A highly virulent new strain of self-replicating ransomware is shutting down computers all over the world.
The malware, known as Wanna, Wannacry, or Wcry, has infected at least 57,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected.
Wcry uses weapons-grade exploit published by the NSA-leaking Shadow Brokers.
204 Comments
Tomi Engdahl says:
MS17-010 and the WannaCry vulnerability: Patching, Compliance, and SecOps Response
https://communities.bmc.com/community/bmcdn/bmc_service_automation/server_configuration_automation_bladelogic/blog/2017/05/13/ms17-010-and-the-wannacry-vulnerability
So, CVE-2017-0144 https://nvd.nist.gov/vuln/detail/CVE-2017-0144, a vulnerability that was identified about two months ago (published Mar 16 2017), is now being widely exploited in the wild, most visibly impacting hospitals in the UK’s National Health Service to the point that they’ve had to redirect incoming patients to other facilities.
This vulnerability is addressed by Microsoft Bulletin MS17-010, which is also included in OS-specific Security Bulletin (roll-ups) SB17-002, SB17-003, SB17-004. MS17-010 applies to Server 2003 and Server 2008, while SB17-002 applies to Server 2008 R2, SB17-003 applies to Server 2012 R2 and SB17-004 applies to Server 2012 (thanks to Joe Schuler)
Tomi Engdahl says:
Wannacry Ransomware: recent cyber-attack
https://www.europol.europa.eu/newsroom/news/wannacry-ransomware-recent-cyber-attack
The European Cybercrime Centre, EC3, at Europol is working closely with affected countries cybercrime units and key industry partners to mitigate the threat and assist victims.
https://www.nomoreransom.org/
Tomi Engdahl says:
UK National Cyber Security Center issues new statement on cyber attack
https://techcrunch.com/2017/05/14/uk-national-cyber-security-center-issues-new-statement-on-cyber-attack/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
The UK National Cyber Security Center is warning the nation to be on guard for another wave of cyber attacks after Friday’s massive WannaCry ransomware attack.
The nation’s National Health Service was severely impacted in Friday’s attack
This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.
Tomi Engdahl says:
How to Accidentally Stop a Global Cyber Attacks
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.
Our standard model goes something like this.
1. Look for unregistered or expired C2 domains belonging to active botnets and point it to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
2. Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.
3. Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take-over the malware/botnet and prevent the spread or malicious use, via the domain we registered.
In the case of WannaCrypt, step 1, 2 and 3 were all one and the same, I just didn’t know it yet.
A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB host, which i provided. Humorously at this point we had unknowingly killed the malware so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all. As curious as this was, I was pressed for time and wasn’t able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.
I asked an employee to look into the worm code and verify the domain we registered would not change
Tomi Engdahl says:
Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool
https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region®ion=top-news&WT.nav=top-news
Hackers exploiting malicious software stolen from the National Security Agency executed damaging cyberattacks on Friday that hit dozens of countries worldwide, forcing Britain’s public health system to send patients away, freezing computers at Russia’s Interior Ministry and wreaking havoc on tens of thousands of computers elsewhere.
The attacks amounted to an audacious global blackmail attempt spread by the internet and underscored the vulnerabilities of the digital age.
Transmitted via email, the malicious software locked British hospitals out of their computer systems and demanded ransom before users could be let back in — with a threat that data would be destroyed if the demands were not met.
Tomi Engdahl says:
‘Accidental hero’ halts ransomware attack and warns: this is not over
https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack
Tomi Engdahl says:
Registering a single web address may have stopped a global malware attack
12 comments
Finding the kill switch
https://www.theverge.com/2017/5/13/15635050/wannacry-ransomware-kill-switch-protect-nhs-attack
Tomi Engdahl says:
New York Times:
Europol chief says 200K computers in 150 countries were affected by WannaCry ransomware, while experts warn that new wave of attacks next week is likely
http://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html
Tomi Engdahl says:
http://www.iltalehti.fi/ulkomaat/201705142200136875_ul.shtml
Tomi Engdahl says:
Cyber attack: Monday morning meltdown expected as Europol chief warns of ‘escalating threat’
http://www.telegraph.co.uk/news/2017/05/14/major-cyber-attack-could-come-monday-experts-warn/
The threat from the cyber attack that crippled international services “will continue to grow” as people return to work on Monday, the head of Europol warned.
Since Friday’s breach more than 200,000 victims – including the NHS – across 150 countries have been infected by the Wanna Decryptor ransomware, also known as WannaCry.
Tomi Engdahl says:
New York Times:
Europol chief says 200K computers in 150 countries were affected by WannaCry ransomware, while experts warn that new wave of attacks next week is likely
Cyberattack’s Impact Could Worsen in ‘Second Wave’ of Ransomware
https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html
ecurity experts are warning that the global cyberattack that began on Friday is likely to be magnified in the new workweek as users return to their offices and turn on their computers.
Many workers, particularly in Asia, had logged off on Friday before the malicious software, stolen from the United States government, began proliferating across computer systems around the world. So the true effect of the attack may emerge on Monday as employees return and log in.
