Monday, May 15, 2017

Wanna Cry 2.0 is called Wanna Decryptor which has no "Kill Switch" no way to turn it off

  1. begin quote from:

    Wanna Decryptor wncry ransomware latest: hack explained ...

    www.wired.co.uk/article/wanna-decryptor-ransomware
    Wanna Decryptor 2.0 (wana decryptor/wncry), linked to NHS cyber attack was fixed with MS17-010 patch but may have mutated
  2. WCry or Wanna Decryptor - arstechnica.co.uk

    arstechnica.co.uk/security/2017/05/what-is-wanna<...
    A highly virulent new strain of self-replicating ransomware known as Wanna Decryptor, Wannacry, or Wcry, is shutting down computers all over the world, in part by ...
  3. Wanna Decryptor — Krebs on Security

    krebsonsecurity.com/tag/wanna-decryptor
    On Friday, May 12, countless organizations around the world began fending off attacks from a ransomware strain variously known as WannaCrypt, WanaDecrypt and Wanna.Cry.
  4. How I accidentally stopped a global Wanna Decryptor ...

    arstechnica.com/information-technology/2017/05/...
    Technology Lab — How I accidentally stopped a global Wanna Decryptor ransomware attack A British security researcher found and pulled WannaCrypt's kill switch. 

    Wanna Decryptor ransomware appears to be spawning and this time it may not have a kill switch

    Wanna Decryptor ransomware, also known as wncry, is said to have been responsible for the recent NHS cyber attack

    NHS Digital recently confirmed that the recent NHS cyberattack used the Wanna Decryptor ransomware to infect the systems of as many as 40 UK hospitals.
    This software is believed to have used tools stolen by the National Security Agency to exploit a flaw in Microsoft Windows.
    Ransomware Trojans are a type of malware designed to extort money from victims by holding files or entire computers to ransom.
    The ransomware typically demands payment to undo changes that the Trojan virus has made to the victim’s computer, which range from encrypting data stored on the victim’s disk to blocking normal access.

    Wanna Decryptor

    Wanna Decryptor is a so-called encryption-based ransomware, also known as WannaCry or WCRY, Travis Farral, director of security strategy for Anomali, told WIRED.
    It encrypts users' files using the AES and RSA encryption ciphers, meaning the hackers can decrypt the files directly using a unique decryption key.
    In previous Wanna Decryptor attacks, victims have been sent ransom notes with "instructions" in the form of !Please Read Me!.txt files, linking to ways of contacting the hackers. Wanna Decryptor changes the computer's wallpaper to messages asking the victim to download the decryptor from Dropbox, then demands a payment of hundreds in bitcoin before it will work.
    Put more simply, once inside the system Wanna Decryptor creates encrypted copies of specific file types before deleting the originals, leaving the victims with the encrypted copies, which can't be accessed without a decryption key. Wanna Decryptor additionally increases the ransom amount, and threatens loss of data, at a predetermined time, creating a sense of urgency and greatly improving the chances victims will pay the ransom.
    It is unclear how the Wanna Decryptor ransomware infected the NHS systems, but it can spread through phishing emails or after visiting a website containing a malicious program. According to Avast, Wanna Decryptor, or WanaCrypt0r 2.0, is most likely spreading to so many computers by using an exploit linked to the Equation Group, a group that is widely suspected of being tied to the NSA.

    How is the NSA involved?

    For several months, the Shadow Brokers hacking group, which obtained files from the NSA, has been releasing parts of the agency's hacking tools.
    As well as the ransomware being seen in the UK, it has appeared in hundreds of countries around the world. CCN-CERT, the Spanish computer emergency response organisation, issued an alert saying it had seen a "massive attack of ransomware" from WannaCry – a version of Wanna Decryptor.
    The vulnerability (MS17-010) is linked to Microsoft machines and can affect Windows Vista, 7, 8, 10, XP and versions of the Windows Server software. Microsoft initially announced the vulnerability on March 14 and recommended users patch their devices.
    Microsoft fixed MS17-010 in its March release, but it is likely the organisations affected did not patch their devices before the spread of the malware. As reported by Ars Technica and other organisations, the MS17-010 exploit, also known as "EternalBlue", was linked to the Shadow Brokers group.

    Has Microsoft fixed the problem?

    Following the global attack, Microsoft took the unusual step of issuing a fix for versions of Windows it had previously “retired”; those no longer supported by the company. This included Windows XP. Windows XP is still in use on PCs, including many used by the NHS, leaving users exposed. Anyone using Windows XP should update their system to the latest version as soon as possible.
    In a statement, Microsoft's president and chief legal officer Brad Smith said this attack "provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem."
    "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," he continued. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organised criminal action."

    How bad is Wanna Decryptor?

    Rohyt Belani, CEO of PhishMe told WIRED Wanna Decryptor is "the atom bomb of ransomware," describing it as a dramatic shift from the typical impact of ransomware in previous attacks.

    How did Wanna Decryptor spread?

    While the source of infection has not yet been confirmed, Belani said almost all attacks have been delivered via phishing email. "This is the second time in two weeks we’ve seen nefarious activities propagating in a worm-like fashion, which may be a sign of things to come," Belani warned.

    PhishMe co-founder and CTO Aaron Higbee added that he believes ransomware "actors" are in a retooling stage. "These attacks confirm that theory, and as malware authors change their tactics, responders will need to be vigilant to follow suit," Belani continued.
    Malwarebytes has a detailed technical analysis of how the Wanna Decryptor worm spreads.

    Is there a way to stop its spread?

    Despite the global spread of Wanna Decryptor, there has been an 'accidental' slowdown in the number of new infections. Within the malware's code is a long URL that effectively acts as a 'kill switch'. Security researcher @malwaretechblog discovered the domain name when inspecting the malware's code and registered it.
    During its execution, the malicious code would look up the domain name and only continue to work if it wasn't live; once the domain name was activated and detected by Wanna Decryptor, it would stop spreading. The researcher behind the discovery said he was not certain at the time that buying the domain name would slow the spread.
    Registering the domain name came too late for those who had already been infected with the malware, but activating the kill switch helped to slow its spread. There is, however, the possibility that different variants of the malware (with different kill switches) exist or could be developed further by attackers.
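    The kill-switch behaviour described above gives defenders two straightforward checks, shown here as an added PowerShell example that is not code from the WIRED article or from the researcher: which internal hosts have looked up the kill-switch domain (a host that queries it is a host executing the malware, whether or not the lookup succeeded), and whether that domain actually resolves and answers from your network, since a resolver or proxy that blocks it silently removes the protection. The domain name is not given on this page, so `killswitch-domain-placeholder.example` is a placeholder to be replaced with the published domain, and the log line format and sample lines are constructed for the example.

```powershell
# Added example, not from the WIRED article. Two defender-side checks around the
# WannaCry kill-switch domain. The real domain is not named on this page; the
# value below is a placeholder to be replaced with the published domain.
$KillSwitchDomain = 'killswitch-domain-placeholder.example'

function Find-KillSwitchLookups {
    # Flag DNS query log lines in which a client looked up the kill-switch domain.
    # Line shape assumed here (constructed for this example, not a real log format):
    #   <timestamp> <client-ip> QUERY <queried-name>
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $Domain = $KillSwitchDomain
    )
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+QUERY\s+(?<name>\S+)'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            # Trailing dot (FQDN form) and case differences are not significant in DNS.
            if ($Matches.name.TrimEnd('.') -ieq $Domain) {
                [pscustomobject]@{
                    Timestamp = $Matches.ts
                    Client    = $Matches.client
                    Query     = $Matches.name
                }
            }
        }
    }
}

function Test-KillSwitchReachable {
    # The malware kept spreading only when its request to this domain failed, and it
    # connected directly rather than through a proxy. A host from which the name does
    # not resolve, or port 80 is unreachable, gets no protection from the kill switch.
    param([string] $Domain = $KillSwitchDomain)
    $resolves = $false
    try {
        $null = Resolve-DnsName -Name $Domain -ErrorAction Stop
        $resolves = $true
    } catch { }
    $tcp = $false
    if ($resolves) {
        $tcp = Test-NetConnection -ComputerName $Domain -Port 80 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Domain          = $Domain
        Resolves        = $resolves
        Port80Reachable = [bool]$tcp
    }
}

# Constructed sample log lines: two hosts queried the placeholder domain.
$sampleLog = @(
    '2017-05-12T11:03:22Z 10.0.5.17 QUERY killswitch-domain-placeholder.example.',
    '2017-05-12T11:03:23Z 10.0.5.17 QUERY update.microsoft.com.',
    '2017-05-12T11:04:01Z 10.0.8.44 QUERY KILLSWITCH-DOMAIN-PLACEHOLDER.example.'
)
Find-KillSwitchLookups -LogLines $sampleLog | Format-Table -AutoSize
Test-KillSwitchReachable
```

    Run `Find-KillSwitchLookups` over exported resolver logs to build the list of hosts to isolate and clean; run `Test-KillSwitchReachable` from a representative workstation on each network segment, not from the administrator's own machine, because the proxy and egress rules that matter are the ones applied to ordinary clients.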

    Is the ransomware back in a new form?

    Since @malwaretechblog enabled the "kill switch" in the first version of the Wanna Decryptor malware, there has been speculation another version could be created with a different (or worryingly, no) URL. There have been claims multiple variants of the malware have been seen. For example, security company Rendition Infosec has claimed it has seen a variation of Wanna Decryptor that doesn't have a kill switch.
    "If you were counting on the kill switch being activated to save your network, we have unfortunate news for you: that approach isn’t going to work anymore," the firm says in a blog post.
    Bitdefender also says it has seen the same version of the malware that does not contain a kill switch. Its own blog post says "it was only a matter of time until a newer version would emerge bypassing" the kill switch.
    Separately, security researcher Matthieu Suiche has registered a second kill switch found in one version of the malware and says it has stopped around 10,000 machines from being infected.

    Getting your files back

    At last year's WIRED Security conference, negotiator Moty Cristal explained ransomware can be easily bought on the darknet, which makes these kinds of attacks common: according to security firm Malwarebytes, 40 per cent of companies worldwide have been targeted by it as of August 2016.
    When ransomware is involved, Cristal said, "managing the human factor is key to overcoming a cyber crisis."
    "[Hackers] are serious, professional people with a criminal code of ethics". This means negotiations are key to getting files back. "60 per cent of negotiation failures can be attributed to the gap between the negotiator and the decision maker," continued Cristal.
    “On the bright side, it’s easy to protect yourself: when you have a very structured discipline of data backup it’s easy to deal with ransomware.” Otherwise, paying is often the only way out. Ransomware criminals tend to decrypt data after payment; still, that comes at a cost. “If you pay, you’ll enter a sort of blacklist of people who pay and can be targeted again,” said Cristal. “The thought process is that once you pay you’ll always pay.”

    How to protect yourself?

    Avast said it detects all known versions of WanaCrypt0r 2.0, as does other anti-virus software.
    The safest way to protect yourself is to avoid clicking links from unknown sources. Security experts have strongly recommended all Windows users fully update their system with the latest available patches.
    "It is critical you install all available OS updates to prevent getting exploited by the MS17-010 vulnerability," added Malwarebytes. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks.
    Additionally, any systems affected by this attack will have the DOUBLEPULSAR backdoor installed, and this will need to be removed. Certain anti-virus products, including Malwarebytes, protect against this backdoor, and a script is also available that can remotely detect and remove it.
    It is also possible to disable the SMB1 file-sharing protocol, which the worm component of the malware was using to spread across networks.
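    The three host-level measures in this section (confirm the MS17-010 patch is present, take unpatchable systems off the network, and disable SMB1) can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not code from the WIRED article, Microsoft or Malwarebytes. The hotfix IDs it looks for are this example's assumption (the page lists none) and should be confirmed against Microsoft's MS17-010 bulletin for each OS version; on Windows 10 the March 2017 cumulative update supersedes them, so a "not patched" result there is not conclusive on its own. The registry path used for Windows 7 / Server 2008 R2 is Microsoft's documented SMB1 switch for those versions.

```powershell
# Added example, not from the WIRED article: audit MS17-010 patch state and SMBv1
# on the local host, and optionally disable SMBv1. Run elevated.

function Test-MS17010Hotfix {
    # Assumed hotfix IDs for MS17-010 (verify against the bulletin):
    # Win7/2008R2, Win8.1/2012R2, Server 2012, and the out-of-band
    # XP/Vista/2003/8 patch mentioned in the article. Windows 10 receives the
    # fix through a cumulative update that does not carry these IDs.
    $kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
           'KB4012214', 'KB4012217', 'KB4012598'
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $kbs -contains $_.HotFixID })
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Patched   = ($installed.Count -gt 0)
        HotFixIDs = @($installed | ForEach-Object { $_.HotFixID })
    }
}

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 registry value controls it, and an
    # absent value means enabled (the default).
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        return
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Value 0 -Type DWord
    }
    # On Windows 8.1 / 10 the SMB1 optional feature can be removed as well;
    # ignored where the feature name does not exist.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Output "SMBv1 disabled on $env:COMPUTERNAME; a reboot completes the change."
}

# Report first; apply only after reviewing the result.
Test-MS17010Hotfix
"SMBv1 enabled: $(Get-Smb1Enabled)"
# Preview:  Disable-Smb1 -WhatIf
# Apply:    Disable-Smb1
```

    A host that reports `Patched = False` and cannot be updated is the case the text says to take off the network; disabling SMB1 on it reduces exposure but does not replace isolation, because the vulnerable SMB code is still present.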
    Want to know more about the cyber threats of the future? WIRED Security 2017 returns to London on September 28 to discuss the latest innovations, trends and threats in enterprise cyber defence, security intelligence and cybersecurity. Join us at King’s Place by booking your tickets today.
