When you click on links to various merchants on this site and make a purchase, this can result in this site earning a commission. Affiliate programs and affiliations include, but are not limited to, the eBay Partner Network.
A ransomware cyber-attack that may have originated from the theft of “cyber weapons” linked to the US government has hobbled hospitals in England and spread to countries across the world.
Security researchers with Kasperksy Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefonica were infected.
By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.
Markus Jakobsson, chief scientist with security firm Agari, said that the attack was “scattershot” rather than targeted.
“It’s a very broad spread,” Jakobsson said, noting that the ransom demand is “relatively small”.
“This is not an attack that was meant for large institutions. It was meant for anyone who got it.”
The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack.
On Twitter, whistleblower Edward Snowden blamed the NSA.
“If https://twitter.com/NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,”
“It’s very easy for someone to say that, but the reality is the US government isn’t the only one that has a stockpile of exploits they are leveraging to protect the nation,” said Jay Kaplan, CEO of Synack, who formerly worked at the NSA.
“It’s this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?”
The NSA is among many government agencies around the world to collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare. The agency did not immediately respond to a request for comment.
Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack was caused by a bug called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
“This was eminently predictable in lots of ways,” said Ryan Kalember from cybersecurity firm Proofpoint. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”
The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.
“Attacks with language support show a progressive increase of the threat level,” Jakobsson said.
The attack hit England’s National Health Service (NHS) on Friday, locking staff out of their computers and forcing some hospitals to divert patients.
“The attack against the NHS demonstrates that cyber-attacks can quite literally have life and death consequences,” said Mike Viscuso, chief techology officer of security firm Carbon Black. “When patients’ lives are at stake, there is no time for finger pointing but this attack serves as an additional clarion call that healthcare organizations must make cybersecurity a priority, lest they encounter a scenario where lives are risked.”
Ransomware attacks are on the rise. Security company SonicWall, which studies cyberthreats, saw ransomware attacks rise 167 times in 2016 compared to 2015.
“Ransomware attacks everyone, but industry verticals that rely on legacy systems are especially vulnerable,” said Dmitriy Ayrapetov, executive director at SonicWall.
A Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers last year, after a cyber-attack locked doctors and nurses out of their computer system for days.
Jakobsson said that the concentration of the attack in Russia suggested that the attack originated in Russia. Since the malware spreads by email, the level of penetration in Russia could be a sign that the criminals had access to a large database of Russian email addresses.
However, Jakobsson warned that the origin of the attack remains unconfirmed.
1. Do not have Group Policy forcing updates.
2. Have not spent a little money to implement Sonic Wall or equivalent.
3. Have not updated to Win 10 (or at least beyond XP and/or Vista).
Yeah, the ransomware can hit any flavor of Windows, but it uses the SMB exploit on unpatched machines to spread via the network. From what I understand, Win10 is not affected by the SMB exploit, but I'm a little confused on that part because the patch lists Win10.
Microsoft solution available to protect additional products
Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.
Details are below.
In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.
This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).
We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).
This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.
Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.
We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.
Phillip Misner, Principal Security Group Manager Microsoft Security Response Center
ive read, since bitcoin has a way to see the history, the thieves have only stole $33,000 and rising...about a hundred companies so far and rising...so said article estimates about $300 for the initial ransom which is set to rise rise after a week.
ive read, since bitcoin has a way to see the history, the thieves have only stole $33,000 and rising...about a hundred companies so far and rising...so said article estimates about $300 for the initial ransom which is set to rise rise after a week.
It's probably so small of an amount because of the ask, and because some businesses simply didn't pay the ransom. A good and recent backup gives businesses the option to not pay the ransom.
Some security researches found a fatal flaw in the 1.0 version that was effectively a "kill switch", so I assume the propagators have adjusted it accordingly.
You're fine. You'd have to execute a file by opening an attachment in an email or clicking on a link in an email. That's not to say that future versions won't use fake adds on websites or some other method as a vector for the attack.
The update was pushed in mid-march. It only patches the SMB exploit that allows wanncry to spread via a network. If you open the attachment or click on the link, you're screwed unless your AV has been updated to detect known WannaCry versions.
I run CryptoPrevent in Extreme Mode with file the HoneyPot enabled.
theres a picture of what infected computers show on toms hardware link below. i tried to upload picture to here but it wouldnt go through. lol wonder why
Users under threat from an ongoing global ransomware outbreak that has targeted Windows computers in more than 70 countries can keep their systems safe with security software such as Bitdefender and should make sure to get the latest patches from Microsoft, experts say. The WannaCry ransomware encrypts files in the PCs it infects. Attackers demand a ransom be paid in exchange for decryption.
