
NEW YORK (AP) — Dozens of countries were hit with a huge cyberextortion attack Friday that locked up computers and held users’ files for ransom at a multitude of hospitals, companies and government agencies.
It was believed to be the biggest attack of its kind ever recorded.
The malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was supposedly identified by the National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.
Britain’s national health service fell victim, its hospitals forced to close wards and emergency rooms and turn away patients. Russia appeared to be the hardest hit, according to security experts, with the country’s Interior Ministry confirming it was struck.
All told, several cybersecurity firms said they had identified the malicious software, which so far has been responsible for tens of thousands of attacks, in more than 60 countries. That includes the United States, although its effects there didn’t appear to be widespread, at least initially.
The attack infected computers with what is known as “ransomware” — software that locks up the user’s data and flashes a message demanding payment to release it. In the U.S., FedEx reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware.
Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack “the biggest ransomware outbreak in history.”
Security experts said the attack appeared to be caused by a self-replicating piece of software that enters companies and organizations when employees click on email attachments, then spreads quickly internally from computer to computer when employees share documents and other files.
Its ransom demands start at $300 and increase after two hours to $400, $500 and then $600, said Kurt Baumgartner, a security researcher at Kaspersky Lab. Affected users can restore their files from backups, if they have them, or pay the ransom; otherwise they risk losing their data entirely.
Chris Wysopal of the software security firm Veracode said criminal organizations were probably behind the attack, given how quickly the malware spread.
“For so many organizations in the same day to be hit, this is unprecedented,” he said.
The security holes it exploits were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has published what it says are hacking tools used by the NSA as part of its intelligence-gathering.
Cyber attacks linked to North Korea, security experts claim
Computer security experts have linked code in the WannaCry ransomware software to North Korea
Cyber security researchers have found technical clues they said could link North Korea with the global WannaCry "ransomware" cyber attack that has infected more than 300,000 machines in 150 countries since Friday.
Symantec and Kaspersky Lab said on Monday some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.
"This is the best clue we have seen to date as to the origins of WannaCry," Kaspersky Lab researcher Kurt Baumgartner told Reuters.
“At this time, all we have is a temporal link,” Eric Chien, an investigator at Symantec, told the New York Times. “We want to see more coding similarities to give us more confidence.”
Photo caption: Experts have linked WannaCry to the Lazarus Group, a North Korean operation (credit: Bloomberg)
American officials said Monday that they had also seen the same similarities, the newspaper reported.
Both firms said it was too early to tell whether North Korea was involved in the attacks, which crippled the NHS on Friday and became one of the fastest-spreading extortion campaigns on record.
The cyber companies' research will be closely followed by law enforcement agencies around the world, including Washington, where US President Donald Trump's homeland security adviser said on Monday that both foreign nations and cyber criminals were possible culprits.
Read more at http://www.telegraph.co.uk/technology/2017/05/15/north-korea-linked-global-cyber-attack-experts-examine-ransomware/
Even Russia got stung big time, guess they aren't the masterminds after all.
http://www.newsweek.com/global-cyber-attack-ransomware-nsa-russia-nhs-fedex-608729
Digital directory displays at Tiong Bahru Plaza and White Sands Mall have confirmed being affected by this ransomware attack.
Display screen at Orchard Central Desigual outlet apparently was also attacked.
http://www.channelnewsasia.com/news/singapore/tiong-bahru-plaza-s-digital-directory-hit-by-global-ransomware-8846096
http://www.straitstimes.com/singapore/global-ransomware-attack-hits-digital-directory-at-tiong-bahru-plaza
Real time infection map at https://intel.malwaretech.com/botnet/wcrypt
From https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/
WannaCry distribution may have dropped, but the ransomware pandemic is not over.
As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.
As expected, this strain does not include a killswitch domain, like WannaCry did.
We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied.
Uiwix also has self-replicating capabilities, as WannaCry did. Otherwise, Uiwix works in the same way as other ransomware variants. When the encryption starts, it adds the .uiwix extension to all the infected files. Additionally, it will drop a text file called “_DECODE_FILES.txt” that contains the requirement for decryption payment.
The content of the text file is the following:
>> ALL YOUR PERSONAL FILES ARE DECODED <<<
Your personal code: [% unique ID%]
To decrypt your files, you need to buy special software. Do not try to decode or modify files, it may be broken.
To restore data, follow the instructions!
You can learn more at this site:
https://4ujngbdqqm6t2c53.onion [.] two https://4ujngbdqqm6t2c53.onion [.] cab https://4ujngbdqqm6t2c53.onion [.] Now
If a resource is unavailable for a long time to install and use the tor browser.
After you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53[.]onion
The relevant TOR link moves the victim to a payment gateway, which charges 0.11943 bitcoins corresponding to about $218.
Uiwix poses an even bigger threat than WannaCry ransomware because it does not include a kill switch domain which, when blocked, can contain its distribution. With no dial back option to block, the only way of protecting against it at the moment is to patch the affected operating systems (list in yesterday’s alert).
Since the analysis is ongoing, we will add details about IoCs, C&Cs, the number of infections and affected countries shortly.
What’s more, researchers have already uncovered a WannaCry strain that also doesn’t include the kill switch domain.
Europol has also confirmed that the threat is escalating and the number of infections is growing. It has now affected “more than 200,000 victims in 150 countries”.
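The Heimdal post above makes the point that Uiwix, unlike WannaCry, has no kill switch domain to sinkhole, so the only observable left on the network side is the worm's own behaviour: a single host opening SMB (TCP/445) connections to many different peers in a short time. The script below is an added example (not Heimdal's, Symantec's or any vendor's code) that flags that fan-out pattern in a Windows Firewall log. The log lines in $SampleLog are constructed for this example; the window, the peer threshold and the IP ranges are assumptions and need tuning per environment.

```powershell
# Added example, not code from Heimdal, Symantec or any vendor quoted on this page.
# Flags hosts whose outbound TCP/445 connections fan out to many distinct peers in a short
# window: the propagation pattern of a self-replicating SMB worm such as WannaCry or Uiwix.
# Input is the Windows Firewall log format (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log,
# W3C "Fields" layout). $SampleLog is constructed for this example; the threshold, window and
# addresses are assumptions.

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 11:02:01 ALLOW TCP 10.0.0.5 10.0.0.17 49211 445 0 S 0 0 0 - - - SEND
2017-05-12 11:02:01 ALLOW TCP 10.0.0.5 10.0.0.18 49212 445 0 S 0 0 0 - - - SEND
2017-05-12 11:02:02 ALLOW TCP 10.0.0.5 10.0.0.19 49213 445 0 S 0 0 0 - - - SEND
2017-05-12 11:02:02 ALLOW TCP 10.0.0.5 10.0.0.20 49214 445 0 S 0 0 0 - - - SEND
2017-05-12 11:02:03 ALLOW TCP 10.0.0.5 10.0.0.21 49215 445 0 S 0 0 0 - - - SEND
2017-05-12 11:02:03 ALLOW TCP 10.0.0.5 10.0.0.22 49216 445 0 S 0 0 0 - - - SEND
2017-05-12 11:02:04 DROP  TCP 10.0.0.5 10.0.0.23 49217 445 0 S 0 0 0 - - - SEND
2017-05-12 11:05:10 ALLOW TCP 10.0.0.9 10.0.0.2 51001 445 0 S 0 0 0 - - - SEND
2017-05-12 11:05:11 ALLOW TCP 10.0.0.9 10.0.0.2 51002 445 0 S 0 0 0 - - - SEND
2017-05-12 11:06:00 ALLOW TCP 10.0.0.9 10.0.0.3 51003 445 0 S 0 0 0 - - - SEND
2017-05-12 11:06:30 ALLOW TCP 10.0.0.9 203.0.113.10 51004 443 0 S 0 0 0 - - - SEND
'@

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$DistinctPeerThreshold = 20,   # assumption: a workstation rarely talks SMB to 20 hosts/minute
        [int]$WindowSeconds = 60
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 17) { continue }
        # Outbound TCP to port 445 only. DROPs count too: a blocked SYN is still a scan attempt.
        if ($f[3] -ne 'TCP' -or $f[7] -ne '445' -or $f[16] -ne 'SEND') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object -Property Src)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        $worst = 0
        # Sliding window: for each connection, count the distinct destinations reached
        # within the following WindowSeconds and keep the highest count per source host.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                      Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -gt $worst) { $worst = $peers.Count }
        }
        if ($worst -ge $DistinctPeerThreshold) {
            [pscustomobject]@{
                Host             = $group.Name
                DistinctSmbPeers = $worst
                WindowSeconds    = $WindowSeconds
                FirstSeen        = $sorted[0].Time
            }
        }
    }
}

# Usage against the constructed sample with a deliberately low threshold. On a real host:
#   Find-SmbFanOut -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
Find-SmbFanOut -Lines ($SampleLog -split "`r?`n") -DistinctPeerThreshold 5 | Format-Table -AutoSize
```

With the sample, 10.0.0.5 is reported (seven distinct peers in three seconds, one of them a dropped SYN) while 10.0.0.9, which only talks to two file servers, is not. Windows Firewall logging is off by default; enable it first with `Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True`, and on a busy file server raise the threshold or exclude it, because legitimate servers have fan-in, not fan-out, but domain controllers and management hosts can produce genuine fan-out.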
Taken from https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
What you need to know about the WannaCry Ransomware
WannaCry ransomware spreads aggressively across networks, holds files to ransom.
What has happened?
On May 12, 2017 a new variant of the Ransom.CryptXXX family (Detected as Ransom.Wannacry) of ransomware began spreading widely impacting a large number of organizations, particularly in Europe.
What is the WannaCry ransomware?
WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.
Figure 1 Ransom demand screen displayed by WannaCry Trojan
It also drops a file named !Please Read Me!.txt which contains the ransom note.
Figure 2 Ransom demand note from WannaCry Trojan
It propagates to other computers by exploiting a known SMB remote code execution vulnerability in Microsoft Windows computers. (MS17-010)
Am I protected against this threat?
The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.
Symantec and Norton customers are protected against WannaCry using a combination of technologies.
Antivirus
• Ransom.Wannacry
• Ransom.CryptXXX
• Trojan.Gen.8!Cloud
• Trojan.Gen.2
Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:
• 20170512.009
SONAR protection
• SONAR behavior detection technology will also detect Wannacry variants.
Network based protection
Symantec also has the following IPS protection in place which has proven highly effective in proactively blocking attempts to exploit the MS17-010 vulnerability:
• OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
• Attack: Shellcode Download Activity
The following IPS signature also blocks activity related to Ransom.Wannacry:
• System Infected: Ransom.Ransom32 Activity
Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.
Who is impacted?
A number of organizations globally have been affected, the majority of which are in Europe.
Is this a targeted attack?
No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.
Why is it causing so many problems for organizations?
WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers which do not have the latest Windows security updates applied are at risk of infection.
Can I recover the encrypted files?
Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from back-ups where possible.
What are best practices for protecting against ransomware?
• New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
• Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
• Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
• Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
• Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
• Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.
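Both the Symantec FAQ above (MS17-010 "to prevent spreading") and the Heimdal post (patching "the only way of protecting" against a variant with no kill switch) come down to the same host check: is MS17-010 actually installed, and is SMBv1 still reachable on this box. The script below is an added example, not Symantec's or Heimdal's code, that answers those two questions and optionally disables SMBv1. Assumptions: the KB numbers are the March 2017 MS17-010 package set as listed in the bulletin, and later cumulative updates supersede them, so a missing KB on Windows 10 or on any host patched after 2017 means "verify", not "vulnerable"; the SMB and NetTCPIP cmdlets exist only on Windows 8/Server 2012 and later, with the registry switch covering Windows 7/2008 R2; the firewall rule is a stopgap and will break file sharing on a server.

```powershell
# Added example, not Symantec's or Heimdal's code. Audits a Windows host for MS17-010 and
# SMBv1 exposure and optionally remediates. Run in an elevated PowerShell.
# Assumption: $Ms17010Kbs is the March 2017 MS17-010 package set; later cumulative updates
# supersede these numbers, so treat "no KB matched" as "verify against the bulletin".

$Ms17010Kbs = @(
    'KB4012598',                            # XP, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    param([string[]]$KnownKbs = $Ms17010Kbs)
    $hits = @(Get-HotFix | Where-Object { $KnownKbs -contains $_.HotFixID })
    # srv.sys is the SMB server driver the bulletin replaces; report its version so it can be
    # compared with the bulletin's file table when no KB matched (cumulative updates).
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Ms17010KbInstalled = ($hits.Count -gt 0)
        MatchedKbs         = ($hits.HotFixID -join ',')
        SrvSysVersion      = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }
        OsVersion          = (Get-CimInstance Win32_OperatingSystem).Version
    }
}

function Get-SmbV1Exposure {
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue                      # Win8/2012+
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $reg     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb1Enabled = if ($server) { [bool]$server.EnableSMB1Protocol }
                   elseif ($reg -and $null -ne $reg.SMB1) { $reg.SMB1 -ne 0 }
                   else { $true }   # no explicit disable anywhere: Windows 7 default is enabled
    [pscustomobject]@{
        Smb1ServerEnabled = $smb1Enabled
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'n/a' }
        # Get-NetTCPConnection is Win8+; on Windows 7 this reports $false regardless
        Port445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-SmbV1 {
    # Stop the server from speaking SMBv1 (Win8/2012+), remove the component, and set the
    # Windows 7 / 2008 R2 registry switch from KB2696547 (takes effect after a reboot there).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
    # Stopgap while the patch rolls out: block inbound 445 at the host firewall.
    # Remove this rule on file servers once MS17-010 is confirmed installed.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 stopgap)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# Usage: audit first, remediate only after reading the caveats above.
Get-Ms17010Status  | Format-List
Get-SmbV1Exposure  | Format-List
# Disable-SmbV1    # breaks SMBv1-only clients (old printers, NAS, scanners); patching is the real fix
```

Two caveats worth stating plainly: a clean result from Get-Ms17010Status on a Windows 10 host is only meaningful if Windows Update has been running, because the KB numbers listed were folded into later cumulative updates; and a host that has been patched is still able to be the encrypting victim of a fresh phishing attachment, so the patch stops the worm, not the ransomware, which is why the Symantec list above ends with offline backups.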