An NSA-derived ransomware worm is shutting down computers worldwide

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

A highly virulent new strain of self-replicating ransomware is shutting down computers all over the world.

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 57,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected.

Wcry uses a weapons-grade exploit published by the NSA-leaking Shadow Brokers.

204 Comments

  1. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Hackers are using EternalBlue vulnerability discovered by NSA and an exploit released by Shadow Brokers to infect unpatched Windows computers with WannaCry

    The Ransomware Meltdown Experts Warned About Is Here
    https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/

    A new strain of ransomware has spread quickly all over the world, causing crises in National Health Service hospitals and facilities around England, and gaining particular traction in Spain, where it has hobbled the large telecom company Telefonica, the natural gas company Gas Natural, and the electrical company Iberdrola. You know how people always talk about “the big one”? As far as ransomware attacks go, this looks a whole lot like it.

    The ransomware strain WannaCry (also known as WanaCrypt0r and WCry) that caused Friday’s barrage appears to be a new variant of a type that first appeared in late March. This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries so far today as of publication time. Its reach extends beyond the UK and Spain, into Russia, Taiwan, France, Japan, and dozens more countries.

    One reason WannaCry has proven so vicious? It seems to leverage a Windows vulnerability known as EternalBlue that allegedly originated with the NSA. The exploit was dumped into the wild last month in a trove of alleged NSA tools by the Shadow Brokers hacking group. Microsoft released a patch for the exploit, known as MS17-010, in March, but clearly many organizations haven’t caught up.

    “In healthcare and other sectors we tend to be very slow to address these vulnerabilities,”

    “But whoever is behind this is clearly extremely serious.”

    Reply
  2. Tomi Engdahl says:

    Ransomware based on leaked NSA tools spreads to dozens of countries
    https://techcrunch.com/2017/05/12/ransomware-based-on-leaked-nsa-tools-spreads-to-dozens-of-countries/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    A ransomware attack seemingly based on leaked NSA hacking tools is spreading like wildfire among unpatched Windows systems worldwide. Early reports suggested it was targeted at the UK’s National Health Service, but it’s clear now that the attack is a global one, with thousands of computers apparently affected in Russia alone.

    A Kaspersky lab analysis puts the number of infected computers at more than 45,000 as of early Friday afternoon, the vast majority of which are Russian (Ukraine, India, and Taiwan follow).

    Reply
  3. Tomi Engdahl says:

    Chris Baraniuk / BBC:
    Ransomware infections reported around the world Friday, with companies and institutions hit in UK, US, Spain, Italy, China, Russia, Vietnam, Taiwan, more

    Ransomware infections reported worldwide
    http://www.bbc.com/news/technology-39901382?ocid=socialflow_twitter

    A massive ransomware campaign appears to have infected a number of organisations around the world.

    Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

    There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

    Security researchers are linking the incidents together.

    One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

    “This is huge,” he said.

    The UK’s National Health Service (NHS) was also hit by a ransomware outbreak and screenshots of the WannaCry program were shared by NHS staff.

    Reply
  4. Tomi Engdahl says:

    Damien Gayle / The Guardian:
    Multiple hospitals across UK hit by ransomware attack, locking staff out of their computers and forcing hospitals to divert emergency patients — Many hospitals having to divert emergency patients, with doctors reporting messages demanding money … Hospitals across England have been hit …

    NHS cyber-attack: hospital computer systems held to ransom across England
    https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack?CMP=Share_iOSApp_Other

    Many hospitals having to divert emergency patients, with doctors reporting messages demanding money

    Hospitals across England have been hit by a large-scale cyber-attack, the NHS has confirmed, which has locked staff out of their computers and forced many trusts to divert emergency patients.

    The IT systems of NHS sites across the country appear to have been simultaneously hit, with a pop-up message demanding a ransom in exchange for access to the PCs. NHS England has declared a major incident. NHS Digital said it was aware of the problem and would release more details soon.

    Details of patient records and appointment schedules, as well as internal phone lines and emails, have all been rendered inaccessible.

    “The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed.”

    “This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

    Reply
  5. Tomi Engdahl says:

    The spread is immense. I’ve never seen anything before like this. This is nuts. Adam Kujawa, Malwarebytes
    - from https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/

    Reply
  6. Tomi Engdahl says:

    WannaCry Ransomware That’s Hitting World Right Now Uses NSA Windows Exploit
    http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html?m=1

    The Ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as ‘Wana Decrypt0r,’ ‘WannaCryptor’ or ‘WCRY’).
    Like other nasty ransomware variants, WannaCry also blocks access to a computer or its files and demands money to unlock it.

    Reply
  7. Tomi Engdahl says:

    NHS cyber-attack: GPs and hospitals hit by ransomware
    https://www.google.fi/amp/www.bbc.co.uk/news/amp/39899646

    Reply
  8. Tomi Engdahl says:

    Massive ransomware infection hits computers in 99 countries
    http://www.bbc.com/news/technology-39901382

    A massive cyber-attack using tools believed to have been developed by the US National Security Agency has struck organisations around the world.
    Computers in thousands of locations have been locked by a programme that demands $300 (£230) in Bitcoin.
    In April hackers known as The Shadow Brokers claimed to have stolen the tools and released them online.

    digital cryptocurrency Bitcoin that were seemingly associated with the ransomware were reported to have started filling up with cash.

    A number of Spanish firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – suffered from the outbreak. There were reports that staff at the firms were told to turn off their computers.
    Portugal Telecom, delivery company FedEx, a Swedish local authority and Megafon, the second largest mobile phone network in Russia, also said they had been affected.

    A patch for the vulnerability was released by Microsoft in March, but many systems may not have had the update installed.

    Some security researchers have pointed out that the infections seem to be deployed via a worm – a program that spreads by itself between computers.

    By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too. This perhaps explains why its impact is so public.

    Reply
  9. Tomi Engdahl says:

    The ransomware causing chaos globally
    http://www.bbc.com/news/technology-39896393

    Tens of thousands of organisations have been caught out by a computer virus called WannaCry. The malicious software locks data away and demands a payment of up to $300 (£230) a time before it will restore scrambled files.

    Infections in more than 99 nations are being reported by security firms. It appears that the hardest hit are Russia and Spain.

    Who made the WannaCry worm?
    Currently, we do not know. Ransomware has been a firm favourite of cyber-thieves for some time as it lets them profit quickly from an infection. They can cash out easily thanks to the use of the Bitcoin virtual currency, which is difficult to trace.
    The competition among different ransomware gangs has led them to look for ever more effective ways of spreading their malicious code.
    WannaCry seems to be built to exploit a bug found by the US National Security Agency.

    Reply
  10. Tomi Engdahl says:

    Phillip Misner / MSRC:
    In response to WannaCry attacks, Microsoft issues security update for older Windows versions, including Windows XP, Windows 8, and Windows Server 2003

    Customer Guidance for WannaCrypt attack
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Microsoft solution available to protect additional products

    Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

    Details are below.

    In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
    For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.
    This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

    We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

    This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

    Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources.

    Reply
  11. Tomi Engdahl says:

    Microsoft Security Bulletin MS17-010 – Critical
    Security Update for Microsoft Windows SMB Server (4013389)
    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Reply
  12. Tomi Engdahl says:

    Olivia Solon / The Guardian:
    Cybersecurity researcher @MalwareTechBlog accidentally finds kill switch to stop spread of WannaCry malware by registering domain hardcoded into malware — Move by @malwaretechblog came too late to help those in Europe and Asia, but people in the US were given more time to develop immunity to the attack

    ‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack
    https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

    Spread of malware curtailed by expert who simply registered a domain name for a few dollars, giving many across world time to protect against attack

    An “accidental hero” has halted the global spread of the WannaCry ransomware, reportedly by spending a few dollars on registering a domain name hidden in the malware.

    The ransomware has wreaked havoc on organizations including FedEx and Telefonica, as well as the UK’s National Health Service (NHS), where operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.

    However, a UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and activated a “kill switch” in the malicious software.

    The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

    “I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying. The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second.

    “This was eminently predictable in lots of ways,” said Ryan Kalember from cybersecurity firm Proofpoint. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

    Reply
  13. Tomi Engdahl says:

    Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak
    https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/

    We have an update on this outbreak here. The ransomware is using an NSA exploit leaked by The Shadow Brokers, and has made tens of thousands of victims worldwide, including the Russian Interior Ministry, Chinese universities, Hungarian telcos, FedEx branches, and more.

    Reply
  14. Tomi Engdahl says:

    Protecting against Ransom-WannaCry (May 2017)
    Technical Articles ID: KB89335
    https://kc.mcafee.com/corporate/index?page=content&id=KB89335

    Reply
  15. Tomi Engdahl says:

    WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm
    https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

    Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
    Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
    Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
    Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
    Kill switch: If the website http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host.

    Reply
  16. Tomi Engdahl says:

    Cyber Attack latest LIVE: Updates as Nissan confirm they have been hit by hack which crippled NHS
    http://www.chroniclelive.co.uk/news/north-east-news/cyber-attack-nhs-latest-news-13029913

    The Sunderland Nissan plant was hit by the attack at 5pm last night, causing the manufacturing systems to go down.

    A Nissan spokesman said: “Like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening. Our teams are working to resolve the issue.”

    Nissan confirm Sunderland car plant brought to a halt by cyber attack which swept NHS
    http://www.chroniclelive.co.uk/news/north-east-news/nissan-confirm-sunderland-car-plant-13030041

    Hospitals and businesses across the world have been affected by the attack which began on Friday, including Sunderland-based car plant

    Reply
  17. Tomi Engdahl says:

    “It’s this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?”

    The NSA is among many government agencies around the world to collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare.

    Reply
  18. Tomi Engdahl says:

    WannaCryptor Ransomware
    https://www.enigmasoftware.com/wannacryptorransomware-removal/

    The WannaCryptor Ransomware uses the AES-128 encryption to encrypt the victim’s files.

    The WannaCryptor Ransomware is being distributed as a bogus messaging program that is being sent to victims through corrupted email messages.

    Preventing and Dealing with the WannaCryptor Ransomware Infections
    PC security researchers advise computer users against paying the WannaCryptor Ransomware ransom or contacting the people responsible for this attack. Instead, they should have preventive measures in play to both stop the WannaCryptor Ransomware from infecting a computer and limit the damage done to data if an infection does occur. PC security researchers strongly advise computer users to install a reliable security program that is fully up-to-date, which can help intercept the WannaCryptor Ransomware before it carries out its attack. It is also essential to have a reliable backup method that ensures that computer users can recover their files from the backup copy rather than having to pay the WannaCryptor Ransomware ransom amount to recover their files after an attack.

    Reply
  19. Tomi Engdahl says:

    BLOG / MAY 12, 2017
    FROM NSA EXPLOIT TO WIDESPREAD RANSOMWARE: WANNACRY IS ON THE LOOSE
    https://f5.com/labs/articles/threat-intelligence/malware/from-nsa-exploit-to-widespread-ransomware-wannacry-is-on-the-loose-26847

    Over a dozen years ago, malware pioneer Dr. Peter Tippett coined the expression “virus disaster,” which describes the point at which more than 25 machines are infected on a single network as the “tipping point” for complete shutdown of a network. The new ransomware WannaCry, which locks down all files on an infected computer until the owner pays a ransom, seems to have plunged whole sections of critical infrastructure into a virus disaster. Hospitals in the UK were the first to feel its bite, but the damage is spreading far and wide. This is likely to jeopardize patient health as hospitals are being shut down. If someone dies because of this, we’ll be looking at murder by malware. That will be a game-changer for security and compliance.

    The malware is using MS17-010, a.k.a. “EternalBlue” (a Shadow Brokers-released NSA exploit) to punch through the network of anyone who hadn’t patched the weeks-old vulnerability. This vulnerability hits Server Message Block (SMB) protocol file sharing, which is often wide open within organizational networks and thereby facilitates fast spreading of this attack.

    The obvious message is to patch quickly, though most organizations already know this and were probably already working to patch. This is where secondary layers of defense can buy you time: lock down traffic both incoming from the Internet and moving laterally through your networks. Block or restrict TCP ports 22, 23, 3389, 139, and 145 as well as UDP 137 and 138. Make sure backups are tight and complete.

    Reply
  20. Tomi Engdahl says:

    Microsoft patches Windows XP to fight the WannaCrypt ransomware attacks
    https://community.webroot.com/t5/Security-Industry-News/Microsoft-patches-Windows-XP-to-fight-the-WannaCrypt-ransomware/td-p/292258

    Microsoft to now make the security update available for all platforms, including those receiving custom support only — Windows XP, Windows 8, and Windows Server 2003

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

    Reply
  21. Tomi Engdahl says:

    Microsoft release statement on massive worldwide WannaCrypt ransomware attack
    https://www.google.fi/amp/s/mspoweruser.com/microsoft-release-statement-on-massive-worldwide-ransomware-attack/amp/

    The attack appears to exploit a hole patched by Microsoft in a critical update in March 2017, encrypting important data documents on PCs which have not been patched.

    Now Microsoft has released an official statement on the matter on Friday, saying:

    “Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows Update enabled, are protected. We are working with customers to provide additional assistance.”

    Reply
  22. Tomi Engdahl says:

    WannaCry ransomware attack
    https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

    WannaCry, also known as WannaCrypt[2] or WanaCrypt0r 2.0,[3] is a ransomware malware tool. In May 2017, a large cyber attack using it was launched, infecting over 230,000 computers in 99 countries, demanding ransom payments in 28 languages. The attack has been described by Europol as unprecedented in scale.

    The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain’s National Health Service (NHS),[5] FedEx and Deutsche Bahn.[6][7][8] Other targets in at least 99 countries were also reported to have been attacked around the same time.[9][10] More than 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon, have been reported as infected.

    WannaCry is believed to use the EternalBlue exploit, which was allegedly developed by the U.S. National Security Agency to attack computers running Microsoft Windows operating systems.

    Microsoft has taken the unusual step of releasing patches for Windows XP and 2003. A kill switch has been found in the code, which prevents new infections. This has been activated by researchers and should slow the spread. However different versions of the attack may be released and all vulnerable systems still need to be patched.

    Reply
  23. Tomi Engdahl says:

    Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe’s most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.

    Source: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

    Reply
  24. Tomi Engdahl says:

    Factbox: Don’t click – What is the ‘ransomware’ WannaCry worm?
    http://www.reuters.com/article/us-britain-security-hospitals-ransomware-idUSKBN1882O2

    Malicious software called ‘ransomware’ has forced British hospitals to turn away patients and affected Spanish companies such as Telefonica as part of a global outbreak that has affected tens of thousands of computers.

    WannaCry is not just a ransomware program, it’s also a worm.

    This means that it gets into your computer and looks for other computers to try and spread itself as far and wide as possible.

    Reply
  25. Tomi Engdahl says:

    Microsoft adds detection, protection against global cyberattack: statement
    http://www.reuters.com/article/us-britain-security-hospitals-microsoft-idUSKBN1882SZ

    Reply
  26. Tomi Engdahl says:

    Global cyber attack slows but experts see risk of fresh strikes
    http://www.reuters.com/article/us-britain-security-hospitals-idUSKBN18820S

    A global cyber attack described as unprecedented in scale forced a major European automaker to halt some production lines while hitting schools in China and hospitals in Indonesia on Saturday, though it appeared to die down a day after its launch.

    Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the cyber assault has infected tens of thousands of computers in nearly 100 countries, with Britain’s health system suffering the worst disruptions.

    Europol’s European Cybercrime Center said it was working closely with country investigators and private security firms to combat the threat and help victims. “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.

    “We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,”

    But the attackers may yet tweak the code and restart the cycle.

    Reply
  27. Tomi Engdahl says:

    That global ransomware attack was halted apparently by accident
    https://techcrunch.com/2017/05/13/that-global-ransomware-attack-was-halted-apparently-by-accident/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Yesterday’s global ransomware attack was scary for several reasons, but quick action by a security researcher at MalwareTech at least put an end to its spreading — although the researcher didn’t realize it at the time.

    It had the potential to spread quickly and far, as it in fact did, and in doing so attract the attention of IT people who would want to contain and study it.

    As a safety against this, the payload contained some code that queried a certain domain known to the authors to be unregistered.

    The security researcher, on seeing that the ransomware called out to this unregistered domain, immediately registered it so they could monitor the traffic (they could — producing the map above). They thought it would just help track its spreading, but in fact by registering that domain they effectively killed the whole attack. Because now when the code pinged that domain, it returned that it was registered, and therefore the ransomware would never activate itself! They’d pulled the plug and didn’t even realize it.

    Unfortunately, it doesn’t help people who are already hit by the ransom

    Reply
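    As an added example (not code from the original thread or from any of the quoted articles), the Python script below shows how a defender could spot the two WannaCry behaviours the thread describes: a host resolving the hard-coded kill-switch domain quoted in comment 15 and checked by the worm before it spreads (comments 12 and 27), and a host fanning out to many internal addresses on TCP/445, the SMB hunting for further victims described in comments 8 and 24. The DNS and firewall log formats, the addresses and every log line are constructed for this example.

```python
"""Triage hosts for two WannaCry behaviours described in the thread, using
constructed logs:
  1. a DNS lookup of the hard-coded kill-switch domain (the worm's check before
     it propagates; a lookup means the worm ran on that host, whatever the answer);
  2. a burst of TCP/445 (SMB) connections to many distinct internal hosts in a
     short window, the worm hunting for further vulnerable machines.
The log formats below are invented for this example; adapt the regexes to your
own resolver and firewall sources."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-switch domain as quoted in the thread (comment 15).
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log: "<ISO timestamp> <client IP> query <type> <name>"
DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.5.23 query A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-12T10:01:04Z 10.0.5.23 query A update.microsoft.com
2017-05-12T10:02:10Z 10.0.7.8 query A www.example.org
2017-05-12T10:03:44Z 10.0.9.5 query A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
"""

# Constructed firewall log: "<ISO timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>"
# 10.0.5.23 sweeps 10.0.5.1-10.0.5.40 on 445 within about a minute (worm-like);
# 10.0.7.8 talks to one file server a few times (ordinary SMB use).
FW_LOG = "\n".join(
    [f"2017-05-12T10:01:{5 + i:02d}Z ACCEPT TCP 10.0.5.23:{49152 + i} -> 10.0.5.{1 + i}:445"
     for i in range(40)]
    + [f"2017-05-12T10:0{2 + i}:00Z ACCEPT TCP 10.0.7.8:50000 -> 10.0.9.5:445"
       for i in range(3)]
) + "\n"

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
FW_RE = re.compile(r"^(\S+) \S+ TCP (\S+):\d+ -> (\S+):(\d+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_name(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def kill_switch_lookups(dns_log, domain=KILL_SWITCH_DOMAIN):
    """Return the sorted client IPs that resolved the kill-switch domain."""
    hits = set()
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and normalize_name(m.group(3)) == domain:
            hits.add(m.group(2))
    return sorted(hits)


def smb_fanout(fw_log, window=timedelta(minutes=5), threshold=10):
    """Return {src: max distinct dst reached on TCP/445 inside any `window`}
    for every source that reaches `threshold`, using a sliding window per source."""
    by_src = defaultdict(list)
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(4) == "445":
            by_src[m.group(2)].append((_ts(m.group(1)), m.group(3)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)  # dst -> occurrences currently inside the window
        left, best = 0, 0
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[left][0] > window:  # drop events older than the window
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            flagged[src] = best
    return flagged


def triage(dns_log=DNS_LOG, fw_log=FW_LOG):
    """Combine both signals into a per-host list of reasons to isolate it."""
    verdicts = {}
    for ip in kill_switch_lookups(dns_log):
        verdicts[ip] = ["kill-switch lookup"]
    for ip, n in smb_fanout(fw_log).items():
        verdicts.setdefault(ip, []).append(f"SMB fan-out to {n} hosts")
    return verdicts


if __name__ == "__main__":
    for ip, reasons in sorted(triage().items()):
        print(ip, "->", "; ".join(reasons))
```

A host that merely looked up the kill-switch domain was already running the worm, so it belongs on the isolate-and-patch list even though the domain answering stopped it from spreading further.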
  28. Tomi Engdahl says:

    Current wave of ransomware not written by ordinary criminals, but by the NSA
    https://www.privateinternetaccess.com/blog/2017/05/current-wave-ransomware-not-written-ordinary-criminals-nsa/

    A lot of computers, including those at hospitals and other critical institutions, are being hit by a new wave of ransomware. The weaponized parts of this software were developed by – and inevitably leaked from – the National Security Agency. This shows again that the NSA’s mission, keeping a nation safe, is in direct conflict with its methods.

    The ethical hacker community has claimed for a long time that the NSA’s mission is in direct conflict with its methods: an agency cannot keep a country safe by keeping its weaknesses secret from those who could fix them. In this case, the NSA also weaponized software to target those weaknesses – software that inevitably leaked, as all data does sooner or later.

    So how do you prevent the existence of weaponized software? How do you prevent weapons of mass destruction coming out into the wild like this?

    The obvious answer is “don’t write the weaponized software in the first place”,

    It’s also a matter of “inform software vendors of vulnerabilities to help keep us all safe”,

    There’s also obviously a matter of “install security patches provided by software vendors”

    Reply
  29. Tomi Engdahl says:

    NHS seeks to recover from global cyber-attack as security concerns resurface
    https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack?CMP=fb_gu

    Cybersecurity centre says teams ‘working round the clock’ to fix systems rendered inaccessible by international ransomware attack

    Reply
  30. Tomi Engdahl says:

    What is ‘WanaCrypt0r 2.0′ ransomware and why is it attacking the NHS?
    https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20

    Malicious software has attacked computers across the NHS and companies in Spain, Russia, the Ukraine and Taiwan. What is it and how is it holding data to ransom?

    The ransomware has already caused hospitals across England to divert emergency patients – but what is it, how does it spread and why is this happening in the first place?
    What is ransomware?

    Ransomware is a particularly nasty type of malware that blocks access to a computer or its data and demands money to release it.

    How does it spread?

    Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.

    It is also being called Wanna Decryptor 2.0, WCry 2, WannaCry 2 and Wanna Decryptor 2.

    WanaCrypt0r 2.0 is asking for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computers.

    Who are they?

    The creators of this piece of ransomware are still unknown, but WanaCrypt0r 2.0 is their second attempt at cyber-extortion. An earlier version, named WeCry, was discovered back in February this year: it asked users for 0.1 bitcoin (currently worth $177, but with a fluctuating value) to unlock files and programs.
    How is the NSA tied in to this attack?

    Once one user has unwittingly installed this particular flavour of ransomware on their own PC, it tries to spread to other computers in the same network. In order to do so, WanaCrypt0r uses a known vulnerability in the Windows operating system, jumping between PC and PC. This weakness was first revealed to the world as part of a huge leak of NSA tools and known weaknesses by an anonymous group calling itself “Shadow Brokers” in April.

    Was there any defence?

    Yes. Shortly before the Shadow Brokers released their files, Microsoft issued a patch for affected versions of Windows, ensuring that the vulnerability couldn’t be used to spread malware between fully updated versions of its operating system. But for many reasons, from lack of resources to a desire to fully test new updates before pushing them out more widely, organisations are often slow to install such security updates on a wide scale.

    Who are the Shadow Brokers? Were they behind this attack?

    In keeping with almost everything else in the world of cyberwarfare, attribution is tricky. But it seems unlikely that the Shadow Brokers were directly involved in the ransomware strike: instead, some opportunist developer seems to have spotted the utility of the information in the leaked files, and updated their own software accordingly. As for the Shadow Brokers themselves, no-one really knows, but fingers point towards Russian actors as likely culprits.

    Why is the NHS being targeted?

    The NHS does not seem to have been specifically targeted, but the service is not helped by its reliance on old, unsupported software. Many NHS trusts still use Windows XP.

    Attacks on healthcare providers across the world are at an all-time high as they contain valuable private information, including healthcare records.

    Reply
  31. Tomi Engdahl says:

    WannaCry, the Biggest Ransomware Outbreak Ever
    https://safeandsavvy.f-secure.com/2017/05/12/wannacry-may-be-the-biggest-cyber-outbreak-since-conficker/

    F-Secure Labs has been warning about the exponential growth of ransomware and the dangers of government surveillance tools unleashed into the wild. Crypto-ransomware WannaCry — which exploded across the globe on Friday — seems to combine the worst of the dangers implied by both warnings.

    F-Secure has gotten reports from more than 60 countries. Mikko Hypponen, our chief research officer, calls it “the biggest ransomware outbreak in history.”

    Reply
  32. Tomi Engdahl says:

    What You Need to Know About WannaCry Now
    https://safeandsavvy.f-secure.com/2017/05/13/what-you-need-to-know-about-wannacry-now/

    Who has been hit?
    A huge number of organizations have been impacted, along with considerable amounts of public infrastructure. This is a global outbreak for which we got reports from more than 60 countries. It has hit healthcare organizations, as well as telcos, gas and electric companies. For example, the National Health Service in England was one of the most affected organizations, with hospitals closed and surgeries postponed.

    According to F-Secure Labs, the most affected countries are Russia and China, then France, Taiwan, US, Ukraine and South Korea.

    How big is it?
    Mikko Hypponen, our chief research officer, called it “the biggest ransomware outbreak in history” in terms of infections. But as of Saturday morning, the day after the outbreak, it had only made a measly $25,000, according to F-Secure Labs’ Andy Patel. “The spread of WCry was slowed by the actions of an ‘accidental hero’ who registered a ‘killswitch’ domain name he found in the code,”

    Reply
  33. Tomi Engdahl says:

    Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware
    https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

    The ransomware problem

    Firstly, if ransomware is a foreign enough concept and you genuinely want to understand what it’s about, I made a free course for Varonis last year titled “Introduction to Ransomware”. One of the observations I make in that course is that this class of malware has been around for decades starting with the AIDS trojan dating back to 1999

    This variant attempted to make the PC unusable unless a ransom was paid.

    Reply
  34. Tomi Engdahl says:

    WCry: Knowns And Unknowns
    https://labsblog.f-secure.com/2017/05/13/wcry-knowns-and-unknowns/

    WCry, WannaCry, Wana Decrypt0r. I’m sure at this point you’ve heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here’s what we know, and don’t know.

    WCry has currently made a measly $25,000

    The spread of WCry was slowed by the actions of an “accidental hero” who registered a “killswitch” domain name he found in the code.

    But, it only takes a small edit of that code, and a re-release to get the thing spreading like wildfire again.

    It’s been featured in many public places

    It is reportedly super-easy to reverse engineer.

    Microsoft has released a patch for Windows XP because of this malware…

    Even Microsoft haven’t figured out the initial entry vector.

    yes, F-Secure’s products block WCry.

    Reply
  35. Tomi Engdahl says:

    Security Alert: WannaCry Leaves Exploited Computers Vulnerable to Round Two
    Preventing another ransomware outbreak becomes essential
    https://heimdalsecurity.com/blog/security-alert-wannacry-computers-vulnerable/

    As an industry, we’ve been talking about ransomware and its impact for 2-3 years now, and, during this time, many of our own security alerts alerted users about ongoing campaigns spreading encrypting malware.

    In spite of this, many Internet users still have a difficult time prioritizing their proactive cyber security as need-to-have rather than nice-to-have. As a consequence, computers go unpatched, unprotected and become easy targets.

    What we’ve seen in the past 24 hours reveals how each click on “postpone update” created another target for WannaCry ransomware and its variants (WCry, WanaCrypt0r, WanaCrypt0r 2.0) to infect and use for distribution. It’s the nightmare scenario we feared when we wrote this post.

    The WannaCry ransomware attack – 5 things you need to know

    A ransomware attack of “unprecedented level” (Europol) started spreading WannaCry ransomware around the world on Friday, May 12, 2017, around 11 AM ET/3PM GMT.
    So far, hundreds of thousands of Windows-running computers in 99 countries have been affected, with the highest numbers of infections in Russia, Ukraine, India and Taiwan.
    Cyber criminals are using the EternalBlue exploit released by The Shadow Brokers on March 14, 2017. This exploit was patched the same day, when Microsoft issued a critical security update (Microsoft Security Bulletin MS17-010).
    The reason why this particular campaign became so extensive is because it exploits a vulnerability in Windows SMBv1 and SMBv2 to move laterally within networks and infect other computers.
    If you haven’t installed the updates and are running a vulnerable operating system (see list below), even if your data hasn’t been encrypted, your computer might still have a backdoor that attackers can leverage in a potential round two of attacks.

    How to check if your system is patched

    If you’re unsure whether your computer is updated to the latest version, you can run Microsoft Baseline Security Analyzer 2.3 and discover which updates are missing. The tool also lists the missing updates by severity and potential impact.

    https://www.microsoft.com/en-us/download/details.aspx?id=7558

    Reply
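An audit script for the check the post describes, added here as an example; it is not part of the Heimdal post, and it is not MBSA. It looks for the KB IDs Microsoft shipped for MS17-010 and reports whether the SMBv1 server is still on, since EternalBlue targets the SMBv1 server service, and it can then switch SMBv1 off. Two caveats a practitioner needs: later cumulative updates supersede those KB IDs, so a fully current machine that shows none of them is not necessarily exposed (treat "no KB found" as a prompt to verify against the bulletin, not as proof), and the registry route used on Windows 7 / Server 2008 R2 only takes effect after a reboot. Run it in an elevated shell.

```powershell
# Added example (not part of the Heimdal post or of MBSA): audit a host for the
# two conditions WannaCry needs, then optionally close the SMBv1 side.
# KB IDs are the ones Microsoft shipped for MS17-010 (14 March 2017; 13 May 2017
# for XP / Server 2003 / Windows 8). Later cumulative updates supersede these IDs,
# so "none found" alone does not prove a current machine is exposed.
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 / Windows 8
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later: SmbShare module. Older versions: the SMB1
    # registry value, which is absent by default, and absent means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [bool]$cfg.EnableSMB1Protocol
    }
    $reg = Get-ItemProperty -Path $LanmanKey -ErrorAction SilentlyContinue
    if ($reg -and $null -ne $reg.PSObject.Properties['SMB1']) {
        return ($reg.SMB1 -ne 0)
    }
    return $true
}

function Get-Ms17010Exposure {
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $found     = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    $smb1On    = Get-Smb1ServerState
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OsVersion         = [System.Environment]::OSVersion.Version.ToString()
        Ms17010KbFound    = $found
        Smb1ServerEnabled = $smb1On
        # Conservative flag: none of the listed KBs present AND SMBv1 still serving.
        NeedsAttention    = ($found.Count -eq 0) -and $smb1On
    }
}

function Disable-Smb1Server {
    # Removes the exploited surface even before the patch lands. Elevated shell
    # required; the registry route (Windows 7 / 2008 R2) applies after a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Value 0 -Type DWord -Force
    }
}

Get-Ms17010Exposure | Format-List
# After reviewing the output, remediate with:  Disable-Smb1Server
```

Disabling SMBv1 does not patch the kernel driver, but it stops the service EternalBlue talks to, which is why it is the first move on hosts that cannot be patched immediately; check the output for file servers and legacy devices (scanners, printers) that still need SMBv1 before you run the disable step fleet-wide.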
  36. Tomi Engdahl says:

    Renault And Nissan Plants Hit By Massive Ransomware Attack
    http://jalopnik.com/renault-and-nissan-plants-hit-by-massive-ransomware-att-1795190743

    French auto giant Renault became the first major French company to report being affected by Friday’s ransomware attack that affected tens of thousands of computers in almost 100 countries across the world, reports Automotive News. An English plant of Renault’s alliance partner Nissan was also hit by the attack.

    Renault stopped production across several of its European plants as a result of the attack, which encrypted data on computers until a ransom was paid, according to a Renault spokesman who spoke with Automotive News.

    Additionally, a Paris prosecutor has opened an investigation into the attack, which covers “Renault and other possible victims,” per Reuters.

    Renault declined to give a list of all the Renault and alliance member sites that were affected by the cyberattack. A Renault plant in Sandouville, France, was one of those confirmed to have shut down.

    A Nissan plant in Sunderland, England, was also reported to have halted production; however, a Nissan spokesman would not confirm the shutdown to Automotive News—he would only confirm that they were affected by the ransomware attack.

    Renault, Nissan European operations deal with global cyber attack
    http://www.autonews.com/article/20170513/OEM01/170519882/renault-nissan-european-operations-deal-with-global-cyber-attack?utm_source=dlvr.it&utm_medium=twitter

    Renault stopped production at several European sites on Saturday to prevent the spread of a global cyber attack that hit its computer systems, a spokesman said.

    “Proactive measures have been put in place, including the temporary suspension of industrial activity at some sites,” the spokesman said.

    The Paris prosecutor has opened an investigation following the cyber attack, a judicial source told Reuters on Saturday. The probe covers “Renault and other possible victims,” the source said.

    “Like many organizations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening. Our teams are working to resolve the issue,” said the spokesman.

    He declined to confirm media reports that production at the plant, which employs 7,000, had been halted.

    The attack disrupted Britain’s health system and global shipper FedEx.

    Reply
  37. Tomi Engdahl says:

    Old Windows PCs can stop WannaCry ransomware with new Microsoft patch
    In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003 and Windows 8.
    http://www.pcworld.com/article/3196694/security/old-windows-pcs-can-stop-wannacry-ransomware-with-new-microsoft-patch.html

    Reply
  38. Tomi Engdahl says:

    Cylance vs. WannaCry-WanaCrypt0r 2.0
    https://www.cylance.com/en_us/blog/cylance-vs-wannacry-wanacrypt0r-2-0.html

    Due to the nature of the flaw, machines that are propagated to via the worm functionality do not require interaction from the user on the victimized host.

    The worm/ransomware binary handles the remote execution. In most confirmable cases today, stage one is a malicious phishing email. This includes an attachment that “patient zero” executes, which infects them, while simultaneously kickstarting “Stage 2” – the worm-type functionality and internal propagation/pivoting.

    In addition to employing strong and effective endpoint controls, users are also encouraged to:

    • Keep software up-to-date, including operating systems

    • Avoid dangerous web locations

    • Educate users to detect potential cyberattacks delivered via phishing emails, infected banners, spam emails, social engineering attempts, etc.

    Reply
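The "Stage 2" propagation the post describes leaves a recognisable footprint: one host opening TCP/445 to many neighbours within seconds. The detection below is an added example written for this thread, not Cylance code, and runs over constructed connection-log lines in a simple "time src dst dport" layout (replace Read-ConnLine with a parser for your own firewall or flow format). The window and threshold are tuning assumptions; a vulnerability scanner or a deployment server will trip the same rule and needs an allow-list.

```powershell
# Added example, not from the Cylance post: flag hosts that fan out to TCP/445
# across many neighbours in a short window, the footprint of the internal
# propagation stage. Log lines are constructed for the example in a simple
# "time src dst dport" layout; adapt Read-ConnLine to your firewall's format.

function Read-ConnLine {
    param([string]$Line)
    $f = $Line -split '\s+'
    if ($f.Count -lt 4) { return $null }
    [pscustomobject]@{ Time = [datetime]$f[0]; Src = $f[1]; Dst = $f[2]; DPort = [int]$f[3] }
}

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Port = 445,
        [int]$WindowSeconds = 60,
        [int]$Threshold = 10      # distinct destinations per source inside the window (assumed tuning)
    )
    $bySrc = @{}
    foreach ($line in $Lines) {
        $c = Read-ConnLine $line
        if ($null -eq $c -or $c.DPort -ne $Port) { continue }
        if (-not $bySrc.ContainsKey($c.Src)) { $bySrc[$c.Src] = @() }
        $bySrc[$c.Src] += $c
    }
    foreach ($src in $bySrc.Keys) {
        $events = @($bySrc[$src] | Sort-Object Time)
        # Sliding window anchored on each event: count distinct targets that follow it.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $targets = @($events | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                         Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{ Source = $src; DistinctTargets = $targets.Count; WindowStart = $start }
                break     # one alert per source is enough
            }
        }
    }
}

# Constructed sample: 10.0.1.15 touches twelve neighbours on 445 within six seconds
# (worm-like); 10.0.1.20 talks to a single file server; 10.0.1.21 is HTTPS noise.
$SampleLog = @(
    (1..12 | ForEach-Object { '2017-05-12T15:01:{0:00} 10.0.1.15 10.0.1.{1} 445' -f [int][math]::Ceiling($_ / 2), $_ })
    '2017-05-12T15:01:20 10.0.1.20 10.0.1.50 445'
    '2017-05-12T15:01:21 10.0.1.20 10.0.1.50 445'
    '2017-05-12T15:01:30 10.0.1.21 10.0.1.60 443'
)

Find-SmbFanOut -Lines $SampleLog | Format-Table -AutoSize
```

The point of counting distinct destinations rather than raw connections is that a busy file-server client makes many connections to one host and never trips the rule, while a scanning host touches many hosts once each; on a real network the alert is the cue to isolate the source at the switch port before it finds the next unpatched box.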
  39. Tomi Engdahl says:

    From NSA Exploit to Widespread Ransomware: WannaCry is on the Loose
    https://f5.com/labs/articles/threat-intelligence/malware/from-nsa-exploit-to-widespread-ransomware-wannacry-is-on-the-loose-26847

    Over a dozen years ago, malware pioneer Dr. Peter Tippett coined the expression “virus disaster,” which describes the point at which more than 25 machines are infected on a single network as the “tipping point” for complete shutdown of a network. The new ransomware WannaCry, which locks down all files on an infected computer until the owner pays a ransom, seems to have plunged whole sections of critical infrastructure into a virus disaster. Hospitals in the UK were the first to feel its bite, but the damage is spreading far and wide. This is likely to jeopardize patient health as hospitals are being shut down. If someone dies because of this, we’ll be looking at murder by malware. That will be a game-changer for security and compliance.

    The malware is using MS17-010, a.k.a. “EternalBlue” (a Shadow Brokers-released NSA exploit) to punch through the network of anyone who hadn’t patched the weeks-old vulnerability.

    Block or restrict TCP ports 22, 23, 3389, 139, and 145 as well as UDP 137 and 138. Make sure backups are tight and complete.

    Reply
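Host-firewall rules for the ports the F5 post names, added as an example written for this thread (not F5's code). It uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later; older hosts need netsh advfirewall. One correction worth making explicit before anyone types the list in: SMB over TCP listens on 445, so that is the port the SMB rule blocks. The management subnet is an assumption for the example.

```powershell
# Added example, not from the F5 post: host-firewall rules for the ports it names,
# via the NetSecurity cmdlets (Windows 8 / Server 2012 and later; older hosts need
# netsh advfirewall). SMB over TCP is 445, which is what the SMB rule blocks.
$ManagementSubnet = '10.0.0.0/24'   # assumed for the example; replace with your admin network

function Add-InboundBlock {
    param([string]$Name, [string]$Protocol, [int[]]$Ports)
    # Idempotent: re-running the script must not pile up duplicate rules.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol $Protocol `
        -LocalPort $Ports -Action Block -Profile Any | Out-Null
}

function Set-WannaCryContainmentRules {
    param([string]$AdminSubnet = $ManagementSubnet)
    # SMB (TCP 445/139) and NetBIOS (UDP 137/138): the worm's lateral path.
    Add-InboundBlock -Name 'Contain: inbound SMB'        -Protocol TCP -Ports 139,445
    Add-InboundBlock -Name 'Contain: inbound NetBIOS'    -Protocol UDP -Ports 137,138
    # SSH/Telnet: no business being open inbound on a Windows endpoint.
    Add-InboundBlock -Name 'Contain: inbound SSH/Telnet' -Protocol TCP -Ports 22,23
    # RDP (3389): restrict, don't block. A Block rule always wins over an Allow rule
    # in Windows Firewall, so scope the built-in Remote Desktop allow rules instead.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdminSubnet
}

function Test-WannaCryContainmentRules {
    # Read back what is in force, plus each profile's default inbound action.
    Get-NetFirewallRule -DisplayName 'Contain:*' |
        Select-Object DisplayName, Enabled, Direction, Action
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

Set-WannaCryContainmentRules
Test-WannaCryContainmentRules
```

On a file server or domain controller an unconditional inbound 445 block takes the service down with it; there, give the SMB rule a -RemoteAddress of the client subnets that legitimately need it instead of blocking outright. These are host-level rules and complement, rather than replace, filtering at the segment boundary, which is where the post's "block or restrict" advice also applies.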
  40. Tomi Engdahl says:

    WannaCry cyber attack
    https://en.wikipedia.org/wiki/WannaCry_cyber_attack

    WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA)[15][16] to attack computers running Microsoft Windows operating systems.[4][17] Although a patch to remove the underlying vulnerability had been issued on 14 March 2017,[18] users who delayed in applying security updates, or use unsupported versions of Windows, were left vulnerable.[19] Microsoft has taken the unusual step of releasing updates for the unsupported Windows XP and Windows Server 2003 and patches for Windows 8 operating systems.[2][20]

    The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[18] nearly two months before the attack.

    Any organization still running the older Windows XP[40] was at particularly high risk because until 13 May,[2] no security patches had been released since April 2014.[41] Following the attack, Microsoft released a security patch for Windows XP.

    The ransomware campaign was unprecedented in scale according to Europol.[8] The attack affected many National Health Service hospitals in the UK,[43] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.

    Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe’s most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.

    Reactions

    Upon learning about the impact on the NHS, Edward Snowden said that had the NSA “privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened”.[80]

    British cybersecurity expert Graham Cluley also sees “some culpability on the part of the U.S. intelligence services”. According to him and others “they could have done something ages ago to get this problem fixed, and they didn’t do it”.

    Cybersecurity expert Ori Eisen notes that the attack appears to be “low-level” stuff, given the ransom demands of $300 and states that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.

    Reply
  41. Tomi Engdahl says:

    http://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-wannacry-ransomware-computers-infected-virus-malwaretech-a7734911.html

    ‘Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP,’ says accidental hero, 22, who shut down major attack

    A second version of the devastating WannaCry ransomware – that does not contain the “kill switch” used by a 22-year-old security analyst to shut down many attacks – is set to be released by the hackers, putting more computers at risk.

    Costin Raiu, of web security firm Kaspersky Lab, told Hacker News that they had already seen versions of the malware that did not contain the website domain name used to shut down the program, but he later backtracked saying “my bad” and this was not actually the case.

    However, experts warned it was likely only a matter of time before this did happen and urged people to instal a security patch released specially by Microsoft.

    WannaCry Kill-Switch(ed)? It’s Not Over! WannaCry 2.0 Ransomware Arrives
    Saturday, May 13, 2017 Swati Khandelwal
    http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html?m=1

    If you are following the news, by now you might be aware that a security researcher has activated a “Kill Switch” which apparently stopped the WannaCry ransomware from spreading further.

    But that’s not true, nor is the threat over yet.

    However, the kill switch has just slowed down the infection rate.

    Moreover, multiple security researchers have claimed that more samples of WannaCry are in the wild without the ‘kill-switch’ domain connect function, referred to as WannaCry 2.0, and still infecting unpatched computers worldwide.

    So far, over 237,000 computers across 99 countries around the world have been infected, and the infection is still rising even hours after the kill switch was triggered by the 22-year-old British security researcher behind the twitter handle ‘MalwareTech.’

    WannaCry is an insanely fast-spreading ransomware malware that leverages a Windows SMB exploit to remotely target a computer running on unpatched or unsupported versions of Windows.

    Once infected, WannaCry also scans for other vulnerable computers connected to the same network, as well scans random hosts on the wider Internet, to spread quickly.

    The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.

    You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:

    If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).
    If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
    If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
    If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.

    WannaCry 2.0, Ransomware without Kill-Switch is on Hunt!

    However, shortly after that, Costin Raiu, the director of the global research and analysis team at Kaspersky Labs, confirmed to us that his team had seen more WannaCry samples on Friday that did not have the kill switch.

    “I can confirm we’ve had versions without the kill switch domain connect since yesterday,” he told The Hacker News.

    So, expect a new wave of ransomware attacks, with an updated WannaCry variant, which would be difficult to stop, until and unless all vulnerable systems get patched.

    Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.

    Get Prepared: Upgrade, Patch OS & Disable SMBv1

    MalwareTech also warned of the future threat, saying “It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!”

    “Informed NCSC, FBI, etc. I’ve done as much as I can do currently, it’s up to everyone to patch,” he added.

    As we notified today, Microsoft took an unusual step to protect its customers with an unsupported version of Windows — including Windows XP, Vista, Windows 8, Server 2003 and 2008 — by releasing security patches that fix SMB flaw currently being exploited by the WannaCry ransomware.

    Reply
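The four scenarios in the post all come down to one property of the kill switch: the sample stayed dormant only when its request to the hard-coded domain succeeded, so every failure mode lets the payload run. The block below is an added example written for this thread, not code from WannaCry or from any of the quoted articles. Part 1 models that gate with a probe that stands in for the HTTP request, so each environment can be run without touching the network, plus the "2.0" case where the check is simply absent. Part 2 is the check an incident responder wants once the domain is known: which hosts resolved it, because each of those executed the sample, dormant or not. The domain name is a placeholder and the resolver log lines are constructed.

```powershell
# Added example, written for this thread and not taken from WannaCry or from the
# quoted posts. Part 1 models the kill-switch gate; Part 2 finds hosts that
# looked the domain up. The domain is a placeholder, the DNS lines are constructed.
$KillSwitchDomain = 'killswitch-placeholder.example'   # assumption: not the real domain

function Test-PayloadRuns {
    # $Probe models the sample's HTTP request and returns $true if the domain answered.
    # Returns $true when the worm would proceed: the gate fails open on any error.
    param([Parameter(Mandatory)][scriptblock]$Probe, [bool]$HasKillSwitch = $true)
    if (-not $HasKillSwitch) { return $true }     # the "2.0" variants: no gate at all
    try   { $answered = [bool](& $Probe $KillSwitchDomain) }
    catch { $answered = $false }                  # connect timeout, refused, etc.
    return (-not $answered)
}

# Environments from the post; each probe models the network, not the malware.
$Scenarios = [ordered]@{
    'direct egress, domain registered'            = { param($d) $true }
    'DNS or firewall blocks the domain'           = { param($d) $false }
    'proxy-only egress; sample ignores the proxy' = { param($d) throw 'connect timed out' }
    'sinkhole knocked offline'                    = { param($d) throw 'connection refused' }
}

function Get-KillSwitchOutcomes {
    foreach ($name in $Scenarios.Keys) {
        [pscustomobject]@{ Scenario = $name; PayloadRuns = (Test-PayloadRuns -Probe $Scenarios[$name]) }
    }
    [pscustomobject]@{
        Scenario    = 'variant with the check removed'
        PayloadRuns = (Test-PayloadRuns -Probe { $true } -HasKillSwitch $false)
    }
}

# Part 2: a host that queried the domain ran the sample, whether or not it went dormant.
# Constructed resolver log lines in a "time client query" layout.
$DnsLog = @(
    '2017-05-12T15:03:11 10.0.1.15 killswitch-placeholder.example'
    '2017-05-12T15:03:12 10.0.1.15 update.example.net'
    '2017-05-12T15:09:40 10.0.1.33 killswitch-placeholder.example'
    '2017-05-12T15:10:02 10.0.1.20 intranet.example.local'
)

function Find-KillSwitchLookups {
    param([Parameter(Mandatory)][string[]]$Lines, [string]$Domain = $KillSwitchDomain)
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -ge 3 -and $f[2] -eq $Domain) {
            [pscustomobject]@{ Time = [datetime]$f[0]; Host = $f[1] }
        }
    }
}

Get-KillSwitchOutcomes | Format-Table -AutoSize
Find-KillSwitchLookups -Lines $DnsLog | Format-Table -AutoSize
```

Two practical consequences follow from the model. Blocking the kill-switch domain on a proxy or DNS filter is the wrong move, since a failed lookup is exactly the condition under which the payload runs; the domain should resolve and answer inside the network, by an internal sinkhole if egress is proxy-only. And every host Part 2 turns up is an unpatched machine that has already run the dropper, so it goes to the top of the patch-and-SMBv1 list whether or not anything on it was encrypted.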
  42. Tomi Engdahl says:

    WannaCry has Hit Over 200,000 Systems in 150 Countries, Warned Europol
    http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html?m=1

    Speaking to Britain’s ITV, Europol chief Rob Wainwright said the whole world is facing an “escalating threat,” warning people that the numbers are going up and that they should ensure the security of their systems is up to date.

    “We are running around 200 global operations against cyber crime each year, but we’ve never seen anything like this,” Wainwright said, as quoted by BBC.

    “The latest count is over 200,000 victims in at least 150 countries. Many of those victims will be businesses, including large corporations. The global reach is unprecedented.”

    Ransomware cyber-attack threat escalating – Europol
    http://www.bbc.com/news/technology-39913630?ns_mchannel=social&ns_campaign=bbc_breaking&ns_source=twitter&ns_linkname=news_central

    Friday’s cyber-attack has affected more than 200,000 victims in 150 countries, Europol chief Rob Wainwright says.

    He told the BBC the act was “unprecedented in its scale” and warned more people could find themselves affected on Monday morning.

    The virus took control of users’ files, demanding payments; Russia and the UK were among the worst-hit countries.

    Experts say another attack could be imminent and have warned people to ensure their security is up to date.

    Mr Wainwright said that the ransomware was being combined with a worm application allowing the “infection of one computer to quickly spread across the networks”.

    He added: “That’s why we’re seeing these numbers increasing all the time.”

    ‘Patch before Monday’

    BBC analysis of three accounts linked with the global attack suggests the hackers have been paid the equivalent of £22,080.

    The UK security researcher known as “MalwareTech”, who helped to limit the ransomware attack, predicted “another one coming… quite likely on Monday”.

    Reply