Moreover, copycat variants of the malicious software behind the attacks have begun to spread, according to experts. “We are in the second wave,” said Matthieu Suiche of Comae Technologies, a cybersecurity company based in the United Arab Emirates. “As expected, the attackers have released new variants of the malware. We can surely expect more.”
On Sunday, MalwareTech was one of many security experts warning that a less-vulnerable version of the malware is likely to be released.
Robert Pritchard, a former cybersecurity expert at Britain’s defense ministry, said that security specialists might not be able to keep pace with the hackers.
“This vulnerability still exits; other people are bound to exploit it,” he said. “The current variant will make its way into antivirus software. But what about any new variants that will come in the future?”
Allan Liska, an analyst with Recorded Future, a cybersecurity company, said a new version of the ransomware he examined Sunday did not have the kill switch. “This is probably version 2.1, and it has the potential to be much more effective — assuming security defenders haven’t spent all weekend patching,” he said.
Tomi Engdahl says:
The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
Read more at https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#0GEyVgUW1Imvz58Z.99
Tomi Engdahl says:
Hackers Behind Massive Ransomware Attack Have Made an Embarrassingly Small Amount of Money
http://gizmodo.com/hackers-behind-massive-ransomware-have-made-an-embarras-1795195644
The WannaCry ransomware attack that spread around the globe yesterday caused chaos at hospitals, manufacturing shutdowns, headaches for Microsoft, and overtime for cybersecurity professionals. But the hackers responsible for this absurd attack have made relatively little in the way of profits.
According to an analysis by respected security researcher Brian Krebs, the hackers have thus far only pulled in about $26,000 for perpetrating what is believed to be one of the largest ransomware attacks in history.
Tomi Engdahl says:
Brad Smith / Microsoft on the Issues:
Microsoft decries “stockpiling of vulnerabilities by governments”, citing NSA, CIA leaks, reiterates points from its Feb. call for a “Digital Geneva Convention” — Early Friday morning the world experienced the year’s latest cyberattack.
The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
Read more at https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#FrHZ46MKvkVGwuEg.99
Tomi Engdahl says:
Global Cyber Attack Halted: Autopsy Time
http://hackaday.com/2017/05/13/global-cyber-attack-halted-autopsy-time/
Friday saw what looked like the most dangerous ransomware infection to date. The infection known as WannaCry was closing down vital hospital IT systems across the UK canceling major operations and putting lives at risk.
Spread Halted?
It spread further around the world and almost became a global pandemic. Although machines are still encrypted demanding Bitcoin, one security blogger [MalwareTech] halted the ransomware by accident.
Why was the UK’s NHS Hit So Badly?
According to the [BBC] Information obtained by software firm Citrix under Freedom of Information laws in December suggest up to 90% of NHS trusts were still using Windows XP, However NHS Digital says it is a “much smaller number”. Microsoft has rolled out a free security update to Windows XP, Windows 8, and Windows Server 2003 “to protect their customers”. There was much warning about XP no longer receiving updates etc, the 2001 operating system just needs to die however so many programs especially embedded devices rely upon the fact that the OS running is Windows XP, This is a problem that needs sorted sooner rather than later.
So is this the end for ransomware?
No, this infection was stopped by accident the infected are either still infected or have paid up, had they not included the sloppy code in the first place then who knows what would have happened. Microsoft had rolled out patches but some people/organizations/Governments are lazy and don’t bother to apply them. Keep your computers up to date, Good luck because we think we will be seeing a lot more ransomware malware in the coming years.
[Update WannaCry v. 2.0 has been released without the “kill switch”, We wonder what will happen now. Probably not a lot as the media attention has been quite intense so it may not be that big an infectio
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Payments to the three Bitcoin addresses reportedly hardcoded in the WannaCry ransomware totaled merely $26K by Saturday
Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far
http://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/
Tomi Engdahl says:
Edward Snowden:
In light of today’s attack, Congress needs to be asking @NSAgov if it knows of any other vulnerabilities in software used in our hospitals.
Source: https://twitter.com/Snowden/status/863108616773095425
Tomi Engdahl says:
Edward Snowden:
Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost:
Source: https://twitter.com/Snowden/status/863104818629554177
Tomi Engdahl says:
MalwareInt(Beta)
https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all
Tomi Engdahl says:
NHS cyber-attack: GPs and hospitals hit by ransomware
http://www.bbc.com/news/health-39899646
Tomi Engdahl says:
WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain
EternalBlue now an eternal headache
https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/
Telefónica was one of several victims of a widespread file-encrypting ransomware outbreak, El Pais reports. Telefónica has confirmed the epidemic on its intranet while downplaying its seriousness, saying everything was under control. Fixed and mobile telephony services provided by the firm have not been affected.
The strain of ransomware at the centre of the outbreak is a variant of WannaCrypt aka Wcry aka WanaCrypt aka Wanna Decryptor. Spain’s CERT put out an alert saying that the outbreak had affected several organizations.
https://www.telefonica.com/es/web/sala-de-prensa/-/incidencia-ciberseguridad
Tomi Engdahl says:
74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+
All you need to know – from ports to samples
https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/
Tomi Engdahl says:
PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes
https://it.slashdot.org/story/17/05/15/0354230/pcs-connected-to-the-internet-will-get-infected-with-wanadecrypt0r-in-minutes?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
“The Wana Decrypt0r ransomware — also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow,” reports BleepingComputer. “During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims… Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.”
Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes
https://www.bleepingcomputer.com/news/security/honeypot-server-gets-infected-with-wannacry-ransomware-6-times-in-90-minutes/
The WannaCry ransomware — also known as WCry, Wana Decrypt0r, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow.
During one of those infections, WannaCry infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims. Remind you that the ransomware was defanged via a kill-switch researchers found in its code, but this test shows how quickly new infections will be made if this kill switch wouldn’t have been discovered.
Furthermore, three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.
We all know the huge problems caused by IoT malware and IoT botnets, and Benkow’s experiment shows how widespread the WannaCry problem is.
https://benkowlab.blogspot.fi/
Tomi Engdahl says:
PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes
https://it.slashdot.org/story/17/05/15/0354230/pcs-connected-to-the-internet-will-get-infected-with-wanadecrypt0r-in-minutes?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
“The Wana Decrypt0r ransomware — also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow,” reports BleepingComputer. “During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims… Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.”
Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes
https://www.bleepingcomputer.com/news/security/honeypot-server-gets-infected-with-wannacry-ransomware-6-times-in-90-minutes/
The WannaCry ransomware — also known as WCry, Wana Decrypt0r, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow.
During one of those infections, WannaCry infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims. Remind you that the ransomware was defanged via a kill-switch researchers found in its code, but this test shows how quickly new infections will be made if this kill switch wouldn’t have been discovered.
Furthermore, three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.
We all know the huge problems caused by IoT malware and IoT botnets, and Benkow’s experiment shows how widespread the WannaCry problem is.
Tomi Engdahl says:
Microsoft Issues Emergency Patch in Response to Massive Ransomware Outbreak
http://www.securityweek.com/microsoft-issues-emergency-patch-response-massive-ransomware-outbreak
WannaCry Ransomware Exploits Windows SMB Vulnerability, Microsoft Issues Fix to Protect Outdated Systems
A fast-moving wave of ransomware attacks is hitting hard across the world, exploiting a recently patched vulnerability that was exposed in documents leaked from the NSA by the mysterious Shadow Broker group.
Dubbed WannaCry, the ransomware is exploiting a critical vulnerability in Microsoft’s Server Message Block (SMB) which was patched by Microsoft (MS17-010) for supported versions of Windows last month.
Also known as WCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r, the ransomware strain has reportedly hit more than 100 countries in less than 24 hours.
Tomi Engdahl says:
Manhunt for Hackers Behind Global Cyberattack
http://www.securityweek.com/manhunt-hackers-behind-global-cyberattack
International investigators hunted Saturday for those behind an unprecedented cyber-attack that affected systems in dozens of countries, including at banks, hospitals and government agencies, as security experts sought to contain the fallout.
The assault, which began Friday and was being described as the biggest-ever cyber ransom attack, struck state agencies and major companies around the world — from Russian banks and British hospitals to FedEx and European car factories.
“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” said Europol, Europe’s police agency.
Europol said a special task force at its European Cybercrime Centre was “specially designed to assist in such investigations and will play an important role in supporting the investigation”.
Images appeared on victims’ screens demanding payment of $300 (275 euros) in Bitcoin, saying: “Ooops, your files have been encrypted!”
Payment is demanded within three days or the price is doubled, and if none is received within seven days the files will be deleted, according to the screen message.
“Paying the ransom does not guarantee the encrypted files will be released,” the US Department of Homeland Security’s computer emergency response team said.
“It only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information.”
- ‘Painful’ -
Experts and officials offered differing estimates of the scope of the attacks, but all agreed it was huge.
– Europe worst hit -
US software firm Symantec said the majority of organizations affected were in Europe, and the attack was believed to be indiscriminate.
The companies and government agencies targeted were diverse.
In the United States, package delivery group FedEx said it was “implementing remediation steps as quickly as possible,” while French carmaker Renault was forced to stop production at sites in France, Slovenia and Romania.
Russia’s interior ministry said some of its computers had been hit by a “virus attack” and that efforts were underway to destroy it. The country’s banking system was also attacked, although no problems were detected, as was the railway system.
Germany’s rail operator Deutsche Bahn said its station display panels were affected. Universities in Greece and Italy also were hit.
- Accidental ‘kill switch’ -
Kaspersky said it was “trying to determine whether it is possible to decrypt data locked in the attack — with the aim of developing a decryption tool as soon as possible.”
On Saturday, a cyber security researcher told AFP he had accidentally discovered a “kill switch” that could prevent the spread of the ransomware.
