57 comments

[ 0.50 ms ] story [ 120 ms ] thread
The pregnancy test tho.

Good stuff.

this one is actually a really bad photoshop, they could have skipped those
I think all the last ones are meant as a joke.
Ah yes and the Gameboy clearly wasn't a bad Photoshop.

He prefaced it saying "and for those of you sick of wannacry"

I have to ask again, why are machines that are not even desktop computers running windows?
Never heard of Windows Server, Windows IoT, Windows Mobile?
Computers need an OS to be useful and windows is an OS.
How much "usefulness" does a microwave require? Or a airport terminal that displays flights?
If you want to do that from scratch on a general purpose MCU and expect it work reliably 24/7/365 -- the answer is hell lots. Disclaimer: I'm an embedded system engineer.
Well...even then (especially then!) Windows is not the right platform for this, I would say. Too many moving parts and stuff - one would have thunk that the GWX popups were enough of an disincentive.
(comment deleted)
The microwave picture was a joke.

As for airport/train station displays, I think early displays were LED matrices running on custom hardware + OS. I suppose just hooking up an LCD flatscreen to an embedded windows computer displaying a webpage allowed for easier maintenance and richer content.

I missed that part, sort of just scanned through the images. I'm actually chuckling a little right now.
How much support do you want to do for an airport terminal? How much do you want to pay for it?

You can either pay for a Windows license, or you can hire someone to write an OS from scratch. (You can also use a different OS, but then - again - you have to pay for someone to support and maintain it.)

My point is they have to then pay $300 per terminal now.

You don't avoid the cost you thought you saved on in the long run. I am not making the point that anyone should write their own OS, that would be worse from a security perspective. I think though that there is a market for a stripped down OS that has less moving parts.

Nope. Just nuke it from orbit and repave with a clean image: cheaper, faster and safer. Those things are essentially thin clients, there is zero valuable data on them.
Not much. I've seen the same thing (transit departures) provided by a locked down, CD-booting, ramdisk-only Puppy Linux (of all the possible distros! Found out from its distinctive boot sequence messages). Since the functionality was essentially "bring up the display and network, then point a kiosk browser to an auto-refreshing URL", there was no need for the other five million extra features that come mandatory with Windows (which probably would have been XP or XP Embedded).

That's not something you'd need a Linux hacker for - just configure the distro _once_, all the remaining work is webdesign.

Old Server versions of Windows were also affected. Could be what a lot of these service companies were running on.
One of the pictures from the blogpost does show a bsod'ed airport terminal running Windows NT4.
Windows (I assume non Mobile or CE) is a general purposes OS that's easy to configure and (mostly) runs out-of-a-box. Linux (even more so RTOS or some obscure, niche OS), on the other hand, requires more knowledge to be configured, launched and administrated what leads to increase cost. Nobody wants to hire Linux hacker to administer vending machines when it can be done by anyone with minimal technical skills using mouse, keyboard and a phone to call tech support center. Most of ATM's and cash registers still use Windows XP for the same reason.
Because a lot of "developers" only know one OS. I've seen places trying to run a fuel cell power station controllers on Windows.. Fortunately it was fairly easy to explain to them why this is a bad idea :)
Lots of printers and printer controllers run embedded Windows. I was just experimenting with a Ricoh 8100s controller last week.

People tend to forget that Microsoft was founded as a systems software company. For a long time, that's all they did. Then, later came office apps, Internet Explorer, Hotmail, etc.

> Figure 14 Bank of China ATMs

That's not an ATM, it's a machine to top up petrol card.

Seeing ATMs with a warning like that is a total nope.
yep, 'total nope' is the ransomware's business model.
It was localized into Chinese? How many languages was it localized into?
I a bit disturbingly impressed. Thank you.
Eh...a few minutes with Google Translate, and voila. Most recent ransomware tends to be "translated" (sometimes even localized!), as English message would elicit a tech support response, whereas a local one could have the normal user accepting the demands.
> Russian Railways center

Wow. We're so lucky that terrorists are not very creative.

