Reply to post:

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

DaLo

I presume the running of exe from temp is for users only (non-PC admin). MSI and Windows Update require admin privileges.

However, the initial file is a PDF/Word doc that can create a non-PE file that could still encrypt files, or scan for an executable-allowed directory. Or they use a vulnerability in existing software that then uses privilege escalation - like the recent Windows SMB bug.


Biting the hand that feeds IT © 1998–2019