Tomi Engdahl says:
Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r
https://yro.slashdot.org/story/17/05/15/0137215/microsoft-blasts-spy-agencies-for-leaked-exploits-used-by-wanadecrypt0r
Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There’s an “emerging pattern” of these stockpiles leaking out, he says, and they cause “widespread damage” when that happens. He goes so far as to liken it to a physical weapons leak — it’s as if the US military had “some of its Tomahawk missiles stolen”…
Microsoft blasts spy agencies for hoarding security exploits
It likens ‘WannaCry’ to someone stealing Tomahawk missiles.
https://www.engadget.com/2017/05/14/microsoft-blasts-spy-agency-exploit-hoarding/
Microsoft is hopping mad that leaked NSA exploits led to the “WannaCry” (aka “WannaCrypt”) ransomware wreaking havoc on computers worldwide. Company President Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There’s an “emerging pattern” of these stockpiles leaking out, he says, and they cause “widespread damage” when that happens. He goes so far as to liken it to a physical weapons leak — it’s as if the US military had “some of its Tomahawk missiles stolen.”
To Smith, this is a “wake-up call.” Officials ought to treat a mass of exploits with the same caution that they would a real-world weapons cache, he argues. Microsoft had already floated the concept of a “Digital Geneva Convention” that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos. Will the NSA and other agencies listen? Probably not — but Microsoft at least some has some evidence to back up its claims.
Tomi Engdahl says:
Ransomware scum have already unleashed kill-switch-free WannaCrypt variant
Researchers warn over new Uiwix strain
https://www.theregister.co.uk/2017/05/15/wannacrypt_variant/
Miscreants have launched a ransomware worm variant that abuses the same vulnerability as the infamous WannaCrypt malware.
Danish firm Heimdal Security warned on Sunday that the new Uiwix strain doesn’t include a kill-switch domain, like the one that proved instrumental in minimising the harm caused by WannaCrypt last week, although this is subject to some dispute.
“As far as I know there’s only been two variants (one this morn) and none without [a kill]switch,” security researcher Dave Kennedy told El Reg. Other researchers, including Kevin Beaumont, are also telling us they haven’t yet seen a variant of WannaCrypt without a kill switch.
Tomi Engdahl says:
WanaCry because your organization is slow to patch? Stop the tears with TearSt0pper!
https://www.renditioninfosec.com/2017/05/wanacry-because-your-organization-is-slow-to-patch-stop-the-tears-with-tearst0pper/
WanaCrypt0r 2.0 has been spreading like wildfire and causing severe impact to individuals and businesses alike. Wcry not only is a crypto-ransomware variant, but packages a leaked NSA exploit with it (MS17-010), creating a self-propagating ransomware worm.
To protect our clients and now the general public, Rendition Infosec has released TearSt0pper. Simply put, TearSt0pper creates a mutex (mutual exclusion object) that will prevent WanaCrypt0r 2.0/Wcry from infecting a system.
Slow patching cycles by organizations for MS17-010 coupled with Wcry modifications leaves many still vulnerable to infection and spread. TearSt0pper by Rendition Infosec stops the tears and can be run from any user privilege as tested. This means administrators can deploy TearSt0pper throughout the enterprise as a group policy object, etc. without requiring the binary to be run as Administrator.
Protect systems from future infection by WanaCry with TearSt0pper and CONTINUE TO PATCH MS17-010.
Tomi Engdahl says:
RANSOMWARE
How to protect your business against Ransomware
https://secure.f-secure.com/ransomware-protection
WannaCry Ransomware and How to Defend Against It
https://www.cybereason.com/what-is-the-wannacry-ransomware-attack-and-how-to-defend-against-it/
Tomi Engdahl says:
RANSOMWARE
How to protect your business against Ransomware
https://secure.f-secure.com/ransomware-protection
What should you do?
1. Ensure DeepGuard and real-time protection is turned on in all your corporate endpoints.
2. Identify endpoints without the Microsoft issued patch (4013389) with Software Updater or other available tool.
3. Patch it immediately with Software Updater or other available tools.
In case you are unable to patch it immediately, we recommend to disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 in order to reduce attack surface
4. Configure the firewall to properly block traffic
Block 445 inbound to all internal and internet-facing Windows systems to prevent workstations from getting infected
Block 455 outbound from servers to prevent the servers from spreading WannaCrypt within the environment
Alternatively, you can set F-Secure Firewall policy to its highest setting, which has predefined rules to block the attack.
Tomi Engdahl says:
Microsoft Security Bulletin MS17-010 – Critical
Security Update for Microsoft Windows SMB Server (4013389)
Published: March 14, 2017
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Tomi Engdahl says:
‘WannaCry’ Malware Attack Could Just Be Getting Started: Experts
http://www.nbcnews.com/news/us-news/blockbuster-wannacry-malware-could-just-be-getting-started-experts-n759356
The estimated 200,000 computers crippled worldwide by last week’s mammoth ransomware attack could be only the tip of the iceberg, security experts said Sunday.
The apparently random attack, called “WannaCry,” hit on Friday and spread like wildfire before a malware researcher identified as Marcus Hutchins was able to halt it temporarily a day later, when workers in many companies weren’t in their offices.
That means an untold number of other infected systems could still be waiting to be discovered when people return to work on Monday and fire up their computers.
And there’s worse news: At least two new variations of the malware have already been detected.
All it takes is for one computer on a network to be infected for all of the computers on that network to be compromised.
While Microsoft had stopped supporting older versions of Windows, it said it is pushing out special automatic updates to those systems to block the worm.