"This particular ransomware is correctly identified and blocked by 30% of the AV vendors using current virus definitions,” said Ivanti’s Phil Richards, cited by The Mirror. The expert mentioned Bitdefender as one of the solutions effective against WannaCry.
To stay safe, you should also keep your Windows system updated with the latest security patches from Microsoft via your Windows system’s auto-update feature.
The attacks have caused major disruption to hospitals, telecom companies or gas and utilities plants. Among the organisations that took the worst hits is the National Health Service (NHS) in the UK.
Why is this ransomware attack different
Unlike other ransomware families, the WannaCrytor strain does not spread via infected e-mails or infected links. Instead, it takes advantage of a security hole in most Windows versions to automatically execute itself on the victim PC. According to various reports, this attack avenue has been developed by the National Security Agency (NSA) in the US as a cyber-weapon and it was leaked to the public earlier in April along with other classified data allegedly stolen from the agency.
Analyzing the infection mechanism we can say that WannaCry is one of the biggest threats that both end users and companies have to face recently. Because the list of vulnerable Windows PCs can be found through a simple internet search and the code be executed remotely, no interaction from the user is needed. Once the PC is infected, it acts like a worm, it replicates itself in order to spread to other computers.
Our analysis reveals that the wormable component is based on the EternalBlue exploit that had been leaked out in a data dump allegedly coming from the NSA. This strain of malware is one of the few that combine the aggressive spreading mechanism of a cyber-weapon with the irreversible distructive potential of ransomware. Up until now, more than 120,000 computers worldwide have been infected.
Bitdefender has developed strong anti-ransomware capabilities to help users stay safe from such sophisticated attacks, which have been on the increase in recent years.
Find out if you are vulnerable. The MS17-010 vulnerability affects almost all versions of the Windows operating system, including those who are not actively supported anymore, such as Windows XP, Windows Vista and Windows Server 2003. Because of the extremely high impact, Microsoft has decided to issue patches for ALL operating system, including the unsupported ones. If your operating system does not have the specific hotfix installed, then you are vulnerable and need to update immediately.
Any other vendors have something similar to Sophos Intercept X? They are able to role back encrypted files (because they keep a copy of the original file before it's over written), and they are able to detect when a process is encrypting files in the background and terminate the process.
The proven CryptoGuard capabilities in Sophos Intercept X block ransomware as soon as it starts trying to encrypt your files, returning data to its original state. Intercept X:
Protects endpoints from ransomware attacks
Automatically rolls back encrypted file changes with no data loss
I think a lot of AVs have added ransomware monitoring that checks for a process that tries to encrypt files. Also SMB isn't a routeable protocol so the Ransomware is originally getting into a system through an email attachment or malicious website as usual but once it's on a PC and can spread to other PCs on the network through the NSA SMB vulnerability.
Some evidence is pointing to North Korea as the ones who released WCRY
I am not buying that... To what end would they do this? To make a few million dollars?
I smell a concerted criminal enterprise trying to throw off the scent of investigators by making it look like the traffic and command/control was in NK.
Hackers/criminals in Nigeria, Croatia or Russia all seem more likely to me.
It's not about making money, it's about showing their strength. Attack us and we'll retaliate with a cyber attack
at least that's what I read in a news article.
Right, but there really wasn't any meaningful impact on the US. the UK healthcare system maybe, but it's not like this is a digital Pearl Harbor or anything... I mean, NK would be better off stealing Pirates of the Caribbean XII if they want to have a global impact...
NK releasing ransomware is a joke. No one will be talking about this in a week. Impact = none.
The fact that Microsoft (or any other OS) allows a program to encrypt your files without telling you that its about to do that is nuts.
It will if you use an account other than an admin account, which most people don't do. I create a normal user account to log in to my computers for everyday use. When anything needs admin access to execute I get prompted for my admin credentials.
It will if you use an account other than an admin account, which most people don't do. I create a normal user account to log in to my computers for everyday use. When anything needs admin access to execute I get prompted for my admin credentials.
Its not just about admin rights. As an admin, most if not all OS's ask me to confirm that I want to delete a file when I go to delete it. When a process is going to encrypt my files. you should get some kind of prompt.
05-12-2017, 03:35 PM
