On
Friday, May 12, countless organizations around the world began fending
off attacks from a ransomware strain variously known as WannaCrypt,
WanaDecrypt and Wanna.Cry.
NHS Digital recently confirmed that the recent NHS cyberattack used the Wanna Decryptor ransomware to infect the systems of as many as 40 UK hospitals.
This software is believed to have used tools stolen from the National Security Agency to exploit a flaw in Microsoft Windows. Ransomware Trojans are a type of malware designed to extort money from victims by holding files or entire computers to ransom.
The
ransomware typically demands payment to undo changes that the Trojan
virus has made to the victim’s computer, which range from encrypting
data stored on the victim’s disk to blocking normal access.
It encrypts users' files using the AES and RSA ciphers, meaning that only the hackers, who hold the unique decryption key, can decrypt the files.
In previous Wanna Decryptor attacks, victims have been sent ransom notes with "instructions" in the form of !Please Read Me!.txt files, linking to ways of contacting the hackers. Wanna Decryptor also changes the computer's wallpaper to a message telling the victim to download the decryptor from Dropbox, and then demands hundreds in bitcoin before it will work.
Put more simply, once inside the system Wanna Decryptor creates encrypted copies of specific file types and then deletes the originals, leaving the victims with encrypted copies that can't be accessed without a decryption key. Wanna Decryptor additionally increases the ransom amount, and threatens loss of data, at a predetermined time, creating a sense of urgency and greatly improving the chances victims will pay the ransom.
It is unclear how the Wanna Decryptor ransomware infected the NHS systems, but it can spread through phishing emails or after visiting a website containing a malicious program. According to Avast, Wanna Decryptor, or WanaCrypt0r 2.0, is most likely spreading to so many computers by using an exploit from the Equation Group, a group that is widely suspected of being tied to the NSA.
As well as being seen in the UK, the ransomware has appeared in hundreds of countries around the world. CCN-CERT, the Spanish computer emergency response organisation, issued an alert saying it had seen a "massive attack of ransomware" from WannaCry, a version of Wanna Decryptor.
The vulnerability (MS17-010) is specific to Microsoft Windows and can affect Windows Vista, 7, 8, 10, XP and versions of the Windows Server software. Microsoft initially announced the vulnerability on March 14 and recommended users patch their devices.
Microsoft fixed MS17-010 in its March release, but it is likely the organisations affected had not patched their devices before the spread of the malware. As reported by Ars Technica and other organisations, the exploit for MS17-010, known as "EternalBlue", was linked to the Shadow Brokers group.
Has Microsoft fixed the problem?
Following
the global attack, Microsoft took the unusual step of issuing a fix for
versions of Windows it had previously “retired”; those no longer
supported by the company. This included Windows XP. Windows XP is still
in use on PCs, including many used by the NHS, leaving users exposed.
Anyone using Windows XP should update their system to the latest version
as soon as possible.
In a statement, Microsoft's president and
chief legal officer Brad Smith said this attack "provides yet another
example of why the stockpiling of vulnerabilities by governments is such
a problem."
"We have seen vulnerabilities
stored by the CIA show up on WikiLeaks, and now this vulnerability
stolen from the NSA has affected customers around the world," he
continued. "Repeatedly, exploits in the hands of governments have leaked
into the public domain and caused widespread damage. This most recent
attack represents a completely unintended but disconcerting link between
the two most serious forms of cybersecurity threats in the world today –
nation-state action and organised criminal action."
How bad is Wanna Decryptor?
Rohyt
Belani, CEO of PhishMe told WIRED Wanna Decryptor is "the atom bomb of
ransomware," describing it as a dramatic shift from the typical impact
of ransomware in previous attacks.
How did Wanna Decryptor spread?
While the source of infection has not yet been confirmed, Belani said almost all attacks have been delivered via phishing email.
"This is the second time in two weeks we’ve seen nefarious activities
propagating in a worm-like fashion, which may be a sign of things to
come," Belani warned.
PhishMe co-founder and CTO Aaron Higbee added he believes ransomware "actors" are in a retooling stage. "These attacks confirm that theory, and as malware authors change their tactics, responders will need to be vigilant to follow suit," Belani continued.
Malwarebytes has a detailed technical analysis of how the Wanna Decryptor worm spreads.
Is there a way to stop its spread?
Despite the global spread of Wanna Decryptor, there has been an 'accidental' slowdown in the rate of new infections. Within the malware's code is a long, unregistered domain name that effectively acts as a 'kill switch'. Security researcher @malwaretechblog discovered the domain name when inspecting the malware's code and registered it.
During its execution, the malicious code looks up the domain name and only continues if the lookup fails; once the domain name was registered and Wanna Decryptor could resolve it, it stopped spreading. The researcher behind the discovery said he was not certain at the time that buying the domain name would slow the spread.
Registering the domain name came too late for those who had already been infected with the malware, but activating the kill switch helped to slow its spread. There is, however, the possibility that different variants of the malware (with different kill switches) exist or could be developed by attackers.
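A defender's use of the kill-switch behaviour just described: any host that looked up the kill-switch domain has already executed the malware, whether or not the lookup succeeded, so those DNS queries are an infection indicator even after spreading has stopped. The following PowerShell is an added example, not code from the article or from any of the researchers it cites. It scans constructed resolver log lines (a made-up format: date, time, client IP, query type, query name) for lookups of a placeholder domain, because the real kill-switch domain is not given on this page, and reports each client with its first lookup time and lookup count.

```powershell
# Added example, not from the article. Log format and domain are constructed placeholders.
# Line layout assumed: <date> <time> <client-ip> <qtype> <qname>
$SampleDnsLog = @'
2017-05-12 10:03:11 10.0.4.17 A files.intranet.example
2017-05-12 10:03:12 10.0.4.17 A www.killswitch-placeholder.invalid
2017-05-12 10:03:40 10.0.7.9 A update.vendor.example
2017-05-12 10:04:02 10.0.7.9 A www.killswitch-placeholder.invalid.
2017-05-12 10:04:05 10.0.9.21 A mail.intranet.example
2017-05-12 10:05:30 10.0.4.17 A www.killswitch-placeholder.invalid
'@ -split '\r?\n'

# Replace with the real kill-switch domain(s) from a trusted advisory; variants used different ones.
$KillSwitchDomains = @('www.killswitch-placeholder.invalid')

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string[]]$Domains
    )
    # Normalise case and trailing dot so "Example.Test." and "example.test" compare equal
    $wanted = $Domains | ForEach-Object { $_.ToLowerInvariant().TrimEnd('.') }

    $hits = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }                 # skip blank or malformed lines
        $qname = $f[4].ToLowerInvariant().TrimEnd('.')
        if ($wanted -contains $qname) {
            [PSCustomObject]@{ Time = "$($f[0]) $($f[1])"; Client = $f[2]; Query = $qname }
        }
    }

    # One row per client: first lookup time and how many lookups were seen
    $hits | Group-Object Client | ForEach-Object {
        [PSCustomObject]@{
            Client    = $_.Name
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Lookups   = $_.Count
        }
    }
}

Find-KillSwitchLookups -Lines $SampleDnsLog -Domains $KillSwitchDomains | Format-Table -AutoSize
```

On the sample data this lists 10.0.4.17 (two lookups) and 10.0.7.9 (one lookup); both hosts should be triaged as having run the malware. Because variants with different or no kill switch exist, an empty result only means no lookups of the listed domains were seen, not that the network is clean.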
Is the ransomware back in a new form?
Since
@malwaretechblog enabled the "kill switch" in the first version of the
Wanna Decryptor malware, there has been speculation another version
could be created with a different (or worryingly, no) URL. There have
been claims multiple variants of the malware have been seen. For
example, security company Rendition Infosec has claimed it has seen a variation of Wanna Decryptor that doesn't have a kill switch.
"If
you were counting on the kill switch being activated to save your
network, we have unfortunate news for you: that approach isn’t going to
work anymore," the firm says in a blog post. Bitdefender
also says it has seen the same version of the malware that does not
contain a kill switch. Its own blog post says "it was only a matter of
time until a newer version would emerge bypassing" the kill switch.
Separately, security researcher Matthieu Suiche has registered a second kill switch found in one version of the malware and says it has stopped around 10,000 machines from being infected.
Getting your files back
At last year's WIRED Security conference, negotiator Moty Cristal explained ransomware
can be easily bought on the darknet, which makes these kinds of attacks
common: according to security firm Malwarebytes, 40 per cent of
companies worldwide have been targeted by it as of August 2016.
When ransomware is involved, Cristal said, "managing the human factor is key to overcoming a cyber crisis."
"[Hackers] are serious, professional people with a criminal code of ethics," Cristal said. This means negotiations are key to getting files back.
"60 per cent of negotiation failures can be attributed to the gap
between the negotiator and the decision maker," continued Cristal.
“On
the bright side, it’s easy to protect yourself: when you have a very
structured discipline of data backup it’s easy to deal with ransomware.”
Otherwise, paying is often the only way out. Ransomware criminals tend to decrypt data after payment; still, that comes at a cost. "If you pay, you'll enter a sort of blacklist of people who pay and can be targeted again," said Cristal. "The thought process is that once you pay you'll always pay."
The safest way to protect yourself is to avoid clicking
links from unknown sources. Security experts have strongly recommended
all Windows users fully update their system with the latest available
patches.
"It is critical you install all available OS updates to
prevent getting exploited by the MS17-010 vulnerability," added
Malwarebytes. Any systems running a Windows version that did not receive
a patch for this vulnerability should be removed from all networks.
Additionally, any systems affected by this attack will have the DOUBLEPULSAR backdoor installed, and this will need to be removed. Certain anti-virus products, including Malwarebytes, protect against this backdoor, but a script is also available that can remotely detect and remove it.
It is also possible to disable the SMBv1 file-sharing protocol, which the worm component of the malware was using to spread across networks.
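The patch, isolate and disable-SMBv1 advice above, turned into a host check. This is an added example, not code from the article, Malwarebytes or Microsoft. It assumes a Windows 8.1/10 or Server 2012+ host where the SMB and DISM cmdlets exist (the registry fallback also covers Windows 7 / Server 2008 R2), and the KB list is a partial one that is my assumption: complete it from Microsoft's MS17-010 bulletin for the Windows versions in use. Detecting DOUBLEPULSAR is not covered here.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# Partial list of MS17-010 update IDs (assumption: extend it from the Microsoft bulletin for your OS versions).
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215')

function Test-Ms17010Patch {
    # Get-HotFix lists installed updates. On Windows 10 later cumulative updates supersede the
    # March ones, so no match means "unknown", not proof that the host is vulnerable.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    $status = 'Unknown - verify against the MS17-010 bulletin'
    if ($matched.Count -gt 0) { $status = 'Patched' }
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        MatchedKBs   = $matched
        Status       = $status
    }
}

function Get-Smb1State {
    # Server-side SMBv1 switch: this is the side the worm's exploit talks to.
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Optional-feature state covers the client and driver as well.
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    [PSCustomObject]@{ ServerEnabled = $server; FeatureState = $feature }
}

function Disable-Smb1 {
    # Cmdlet path for Windows 8.1/10 and Server 2012+
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    # Registry value that also works on Windows 7 / Server 2008 R2 (takes effect after a restart)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name 'SMB1' -Type DWord -Value 0 -Force
}

$patch = Test-Ms17010Patch
$patch
Get-Smb1State
if ($patch.MatchedKBs.Count -eq 0) {
    Write-Warning 'MS17-010 not confirmed installed: isolate this host from the network until it is patched.'
}
# Call Disable-Smb1 once you have confirmed nothing on the host still depends on SMBv1 (old NAS boxes, printers, scanners).
```

Run the check first and only then call Disable-Smb1; disabling the server side of SMBv1 is what removes the worm's entry point, while the optional-feature and registry changes need a restart to fully take effect.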