Tomi Engdahl says:
This could be bad, new #WannaCry #ransomware with new kill switch domain, I bet someone other than original actors did this and released
Source: https://twitter.com/darienhuss/status/863738023795621888
Tomi Engdahl says:
WannaCry Kill-Switch(ed)? It’s Not Over! WannaCry 2.0 Ransomware Arrives
Saturday, May 13, 2017 Swati Khandelwal
https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html
Tomi Engdahl says:
The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0001m8ckub1q8f2stke29h7mp846d
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.
Tomi Engdahl says:
Microsoft Warns Governments Against Exploit Stockpiling
http://www.securityweek.com/microsoft-warns-governments-against-exploit-stockpiling
Microsoft Says WannaCry Ransomware Outbreak Should be a Wake Up Call for Governments
Microsoft president and chief legal officer Brad Smith has renewed his call for an international ‘Digital Geneva Convention’ following the global WannaCrypt ransomware attack that started on Friday.
In ‘The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack’, Smith wrote Sunday, “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”
Some estimates now suggest that WannaCrypt has affected more than 200,000 users in 200 different countries. But if Smith’s proposals were already standard practice, it need never have happened. Earlier this year he called for a digital Geneva Convention that “should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.”
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” he wrote yesterday. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
The current worldwide ‘incident’, which could be described as ‘a perfect storm’, happened (and is continuing) through the convergence of three primary threats: the continued use of unsupported operating systems (more specifically, Windows XP); the continuing success of phishing; and the availability of 0-day exploits.
Tomi Engdahl says:
“Let’s have fun when we talk about this as the biggest attack ever”
According to F-Secure’s leading expert, there have been millions of contaminated machines in the biggest attacks.
According to an expert at F-Secure, the cyber attack that began on Friday was technically at the 2003 level.
According to him, the global impact remained low. About 200,000 computers are thought to be contaminated.
He recalls that in the early 2000s, cyber attacks were contaminated with millions of machines contaminated.
The extraordinarily wide cyber attack launched on Friday has been devastating in about 150 countries. EU Police Commissioner Europol reports attacks have hit 200,000 targets and describes the assault as “unprecedented.
- The attack was technically at the 2003 level. There was not something that should have been surprising or new. It was a network mail that spread with vulnerability. Nearly 60 days of repair have been available for the vulnerability, Niemelä says.
There was nothing technically unusual about the attack.
- After all, what this could have been like was, indeed, the impact on the global scale was really small.
- Wow, when it comes to saying that this attack would be the biggest ever. If you compare worm-outbreakes and virus tokens to the early 2000s, then millions, if not even tens of millions of contaminated machines, were talked about. This was the biggest attack for some time…
According to Niemelä, in Finland and Western Europe, the problem was handled very well.
- If you want to generalize, so in countries that are usually disciplined, this is also the case. Big thanks goes to businesses with IT management, which were meticulously made sure that the equipment was updated.
Niemelä lists three ways to protect his machine from similar attacks in the future.
- Using a firewall, adjusting its settings to the right and using good security software. These rescued Finland and long ago also Western Europe.
According to Niemelä, F-Secure did not even notice.
- We did not get any big reports from our customers. It just went straight to automatic combat.
The reason for the vulnerability of certain systems is clear.
- There are certain industrial and medical systems where Windows XP is part of a production system. It’s part of the machine, like anything else, and can not just change it. Unfortunately, many industrial journalists have such silly terms that the system should not be upgraded, or the warranty will lapse, Niemelä says.
According to him, customers have slowly awakened to not condone the condition, but in the past the solution was very typical.
- Such devices are less commonly connected to the Internet. When all other devices in the organization are protected, no infection can reach this vulnerable point at all. This is exactly what was done in Finland.
Source: http://www.iltalehti.fi/digi/201705152200138053_du.shtml
Tomi Engdahl says:
New WannaCrypt ransomware variant discovered in the wild
The global ransomware campaign may not be anywhere close to over yet.
http://www.zdnet.com/article/new-wannacry-variant-swarms-discovered-in-the-wild/
New ransomware samples of WannaCrypt variants have been discovered in the wild but it is yet to be seen if they pose the same threat as the first ransomware attack wave.
On Friday, at least 47 trusts across England and 13 National Health Service (NHS) services in Scotland were faced with severe disruption as IT services went into lockdown due to the Wanna Decryptor ransomware, also known as WannaCrypt, WanaCrypt0r and WannaCry.
Following reports of the ransomware attack across the UK, researchers soon discovered instances of the same malware being used in thousands of attacks in 150 countries at last count, including the UK, Russia, and Spain. It is believed the ransomeware has claimed at least 200,000 victims.
WannaCrypt infects vulnerable systems through phishing campaigns, malicious emails and malware-laden attachments in the typical way ransomware generally operates.
However, once one infection is successful, the ransomware then encrypts everything it can get its hands on — including hard drives and external storage devices — before performing a scan to find and jump to new systems which are not protected against the malware.
According to security firm Recorded Future, WannaCry first appeared on 31 March but the version now appearing in attacks has been modified, such as the inclusion of “worm-like” capabilities which allow the malware to spread through any networked systems which have not been patched via NetBIOS.
