This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
I have created a stub for the virus itself (this article is about the attack itself), and encourage others here to help expand that article (not my area of expertise, nor do I have the time at present). Thanks! — Insert CleverPhrase Here 23:15, 15 May 2017 (UTC)
I propose that WannaCry be merged into WannaCry ransomware attack. I think that the content in the WannaCry article can easily be explained in the context of WannaCry ransomware attack, and the WannaCry ransomware attack article is of a reasonable size that the merging of WannaCry will not cause any problems as far as article size or undue weight is concerned. GliderMaven (talk) 01:39, 16 May 2017 (UTC)
Are we ready to close this and move forward? The sooner we get rid of the {{main}} the better. Anna Frodesiak (talk) 22:06, 18 May 2017 (UTC)
Oh, rats. Now we have Wikipedia:Articles for deletion/WannaCry. I guess User:ViperSnake151 did not notice the merger template at the top of WannaCry and this discussion.
I strongly suggest the following:
Let's get this cleaned up! Does this sound good? Anna Frodesiak (talk) 22:13, 18 May 2017 (UTC)
The result of the move request was: Not moved. (non-admin closure) Per WP:SNOW. There seems to be no chance of this RM going anywhere, the original proposal was flawed in offering multiple options without any clear rationale why any of them would be better than the current one, and more importantly, the article and title situation have evolved considerably since the RM was opened (so much so that a new RM could easily be justified). The article is no longer just about the attack (the source of most early Oppose votes), as a section on the software itself has been added as part of the merger discussion below. — Insert CleverPhrase Here 22:54, 18 May 2017 (UTC)
WannaCry ransomware attack → ? – This has been discussed in a few different sections above, though it'd be better to have one centralised discussion. So far, the following names have been brought up:
I lean towards either the current name or WannaCry, though I don't mind (somewhat neutral on the matter, simply opening this to have a centralised discussion, instead of multiple different sections). Pinging all participants of other discussions: @Gestrid, ViperSnake151, Fgnievinski, and Uncle Roy: Anarchyte (work | talk) 03:06, 15 May 2017 (UTC)
It is now a subsection called "WannaCry" within the "Background" section.
Should we make "WannaCry" a main section equal to the section "The cyberattack"? Should we call it "The virus" with the first words in the section "WannaCry is the name of the actual virus..." to make things perfectly clear?
Should we split "EternalBlue and DoublePulsar" into subsections "EternalBlue" and "DoublePulsar" within "The virus"? Why? Because DoublePulsar isn't mentioned until the end of that part. Visitors want to know what it is, and right away.
Should we start the "DoublePulsar" subsection with "DoublePulsar is a backdoor installed..."?
I think that arrangement would make things clear to visitors.
Anna Frodesiak (talk) 22:24, 18 May 2017 (UTC)
I boldly did it. If not an improvement, please revert and trout me back to the stone age. :) Anna Frodesiak (talk) 23:24, 18 May 2017 (UTC)
My understanding of why registering the gobbledegook domain killed the attack, from reading the original source among others, is that seeking that domain was a trick used by the malware to detect whether it was being run in a test environment—which apparently would generate a false positive to see what happened—or on a real computer—which would obviously fail—so when the domain was registered, all currently-active infections suddenly gained the impression that they were being scrutinised and went into hiding. However this does not seem to be described in the current article: is there a particular reason? TIA HAND — Phil | Talk 10:57, 19 May 2017 (UTC)
I placed a {{Recentism}} tag on the reactions section.
Honestly, I think most of the article should belong to Wikinews. I know it talks about the attack, but we should focus on the wider effects of the event, and avoid day-to-day updates, which are more fitting for a news article. Titore (talk) 00:30, 19 May 2017 (UTC)
I think we need a section on file recovery options in the article. The article currently does not give any indication of actions to be taken after infection, just ways to prevent infection. Are there ways of recovering files other than forking over the cash? Does paying the ransom actually release the files? These questions are not answered in the article (that I can see), and this is a major oversight, given that the first port of call for many infected by the virus might be this article. — Insert CleverPhrase Here 23:33, 17 May 2017 (UTC)
We have some advice like [4] which says not to pay them because it 'encourages them', but for users that have files encrypted whose value far outweighs 300-600, this might not carry much weight (and the article gives no indication whether paying the ransom works or not).
[5] Apparently Europol recommends not to pay: "Europol warns that paying up doesn't guarantee that you'll get everything back. And giving the hackers what they want proves the worm is effective, the agency said." Again, not great advice to those weighing up their options.
The BBC is more helpful in this article, saying that a manual human operator would have to activate decryption directly and that "because of the way in which WannaCry has been designed, the sad fact is that people are very unlikely to regain access to their files, even if they do pay," linking to this post which says that not a single case has been reported of someone getting their files back despite $30,000 (another source says $50,000) having been gathered by the hackers. "Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then… Wait... Most A-list ransomware pride themselves on customer support, and are usually very easy to contact. Again, not the case with WannaCry. The only way of contacting the malware creators is through the “Contact Us” option on the ransom note screen. Despite our best efforts, we have yet to receive a reply."
Given the above information, I think we can safely put together a section saying that WannaCry, though purporting to be ransomware, does not in fact have the capability for file recovery, and that paying the ransom will not result in the recovery of files without direct intervention or contact with the hackers (which no one has been able to establish). And furthermore that not a single account of someone getting their files unlocked by paying the ransom has been reported. — Insert CleverPhrase Here 23:33, 17 May 2017 (UTC)
They keep getting added and then reverted. [6] [7] [8]
I tried adding them directly to wikidata, but that was reverted too. Unsurprisingly, the problem seems to be the title we use...
See the discussion on Wikidata. Titore (talk) 13:07, 21 May 2017 (UTC)
First, so that I understand, the WannaCry malware contains EternalBlue and DoublePulsar within it? Anna Frodesiak (talk) 19:47, 19 May 2017 (UTC)
Anyone? Anna Frodesiak (talk) 21:21, 19 May 2017 (UTC)
EternalBlue is a ++so called little-known manufacturing fault in the window... others may call it a carefully crafted mechanism whose intentionality may be dismissed by the manufacturer. There are a lot of unknowns but the goals and means are heuristically probable by long accumulated statistics. Please be semantically aware of meanings that may be anti-semantic. — Preceding unsigned comment added by 2601:248:4301:5A70:4A5D:60FF:FE32:8309 (talk) 18:41, 20 May 2017 (UTC)
To editors Nil Einne, Stephan Schulz, Chaheel Riens and MjolnirPants: Okay, I made some changes. Did I get any of it right? :) Anna Frodesiak (talk) 06:04, 21 May 2017 (UTC)
"Initially, a piece of code called EternalBlue exploits a vulnerability..." I think this is still greatly misunderstanding how this works. Unlike DoublePulsar, which is a specific tool, the code would not be called "EternalBlue". I'm going to try to give a simple-ish explanation of how WannaCrypt works, using various writeups plus some other unsourceable stuff because I've been reading about this a bit too much. My tech knowledge is hopefully enough to understand broadly what's going on but still somewhat limited (I'm a freshly graduated CS-ish major, see my userpage, but I also kind of suck at it), so the explanation shouldn't be too complicated; also, in the interest of trying to keep it accessible, things won't necessarily be 100% accurate; stuff in small parentheses is usually just notes or supplemental info that may or may not be necessary to understand. If this is completely off the mark please feel free to call me on my BS ;).
With parenthetical notes:

First, the software enters a Windows system through Server Message Block, or SMB (more on how exactly that happens below). It does a check (trying to reach the "kill switch" domain) to see if it's on a researcher's environment (by the way, we really need to improve our articles on malware research). If it thinks it is (basically, if it can get a response from a supposedly inactive domain, it's not on a "normal" computer), it shuts down; if not, it continues running. The software then does two things. First, it runs the ransomware. At the same time, it starts scanning over SMB (checking both local networks and random IP addresses) to see if any connected devices are potentially vulnerable to the EternalBlue exploit (essentially, if the port that SMB uses is open). If it finds any, it will try to transfer a bit of code over SMB to the target computer; if the computer is vulnerable, this code automatically runs without any security checks (this process is what can be called EternalBlue, as a noun) - the code attempts to install DoublePulsar. If it works, or if DoublePulsar was already installed, it then uses DoublePulsar to download the main malware code to the new computer (via another SMB packet) and then run it, restarting the cycle.

Without parenthetical notes:

First, the software enters a Windows system through Server Message Block, or SMB. It does a check to see if it's on a researcher's environment. If it thinks it is, it shuts down; if not, it continues running. The software then does two things. First, it runs the ransomware. At the same time, it starts scanning over SMB to see if any connected devices are potentially vulnerable to the EternalBlue exploit. If it finds any, it will try to transfer a bit of code over SMB to the target computer; if the computer is vulnerable, this code automatically runs without any security checks - the code attempts to install DoublePulsar. If it works, or if DoublePulsar was already installed, it then uses DoublePulsar to download the main malware code to the new computer and then run it, restarting the cycle.
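The two behaviours described in the explanation above (and in Phil's earlier comment on the kill-switch domain) are exactly what a defender can look for in ordinary network logs: a host that queries the kill-switch domain has already executed the payload, whether or not the lookup succeeded, and a host that suddenly contacts many distinct peers on the SMB port (TCP/445) is behaving like the worm's scanner rather than a workstation. The following detection sketch is an added example written for this talk page, not code from the article or from any cited source. The log formats, the IP addresses and the domain name are all constructed; the real kill-switch domain is not named on this page, so a labelled placeholder stands in for it.

```python
"""Detection sketch for two observable WannaCry behaviours: the kill-switch
DNS lookup at start-up and the SMB fan-out scan. Added example; log formats,
addresses and the domain below are constructed for illustration."""
from collections import defaultdict
import re

# PLACEHOLDER: the real kill-switch domain is not given on the page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log, one query per line: "<ts> <client_ip> query <qname>"
DNS_LOG = """\
2017-05-12T10:01:03 10.0.0.12 query www.example.org
2017-05-12T10:01:07 10.0.0.31 query killswitch-domain.example
2017-05-12T10:01:08 10.0.0.31 query www.example.org
2017-05-12T10:02:15 10.0.0.44 query KILLSWITCH-DOMAIN.EXAMPLE.
"""

# Constructed connection log: "<ts> <src_ip> -> <dst_ip>:<dst_port>/<proto>".
# 10.0.0.31 sweeps 8 local and 6 random Internet hosts on 445; 10.0.0.12 talks
# to its two normal file servers; 10.0.0.44 only makes an HTTPS connection.
CONN_LOG = "\n".join(
    [f"2017-05-12T10:01:{10 + i:02d} 10.0.0.31 -> 10.0.0.{100 + i}:445/tcp"
     for i in range(8)]
    + [f"2017-05-12T10:01:{20 + i:02d} 10.0.0.31 -> 198.51.100.{i}:445/tcp"
       for i in range(6)]
    + ["2017-05-12T10:01:30 10.0.0.12 -> 10.0.0.5:445/tcp",
       "2017-05-12T10:01:31 10.0.0.12 -> 10.0.0.6:445/tcp",
       "2017-05-12T10:01:32 10.0.0.44 -> 10.0.0.5:443/tcp"]
)

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/(\w+)$")


def killswitch_queriers(dns_log, domain=KILL_SWITCH_DOMAIN):
    """Return the sorted set of client IPs that looked up the kill-switch domain.

    The payload performs this lookup only after it has started running, so any
    internal host that asks for the name has executed the malware. A successful
    answer (the domain being registered) only stops that copy from encrypting
    and spreading; it does not mean the host is clean."""
    hosts = set()
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        # Normalise case and a trailing dot so "EXAMPLE." still matches.
        if m and m.group(3).rstrip(".").lower() == domain:
            hosts.add(m.group(2))
    return sorted(hosts)


def smb_fanout(conn_log, threshold=10):
    """Return {src_ip: distinct_peer_count} for sources that contacted at least
    `threshold` distinct hosts on TCP/445. Ordinary clients reach a handful of
    file servers; a worm probing for reachable SMB services reaches many."""
    peers = defaultdict(set)
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _, src, dst, port, proto = m.groups()
        if proto == "tcp" and port == "445":
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


def correlate(dns_log, conn_log, threshold=10):
    """Hosts showing both behaviours: the strongest sign of an active infection
    that is encrypting locally and scanning for new victims at the same time."""
    queriers = set(killswitch_queriers(dns_log))
    scanners = set(smb_fanout(conn_log, threshold))
    return sorted(queriers & scanners)


if __name__ == "__main__":
    print("kill-switch lookups:", killswitch_queriers(DNS_LOG))
    print("SMB fan-out:", smb_fanout(CONN_LOG))
    print("both:", correlate(DNS_LOG, CONN_LOG))
```

The fan-out threshold is deliberately a parameter: on a segment with many file servers it should be tuned against a baseline of normal SMB peer counts, and the kill-switch match alone is already worth an alert because it fires even on hosts where the payload exited without encrypting anything.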
I am going to leave this to others from here on in. I am out of my depth and will watch what you all do with this. Feel free to revert or anything you wish. Many thanks again for all the help. Best, Anna Frodesiak (talk) 11:45, 21 May 2017 (UTC)
Fantastique! I can actually read it and understand. Before (May 19), the article really didn't make things clear. Everyone's combined efforts at a description really helped. MjolnirPants's nutshell description and ansh666's copy edits nailed it. Thank you all again! Anna Frodesiak (talk) 22:08, 21 May 2017 (UTC)
Sorry, but this was more of a personal essay built around two tweets by Snowden. This whole WannaCry event got a fair bit of attention for a day or two, but is not significantly different to 101 other security threats out there. There are good sources such as this one for your argument, but they must link to WannaCry to be appropriate - and should just be another item under "Reaction". Snori (talk) 21:00, 20 May 2017 (UTC)