by Macuyiko 3317 days ago
> The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.

I think this is an important take-away. I found it strange that so many media outlets and IT departments were jumping on the "do not open suspicious emails" bandwagon even though there hasn't been a lot of evidence of such phishing emails. That is: screenshots of infected devices have been popping up all across the world, but almost no examples of a particular entry email have been shown.

Of course, it might be easier for an IT dept. to state: "it must have been unleashed by someone clicking on some email they got" rather than "oops, we still had unpatched Windows machines exposed to the public internet". Why go through the trouble of sending out emails when your worm already contains a replication/infection mechanism? Just use a botnet to scan those 1 million IPs and see if SMB is open.

That being said, it does not surprise me to see yet again an issue in SMB. This has been a particularly weak point in Windows for decades now. I remember "hacking tutorials" from 15 years ago where you'd just go out and nmap public IP ranges to see if you could access hidden shares (e.g. like so: http://www.madirish.net/59). Also there was this issue of Windows keeping weak NetBIOS password hashes around which could be trivially unhashed (https://vuldb.com/?id.13824), years ago.
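On the SMB-exposure point above, here is an added defender-side check (not code from the thread or any of its posters) that reports what a single Windows host actually exposes: whether SMBv1 is still enabled, whether anything listens on TCP 445, which enabled inbound firewall rules allow it and on which profiles, and which non-administrative shares are offered. It assumes the SmbShare and NetSecurity modules (Windows 8 / Server 2012 and later) and an elevated prompt; the function name Get-SmbExposureReport is my own.

```powershell
# Added example (not from the thread): audit this host's SMB exposure.
# Assumes Windows 8 / Server 2012+ (SmbShare + NetSecurity modules) and an
# elevated PowerShell session. Read-only except for the optional fix at the end.

function Get-SmbExposureReport {
    $server = Get-SmbServerConfiguration

    # Enabled inbound Allow rules whose port filter covers TCP 445 (or any port),
    # together with the firewall profile(s) they apply to.
    $allow445 = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445' -or $_.LocalPort -eq 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object { '{0} [{1}]' -f $_.DisplayName, $_.Profile }

    # Addresses on which something is actually listening on 445.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress

    # Shares offered to the network, excluding the administrative ones (C$, ADMIN$, IPC$ ...).
    $shares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SMB1Enabled       = $server.EnableSMB1Protocol
        SMB2Enabled       = $server.EnableSMB2Protocol
        ListeningOn445    = @($listening)
        InboundAllowRules = @($allow445)
        SharesOffered     = @($shares)
    }
}

$report = Get-SmbExposureReport
$report | Format-List

# Two things a defender would flag from this report.
if ($report.SMB1Enabled) {
    Write-Warning 'SMBv1 is enabled. Unless a legacy device needs it, disable it with:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if ($report.InboundAllowRules -match 'Public|Any') {
    Write-Warning 'An inbound rule allows TCP 445 on the Public (or Any) profile; restrict it to Domain/Private.'
}
```

Run it on a sample of hosts before trusting the perimeter picture: a machine with SMBv1 on and a 445 allow rule on the Public profile is exactly the "unpatched and exposed" case the post describes, regardless of whether any phishing mail ever arrived.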


A fair amount of ransomware is distributed via email, so it's not such a bad idea when this issue is front and centre and all over the news to reinforce good behaviour amongst users.

It's not like 'stop clicking random shit in emails' is bad advice.

I do remember when ILOVEYOU was making the rounds... and to paraphrase, it's not like 'stop clicking random shit in emails' is useful advice.

Yes, it would help - but do you see fewer people clicking random shit? Me neither: "Ugg click attachment for dancing hampsters, now Ugg virus, halp!" is still the prevalent vector, two decades later.

Why the hell can't I click shit in random emails?

It's a friggin email and data transfer for crying out loud.

Stop blaming users.

Oh, you can. Just like you can inject any random substance given to you by a stranger.

Being aware that both are high risk activities is the point, methinks.

There's absolutely no reason that sending a link to someone should be able to pwn their box. There's no reason to make such fragile email systems.

What if they click the link, run the downloaded invoice.EXE, and enter their password when prompted? At a certain point, the user needs to be educated enough to avoid this.

PDF/Office macros are a whole other topic though.

There's a really big gap there. Look at chromeOS - you can click a lot more email links on that OS without getting ransomware'd.

Because when you run content in executables, in the case of ransomware it's usually Word macros or JS files, those programs run with your user rights, which have read/write permissions for your files. Now you lose your files and you expect the IT department to fix everything for you, instead of doing what the IT department says or using common sense.

Funny how that works. You want all the power but none of the responsibility. This is like saying "Why can't I drink bleach, stop criticizing me doctors!"

>It's a friggin email and data transfer

and guns are just tubes which throw lead around, but I certainly don't want to be on the receiving end of one. What's your point? It's incredible to me how many people refuse to believe we live in a world of risk when it comes to information technology, and it's not all fun and games.

Word disabled macros by default. You can set JS and MHT files to open with something harmless (like notepad) instead of being executed too. We don't have to let "executable" files execute if we don't want them to. There's no reason to take the decision away from the user by default.
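The "open JS and MHT files with something harmless" suggestion above, as an added example (not code from the thread or any poster): it re-points the usual attachment script extensions at the built-in txtfile class, whose open verb is Notepad, for the current user only, so a double-click shows the file as text instead of handing it to the Windows Script Host. The extension list and the txtfile choice are mine; it assumes no per-extension UserChoice override already exists under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts, because Explorer honours that before the class default.

```powershell
# Added example (not from the thread): make script-type attachments open in
# Notepad for the current user. Writes only under HKCU, so no elevation needed.
# Assumption: no Explorer "UserChoice" override exists for these extensions;
# if one does, Explorer uses it first and this change will not apply.

$riskyExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.mht'

foreach ($ext in $riskyExtensions) {
    $key = "HKCU:\Software\Classes\$ext"

    # Record the current (merged HKCR) handler so the change can be audited or reverted.
    $current = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $current) { $current = '<none>' }
    Write-Output ('{0,-5} was: {1}' -f $ext, $current)

    # txtfile is the built-in class whose open verb launches Notepad.
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
}

# Verify through the same merged view Explorer consults.
foreach ($ext in $riskyExtensions) {
    cmd /c "assoc $ext"
}
```

To revert an extension, remove the HKCU:\Software\Classes\<ext> key and the machine-wide class default takes over again. The same trick does nothing for Office documents, which is why macros are the separate topic the thread mentions.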

Agreed. We took the name "e-mail" from regular mail. There has only been one case in history of everyone being told to be careful about opening their mail: the anthrax threat. Still remember a bunch of mail arriving with very brittle paper and burnt edges...

So, the big mistake was to use a real world analog in naming e-mail. We should have called it:

"Russian roulette with packages* anonymously tossed by strangers in your direction".

The analogy is broken and creates cognitive dissonance in users.

* Re: data vs. executable: the analogy could be for letter vs. package. A box is big enough to contain a mechanism for action unlike most letters.

(Apologies to the Russians for that idiom.)

One of the things that I personally think is "data" is "software", and I believe that all data should be something that is able to be transferred via e-mail. A sufficient set of random clicks from an e-mail currently can--and in my world view absolutely should be able to--lead to arbitrary code execution without any form of security vulnerability.

The sets "arbitrary code execution" and "security vulnerability" have a significant overlap; and much of the decision "do I want the program to do what it's about to do?" is in the eye of the user (e.g. the excellent tools by Nir Sofer could be used for good or for evil: "Does the user actually want to list their WiFi network passwords, or is this evil code the user was tricked into running?" The code has no way of deciding.).

However, I see some hope in https://www.qubes-os.org/ - alas, setting it up is not quite as convenient as "meh, open everything everywhere to everyone."