The ransomware uses a known Microsoft Windows Server Message Block (SMB) vulnerability, EternalBlue (MS17-010), which is a bug in Windows SMBv1 and SMBv2.
The security flaw is reportedly one of the same zero-day vulnerabilities released as part of the Shadow Brokers NSA cache.
You can view a live update map of the WannaCry spread here.
https://intel.malwaretech.com/botnet/wcrypt
Tomi Engdahl says:
Ransomware attack: Hospitals still struggling in aftermath of WannaCrypt’s rampage
http://www.zdnet.com/article/ransomware-attack-hospitals-still-struggling-in-aftermath-of-wannacrypts-rampage/
Three days after the initial cyberattack, NHS hospitals are still suffering from disruption as new infections come to light.
NHS hospitals are still struggling in the fight against a global ransomware attack, with computer systems in several hospitals locked three days after the initial outbreak and previously unaffected hospitals revealed to have fallen to WannaCrypt ransomware.
As NHS organisations start a new work week, it appears the attack is far from over, with the previously unaffected Shrewsbury and Telford Hospital NHS Trust added to the list of victims.
“As has been widely reported, on Friday a large number of NHS Trusts were affected by a computer virus that was contained in an email attachment. Unfortunately, the virus was detected on a small number of machines at SaTH,” said Sara Biffen, Deputy Chief Operating Officer at The Shrewsbury and Telford Hospital NHS Trust (SaTH).
“As a precautionary measure, some of the Trust’s systems were suspended briefly in order to reduce any further risk,” she added.
NHS Digital said it is continuing to work to fight against the WannaCry cyberattack and its impact on the health service.
Cybersecurity researchers have suggested the ransomware attacks are so potent because they exploit a known software flaw dubbed EternalBlue. This Windows flaw is one of many zero-days which apparently was known by the NSA — before being leaked by the Shadow Brokers hacking collective.
Tomi Engdahl says:
With the Success of WannaCry, Imitations are Quickly In Development
https://www.bleepingcomputer.com/news/security/with-the-success-of-wannacry-imitations-are-quickly-in-development/
With the successful launch of the WannaCry Ransomware last Friday, ransomware developers are being quick to release their own imitations. As of today, I found 4 different WannaCry knockoffs in various forms of development. Of particular interesting is what appears to be a WannaCry Ransomware generator that allows you to customize the appearance and text of the lock screen.
DarkoderCrypt0r
Of the four WannaCry imitators, DarkoderCrypt0r is the farthest along in development as it actually encrypts files on a computer.
Aron WanaCrypt0r 2.0 Generator v1.0
Aran wanaCrypt0r 2.0 Generator v1.0 is an interesting sample as it is being developed to be a customizable WannaCry Ransomware generator. This program allows you to create a customized WannaCry lock screen where a developer can customize the text, images, and colors of the lock screen.
Wanna Crypt v2.5
Wanna Crypt v2.5 is in the very beginning stages of development as it only displays the lock screen shown below when launched.
WannaCrypt 4.0
Like Wanna Crypt v2.5, WannaCrypt 4.0 is in the beginning stages of development and does not encrypt anything at this time.
Tomi Engdahl says:
http://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-wannacry-ransomware-computers-infected-virus-malwaretech-a7734911.html
‘Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP,’ says accidental hero, 22, who shut down major attack
Tomi Engdahl says:
Bank of China ATMs Go Dark As Ransomware Attack Cripples China
http://www.zerohedge.com/news/2017-05-13/bank-china-atms-go-dark-ransomware-attack-slams-china
In the aftermath of the global WannaCry ransomware attack, which has spread around the globe like wildfire, a significant number of corporations and public services have found their infrastructure grinding to a halt, unable to operate with unprotected if mission-critical computers taken offline indefinitely. Some of the more prominent examples so far include:
NHS: The British public health service – the world’s fifth-largest employer, with 1.7 million staff – was badly hit, with interior minister Amber Rudd saying around 45 facilities were affected. Several were forced to cancel or delay treatment for patients.
Germany’s Deutsche Bahn national railway operator was affected, with information screens and ticket machines hit. Travelers tweeted pictures of hijacked departure boards showing the ransom demand instead of train times. But the company insisted that trains were running as normal.
Renault: The French automobile giant was hit, forcing it to halt production at sites in France and its factory in Slovenia as part of measures to stop the spread of the virus.
FedEx: The US package delivery group acknowledged it had been hit by malware and said it was “implementing remediation steps as quickly as possible.” .
Russian banks, ministries, railways: Russia’s central bank was targeted, along with several government ministries and the railway system. The interior ministry said 1,000 of its computers were hit by a virus. Officials played down the incident, saying the attacks had been contained.
Telefonica: The Spanish telephone giant said it was attacked but “the infected equipment is under control and being reinstalled,” said Chema Alonso, the head of the company’s cyber security unit and a former hacker.
Sandvik: Computers handling both administration and production were hit in a number of countries where the company operates, with some production forced to stop. “In some cases the effects were small, in others they were a little larger,” Head of External Communications Par Altan said.
