An NSA-derived ransomware worm is shutting down computers worldwide

A highly virulent new strain of self-replicating ransomware is shutting down computers all over the world.

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 57,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected.

Wcry uses a weapons-grade exploit published by the NSA-leaking Shadow Brokers.


  1. Tomi Engdahl says:

    Sophos waters down ‘NHS is totally protected’ by us boast
    Watered down homeopathy for computers is more powerful, m’kay?

    Sophos updated its website over the weekend to water down claims that it was protecting the NHS from cyber-attacks following last week’s catastrophic WannaCrypt outbreak.

    Proud website boasts that the “NHS is totally protected with Sophos” became “Sophos understands the security needs of the NHS” after the weekend scrub-up.

    Security-watchers, including former staffer Graham Cluley, noticed the reverse ferret.

    Sophos didn’t publish a definition update until 1825 BST, hours after an outbreak that forced hospitals to postpone scheduled treatments and appointments in scores of NHS Trusts. Sophos Live Protection functionality, if enabled, could detect WannaCrypt earlier than that.

    Signature updates aren’t the only layer of security in modern anti-malware but this only raises further questions about why Sophos’s technology didn’t pick up an attack based on a known exploit patched by Microsoft two months prior.

    Sophos executives can, however, console themselves that the security firm’s share price has risen markedly since the outbreak

  2. Tomi Engdahl says:

    Finnish hacker: The WannaCry attack could have been blocked easily

    Crisis caused by WannaCry- / Wanacryptor malware is frustrating because it could have been prevented so easily, thinks the hacker Benjamin Särkkä. He predicts that a historic assault may be a necessary reminder for many organizations, including in the healthcare sector, which still frequently use obsolete systems.

    “If someone has clicked a Windows Update Announcement for a couple of months and asked to remember later, then there may be a place to look at in the mirror, which was not a zero-day attack,” says Särkkä.

    WannaCry is reported to have paralyzed many organizations, for example in health care. Industry operators still have access to several outdated platforms that are very expensive. Therefore, they may not have been updated either.

    “There are many real cases in the world where hospitals have 15 million euro worth of magnetic imaging equipment that works perfectly without problems but can not be upgraded, for example, because the manufacturer has gone bankrupt and nobody else can do anything about it,”

    Often, in these cases, the IT department may have warned you about it, but the costs involved in the exchange are doubtful. Behind the chosen risk tolerance is always someone’s decision.

    “In healthcare IT security is often a secondary issue when it comes to patient safety, and it has not yet woken up to the fact that these things are often linked together, and hopefully these players will start to invest more in security.”

    For example, the Defense Forces have several embedded systems that cause problems in such cases. There are likely to be expensive operations in the fleet where the fleet needs to be replaced.


  3. Tomi Engdahl says:

    WannaCry: Are you safe?

    Several large organizations reported an infection simultaneously. Among them were several British hospitals that had to suspend their operations. According to data released by third parties, WannaCry has infected more than 200,000 computers. The sheer number of infections is a big part of the reason it has drawn so much attention.

    The creators of WannaCry have taken advantage of the Windows exploit known as EternalBlue, which relies on a vulnerability that Microsoft patched in security update MS17-010, dated March 14 of this year. By using the exploit, the malefactors could gain remote access to computers and install the encryptor.

    By infecting one computer, WannaCry can infect an entire local area network and encrypt all of the computers on the network. That’s why large companies suffered the most from the WannaCry attack — the more computers on the network, the greater the damage.

    Here are several pieces of advice on how to prevent infection and minimize damage.

    Install software updates. This case desperately calls for all Windows users to install the MS17-010 system security update. Microsoft even released it for systems that are no longer officially supported, such as Windows XP or Windows 2003. Seriously, install it right now; it’s very important.

    Create file backups on a regular basis and store the copies on storage devices that are not constantly connected to the computer. If you have a recent backup copy, then an encryptor infection is not a catastrophe; you can spend a few hours reinstalling the operating system and apps, then restore your files and move on.

    Use a reliable antivirus.

  4. Tomi Engdahl says:

    Microsoft’s response to widespread cyberattacks may make you WannaCry

    Microsoft’s president and chief legal officer Brad Smith took to the company’s website to give a post mortem on the lessons that need to be learned from the global hack

    Put simply, cyberweapons are just that — weapons. It’s the digital equivalent of stockpiling a nuclear arsenal and keeping them in a standard safe (or keeping a deadly virus in the office fridge).

    The NSA shouldn’t think that it can amass powerful hacks and be able to keep them secure, because we’ve seen just how porous the U.S. cybersecurity apparatus is.

    If these were conventional weapons, the world would be up in arms. And indeed, the world should be.

  5. Tomi Engdahl says:

    New Wave of Ransom Threats Seen in Unprecedented Attack

    An unrivaled global cyber-attack is poised to continue claiming victims Monday as people return to work and turn on their desktop computers, even as hospitals and other facilities gained the upper hand against the first wave.

    About 97 percent of U.K. facilities and doctors disabled by the attack were back to normal operation, Home Secretary Amber Rudd said Saturday after a government meeting. At the height of the attack Friday and early Saturday, 48 organizations in the NHS were affected, and hospitals in London, North West England and Central England urged people with non-emergency conditions to stay away as technicians tried to stop the spread of the malicious software.

    “This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.”

    Victims have paid about $50,000 in ransom so far, with the total expected to rise

    A spokesman for Spain’s Telefonica SA said the hack affected some employees at its headquarters, but the phone company is attacked frequently and the impact of Friday’s incident wasn’t major. FedEx said it was “experiencing interference,” the Associated Press reported.

    Renault halted production at some factories to stop the virus from spreading, a spokesman said Saturday, while Nissan’s car plant in Sunderland, in northeast England, was affected without causing any major impact on business, an official said.

    In Germany, Deutsche Bahn faced “technical disruptions” on electronic displays at train stations, but travel was unaffected

    There is a high probability that Russian-language cybercriminals were behind the attack, said Aleks Gostev, chief cybersecurity expert for Kaspersky Labs.

    “Ransomware is traditionally their topic,” he said. “The geography of attacks that hit post-Soviet Union most also suggests that.”

  6. Tomi Engdahl says:

    WannaCry ransomware is still spreading fast, but ‘kill switch’ defenses hold for now

    WannaCry ransomware sweeping the world hasn’t stopped its progress, but quick action by cybersecurity professionals has at least partially limited the damage it does as it goes.

  7. Tomi Engdahl says:

    Microsoft Warns Governments Against Exploit Stockpiling

    Microsoft Says WannaCry Ransomware Outbreak Should be a Wake Up Call for Governments

    Microsoft president and chief legal officer Brad Smith has renewed his call for an international ‘Digital Geneva Convention’ following the global WannaCrypt ransomware attack that started on Friday.

    In ‘The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack’, Smith wrote Sunday, “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”

  8. Tomi Engdahl says:

    “Patched” WannaCry Ransomware Has No Kill-Switch

    After researchers managed to stop the recent WannaCry ransomware outbreak by registering domains that function as kill-switches, a variant of the malware that no longer uses this function has emerged, security researchers warn.

    WannaCry, also referred to as WanaCrypt0r, WannaCrypt, Wana Decrypt0r, and WCry, managed to wreak havoc worldwide over the past three days, hitting hospitals, ISPs, banks, government agencies, and carmakers, among others. The attacks started to propagate fast on Friday, with Europe hit the most, and Europol immediately designed a task force to assist in the investigation.

    The threat managed to spread fast because of a worm component that abuses two recently disclosed NSA exploits targeting Windows. The first, EternalBlue, is abused to penetrate vulnerable machines, while the second, the DoublePulsar backdoor, is used to load the relevant payload DLL during exploitation.

    Once it has infected a computer, the malware starts connecting to random IP addresses on port 445, which is used by Server Message Block (SMB), and uses this venue to propagate itself to other computers on the network. This also means that, the more computers are infected, the faster the malware can spread to new ones.

    The EternalBlue vulnerability was patched by Microsoft with its March 2017 security updates (the MS17-010 patch), but only on supported platforms.
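The propagation behaviour described above (one infected host opening SMB connections to many random addresses on port 445) is what a network defender can look for. The following detector is an added example, not code from the original thread: it reads a constructed, simplified flow-log format (`timestamp src dst dport`) and flags any source that talks to an unusually large number of distinct port-445 destinations inside a short window; the threshold and window values are assumptions for the example.

```python
"""Detect worm-style SMB fan-out in connection logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# Tunables: assumptions for this example, not values taken from the thread.
DISTINCT_DST_THRESHOLD = 20   # distinct port-445 targets per source host ...
WINDOW_SECONDS = 60           # ... within this many seconds triggers an alert


def parse_flow(line):
    """Parse 'YYYY-mm-ddTHH:MM:SS src dst dport' into (ts, src, dst, dport).

    Returns None for malformed lines so a noisy log does not abort the scan.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], dport


def detect_smb_fanout(lines, threshold=DISTINCT_DST_THRESHOLD,
                      window=WINDOW_SECONDS):
    """Return {src: first_alert_time} for hosts exceeding the fan-out threshold.

    For every source host a time-ordered deque of (ts, dst) port-445 flows is
    kept; entries older than the sliding window are dropped and the number of
    distinct destinations still inside the window is compared to the threshold.
    Lines for one source are expected in chronological order (as a flow
    collector would emit them); order across different sources does not matter.
    """
    per_src = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != 445:            # only SMB traffic is of interest here
            continue
        q = per_src[src]
        q.append((ts, dst))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = ts        # remember when the host first crossed the line
    return alerts


def constructed_sample():
    """Constructed sample flows: one benign file-server user, one scanning host."""
    lines = []
    base = datetime(2017, 5, 12, 10, 0, 0)
    # Benign: a workstation repeatedly reaches the same file server on 445.
    for i in range(30):
        t = base.replace(second=i)
        lines.append(f"{t.isoformat()} 10.0.1.5 10.0.1.10 445")
    # Suspicious: one host reaches 25 distinct addresses on 445 within 25 s.
    for i in range(25):
        t = base.replace(second=i)
        lines.append(f"{t.isoformat()} 10.0.1.77 203.0.113.{i + 1} 445")
    # Noise: the same host on port 80, which the detector must ignore.
    lines.append(f"{base.isoformat()} 10.0.1.77 198.51.100.9 80")
    return lines


if __name__ == "__main__":
    for host, when in detect_smb_fanout(constructed_sample()).items():
        print(f"ALERT {host}: SMB fan-out first seen at {when.isoformat()}")
```

A legitimate file-server client keeps hitting the same one or two destinations, so it never accumulates enough distinct targets; a worm scanning random addresses crosses the threshold within seconds.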

  9. Tomi Engdahl says:

    Traditionally, malware has spread through email attachments and other links. Thousands of emails have been sent by malicious advertisers to pretty much search and the spread of malware is slow, as few people click suspicious links open.

    The WannaCry wrap program works in another way. Instead of sending a malicious code to random email addresses, the developers started by scanning vulnerable devices in advance.

    “After this, the perpetrators attacked thousands of vulnerable devices at the same time, and the malware started to spread from the surrounding devices”, Nixu leading security consultant Antti Nuopponen describes the events.

    A significant change to the previous one is that several machines are contaminated at one time instead of one machine. Especially in companies, malicious malware spreads widely, and managing the situation quickly becomes difficult.

    According to Nuopponen, malware is becoming more common every year. Last year, the crash gain from malware was over one billion dollars.

    Nuopponen believes that while security is constantly being upgraded and prepared for attacks, the perpetrators always go one step ahead


  10. Tomi Engdahl says:

    Ransom Tracker

    A bot live-tweeting Bitcoin ransom payments by victims of ransomware. Maybe using a public immutable ledger was not such a good idea. Run by

  11. Tomi Engdahl says:

    According to a Finnish hacker, WannaCry is not a cyber attack

    WannaCry, a worm known by several different names, caused major damage at the turn of the week. Benjamin Särkkä, founder of the hacker event Disobey, sees the case as a historically significant ransomware incident.

    “I agree with Mikko Hyppönen that it is a historic event,” he says. The worm is the first Windows vulnerability of this sort for nearly 10 years.

    “These [remote code execution vulnerabilities] do not come often, and that’s why this is a huge deal.”

    According to him, WannaCry is the first online companion that has a lunatic program, a clear earning mechanism. It uses the vulnerability of Windows, which has been upgraded since March.

    At this time, it seems that this is a worm that uses stolen tools from the US NSA.

    According to Särkkä, however, this is not really a cyber attack, as it is publicly defined.

    “Not at all terrible, a cyber attack, and even more, this is a worm disorder that has been released, and whoever is behind it, it is likely to know that when it is wild, it will not end easily.”

    “Apple was right”

    Särkkä also mentioned last year’s publicized security incident, in which Apple refused to create a back door for the iPhone.

    “Apple made the right solution, the back door would have spread to all iPhones in the world, and this case proves that hard-coded rear doors will not cure the world, but will ease misuse.”



  12. Tomi Engdahl says:

    ‘Don’t Tell People To Turn Off Windows Update, Just Don’t’

    Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as “MS17-010” pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched.

    Don’t tell people to turn off Windows Update, just don’t

    Why is malware effective? Because of idiotic advice like this: “Stop Windows 10 from automatically updating your PC”
    - Troy Hunt (@troyhunt) May 13, 2017

    When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it’s hard to conclude that it in any way constitutes good advice. I had the author of this post ping me and suggest that people should just manually update their things if they disabled Windows Update. That’s fine in, say, a managed desktop environment such as many organisations run and let’s be clear – disabling Windows Update isn’t the issue in that situation because there are professionals managing the rollout of patches (with the obvious exception of the organisations that just got hit by WannaCry). But your average person is simply not going to keep on top of these things which is why auto-updaters are built into so many software products these days. Obviously they’re in Windows, same with Mac OS and iOS, same with browsers like Chrome and Firefox and same again with the apps themselves on a device like your iPhone by virtue of the App Store automatically keeping them current.

    Leave your automatic updates on

    The frustrating part of the debate that ensued after that tweet is not that people weren’t proactive in protecting themselves, rather that they were proactively putting themselves at risk by disabling security features. Windows Update is the default position; you install the operating system (or receive it pre-installed from your hardware vendor of choice)

    Sometimes, updates will annoy you

    I’ve had Windows Update make me lose unsaved work. I’ve had it sitting there pending while waiting to rush out the door. I’ve had it install drivers that caused all manner of problems. I’ve had it change features so that they work differently and left me confused. I’ve had it consume bandwidth, eat up storage capacity and do any number of unexplainable things to my machines.

    Those of us who’ve felt Windows Update-inflicted pain will all agree on this:

    Microsoft needs to make Windows Update better.

    Last year US-CERT wrote about ransomware and one of their recommendations was as follows:

    Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.

    And in the wake of WannaCry, Microsoft’s President and Chief Legal Officer wrote about the need for urgent collective action:

    This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.

  13. Tomi Engdahl says:

    WannaCry did not seem to want to recover the files he captured at all.

    The WannaCry program, which has caused a great deal of damage worldwide, did not intend to let the files captured at any time after the ransom payment, writes security researcher Troy Hunt.

    The security company Check Point confirms the matter on its blog. According to the company, there is no known case where the ransom payer would have recovered his files.

    The theory is also supported by the fact that the malware program does not incorporate the “technical support” typical of the frustration programs, in which the criminals help the victim to pay for the ransom and get their files back.

    Most tightening programs return files after ransom payment. In this way, their perpetrators can continue their business in the future, as the victims know that they will receive their information back against payment.

    WannaCry has recently been linked to North Korea.

    Authorities and security companies recommend a non-payment as a rule of thumb


  14. Tomi Engdahl says:

    WannaCry – Paid Time Off?

    Let us open with a TL;DR – DO NOT pay the ransom demanded by the WannaCry ransomware!

    Now, let us explain why:

    As of this writing, the 3 bitcoin accounts associated with the WannaCry ransomware have accumulated more than $33,000 between them. Despite that, not a single case has been reported of anyone receiving their files back.

    The decryption process itself is problematic, to say the least.

    Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then… Wait. You can press the ‘Check Payment’ button, but so far this is the only outcome:

    Most A-list ransomware pride themselves on customer support, and are usually very easy to contact. Again, not the case with WannaCry. The only way of contacting the malware creators is through the “Contact Us” option on the ransom note screen. Despite our best efforts, we have yet to receive a reply.

    The second encrypt/decrypt routine is for the 10 files you can decrypt as a “free demo” – as if to assure the victims decryption of their files is possible, and persuading them to pay the ransom. Those 10 specific files are chosen at random during the time of encryption, and are also encrypted with a unique key per file. However, the private RSA key for these 10 is stored locally on the victim’s computer.

    Taking all this into consideration – the lack of reports of anyone getting their files back, the problematic payment and decryption system and the false demo of the decryption operation – puts into question the capability of the WannaCry’s developers to deliver on their promises to decrypt your files.

  15. Tomi Engdahl says:

    Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware

  16. Tomi Engdahl says:

    The malware now seen can change the world more than you think

    The beloved child has many names, sometimes even less desirable. WannaCry, Wcry, WannaCrypt or WanaCrypt0r, a known scratcher, may be one of the malware that changes the world.

    Let me first note that our Finns feel worthy of a certain sense of pride. The stoppage program stopped mills in France, disturbed rail transport in Germany and led to patients being out of hospitals in England. Finnish society, however, was not worse disturbed. Of course, there must be a bewilder in the future.

    However, more happened in the world. And not all of WannaCry’s effects are necessarily technical. The epidemic may also have more far-reaching effects.

    Does the weapon or its user surprise?
    WannaCry uses the security gateway to originate at the US National Security Agency at NSA. The cyber weapons of the agency were robbed in the so-called Shadow Brokers network, and have since been leaked to the Internet. There they have come to the hands of the twilight of the net.

    When large software companies turn to their country’s government, it may be of greater importance.

    Edward Snowden rolled the cause of WannaCry directly at the NSA’s low, saying the victims of the extortion program had been stranded as NSA’s cyber-development contributors.

    Criticism also came from a more surprising direction. Brad Smith, a member of Microsoft’s executive board, abruptly addressed NSA and cyber-arsonist governments and proposed a “digital Geneva agreement” to change the situation.

    Is network freedom affected?
    WannaCry may give arguments to those who demand the dissolution of anonymity on the Internet. The ransom of the stripping program is paid with Bitcoin virtual currency, which is virtually impossible to trace.

    It may well be that the upcoming debate is just about to deal with this. Instead of settling cyberspace rules, the network can be moved in a more controlled direction. Payment traffic could well be the first places to start, as bitcoin also includes drug trafficking.

    The stinging program can become a political issue if it can be shown to be responsible for deaths. There is a risk because the malware spilled healthcare systems in many countries. If cybercrime begins to kill people, the stakes will rise.

    This may in turn affect how cybercriminals can be brought to justice. Cybercrime is international


  17. Tomi Engdahl says:

    While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday’s WinXP fix was built in February
    And it took three months to release despite Eternalblue leak

    Exclusive When the WannaCrypt ransomware exploded across the world over the weekend, infecting Windows systems using a stolen NSA exploit, Microsoft president Brad Smith quickly blamed the spy agency. If the snoops hadn’t stockpiled hacking tools and details of vulnerabilities, these instruments wouldn’t have leaked into the wild, sparing us Friday’s cyber assault, he said.

    “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” said Smith.

    Speaking of hoarding, though, it’s emerged Microsoft was itself stockpiling software – critical security patches for months.

    Around January this year, Microsoft was tipped off by persons unknown that the NSA’s Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain. In March, Microsoft emitted security fixes for supported versions of Windows to kill off the SMB vulnerability, striking Eternalblue dead on those editions.

    In April, exactly a month later, an NSA toolkit of hacking weapons, including Eternalblue, was dumped online by the Shadow Brokers: a powerful loaded gun was now in the hands of any willing miscreant.

    On Friday night, Microsoft issued emergency patches for unsupported versions of Windows that did not receive the March update – namely WinXP, Server 2003, and Windows 8 RT. Up until this point, these systems – and all other unpatched pre-Windows 10 computers – were being menaced by WannaCrypt, and variants of the software nasty would be going after these systems in the coming weeks, too.

    The Redmond tech giant was praised for issuing the fixes for its legacy Windows builds. It stopped supporting Windows XP in April 2014, and Server 2003 in July 2015, for instance, so the updates were welcome.

    However, our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.

    The SMBv1 bug is trivial, by the way: it is a miscalculation from a 32-bit integer to a 16-bit integer that can be exploited by an attacker to overflow a buffer, push too much information into the file networking service, and therefore inject malicious code into the system and execute it. Fixing this programming blunder in the Windows codebase would have been easy to back port from Windows 8 to XP.

    If you pay Microsoft a wedge of cash, and you’re important enough, you can continue to get security fixes for unsupported versions of Windows under a custom support license. It appears enterprises and other organizations with these agreements got the legacy fixes months ago, but us plebs got the free updates when the house was already on fire.

    Custom support is a big earner: Microsoft charged Britain’s National Health Service $200 per desktop for year one, $400 for year two and $800 for a third year as part of its contract.

    Naturally, Microsoft doesn’t want to kill the goose that lays such lovely golden eggs, by handing out patches for old gear for free. And supporting a 16-year-old operating system like Windows XP must be a right pain in the ASCII for its engineers.
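The bug class The Register describes above (a length computed in a 32-bit integer but checked after being squeezed into 16 bits) is easy to illustrate without any SMB code. The toy parser below is an added example, not Microsoft's code and not the actual SMBv1 flaw: it shows a bounds check that wraps at 16 bits next to the hardened check a reviewer would ask for, and simulates the copy so the overflow is counted rather than performed.

```python
"""Integer truncation in a bounds check, vulnerable vs. hardened (added example).

The message layout (a header length plus a data length, both 32-bit fields,
copied together into a fixed-size buffer) is constructed for illustration.
"""
MAX_U16 = 0xFFFF   # value range of a 16-bit unsigned integer


def truncated_check(hdr_len, data_len, capacity):
    """Vulnerable pattern: the sum is stored in a 16-bit variable before the
    comparison, so sums of 0x10000 and above wrap around and look small.
    Returns True when the (wrong) check lets the copy proceed."""
    total16 = (hdr_len + data_len) & MAX_U16   # emulates a uint16_t assignment
    return total16 <= capacity


def hardened_check(hdr_len, data_len, capacity):
    """Correct pattern: keep the sum at full width (Python ints do not wrap;
    in C this means a wide enough type plus an overflow check) and compare
    it directly against the destination capacity."""
    total = hdr_len + data_len
    return total <= capacity


def simulate_copy(hdr_len, data_len, capacity, check):
    """Simulate copying hdr_len + data_len bytes into a buffer of `capacity`.

    Returns {'accepted': bool, 'overflow': int}. 'overflow' is how many bytes
    the copy would have written past the end of the buffer when the check
    passes; no real memory is written, the arithmetic alone shows the defect.
    """
    if not check(hdr_len, data_len, capacity):
        return {"accepted": False, "overflow": 0}
    copy_len = hdr_len + data_len          # the copy uses the full-width values
    return {"accepted": True, "overflow": max(0, copy_len - capacity)}


if __name__ == "__main__":
    # 0x10 + 0xFFF8 = 0x10008; truncated to 16 bits that is 8, which passes.
    for name, chk in (("truncated", truncated_check), ("hardened", hardened_check)):
        print(name, simulate_copy(0x10, 0xFFF8, 4096, chk))
```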

  18. Tomi Engdahl says:

    Snippet of WannaCry Ransomware Linked to Suspected North Korean Malware

    To be absolutely clear, this is not a claim that North Korea was behind Friday’s ransomware wave, and the code similarities are not in the malware from last week’s attacks. Instead, at the moment, this is just a decent lead in the investigation into the attack’s origins.

    The first one to point out the similarities in the code between a February 2017 WannaCry sample and the Lazarus Group backdoor from 2015 was Neel Mehta, a threat intelligence researcher at Google. In particular, Mehta highlighted the “crypter,” the ransomware bit that locks the files. Kaspersky Lab then analyzed the code and confirmed the similarities on Monday.

    WannaCry and Lazarus Group – the missing link?

    The cryptic message in fact refers to a similarity between two samples that have shared code.

    Among other things, the Lazarus group was responsible for the Sony Wiper attack, the Bangladesh bank heist and the DarkSeoul operation.

    We believe Lazarus is not just “yet another APT actor”. The scale of the Lazarus operations is shocking. The group has been very active since 2011 and was originally disclosed when Novetta published the results of its Operation Blockbuster research

    Is it possible this is a false flag?

    In theory anything is possible, considering the 2015 backdoor code might have been copied by the Wannacry sample from February 2017.

  19. Tomi Engdahl says:

    The Finnish Police instructs you: Do this if WannaCry hits your computer

    Intense WannaCry crunch program has not, at least, so far become a major epidemic in Finland. No criminal reports have been filed yet to the Central Bureau of Cybercrime Control.

    Detective Chief Inspector Tero Muurman does not prompt anyone to pay a ransom to the criminals, but to contact the police without delay if necessary.

    “Paying is uncertain, it may not help recovering the files. It may be that it can, that’s not it,” he says.

    The police do not even recommend paying the criminals either because the criminals would have the will they wanted. “The money they are pursuing, paying only to help them.”

    If the malware gets onto a machine, the files can be restored primarily from a backup, if one exists.

    If you want to make an offense report, give the police as complete information as possible about the attack. How did the infection occur? Have you clicked suspicious email attachments? What is the Bitcoin address for ransoms to pay?

    Tracking bitcoin payments is challenging, but the more information is, the better


  20. Tomi Engdahl says:

    The attack was hit by, among other things, the British public health system, the German railway company Deutsche Bahn, the American courier company FedEx, and the Spanish telecom operator Telefonica. In addition, for example, a French carmaker, Renault, had been forced to suspend production at its mills across Europe for an attack.

    The crackdown program attack also had a major disadvantage in China, where it was reported to have hit the heaviest masses of computers and complicated, among other things, the authorities, universities, gas stations, ATMs and hospitals.


  21. Tomi Engdahl says:

    WCry/WanaCry Ransomware Technical Analysis

    There has been a lot of discussion about the method of propagation and the overall impact of this ransomware, but what does this ransomware actually do from start to finish? That is the question I’ll answer in this post.

    The WCry Execution Flow

    The WCry ransomware follows a flow similar to that of other ransomware as it damages a machine. The high level flow is as follows: It begins with an initial beacon, other researchers have already reported is basically a killswitch function. If it makes it past that step, then it looks to exploit the ETERNALBLUE/MS17-010 vulnerability and propagate to other hosts. WCry then goes to work doing damage to the system, first laying the foundations for doing the damage and getting paid for recovery, and once that’s done, WCry starts encrypting files on the system. See the diagram below for an overview of how this malware works.

    The malware inflicts damage by executing a series of tasks.

    Encryption routine

    10. Creates a new thread to overwrite files on disk

    a. Generate a key
    b. Generate Data Buffers for each file
    c. Call thread for function StartAddress to begin writing encrypting file contents
    d. Tack on extension “.WNCRYT”


    Despite its ability to propagate so quickly, the ransomware activities taken by this malware are not particularly interesting or novel. As I demonstrated in this malware, the killswitch in the execution flow provided a unique opportunity to slow down the ransomware. As security researcher MalwareTech discovered, and Talos described in detail, this malware was programmed to bail out upon a successful connection to that server, which stops the malware altogether. We should all thank MalwareTech for setting up the sinkhole, which caused this outbreak to slow sooner than it otherwise would have.

    This malware is easy to modify. As mentioned above, other researchers are already finding variants in the wild. If you’re running Windows and haven’t patched yet, now’s the time to do it. And while you’re at it, go test your backups to build some confidence that you won’t be forced to choose between paying up or losing data should the worst happen to you or your organization.

  22. Tomi Engdahl says:

    Tweetstorm: Why the WannaCry authors better run for it now, or how with the NSA toys I’d already have identified them: 1/n

    It’s pretty clear now that WannaCry got loose accidentally: the danger of self propagating experiments that started with Morris and FC 2/n

    Since the payment infrastructure was completely broken: didn’t stay up, no per-user Bitcoin address, etc, it clearly got out early 3/n

    Which means that finding “patient 0″, the system that first ran the worm, would pretty much give you a big arrow pointing to the authors 4/n

    And, unfortunately, the “kill switch” isn’t just a kill switch, it is a beacon broadcasting, “hey, I got infected”. So to find patient 0 5/n

    Just query passive DNS for the first reference to the killswitch domain. Verisign may be able to do this. The NSA sure can 6/n

    So, IMO, the NSA should query for patient 0 on their passive DNS take on XKS etc, find the initial infection(s), and tell the Russians 8/n
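
    The two comments above describe the same artefact from two sides: the worm's first action is a beacon to the killswitch domain, and that beacon is also a log entry that tells you when each host got infected, so the earliest passive DNS record for the domain points at patient 0. The script below is an added example of that triage step; it is not code from either post. The pDNS export format (first-seen timestamp, querying host, queried name, response code), the records themselves and the domain `killswitch.example` are all constructed for the example; the real WannaCry domain is not reproduced here.

```python
"""Find "patient 0" from passive DNS records of the WannaCry kill-switch beacon.

Added example, not code from the original thread. The record layout and all
sample data are constructed; KILLSWITCH_DOMAIN is a placeholder.
"""
from datetime import datetime, timezone

KILLSWITCH_DOMAIN = "killswitch.example"  # placeholder, not the real domain

# Constructed pDNS export: <first-seen UTC> <querying host> <qname> <rcode>.
# Before the sinkhole was registered the lookup failed (NXDOMAIN), so the
# beacon could not succeed and the worm carried on to exploit and encrypt.
PDNS_RECORDS = """\
2017-05-12T07:44:12Z 10.20.30.5 update.example NOERROR
2017-05-12T07:44:58Z 10.20.30.7 killswitch.example NXDOMAIN
2017-05-12T07:45:03Z 10.20.30.5 killswitch.example NXDOMAIN
2017-05-12T07:46:40Z 192.0.2.44 killswitch.example NXDOMAIN
2017-05-12T07:46:41Z 192.0.2.44 mail.example NOERROR
2017-05-12T08:01:00Z 10.20.30.9 KillSwitch.Example. NXDOMAIN
"""


def _normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.lower().rstrip(".")


def parse_records(text):
    """Parse the constructed export into (timestamp, host, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, host, qname, rcode = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, host, _normalize(qname), rcode))
    return records


def beacon_timeline(records, domain=KILLSWITCH_DOMAIN):
    """All lookups of the kill-switch domain, oldest first: an infection timeline."""
    wanted = _normalize(domain)
    hits = [(when, host, rcode) for when, host, qname, rcode in records if qname == wanted]
    return sorted(hits)


def patient_zero(records, domain=KILLSWITCH_DOMAIN):
    """Earliest beacon, or None if the domain was never looked up."""
    timeline = beacon_timeline(records, domain)
    if not timeline:
        return None
    when, host, _rcode = timeline[0]
    return when, host


if __name__ == "__main__":
    recs = parse_records(PDNS_RECORDS)
    for when, host, rcode in beacon_timeline(recs):
        print(when.isoformat(), host, rcode)
    print("patient 0 candidate:", patient_zero(recs))
```

    The earliest record is only a candidate: pDNS sensors see the resolver, not always the endpoint, and a host behind a forwarder may appear as the forwarder's address. In practice you would correlate the first-seen timestamp with the resolver's own query logs to get the actual client.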


  23. Tomi Engdahl says:

    Is Microsoft to blame for the largest ransomware attacks in internet history?
    When software outruns hardware

    Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We’re only beginning to calculate the damage inflicted by the WannaCry program — in both dollars and lives lost from hospital downtime — but at the same time, we’re also calculating blame.

    There’s a long list of parties responsible, including the criminals, the NSA, and the victims themselves — but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

    For some, the answer is an obvious no. Writing in The New York Times over the weekend, sociologist Zeynep Tufekci placed the blame squarely on Microsoft for its decision to stop supporting older Windows versions.

    The World Is Getting Hacked. Why Don’t We Do More to Stop It?

  24. Tomi Engdahl says:

    Lucinda Shen / Fortune:
    Cybersecurity stocks rise on WannaCrypt news, with the five biggest firms cumulatively adding nearly $6B in market cap on Monday

    These Cybersecurity Stocks Are Beating the WannaCry Ransomware Hackers

    Despite the global scale of the ransomware attack dubbed “WannaCry,” its creators have reportedly collected just $50,000 in bitcoin from the hack as of early Monday.

    Meanwhile, the cybersecurity industry’s valuation rose billions over the weekend, as investors bet on an increase in cyber attacks driving business to those who know how to defend against it.

  25. Tomi Engdahl says:

    A Group Linked to Leaking NSA Spying Tools Is Making Another Threat

    A group that took credit for leaking NSA cyber spying tools—including ones used in the WannaCry global ransomware attack—has said it plans to sell code that can be used to hack into the world’s most used computers, software and phones.

    Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world’s biggest commercial secrets.

    It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft’s latest software system, Windows 10. The post did not identify other products by name.

    It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian, or North Korean nuclear and missile programs, without providing further details.

    “More details in June,” it promised.

    Shadow Brokers came to public attention last August when it mounted an unsuccessful attempt to auction off a set of older cyber-spying tools it said were stolen from the U.S. National Security Agency.

    The leaks, and the global WannaCry virus attack, have renewed debate over how and when intelligence agencies should disclose vulnerabilities used in cyber spying programs so that businesses and consumers can better defend themselves against attacks.

  26. Tomi Engdahl says:

    WannaCry Update: Microsoft Pushes a “Geneva Convention” to Thwart Cyberattacks

    Smith told this year’s RSA 2017 conference to take a page from the atomic age.

    “What the world needs is a new independent organization, a bit like the International Atomic Energy Agency that has addressed nuclear nonproliferation for decades,” Smith said in February. “We need an agency that has the international credibility not only to observe what’s happening, but to call the question and even identify the attackers when nation-state attacks happen. That is the only way that governments will come to recognize that this is not a program that will continue to pay off.”

  27. Tomi Engdahl says:

    Inside the worst ransomware outbreak in history, and how to protect yourself

    Here are my basic tips:

    1. If you’re concerned about your files, back them up. Windows and MacOS both have built-in backup tools.
    2. Keep your software up-to-date. Don’t disable auto-update. Developers are constantly fixing security vulnerabilities. Even though it seems like a pain, install their recommended updates.
    3. Don’t open suspicious email attachments.
    4. Don’t rely on tools like anti-virus alone to protect you from these sorts of attacks. You personally need to be vigilant. Security isn’t a product — it’s a process.

    If your computer gets infected with ransomware, and you don’t have backups of your files, you may want to go ahead and pay the ransom. While this rewards the criminals, it’s a small price to pay for saving irreplaceable files, such as family photos.

    Remember that without the cryptographic key, even the most powerful governments in the world have no way of helping you unlock your files.

    WannaCry hit Russia the hardest. Cybersecurity consultancy Comae estimates that nearly half of infections occurred there.

  28. Tomi Engdahl says:

    Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
    Campaign that flew under the radar used hacked computers to mine Monero currency.

    On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much-earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.

    Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz.

    Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March.

    The attack is launched from several virtual private servers which are massively scanning the Internet on TCP port 445 for potential targets.

    Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download[s] the mining instructions, cryptominer, and cleanup tools.

    Symptoms of the attack include a loss of access to networked resources and system sluggishness. Kafeine said that some people who thought their systems were infected in the WannaCry outbreak were in fact hit by the Adylkuzz attack. The researcher went on to say this overlooked attack may have limited the spread of WannaCry by shutting down SMB networking to prevent the compromised machines from falling into the hands of competing botnets.

    Assembling a botnet the size of the one that managed WannaCry and keeping it under wraps for two to three weeks is a major coup. Monday’s revelation raises the possibility that other botnets have been built on the shoulders of the NSA but have yet to be identified.

  29. Tomi Engdahl says:

    Great news everyone! WCry 2.0 functions PERFECTLY under Wine, you can infect your Linux desktops too if you are so inclined! ;-


  30. Tomi Engdahl says:

    Wcry Ransomware

    Wcry (also known as WannaCry, Wana Decrypt0r 2.0, WanaDecryptor or WNCRY virus) is a ransomware-type virus discovered by security researcher S!Ri. Once infiltrated, Wcry encrypts files using AES-128 cryptography. During encryption, this malware appends filenames with the “.wcry” extension.

    The message states that files are encrypted and can only be restored using a unique key. AES is a symmetric encryption algorithm and, therefore, a unique key is generated during encryption. This key is used to encrypt and decrypt files, and restoring files without it is impossible. Unfortunately, the key is stored on a remote server controlled by Wcry’s developers.

    Research shows that these people often ignore victims once the ransom is paid. Therefore, if you pay, you will probably be scammed.

    There are dozens of ransomware-type viruses similar to Wcry. Examples include Serpent, Digisom, JobCrypter, Zyka, and many others. As with Wcry, these viruses encrypt files and make ransom demands. The only major differences are size of ransom and cost of decryption. The distribution methods are also identical. Cyber criminals proliferate ransomware by employing trojans, fake software update tools, peer-to-peer (P2P) networks (torrents, eMule, etc.), third party software download sources (freeware download websites, free file hosting websites, etc.), and spam emails (malicious attachments).

  31. Tomi Engdahl says:

    Select one of the available Restore Points and click “Next” (this will restore your computer system to an earlier time and date, prior to the Wcry ransomware virus infiltrating your PC).

    To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Wcry are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

    If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated.


  32. Tomi Engdahl says:

    WannaCrypt raises questions over government cyber priorities

    The fallout from the WannaCrypt ransomware attack which quickly spread to multiple countries and systems last Friday continues to cause consternation around the world.

    Critics have suggested a lack of government funding has left the NHS wide open to malware attacks that exploit outdated software.

    It’s not clear exactly how much of that money has been spent so far on upgrading critical systems. But, very evidently, there is still much work to do to get the public sector off of legacy platforms such as Windows XP.

    Microsoft has rightly taken flak for not continuing to provide security patches for its older platforms

  33. Tomi Engdahl says:

    WannaCry Ransomware picture collection from infected countries around the world

  34. Tomi Engdahl says:

    While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday’s WinXP fix was built in February
    And it took three months to release despite Eternalblue leak

  35. Tomi Engdahl says:

    Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar

    On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to discover vulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the ransomware known as WannaCry.

    Over the subsequent weekend, however, we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.
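
    Both the Adylkuzz write-ups above (comments 28 and 35) describe the same network signature: a handful of attacker hosts scanning the Internet on TCP port 445 and then exploiting whatever answers. The script below is an added example of how that looks in connection logs and how to flag it; it is not Proofpoint's or the article's code. The log format (`<UTC timestamp> <src> <dst> <dport> <proto>`), the addresses and the threshold are constructed for the example; real firewall or NetFlow exports will need their own parser, and the threshold must be tuned to your network.

```python
"""Flag hosts fanning out to many distinct 445/tcp destinations in a short window.

Added example, not code from the original thread. Log lines, addresses and the
detection threshold are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 20                  # distinct SMB destinations per source ...
WINDOW = timedelta(minutes=1)   # ... within this sliding window
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Build a synthetic connection log: one fast scanner, one normal client,
    one slow scanner that stays under the per-minute threshold, plus noise."""
    t0 = datetime(2017, 5, 12, 7, 40, tzinfo=timezone.utc)
    lines = []
    # Fast scanner: 30 internal hosts on 445/tcp in 30 seconds (the Adylkuzz pattern).
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=i)).strftime(TS_FMT)} 198.51.100.10 10.0.0.{i + 1} 445 tcp")
    # Same scanner also talks HTTPS; those lines must be ignored by the SMB check.
    for i in range(5):
        lines.append(f"{(t0 + timedelta(seconds=i)).strftime(TS_FMT)} 198.51.100.10 10.0.0.{i + 1} 443 tcp")
    # Legitimate workstation hammering a single file server: many flows, one destination.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).strftime(TS_FMT)} 10.0.0.5 10.0.0.200 445 tcp")
    # Slow scanner: one new host every five minutes, never 20 in one window.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(minutes=5 * i)).strftime(TS_FMT)} 203.0.113.7 10.0.1.{i + 1} 445 tcp")
    return lines


def smb_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak distinct 445/tcp destinations} for sources over threshold."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line
        ts, src, dst, dport, proto = parts
        if proto != "tcp" or dport != "445":
            continue  # only SMB matters for MS17-010 scanning
        when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
        events[src].append((when, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # dst -> count of flows inside the current window
        left = 0
        peak = 0
        for when, dst in evs:
            in_window[dst] += 1
            # Evict flows older than the window; drop destinations that no longer appear.
            while evs[left][0] < when - window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, fanout in smb_scanners(constructed_log()).items():
        print(f"{src}: {fanout} distinct 445/tcp destinations within {WINDOW}")
```

    The slow scanner is deliberately not caught: a per-minute fan-out rule misses a patient attacker, so in production this check is paired with a longer-horizon count (distinct destinations per day) and with the fact that, on a well-segmented network, almost nothing outside the file-server subnet should be initiating 445/tcp at all.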

  36. Tomi Engdahl says:

    Synopsys’ Robert Vamosi digs into last Friday’s massive ransomware infection that impacted the UK health system, a Spanish telecom, and many other organizations running unpatched Windows – and whether there’s a second version out there.

    WannaCry ransomware attack takes the world by storm

    In the wake of WannaCry: What we now know and how to move forward

  37. Tomi Engdahl says:

    Security researcher says he’s figured out how to decrypt WannaCry

    The ransomware WannaCry has infected hundreds of thousands of computer systems around the globe, but a security researcher claims he’s figured out how to beat it.

    In some cases, that is.

    Adrien Guinet says that he was able to decrypt a ransomwared computer running Windows XP in his lab by discovering the prime numbers that make up the WannaCry private key. The private key is what a ransomware victim would need to buy off his attackers in order to regain access to his own files, but Guinet says he was able to do this without paying any Bitcoin ransom.

    Importantly, Guinet acknowledges this technique has only been demonstrated to work on a computer running Windows XP. Why does that matter? Despite initial reports, those systems were not affected by the major May 12 outbreak as the worm that spread the ransomware didn’t hit those systems.

    However, WannaCry itself does work on XP — suggesting that if the ransomware manages to spread to XP this new technique could be used to help future victims.

    “In order to work, your computer must not have been rebooted after being infected,” Guinet wrote on Github. “Please also note that you need some luck for this to work,” he added, “and so it might not work in every cases!”

    Why luck? As Guinet explains, when WannaCry infects a computer it generates encryption keys that rely on prime numbers. Here comes the important part: The ransomware “does not erase the prime numbers from memory before freeing the associated memory.”

    “If you are lucky (that is the associated memory hasn’t been reallocated and erased),” continues Guinet, “these prime numbers might still be in memory.”

    Wannacry in-memory key recovery for WinXP

    This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected.

    Please also note that you need some luck for this to work (see below), and so it might not work in every cases!

  38. Tomi Engdahl says:

    WannaCry benefits from unlearned lessons of Slammer, Conficker

    Friday’s massive WannaCry ransomware attack was certainly a gut punch for many organizations. But few should be shocked by its rapid spread – especially those who remember Slammer and Conficker.

    Those contagions – ancient malware by today’s standards – spread through exposed Microsoft vulnerabilities. WannaCry spread the same way. In each case, Microsoft had already released a patch for the security holes.

    And so for some, an important lesson continues to go unrecognized: that organizations must keep a close watch for patch updates and deploy the fixes immediately.

    Deja vu

    WannaCry – also known as Wanna Decrypter 2.0, WCry, WanaCrypt and WanaCrypt0r – exploited a Windows vulnerability that Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

    It hit organizations across the globe, including National Health Service hospitals (NHS) in the UK. Analysis seems to confirm that the attack was launched using NSA code leaked by a group of hackers known as the Shadow Brokers.

    It’s likely that some were infected because they hadn’t gotten around to applying the MS17-010 patch. But others suffered because they were running older, unsupported Windows versions and, as a result, never received that security update.

    Conficker is a widespread network worm that began to spread to millions of unpatched PCs in 2008.

  39. Tomi Engdahl says:

    Wannacry or Conficker: How to prevent worms in real life

    There is plenty of published info about Wannacry; I am not replicating any here. How can your company avoid being hit? It is simple and it is complicated. First we need to understand why companies don’t apply patches:

    1. They don’t know it should be done.
    2. They feel they are too busy to do it.
    3. They feel it creates issues, with no obvious benefit.
    4. They don’t do it often enough.
    5. There are no immediate drawbacks of stopping to patch, eventually it becomes normal not to do it.
    6. The people responsible for doing it move on to new jobs, and the new ones don’t get promoted or rewarded for doing it. Why bother?

    Preventing worms is a team effort between the Systems teams and Security teams. Security teams are responsible for monitoring new vulnerabilities and patches, and handing over that information to the System team.

  40. Tomi Engdahl says:

    ‘WannaCry Makes an Easy Case For Linux’

    The thing is, WannaCry isn’t the first of its kind. In fact, ransomware has been exploiting Windows vulnerabilities for a while. The first known ransomware attack was called “AIDS Trojan” that infected Windows machines back in 1989.

    The important question here is this: Have there been any ransomware attacks on the Linux desktop? The answer is no. With that in mind, it’s pretty easy to draw the conclusion that now would be a great time to start deploying Linux on the desktop. I can already hear the tired arguments. The primary issue: software. I will counter that argument by saying this: Most software has migrated to either Software as a Service (SaaS) or the cloud. The majority of work people do is via a web browser. Chrome, Firefox, Edge, Safari; with few exceptions, SaaS doesn’t care.

    WannaCrypt makes an easy case for Linux

    Ransomware got you down? There’s a solution that could save you from dealing with this issue ever again. That’s right. It’s Linux.

  41. Tomi Engdahl says:

    Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom

    Windows XP PCs infected by WCry can be decrypted without paying ransom
    Decryption tool is of limited value, because XP was unaffected by last week’s worm.

    Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday.

    Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren’t affected by last week’s major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns.

    “This software has only been tested and known to work under Windows XP,”

  42. Tomi Engdahl says:

    Microsoft Withheld Update That Could Have Slowed WannaCry: Report

    American software giant Microsoft held back from distributing a free security update that could have protected computers from the WannaCry global cyber attack, the Financial Times reported Thursday.

    In mid-March, Microsoft distributed a security update after it detected the security flaw in its XP operating system that enabled the so-called WannaCry ransomware to infiltrate and freeze computers last week.

    But the software giant only sent the free security update — or patch — to users of the most recent version of the Windows 10 operating system, the report said.

    Users of older software, such as Windows XP, had to pay hefty fees for technical support, it added.

    “The high price highlights the quandary the world’s biggest software company faces as it tries to force customers to move to newer and more secure software,” it said.

    A Microsoft spokesperson based in the United States told AFP: “Microsoft offers custom support agreements as a stopgap measure” for companies that choose not to upgrade their systems.

    “To be clear, Microsoft would prefer that companies upgrade and realise the full benefits of the latest version rather than choose custom support.”

  43. Tomi Engdahl says:

    Microsoft should have left Windows XP to rot and die

    Microsoft’s decision to release an emergency patch for Windows XP to foil the WannaCrypt ransomware attack has sent consumers and enterprise customers a confusing double message.

    Windows XP is the rotting zombie that Microsoft just can’t seem to shed.

    Is Windows XP dead or not?

    Well, the message out there now seems to be that Microsoft is willing to release patches as long as the screams from those still using the operating system that should have died April 8, 2014, when extended support ended, are loud enough.

  44. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    New tool decrypts WannaCry-infected computers running Windows XP, 7, and 2003, if they have not been rebooted — A tool released on Friday decrypts PCs running a fuller suite of Windows versions. — New hope glimmered on Friday for people hit by last week’s virulent ransomware worm …

    More people infected by recent WCry worm can unlock PCs without paying ransom
    A tool released on Friday decrypts PCs running a fuller suite of Windows versions

    New hope glimmered on Friday for people hit by last week’s virulent ransomware worm after researchers showed that a broader range of PCs infected by WCry can be unlocked without owners making the $300 to $600 payment demand.

    A new publicly available tool is able to decrypt infected PCs running Windows XP and 7, and 2003, and one of the researchers behind the decryptor said it likely works for other Windows versions, including Vista, Server 2008, and 2008 R2. The tool, known as wanakiwi, builds off a key discovery implemented in a different tool released Thursday. Dubbed Wannakey, the previous tool provided the means to extract key material from infected Windows XP PCs but required a separate app to transform those bits into the secret key required to decrypt files.

    Matt Suiche, cofounder of security firm Comae Technologies, helped develop and test wanakiwi and reports that it works. Europol, the European Union’s law-enforcement agency, has also validated the tool.

    Like Wannakey, wanakiwi takes advantage of shortcomings in the Microsoft Cryptographic Application Programming Interface that WCry and other Windows applications use to generate keys for encrypting and decrypting files. While the interface includes functions for erasing a key from computer memory once it has been secured, previously overlooked limitations sometimes allow the prime numbers used to create a key to remain intact in computer memory. Those numbers can then be recovered as long as PCs remain powered on and the memory location storing the numbers isn’t overwritten with new data.

    Wanakiwi is able to successfully scour the memory of infected XP and 7 machines, extract the p and q variables that the secret key was based on, and reassemble the finished key. The tool then uses the key to decrypt all files locked by the WCry ransomware.

    As was the case with Wannakey, the recovery won’t work if an infected computer has been restarted. And even when an infected PC has remained powered on, the decryptor may not work if the memory location that stored the key material has been overwritten.

    “In lots of cases, the key cannot be recovered,” Delpy said. Victims “need a good amount of luck!”
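
    Comments 37 and 44 both turn on one cryptographic fact: the RSA private key is fully determined by its two primes, so if p and q survive in process memory, the modulus n from the public key is enough to validate a candidate (does it divide n?) and rebuild the private exponent. The script below is an added example of that recovery logic, not the Wannakey or wanakiwi code. It assumes the primes are laid out as fixed-width little-endian integers (the CryptoAPI PRIVATEKEYBLOB convention), that n and e are known from the public key the malware leaves on disk, and it uses two small Mersenne primes and a constructed byte string as the "memory image" instead of a real 2048-bit key and process dump. The final unwrap step uses textbook RSA with no padding, a simplification of what CryptoAPI actually does.

```python
"""Rebuild an RSA private key from primes left behind in process memory.

Added example of the Wannakey/wanakiwi idea, not the tools' own code. Key
sizes, memory layout and the memory image are constructed for illustration.
"""

P = (1 << 127) - 1   # Mersenne prime 2^127-1: stands in for a real RSA prime
Q = (1 << 107) - 1   # Mersenne prime 2^107-1
E = 65537            # common public exponent
PRIME_LEN = 16       # bytes per prime in our toy key blob (128 for RSA-2048)


def key_from_primes(p, q, e=E):
    """Return (n, d): the public modulus and the private exponent."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # e^-1 mod phi(n); Python 3.8+
    return n, d


def build_memory_image(include_primes=True):
    """Constructed 'process memory': deterministic junk with the two primes
    embedded as little-endian PRIME_LEN-byte integers. With include_primes=False
    the slots are zeroed, modelling memory that was reallocated and overwritten
    before the dump was taken (the 'you need some luck' case)."""
    junk = bytes((i * 37 + 11) & 0xFF for i in range(200))
    p_bytes = P.to_bytes(PRIME_LEN, "little") if include_primes else bytes(PRIME_LEN)
    q_bytes = Q.to_bytes(PRIME_LEN, "little") if include_primes else bytes(PRIME_LEN)
    return junk + p_bytes + junk[:50] + q_bytes + junk


def recover_private_key(image, n, e=E, prime_len=PRIME_LEN):
    """Slide a prime_len window over the image; a window whose little-endian
    value divides n is one of the primes. Return (p, q, d) or None."""
    for offset in range(len(image) - prime_len + 1):
        candidate = int.from_bytes(image[offset:offset + prime_len], "little")
        if 1 < candidate < n and n % candidate == 0:
            p = candidate
            q = n // candidate          # one prime is enough; n gives the other
            d = pow(e, -1, (p - 1) * (q - 1))
            return p, q, d
    return None                          # primes were overwritten or never in memory


def unwrap_file_key(wrapped, d, n):
    """Textbook RSA decryption of a per-file key encrypted with the public key.
    Simplified: real CryptoAPI output is padded, this example is not."""
    return pow(wrapped, d, n)


if __name__ == "__main__":
    n, d = key_from_primes(P, Q)
    found = recover_private_key(build_memory_image(), n)
    print("recovered:", found is not None and found[2] == d)
    print("after reallocation:", recover_private_key(build_memory_image(False), n))
```

    The scan is O(image size) big-integer divisions, which is why the real tools restrict themselves to the memory of the ransomware process rather than the whole machine, and why the machine must not have been rebooted: a reboot frees the pages outright, while continued uptime merely risks their reuse.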

  45. Tomi Engdahl says:

    Snowden on ransomware attack: ‘It’s hard being right in the worst possible way’

    Edward Snowden called the continuing “ransomware” scourge “a perfect storm of all the problems everyone has been warning about”

    The ransomware Wanna Cry, also known as WanaCrypt0r and WanaDecrypt, boosted its effectiveness by using leaked hacking tools apparently stolen from the National Security Agency, where Snowden was an intelligence contractor before he leaked documents outlining bulk surveillance programs.

    Snowden has also spoken out against the more focused NSA hacking operations.

    A similar point was made Sunday by Microsoft President and chief legal officer Brad Smith in a blog post calling for governments to report all security vulnerabilities they discover to manufacturers.

