operating system and program vulnerabilities is far nastier than the olden days of simple computer viruses.

      Some online sources suggest that many computers were already infected with DoublePulsar. It is still unknown if this is correct since we have conflicting information from MalwareBytes and Symantec as to whether or not WannaCrypt actually installs DoublePulsar.

      The following Symantec page has a couple of neat graphs which show when the malware started being seen and blocked by Symantec’s AV products, and how many potential infections were prevented by their AV software. Note that I am not making any endorsement for Symantec since VirusTotal shows that many other AV products were able to detect elements of WannaCrypt, although possibly not until after infection had occurred. The interesting stuff on Symantec’s web page is in Figures 1 through 3. See:


      From Figure 1 in the above link, it appears that the infection started on last Thursday and not on last Friday. Figure 2 is more interesting in that it shows the number of infections prevented per hour.

      Spain’s CERT has twice updated their tools to prevent WannaCrypt infections. They offer two tools. One tool is a script file which creates zero length t.wnry files in several folders, and which then denies access to everyone on the computer. For the time being, this prevents the currently known variants of WannyCrypt from being able to infect a computer. The other tool is an executable which either must be run every time you reboot your computer, or which you could add to either your StartUp folder or run by adding the appropriate entry into your Windows registry. This tool creates three mutexes which also prevent the currently known variants of WannaCrypt from being able to execute. Documentation for these two tools is provided in both English and Spanish. See:


      On the above web page, the link to download the Spain CERT’s ZIP file which contains both tools and related documentation is the Descargar link at the top right of the web page. I would have provided the link for the English version of the above web page, but that link isn’t working.

      Finally and no matter what, PLEASE follow Woody’s instructions for making sure that you have installed, at the very least, the one update needed for your Windows computer which fixes the SMB1 vulnerability which is exploited by WannaCrypt and by any future malware which uses the EternalBlue exploit.

      Best regards,




    • #115974 Reply

      AskWoody Lounger




      ( . . . ) we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.

      Sigh . . .

      • This reply was modified 1 year, 5 months ago by  woody.
      • This reply was modified 1 year, 5 months ago by  woody.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Straight answers to your questions about WannaCrypt

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: