Hands typing on a computer keyboard. (photo: hamburg_berlin/Shutterstock)
An
NSA-Derived Ransomware Worm Is Shutting Down Computers Worldwide
By Dan Goodin, Ars Technica
13 May 17
Wcry
uses weapons-grade exploit published by the NSA-leaking Shadow Brokers.
A highly
virulent new strain of self-replicating ransomware shut down computers all over
the world, in part by appropriating a National Security Agency exploit that was
publicly released last month by the mysterious group calling itself Shadow
Brokers.
The malware,
known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers,
according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries
have been affected, with Russia being disproportionately affected,
followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware
is notable for its multi-lingual ransom demands, which support more than two-dozen languages.
Wcry
is reportedly causing disruptions at banks, hospitals, telecommunications
services, train stations, and other mission-critical organizations in multiple
countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK
government's National Health Service, and Spanish telecom Telefonica have all
been hit. The Spanish CERT has called it a
"massive ransomware attack" that is encrypting all the files of
entire networks and spreading laterally through organizations.
The
virally spreading worm was ultimately stopped when a researcher who uses the
Twitter handle MalwareTech and works
for security firm Kryptos Logic took control of a domain name
that was hard-coded into the self-replicating exploit. The domain registration,
which occurred around 6 AM California time, was a major stroke of good luck,
because it was possible only because the attackers had failed to obtain the
address first.
The
address appeared to serve as a sort of kill switch the attackers could use to
terminate the campaign. MalwareTech's registration had the effect of ending the
attacks that had started earlier Friday morning in other parts of the world. As
a result, the number of infection detections plateaued dramatically in the
hours following the registration. It had no effect on WCry infections that were
initiated through earlier campaigns.
Remember
Code Red?
Another
cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue
that the NSA used for years to remotely commandeer computers running Microsoft
Windows. Eternalblue, which works reliably against computers running Microsoft
Windows XP through Windows Server 2012, was one of several potent exploits
published in the most recent Shadow Brokers release in
mid-April. The Wcry developers have combined the Eternalblue exploit
with a self-replicating payload that allows the ransomware to spread virally
from vulnerable machine to vulnerable machine, without requiring operators to
open e-mails, click on links, or take any other sort of action.
So-called
worms, which spread quickly amid a chain of attacks, are among the most
virulent forms of malware. Researchers are still investigating how Wcry takes
hold. The awesome power of worms came to the world's attention in 2001 when
Code Red managed to infect more than 359,000 Windows computers around the world
in 14 hours.
"The
initial infection vector is something we are still trying to find out,"
Adam Kujawa, a researcher at antivirus provider Malwarebytes, told Ars.
"Considering that this attack seems targeted, it might have been either
through a vulnerability in the network defenses or a very well-crafted spear
phishing attack. Regardless, it is spreading through infected networks using
the EternalBlue vulnerability, infecting additional unpatched systems."
It's
not clear if the Eternalblue exploit is Wcry's sole means of spreading or if it
has multiple methods of propagating. In an update that was notable for its
unlikely and extremely fortuitous timing, Microsoft patched the
underlying vulnerability in March, exactly four weeks before the Shadow
Brokers' April release published the weapons-grade NSA exploit. The rapid
outbreak of Wcry may be an indication that many, or possibly all, of the
companies hit had yet to install a critical Windows patch more than two months
after it was released.
Other
organizations in Spain known to be disrupted include telecom Vodafone Espana,
the KPMG consultancy, banks BBVA and Santander, and power company Iberdrola.
The Blackpool Victoria Hospital in the UK reportedly pleaded for patients
to seek treatment only for
life-threatening emergencies after Wcry crippled its network.
Portugal Telecom has also reported being infected.
Meanwhile, Barts Health Hospital in London is redirecting ambulances to other
facilities. At least two train stations showed signs of infections
according to display pictures published here and here.
According
to an article posted by Madrid-based El
Mundo, 85 percent of computers at Telefonica, Spain's dominant
telecom, are affected by the worm, although that figure has not been confirmed.
Officials at Telefonica and Spanish energy companies Iberdrola and
Gas Natural Fenosa have all instructed employees to shut down computers. While
the paper confirmed an attack on Telefonica, it said it was not yet clear if
the other two companies had been infected or if they ordered the shutdown
as a preventative measure.
Wcry
is demanding a ransom of $300 to $600 in Bitcoin to be paid by May 15, or, in
the event that deadline is missed, a higher fee by May 19. The messages left on
the screen say files will remain encrypted. It's not yet clear if there are
flaws in the encryption scheme that might allow the victims to restore the
files without paying the ransom.
People
who have yet to install the Microsoft fix—MS17-010—should do so right
away. People should also be extremely suspicious of all e-mails they receive,
particularly those that ask the recipient to open attached documents or click
on Web links.
C 2015 Reader Supported News
Donations can be sent
to the Baltimore Nonviolence Center, 325 E. 25th St., Baltimore, MD
21218. Ph: 410-323-1607; Email: mobuszewski [at] verizon.net. Go to http://baltimorenonviolencecenter.blogspot.com/
"The master class
has always declared the wars; the subject class has always fought the battles.
The master class has had all to gain and nothing to lose, while the subject
class has had nothing to gain and everything to lose--especially their
lives." Eugene Victor Debs
No comments:
Post a Comment