The WannaCry ransomware attack - one of the largest ever cyber attacks - appeared to be slowing around 24 hours after it wreaked havoc and shut down tens of ...
WannaCry ransomware attack
From Wikipedia, the free encyclopedia

[Image: screenshot of the ransom note left on an infected system]

| Date | 12 May 2017–present |
| Location | Worldwide |
| Also known as | WannaCrypt, WanaCrypt0r, WCRY |
| Type | Cyber-attack |
| Theme | Ransomware encrypting hard disk with $300 – $1200 demand |
| Cause | EternalBlue exploit |
| Outcome | Over 200,000 victims and more than 230,000 computers infected[1][2] |
WannaCry (or WannaCrypt,[3] WanaCrypt0r 2.0,[4][5] Wanna Decryptor[6]) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack was launched using it, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency Bitcoin in 28 languages.[7] The attack has been described by Europol as unprecedented in scale.[8]
The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain's National Health Service (NHS),[9] FedEx, Deutsche Bahn, and LATAM Airlines.[10][11][12][13] Other targets in at least 99 countries were also reported to have been attacked around the same time.[14][15]
Like previous ransomware, the attack spreads by phishing emails,[16] but it also uses the EternalBlue exploit developed by the U.S. National Security Agency (NSA)[17][18] to spread through any network that has not installed recent security updates, directly infecting exposed systems.[5][19] A "critical" patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems,[20] but many organizations had not yet applied it.[21]
Those still running exposed older, unsupported operating systems, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft has now taken the unusual step of releasing updates for these.[3][22]
Shortly after the attack began, a web security researcher known by his Twitter account MalwareTech found an effective kill switch which slowed the spread of infection, but new versions have now been detected that lack the kill switch.[23][24][25][26][27]
Background
The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017,[28] along with other tools apparently leaked from Equation Group, believed to be part of the United States National Security Agency.[29][30]
EternalBlue exploits vulnerability MS17-010[20] in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft had released a "Critical" advisory, along with an update patch to plug the vulnerability, a month before, on 14 March 2017.[20] This patch fixed several client versions of the Microsoft Windows operating system, including Windows Vista onwards (with the exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older Windows XP, according to Microsoft.[20] According to Dona Sarkar, head of the Windows Insider Program at Microsoft, Windows 10 was not affected;[31] however, IT writer Woody Leonhard questioned whether this is the case for all Windows 10 systems, or only for builds 14393.953 and later.[32]
Starting from 21 April 2017, security researchers began reporting that computers with the DoublePulsar backdoor installed numbered in the tens of thousands.[33] By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day.[34][35] Apparently DoublePulsar was used alongside EternalBlue in the attack.[36][37]
Attack
[Map: Countries initially affected][38]
On 12 May 2017, WannaCry began affecting computers worldwide.[39] The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack.[40] When executed, the malware first checks the "kill switch" domain name[a]. If it is not found, the ransomware encrypts the computer's data,[41][42][43] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[44] and "laterally" to computers on the same network.[45]
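The spreading behaviour just described leaves a recognisable trace in ordinary firewall or flow logs: one host opening TCP/445 connections to many distinct destinations, internal and public alike, in a short span. The following detector is an added example, not code from the article or from any of the researchers it cites; the log lines and the 10.0.0.0/8 "internal" range are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection log (not from the article): one outbound TCP
# connection attempt per line, as a perimeter firewall or flow exporter might log it.
SAMPLE_LOG = """\
2017-05-12T10:00:01Z src=10.0.0.5 dst=10.0.0.7 dport=445 action=allow
2017-05-12T10:00:01Z src=10.0.0.5 dst=10.0.0.8 dport=445 action=allow
2017-05-12T10:00:02Z src=10.0.0.5 dst=10.0.0.9 dport=445 action=allow
2017-05-12T10:00:02Z src=10.0.0.5 dst=203.0.113.17 dport=445 action=deny
2017-05-12T10:00:03Z src=10.0.0.5 dst=198.51.100.42 dport=445 action=deny
2017-05-12T10:00:03Z src=10.0.0.5 dst=192.0.2.200 dport=445 action=deny
2017-05-12T10:00:04Z src=10.0.0.12 dst=10.0.0.1 dport=445 action=allow
2017-05-12T10:00:05Z src=10.0.0.12 dst=10.0.0.1 dport=445 action=allow
2017-05-12T10:00:06Z src=10.0.0.20 dst=93.184.216.34 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
# Assumed address space of the organisation's own network (constructed value).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def find_smb_spreaders(log_text, min_targets=5, internal_nets=INTERNAL_NETS):
    """Return {src: {"internal": n, "external": m}} for every source that tried
    TCP/445 to at least min_targets distinct destinations. Denied attempts count
    too: the scanning itself is the signal. Repeated connections to one file
    server (10.0.0.12 above) never reach the threshold; a fan-out across many
    hosts, especially public ones, matches the worm behaviour described."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(3) != "445":
            continue
        targets[m.group(1)].add(m.group(2))

    findings = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        internal = sum(1 for d in dsts
                       if any(ipaddress.ip_address(d) in net for net in internal_nets))
        findings[src] = {"internal": internal, "external": len(dsts) - internal}
    return findings

if __name__ == "__main__":
    for src, counts in find_smb_spreaders(SAMPLE_LOG).items():
        print(f"{src}: {counts['internal']} internal, {counts['external']} external SMB targets")
```

On the sample log only 10.0.0.5 is flagged (three internal and three public targets); the threshold and internal ranges should be tuned to the environment's normal SMB fan-out.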
As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days or $600 within seven days.[42][46]
The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[20] nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.[47][48]
Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.[47] Initially, any organization still running the older Windows XP[49] was at particularly high risk because no security patches had been released since April 2014.[3][50] However, after the outbreak, Microsoft released a security patch for Windows XP on 13 May 2017, the day after the attack launched.[3]
According to Wired, affected systems will also have had the DoublePulsar backdoor installed; this will also need to be removed when systems are decrypted.[6]
Ken Collins of Quartz wrote on May 12 that three or more hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown. To track the ransom payments in real time, a Twitterbot that watches each of the three wallets has been set up.[51] As of 15 May 2017 at 11 AM, a total of 214 payments totaling nearly $56,000 had been transferred.[52][53][54]
Variant
On May 14, two additional variants were released by the malware authors. One of these variants had a new kill switch which was quickly registered, while the other had no kill switch but had a corrupted payload preventing encryption of files.[55]
Impact
The ransomware campaign was unprecedented in scale according to Europol.[8] The attack affected many National Health Service hospitals in England and Scotland,[56] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[57] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[11][58] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[49] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[9][11]
Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[59][60]
The attack's impact could have been much worse had an anonymous security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators.[61][62]
Cybersecurity expert Ori Eisen from AdTruth said that the attack appears to be "low-level" stuff, given the ransom demands of $300, and stated that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.[63][64]
List of affected organizations
Defensive response
Several hours after the initial release of the ransomware on 12 May 2017, a researcher who blogs under the name MalwareTech[94] discovered what amounted to a "kill switch" hardcoded in the malware while trying to establish the size of the attack.[95][96][97] Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere. Analysis of the kill switch suggested that it may in fact be a bug in the malware whose code was originally intended to make the attack harder to analyse.[98][99][100][101]
However, for the kill switch to work, the domain needs to be available locally and the response must be able to reach the malware; some network configurations may prevent this.[102]
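A defender can verify from a given network segment whether both conditions just stated hold: the kill-switch domain from note [a] resolves, and a direct HTTP request to it gets a response back. The check below is an added example, not the article's own or MalwareTech's code; it assumes the malware's probe is a plain, unproxied HTTP GET, and its resolver and fetcher are injectable so the logic can be exercised without network access.

```python
import http.client
import socket

# Kill-switch domain as given in the article's note [a].
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

def resolve_direct(domain):
    """Resolve via the host's configured DNS; None if the name is blocked or unknown."""
    try:
        return socket.gethostbyname(domain)
    except OSError:
        return None

def fetch_direct(ip, host, timeout=5.0):
    """Plain HTTP GET straight to the resolved address (no proxy, assumed to match
    the malware's probe); returns the status code, or None if the connection is
    refused, dropped or times out."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()

def kill_switch_status(domain=KILL_SWITCH_DOMAIN, resolve=resolve_direct, fetch=fetch_direct):
    """Report which of the two conditions hold from this host: the domain resolves
    locally, and a direct HTTP response comes back to the requester."""
    ip = resolve(domain)
    if ip is None:
        return {"resolves": False, "responds": False,
                "verdict": "DNS does not resolve: kill switch cannot trigger here"}
    status = fetch(ip, domain)
    if status is None:
        return {"resolves": True, "responds": False,
                "verdict": "resolves but no direct HTTP response: kill switch ineffective"}
    return {"resolves": True, "responds": True,
            "verdict": "kill switch reachable (HTTP %d)" % status}

if __name__ == "__main__":
    print(kill_switch_status())
```

Run from a representative host on each segment (not just an administrator's workstation), since a DNS block or proxy-only egress on one VLAN is exactly the configuration that leaves the kill switch ineffective there.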
Microsoft released a statement recommending users install update MS17-010 to protect themselves against the attack. The update was originally released in March 2017.[103] In an unusual move, the company also created security patches for several now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.[3]
Reactions
Several experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened".[104] British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services". According to him and others, "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries' citizens.[105]
Others commented that this attack shows that the practice of intelligence agencies stockpiling exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[62]
Microsoft president Brad Smith wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."[106][107]
Richard Jameson from IT security firm InfoTech Legal confirms that this is not a targeted attack on the NHS; all organisations are at risk, and the NHS is just an ill-prepared, high-profile victim.
Arne Schönbohm, President of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is. It's a wake up call for companies to finally take IT-security [seriously]".[48]
Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies" and noted that "there's no assurance that even if the government reveals a vulnerability people are going to move quickly enough to make and apply the patch".[62]
In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".[62]
According to James Scott from the Institute of Critical Infrastructure Technology, ransomware emerged "as an epidemic" in 2016, with the healthcare sector being particularly vulnerable. He stated that "the staff have no cyber-hygiene training, they click on phishing links all the time. The sad thing is they weren't backing up their data properly either, so that's a big problem. They should be doing that all the time." He also noted that "you're only as strong as your weakest link within your organisation from a cyber-perspective".[108]
To the contrary, healthcare insiders contend that Microsoft is viewed internally as just another sick patient, insensitive to anyone's needs but its own. Because healthcare is ETL-intensive, they argue, software updates neuter their macros and interfere with their applications, causing system tools and complex overlapping algorithms to malfunction; their reluctance to apply software updates is therefore well founded, and they are quite correct in admonishing their IT professionals to adopt a conservative approach, leaving well enough alone and forgoing updates when their automation seems to function just right.
British Prime Minister Theresa May said of the ransomware, "This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected."[109] However, writing in The Guardian, technology expert Charles Arthur said that the effects of the hack were exacerbated by Conservative Party under-funding of the NHS as part of the government's austerity measures, in particular the Department of Health's refusal to pay extra to Microsoft to keep protecting outdated Windows XP systems from such attacks.[110] Home secretary Amber Rudd refused to say whether patient data had been backed up, and shadow health secretary Jon Ashworth accused health secretary Jeremy Hunt of refusing to act on a critical note from Microsoft two months previously, as well as other warnings from the National Cyber Security Centre (NCSC) and National Crime Agency.[111] On 14 May 2017 the NCSC updated its latest guidance on dealing with ransomware attacks.[112]
In the attack some see a dramatic demonstration of the value of having good, secure backups and good cyber-security, including having the latest security patches installed.[113]
Notes
- [a] www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com