Now, courtesy of 95cn.org, and its twitter account, we have the first visual evidence that China too was materially impacted, to the point where not only local ATMs had been taken offline, but Chinese traffic police, immigration authorities and various public security bureaus and schools have suspended normal work until the malware threat is resolved.
Tomi Engdahl says:
WannaCry ransomware attack
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
List of affected organizations
Several experts highlighted the NSA’s non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had “privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened”.[102] British cybersecurity expert Graham Cluley also sees “some culpability on the part of the U.S. intelligence services”. According to him and others “they could have done something ages ago to get this problem fixed, and they didn’t do it”. He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries’ citizens.[
Others commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic
Tomi Engdahl says:
WannaCry hits Bank of China and Russian FIs
https://ibsintelligence.com/ibs-journal/wannacry-hits-bank-china-russian-fis/
China has emerged as one of the victims of the WannaCry ransomware attack. Bank of China ATMs were taken offline whilst the situation was tackled. Chinese traffic police, immigration authorities and various public security bureaus and schools were also suspended.
Elsewhere, Russia’s central bank was also targeted, along with several government ministries, the railway system and a number of Russian banks, but their computer networks were not penetrated, the cybersecurity monitoring centre FinCert, which is operated by Russia’s central bank, reported. Sberbank, Russia’s largest bank, commented: “Cybersecurity systems have discovered attempts to infect the bank infrastructure in due course. The bank network is protected from such an attack. No virus infection happened.”
Tomi Engdahl says:
Wannacry wrecking havoc to banks, commercial and public sector worldwide
https://www.enterpriseinnovation.net/article/wannacry-wrecking-havoc-banks-commercial-and-public-sector-worldwide-466216229
On May 12, the UK’s National Health Services, Spain’s Telefonica, logistics firm FedEx were among the first organizations to get infected with the WannaCrypt ransomware malware.
On March 14, 2016, Microsoft announced the first of two major updates for its Windows 10 operating system including the security update (MS17-010) aimed at fixing a Windows Server Message Block (SMB) vulnerability.
Although the patch was initially developed for the Windows 10 operating system, the extent of the WannaCrypt (also known as WannaCry, WannaCrypt0r 2.0 or Wcrypt or Wanna Decryptor) attacked has prompted Microsoft to provide a security update for Windows XP, Windows 8 and Windows Server 2003 despite these versions no longer officially supported by the vendor. Windows Vista, Windows 7 and Windows 8.1 were included in the March update.
History lesson
On May 5, 2000, the I Love You virus hit the world spreading causing up to US$8.7 billion in damages and infecting an estimated 10% of internet-connected computers at the time. Much of the cost associated with the virus was time and resources spent to remove the infection and recover files from backups. To stop the spread of the contagion, some organizations, including the US Pentagon, CIA, the British Parliament, shut down their mail system.
However, the I Love You virus is arguably not the most lethal of cyber infections, in recent years parts of the world has experienced directly the wrath of Zeus (2007), Conficker (2008), CrytoLocker (2005), Qakbot (2011), Sykipot (2007), Sandworm (2009) and now WannaCrypt (or WannaCry). What is indicative of all these attacks is that both users of connected devices will continue to be targets as long as there is money to be made.
The financial tool of the WannaCry malware is still being tallyed. Victims are given 3 days to respond to the ransom demand or face a doubling of ransom demand.
More to come
The malware is expected to continue to propagate given how slow organizations are to react to attacks and the ability to propagate patches. And as long as organizations are unwilling or too slow to implement patches, the risk of spread of the contagion is high.
Tomi Engdahl says:
WannaCry (WannaCrypt) Ransomware Encrypts Victim Data
https://www.hkcert.org/my_url/en/alert/17051301
Tomi Engdahl says:
Slashdot Asks: In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely?
https://ask.slashdot.org/story/17/05/15/0739227/slashdot-asks-in-the-wake-of-ransomware-attacks-should-tech-companies-change-policies-to-support-older-oss-indefinitely
In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times:
At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, “pay extra money to us or we will withhold critical security updates” can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible
The World Is Getting Hacked. Why Don’t We Do More to Stop It?
https://www.nytimes.com/2017/05/13/opinion/the-world-is-getting-hacked-why-dont-we-do-more-to-stop-it.html
The path to a global outbreak on Friday of a ransom-demanding computer software (“ransomware”) that crippled hospitals in Britain — forcing the rerouting of ambulances, delays in surgeries and the shutdown of diagnostic equipment — started, as it often does, with a defect in software, a bug. This is perhaps the first salvo of a global crisis that has been brewing for decades. Fixing this is possible, but it will be expensive and require a complete overhaul of how technology companies, governments and institutions operate and handle software. The alternative should be unthinkable.
Just this March, Microsoft released a patch to fix vulnerabilities in its operating systems, which run on about 80 percent of desktop computers globally. Shortly after that, a group called “Shadow Brokers” released hacking tools that took advantage of vulnerabilities that had already been fixed in these patches.
It seemed that Shadow Brokers had acquired tools the National Security Agency had used to break into computers. Realizing these tools were stolen, the N.S.A. had warned affected companies like Microsoft and Cisco so they could fix the vulnerabilities. Users were protected if they had applied the patches that were released, but with a catch: If an institution still used an older Microsoft operating system, it did not receive this patch unless it paid for an expensive “custom” support agreement.
The cash-strapped National Health Service in Britain, which provides health care to more than 50 million people, and whose hospitals still use Windows XP widely, was not among those that signed up to purchase the custom support from Microsoft.
Continue reading the main story
They were out in the cold.
On May 12, a massive “ransomware” attack using one of those vulnerabilities hit hospitals in Britain, telecommunication companies in Spain, FedEx in the United States, the Russian Interior Ministry and many other institutions around the world. They had either not applied these patches to systems where it was available for free, or had not paid the extra money for older ones.
Computer after computer froze, their files inaccessible, with an ominous onscreen message asking for about $300 worth of “bitcoin”
But the crisis is far from over. This particular vulnerability still lives in unpatched systems, and the next one may not have a convenient kill switch.
While it is inevitable that software will have bugs, there are ways to make operating systems much more secure — but that costs real money. While this particular bug affected both new and old versions of Microsoft’s operating systems, the older ones like XP have more critical vulnerabilities. This is partly because our understanding of how to make secure software has advanced over the years, and partly because of the incentives in the software business. Since most software is sold with an “as is” license, meaning the company is not legally liable for any issues with it even on day one, it has not made much sense to spend the extra money and time required to make software more secure quickly.
This isn’t all Microsoft’s fault though. Its newer operating systems, like Windows 10, are much more secure. There are many more players and dimensions to this ticking bomb.
During this latest ransomware crisis, it became clear there were many institutions that could have patched or upgraded their systems, but they had not. This isn’t just because their information technology departments are incompetent (though there are surely cases of that, too). Upgrades come with many downsides that make people reluctant to install them.
As an added complication, the ways companies communicate about upgrades and unilaterally change the user interface make people vulnerable to phishing, since one is never sure what is a real login or upgrade message and what is a bogus one, linking to a fake website trying to steal a login.
The problem is even worse for institutions like hospitals which run a lot of software provided by a variety of different vendors, often embedded in expensive medical equipment.
The next crisis facing us is the so-called “internet of things”: devices like baby monitors, refrigerators and lighting now come with networked software. Many such devices are terribly insecure and, worse, don’t even have a mechanism for receiving updates. In the current regulatory environment, the people who write the insecure software and the companies who sold the “things” bear no liability.
First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects
At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra.
The United States government has resources and institutions to help fix this. N.S.A.’s charter gives it a dual role: both offensive and defensive.
In other words, we can’t eliminate bugs, but with careful design, we can make it so that they cannot easily wreak havoc like this.
It is time to consider whether the current regulatory setup, which allows all software vendors to externalize the costs of all defects and problems to their customers with zero liability, needs re-examination.
Tomi Engdahl says:
WannaCry ransomware cyber-attacks slow but fears remain
http://www.bbc.com/news/technology-39920141
How has Monday been so far?
Many firms employed experts over the weekend to try to prevent new infections.
The picture now appears better in Europe.
Senior spokesman for Europol, Jan Op Gen Oorth, told the AFP news agency: “The number of victims appears not to have gone up and so far the situation seems stable in Europe, which is a success.
“It seems that a lot of internet security guys over the weekend did their homework and ran the security software updates.”
UK Health Minister Jeremy Hunt confirmed to the BBC that UK intelligence services had found no evidence of a second wave of attacks on Monday.
Companies in Asia and Europe have been warning employees to be careful when clicking on attachments and links in their emails.
The message from the UK’s National Crime Agency was “do not pay!” – there is no guarantee that systems will be restored.
What’s behind Microsoft’s ‘wake-up call’ warning?
The computing giant says the tool used in this current attack had been developed by the US National Security Agency and was stolen by hackers.
It is highly critical of the way governments store data on software vulnerabilities.
Microsoft president and chief legal officer Brad Smith said on Sunday: “We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world.
“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”
Tomi Engdahl says:
Worldwide Cyberattack Stopped After Sole Researcher Accidentally Discovers Kill Switch
http://www.iflscience.com/technology/worldwide-cyberattack-stopped-after-sole-researcher-accidentally-discovers-kill-switch/
A worldwide cyberattack of “unprecedented” proportions affected 150 countries last Friday, with health services in the UK, FedEx, and Telefonica, the primary telecommunications operator in Spain, being some of the high-profile victims of it. It was a ransomware-style attack
It appears that a garbled domain name, the address of a website essentially, was layered into the program’s source code. At a hunch, this so-called “accidental hero” – who had been exploring a sample of the cyberattack program – decided to buy the domain name for a measly $10.69 just to see what happened.
Immediately after the domain became active on the Web, it began to register thousands upon thousands of hits.
These connections then appeared to rapidly shut down the cyberattack, and within a few hours, people’s files were accessible again. The activation of the domain seemed to be the “kill switch”, one that the programmers would use to eventually stop the spread of the virus.
Initially, the British cybersecurity researcher – who tweets anonymously as @malwaretechblog – panicked, as the press first thought that the infection was caused by registering the domain name. Soon, though, his technical heroics came to light, and he was receiving praise from both government agencies and the media.