SCF Advanced Search


Members
Stats
  • Total Posts: 32066
  • Total Topics: 9692
  • Online Today: 1423
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)











Author Topic: New WanaCrypt0r ransomeware spreading at an alarming rate  (Read 946 times)

0 Members and 1 Guest are viewing this topic.


Samker's Computer Forum - SCforum.info

Sponsored Links:




Samker

  • SCF Administrator
  • *****
  • Posts: 7456
  • KARMA: 312
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Pal,
Thank you very much for the heads-up :up: , I suppose that this is IT World news No1. these days.

---

More info about developing situation - "'Accidental hero' halts ransomware attack and warns: this is not over": https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

Quote
Expert who stopped spread of attack by activating software’s ‘kill switch’ says criminals will ‘change the code and start again’


The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting: https://twitter.com/MalwareTechBlog , with the help of Darien Huss from security firm Proofpoint: https://twitter.com/darienhuss , found and inadvertently activated a “kill switch” in the malicious software.

Disruption from cyber-attack to last for days, says NHS Digital – as it happened
British prime minister thanks NHS staff for working overnight after attack of ‘unprecedented’ scale
 Read more
The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos logic, an LA-based threat intelligence company.

“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.

MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an “emotional rollercoaster”.

“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it,” he said.

MalwareTech said he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”

He also said he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.

He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.

“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”

But the dark knight of the dark web still lives at home with his parents, which he joked was “so stereotypical”. His mum, he said, was aware of what had happened and was excited, but his dad hadn’t been home yet. “I’m sure my mother will inform him,” he said.

“It’s not going to be a lifestyle change, it’s just a five-minutes of fame sort of thing. It is quite crazy, I’ve not been able to check into my Twitter feed all day because it’s just been going too fast to read. Every time I refresh it it’s another 99 notifications.”

Proofpoint’s Ryan Kalember said the British researcher gets “the accidental hero award of the day”. “They didn’t realise how much it probably slowed down the spread of this ransomware”.

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA): https://www.theguardian.com/technology/2016/aug/16/shadow-brokers-hack-auction-nsa-malware-equation-group

Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows: https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20
Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

“This was eminently predictable in lots of ways,” said Kalember. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.


---

For the end, one more important thing... "Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement: “We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here:http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

---

Protect yourselves !!! :police:

CRU

  • SCF Newbie
  • *
  • Posts: 8
  • KARMA: 4
  • Gender: Male
Re: New WanaCrypt0r ransomeware spreading at an alarming rate
« Reply #2 on: 16. May 2017., 01:43:30 »
Thanks for the link to the KB, Samker.  Boss man had us proactively working on this today.  The KB install doesn't appear when checking for new updates on Server 2003.  Had to install it manually.  One good thing that came out of this is he realized just how many servers need to be updated or replaced.  He thought there was only a handful.  It's closer to 50.

Samker

  • SCF Administrator
  • *****
  • Posts: 7456
  • KARMA: 312
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: New WanaCrypt0r ransomeware spreading at an alarming rate
« Reply #3 on: 17. May 2017., 20:15:58 »
Thanks for the link to the KB, Samker.  Boss man had us proactively working on this today.  The KB install doesn't appear when checking for new updates on Server 2003.  Had to install it manually.  One good thing that came out of this is he realized just how many servers need to be updated or replaced.  He thought there was only a handful.  It's closer to 50.

You're welcome Pal... maybe your boss will conclude now that it's time for a raise of wage. :)

A41202813GMAIL

  • SCF VIP Member
  • *****
  • Posts: 504
  • KARMA: 32
  • Gender: Male
  • XPOCALYPSE FOREVER !
RANSOMWARE.
« Reply #4 on: 17. May 2017., 23:03:26 »
( This Rant Is Not Intended For The Casual User )

---

I Do Not Get It Why People Are So Freaked Out About Any Type Of RansomWare - I Really Do Not.

What Is The Difference Between RansomWare And Your Hard Drive Suddenly Being Damaged Beyond Any Kind Of Recovery ? - Absolutely Freaking None.

Either You Have Several External Complete Backups Of Everything You Own, Or You Do Not.

Any Company ( And Their Respective IT Personnel ) That Do(es) Not Take Backups Seriously, Deserve(s) To Be Out Of Business, Period.

Good Riddance.

---

Samker

  • SCF Administrator
  • *****
  • Posts: 7456
  • KARMA: 312
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: New WanaCrypt0r ransomeware spreading at an alarming rate
« Reply #5 on: 27. May 2017., 21:47:16 »
FYI, "WannaCry Ransomware Decryption Tool Released": http://scforum.info/index.php?topic=13320.0

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising