Just got a mail from Virgin stating I'm possibly infected by WannaCry.
First off, you're wrong. I made VERY sure all my systems are up to date on Friday (and they're all patched fine).
Second, none of my PCs are infected with the ransomware (running Windows 10 + fully patched).
Third, you're scaremongering people who don't know better that they may be infected and cough up cash to pay for your support.
Things I'd suggest: Block port 445 from entering the VM network (you don't do this at the moment). I have router logs which prove this. My router is also discarding port 445 attempts towards it (I run modem mode by the way with my own router).
Please show me where dst port 445 was originating from my IP, I'd LOVE to see the logs, but I guess you won't have it.
It's hilarious, as I don't have any Windows machines at home. I can't find any other reference on the internet.
Does anybody know what 'detection' method they used?
Your personal data could be at risk of being inaccessible
We have been alerted that one or more of your devices has become infected with ransomware, a type of malicious software that encrypts all the information held on your device and demands a ransom payment in order for the files to be unencrypted.
Virgin Media and its network are not impacted by the ransomware attack. However, we were advised about the potential risk to your data through our work with a number of not-for-profit organisations across the banking industry and security sectors. These organisations collate information on devices across the Internet that appear to be infected by malware.
The WannaCry malware was detected on a device using your internet connection or home network on 13 May 2017.
Apologies for any confusion over the recent WannaCry mailings, we've queried this with our Internet Security team who have provided more information on how and why the communications have been sent.
Shadowserver have identified some Virgin Media IP addresses that have communicated with domain names the WannaCry malware communicates with. They use a technology called DNS Sinkholing to be able to identify the IP addresses that have tried to query the domains in question. The reports are not related to any incoming or outgoing traffic on port 445 – the malware does not communicate over the port; it just uses it to propagate.
The issue with the sinkholing method is some will have visited these domains out of curiosity or as part of some security research – this kind of activity is usually done in a safe environment like a virtual machine. We’d expect to see the reporting of a few false positives due to this.
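As an added example (not written by anyone in this thread), here is the sinkhole attribution described above modelled in Python with constructed logs: the abuse feed can only name a public IP and the time a sinkholed domain was looked up, and it is the customer's own router DNS log that narrows that down to a LAN device. The domain name is a placeholder, since the thread does not name the real kill-switch domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Placeholder for the sinkholed WannaCry domain (not named in the thread).
SINKHOLED = {"killswitch-domain.example"}

# Constructed sinkhole-side log: timestamp, public source IP, queried domain.
SINKHOLE_LOG = """\
2017-05-13T10:02:11Z 203.0.113.7 killswitch-domain.example
2017-05-13T10:02:12Z 203.0.113.7 killswitch-domain.example
2017-05-13T11:30:02Z 192.0.2.9 unrelated.example
"""

# Constructed home-router DNS log for the customer behind 203.0.113.7:
# timestamp, LAN client, queried domain.
ROUTER_DNS_LOG = """\
2017-05-13T10:02:10Z 192.168.1.20 www.bbc.co.uk
2017-05-13T10:02:11Z 192.168.1.20 killswitch-domain.example
2017-05-13T10:02:11Z 192.168.1.20 killswitch-domain.example
2017-05-13T10:15:33Z 192.168.1.31 update.example
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, src, domain = line.split()
            yield datetime.strptime(ts, FMT), src, domain

def sinkhole_report(log, sinkholed):
    """What an abuse feed can say: per public IP, which sinkholed domains were
    resolved and when. Nothing here involves port 445, and behind NAT the
    public IP stands for the whole household, not one device."""
    report = defaultdict(list)
    for ts, ip, domain in parse(log):
        if domain in sinkholed:
            report[ip].append((ts, domain))
    return dict(report)

def attribute_to_lan_host(report_entries, router_log, window=timedelta(seconds=5)):
    """Customer-side triage: match the feed's timestamps against the router's
    own DNS log to find which LAN client made the lookup. The log alone cannot
    tell a curious browser visit from an infected host; it only names the device."""
    hosts = set()
    for ts, domain in report_entries:
        for rts, client, rdomain in parse(router_log):
            if rdomain == domain and abs(rts - ts) <= window:
                hosts.add(client)
    return sorted(hosts)

if __name__ == "__main__":
    for ip, entries in sinkhole_report(SINKHOLE_LOG, SINKHOLED).items():
        print(ip, len(entries), "lookups; LAN host(s):",
              attribute_to_lan_host(entries, ROUTER_DNS_LOG))
```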
Ah well, that explains it for me. I had a look at the kill switch website (linked on BBC) that the security dude bought, which stopped that first iteration, to see what he put up there... nothing exciting at the time.