What ever happened to the 2nd wave that security experts were warning about, without the kill-switch code? Haven't heard any reports of this being found in the wild yet. Anyone else?
I imagine anyone paying attention grabbed the Microsoft patches and now there are fewer computers for it to spread to.
It would be "funny" if Microsoft would be blocked to release updates, because, you know, they'd have locked machines.
From what I understand they didn't say it was going to happen, they just said it's a likely possibility.
>The biggest cyberattack in history infected more than 200,000

Is that all? The media is blowing this up, I would have though there would be more prolific worms that this. Nimda? Sasser? Blaster? Storm Worm?

They're journalists. You can't expect them to Google something before printing it.
I heard it referred to a couple times as "the biggest ransomware attack". Perhaps the writer heard this too and lost the nuance.
Another couple of big ones I remember:

Sobig, 2003. In particular I recall that media was talking about Sobig.F - https://en.wikipedia.org/wiki/Sobig

Mydoom, 2004. https://en.wikipedia.org/wiki/Mydoom

From my memory bank:

Melissa - https://en.wikipedia.org/wiki/Melissa_(computer_virus)

ILOVEYOU - https://en.wikipedia.org/wiki/ILOVEYOU

Anna Kournikova - https://en.wikipedia.org/wiki/Anna_Kournikova_(computer_viru...

Slammer - https://en.wikipedia.org/wiki/SQL_Slammer

And of course, the fastest spreading virus of all time, Sammy (which only effected Myspace profiles but still meets the definition of a computer worm) https://en.wikipedia.org/wiki/Samy_(computer_worm)

I don't think the media covers malware/viruses like the used to around the turn of the century.

It's strange, many news organizations report this as "200,000 organizations", but others as "200,000 computers". Which are very different. Some of the bigger universities alone probably have hundreds to thousands of infected computers. I'd bet it's closer to 200k organizations, but I don't know how that would be measured or tracked.
Cryptowall had an estimated 625,000 infections and that's August 2014 numbers[1]. I believe it had many other campaigns since.

Then you have Teslacrypt and Locky which I believe to be just as large if not larger.

I don't think anyone has any good data on how big these attacks are. I suspect they actually number in the tens of millions. I think Brian Krebs had an article or two about these malware authors walking away with literally millions of dollars of bitcoin. That's a lot of infections.

One of the problems is that most ransomware will run, encrypt the files, then delete themselves to avoid detection. That means AV doesn't get a chance to catch it later after updated definitions arrive. So AV reporting is useless and AV reporting is how we used to know how big infections were. I also think the AV industry is incentivized to not make a big fuss about ransomware because the infection numbers are embarrassing to them. So far they can't stop it with traditional means. A lot of shops run things like RansomFree, InterceptX, CarbonBlack, etc on top of now near useless traditional AV.

https://www.scmagazine.com/cryptowall-surpasses-cryptolocker...

>Maximum concurrent requests for this endpoint reached. Please try again shortly.

Anyone have another link? I'd be interested to see how many people actually paid.

I just realized there is more than one address, entering them all in
Looking at those ammounts, some people seem to be donating BTC just for fun. 0.0001337 BTC won't decrypt anything :D
Looks to have infected Windows 7 machines based on some of the screenshots : https://4.bp.blogspot.com/--Tzl_0ABu-Y/WRs-KUrQWzI/AAAAAAAAB...

Thought it was only an XP thing?

Patches were released for everything from XP onwards, up to WinX (which is apparently not vulnerable to the SMB exploit).
Many of those photos show real time connections / schedules for trains of the Deutsche Bahn.

I'm wondering ... does this mean they have a dedicated OS installation (virtual or not) for each set of displays showing different schedules? That would be so rediculously inefficient ...

... but then again - it's the DB - basically a synonym in Germany for incompetence :D

Yes, they have. How would you do it otherwise? At some point you need to render all those different tables. Using off-the-shelf comments is probably the most efficient system imaginable.

If you think DB is utterly incompetent you should take some trains in most other countries. I know it's a popular sport to bitch and moan about them (I do it as well) but seriously, the system works surprisingly well. Those displays are also some secondary info screens that were added later and are not part of the core system and thus probably don't receive the same attention as other more important things.

> Yes, they have. How would you do it otherwise?

How about a thin client based on Linux receiving the raw data wireless and then simply displaying it formatted as a table?

And if that doesn't exist yet then have Siemens design a solution of that kind.