<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>On May 14, 2017 EC3 wrote:</DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV style="FONT: 10pt tahoma"><FONT face=Calibri><FONT
style="FONT-SIZE: 12pt">> If you want to share any other prevention,
protection or awareness information with us, please do not hesitate to contact
us.</FONT></FONT><BR>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>Yeah! I do. Thank you.</FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>To prevent, protect and raise awareness, it is
necessary to estimate the damage that this virus will cause and to charge this
amount from the US Government and Microsoft.</FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>Microsoft has created a "flaw", a port for the
NSA to spy on governments and businesses around the world. When the "software",
created by the NSA, to use that port was hacked, the NSA informed Microsoft that
it released a patch to "fix the flaw". And did it quietly, not to arouse
suspicion.</FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>This distinguished company still tried to get
high gains with the misfortune of others by selling patch to OS prior to the W7.
Until a young Englishman created a key to unlock hijacked computers. And this
patch became free.</FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>Do you want to criminalize the hacker who is
hijacking computers? Wrong! Be grateful to him as you should be to
Snowden.</FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>Marilson</FONT></DIV>
<DIV><FONT size=3 face=Calibri>By honest competition and true
capitalism.</FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A
title=anti-abuse-wg-request@ripe.net
href="mailto:anti-abuse-wg-request@ripe.net">anti-abuse-wg-request@ripe.net</A>
</DIV>
<DIV><B>Sent:</B> Monday, May 15, 2017 8:20 AM</DIV>
<DIV><B>To:</B> <A title=anti-abuse-wg@ripe.net
href="mailto:anti-abuse-wg@ripe.net">anti-abuse-wg@ripe.net</A> </DIV>
<DIV><B>Subject:</B> anti-abuse-wg Digest, Vol 66, Issue 2</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>Send
anti-abuse-wg mailing list submissions to<BR>anti-abuse-wg@ripe.net<BR><BR>To
subscribe or unsubscribe via the World Wide Web,
visit<BR>https://mailman.ripe.net/<BR>or, via email,
send a message with subject or body 'help'
to<BR>anti-abuse-wg-request@ripe.net<BR><BR>You can reach the person managing
the list at<BR>anti-abuse-wg-owner@ripe.net<BR><BR>When replying, please edit
your Subject line so it is more specific<BR>than "Re: Contents of anti-abuse-wg
digest..."<BR><BR><BR>Today's Topics:<BR><BR> 1. WannaCry Ransomware
(Richard
Leaning)<BR><BR><BR>----------------------------------------------------------------------<BR><BR>Message:
1<BR>Date: Mon, 15 May 2017 06:57:23 +0100<BR>From: Richard Leaning
<rleaning@ripe.net><BR>To: "cooperation-wg@ripe.net"
<cooperation-wg@ripe.net>,<BR>"anti-abuse-wg@ripe.net"
<anti-abuse-wg@ripe.net><BR>Subject: [anti-abuse-wg] WannaCry
Ransomware<BR>Message-ID:
<5961E790-4494-46F4-A71C-6C34B4DDA8D0@ripe.net><BR>Content-Type:
text/plain; charset="utf-8"<BR><BR>Dear Colleagues,<BR><BR>The European
cybercrime centre at Europol have asked us to circulate the below. I hope you
find it useful and please forward it on to anyone who you may think will benefit
from it.<BR><BR>Kind regards<BR><BR>Richard Leaning<BR>External
Relations<BR>RIPE NCC<BR><BR><BR><BR><BR>> Begin forwarded message:<BR>>
<BR>> From: "O3 - European Cybercrime Centre (EC3)"
<o3@europol.europa.eu><BR>> Subject: @EXT: WannaCry Ransomware<BR>>
Date: 14 May 2017 at 19:06:20 BST<BR>> Cc: "Amann, Philipp"
<Philipp.Amann@europol.europa.eu>, Mounier, Gr?gory
<gregory.mounier@europol.europa.eu>, "Sanchez, Maria"
<maria.sanchez@europol.europa.eu>, "O372 Advisory Groups Support"
<O372@europol.europa.eu><BR>> <BR>> Dear AG members,<BR>>
<BR>> As you are no doubt aware, we are currently experiencing an
unprecedented ransomware attack at a global scale. The malware was detected on
12 May 2017 and has the capability to spread across networks taking advantage of
a critical exploit in a popular communication protocol used by Windows
systems.<BR>> <BR>> Many of you have already reached out and are
actively involved in containing this threat. However, since we believe
that the infection and propagation rate may go up on Monday when people return
to their workplaces, we would like to ask you to please help us distribute
information that can help contain this threat. To this end, we have compiled a
list of recommendations and also prepared an infographic (see attachment).
Please feel free to use this information for reaching out to your network and to
complement your advice, if and where useful. <BR>> <BR>>
Also, the No More Ransom (NMR) initiative, actively supported by many of you
already, remains an essential source of information. Together with you and other
partners, we will continue to update the information available via the NMR
portal, so it is important to watch this space as well.<BR>> <BR>>
If you want to share any other prevention, protection or awareness information
with us, please do not hesitate to contact us.<BR>> <BR>> Thank you
again for your continued support.<BR>> <BR>> Kind regards,<BR>>
EC3 Outreach & Support<BR>> <BR>>
-------------------------------- <BR>> <BR>>
If you are a victim or have reason to believe that you could be a
victim<BR>> <BR>> This is link provides some practical advice on how
to contain the propagation of this type of ransomware:
https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance
<https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance><BR>>
<BR>> The most important step involves patching the Microsoft vulnerability
(MS17-010):<BR>>
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx><BR>>
<BR>> A patch for legacy platforms is available here:<BR>>
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks><BR>>
<BR>> In instances where it is not possible to install the patch, manage the
vulnerability becomes key. One way of doing this would be to disable the SMBv1
(Server Message Block) protocol:<BR>>
https://support.microsoft.com/en-us/help/2696547
<https://support.microsoft.com/en-us/help/2696547><BR>> and/or block
SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445].<BR>>
<BR>> Another step would be to update endpoint security and AV solutions with
the relevant hashes of the ransomware (e.g. via VirusTotal).<BR>>
<BR>> If these steps are not possible, not starting up and/or shutting down
vulnerable systems can also prevent the propagation of this
threat.<BR>> <BR>> How to prevent a ransomware attack?<BR>>
<BR>> Back-up! Back-up! Back-up! Have a backup and recovery system in place
so a ransomware infection can?t destroy your personal data forever. It?s best to
create at least two back-up copies on a regular basis: one to be stored in the
cloud (remember to use a service that makes an automatic backup of your files)
and one stored locally (portable hard drive, thumb drive, etc.). Disconnect
these when you are done and store them separately from your computer. Your
back-up copies will also come in handy should you accidentally delete a critical
file or experience a hard drive failure.<BR>> Use robust antivirus software
to protect your system from ransomware. Always use the latest virus
definition/database and do not switch off the ?heuristic? functions as these
help the solution to catch samples of ransomware (and other type of malware)
that have not yet been formally detected.<BR>> Keep all the software on your
computer up to date. When your operating system (OS) or applications release a
new version, install it. If the software you use offers the option of automatic
updating, enable it.<BR>> Trust no one. Literally. Any account can be
compromised and malicious links can be sent from the accounts of friends on
social media, colleagues or an online gaming
<https://blog.kaspersky.com/teslacrypt-20-ransomware/9314/> partner. Never
open attachments in emails from someone you don?t know. Similarly, don?t open
attachments in emails from somebody you know but from whom you would not expect
to receive such as message. Cybercriminals often distribute fake email messages
that look very much like email notifications from an online store, a bank, the
police, a court or a tax collection agency, luring recipients into clicking on a
malicious link and releasing the malware into their system. If in doubt, call
the sender at a trusted phone number to confirm the legitimacy of the message
received.<BR>> Enable the ?Show file extensions? option in the Windows
settings on your computer. This will make it much easier to spot potentially
malicious files. Stay away from file extensions like ?.exe?, ?.com?, ?.vbs? or
?.scr?. Cybercriminals can use several extensions to disguise a malicious file
as a video, photo, or document (like hot-chics.avi.exe or
report.doc.scr).<BR>> If you discover a rogue or unknown process on your
machine, disconnect it immediately from the internet or other network
connections (such as home Wi-Fi) ? this will prevent the infection from
spreading.<BR>> <BR>> <BR>> <BR>> <BR>>
*******************<BR>> <BR>> DISCLAIMER : This message is sent in
confidence and is only intended for the named recipient. If you receive this
message by mistake, you may not use, copy, distribute or forward this message,
or any part of its contents or rely upon the information contained in
it.<BR>> Please notify the sender immediately by e-mail and delete the
relevant e-mails from any computer. This message does not constitute a
commitment by Europol unless otherwise indicated.<BR>> <BR>>
******************* <BR>-------------- next part --------------<BR>An HTML
attachment was scrubbed...<BR>URL:
</ripe/mail/archives/anti-abuse-wg/attachments/20170515/23f01bda/attachment.html><BR>--------------
next part --------------<BR>A non-text attachment was scrubbed...<BR>Name:
NEW_Infographic - Ransomware_Final.pdf<BR>Type: application/pdf<BR>Size: 1307117
bytes<BR>Desc: not available<BR>URL:
</ripe/mail/archives/anti-abuse-wg/attachments/20170515/23f01bda/attachment.pdf><BR>--------------
next part --------------<BR>An HTML attachment was scrubbed...<BR>URL:
</ripe/mail/archives/anti-abuse-wg/attachments/20170515/23f01bda/attachment-0001.html><BR>--------------
next part --------------<BR>A non-text attachment was scrubbed...<BR>Name:
smime.p7s<BR>Type: application/pkcs7-signature<BR>Size: 2611 bytes<BR>Desc: not
available<BR>URL:
</ripe/mail/archives/anti-abuse-wg/attachments/20170515/23f01bda/attachment.p7s><BR><BR>End
of anti-abuse-wg Digest, Vol 66, Issue
2<BR>********************************************<BR></DIV></DIV></DIV></BODY></HTML>