- ‘Targeted attack gone wrong’: Was the WannaCry ransomware epidemic an accident?:
The ransomware attack targeting global hospitals, governments and telecoms using a leaked National Security Agency (NSA) exploit may be the result of a “targeted attack gone horribly wrong”, according to a team of well-regarded security researchers. Experts from Recorded Future, a threat intelligence company, say analysis of the hackers’ bitcoin addresses – set up to receive money from infected computers – indicates the attackers were unprepared for such a widespread incident. “Part of a carefully planned large-scale ransomware attack requires a separate bitcoin address for each victim, guaranteeing the miscreant controlling the operation would later be able to identify the payment and decrypt the correct system,” said security expert John Wetzel. “Such unusual behaviour suggests the current epidemic was never planned by criminals, and resulted from targeted attacks going horribly wrong,” he added. Security experts, including MalwareTech and Matt Suiche, worked through the weekend (13-14 May) to locate so-called “kill-switches” that could curb the spread of the ransomware. “We expect to see further attacks from variants of this malware,” warned Recorded Future, adding: “The best advice is to update your antivirus on endpoints, to ensure that all Windows systems are fully patched, and to configure firewalls to block access to SMB and RDP ports.” According to Kaspersky Lab’s Costin Raiu, the malware was still in circulation, but appeared to be less widespread than previously predicted.
- 22 million WannaCry ransomware attack attempts blocked by Symantec:
“The WannaCry ransomware attack is the largest we’ve ever seen,” said Mike Fey, president and chief operating officer at Symantec. WannaCry is ransomware that spreads through a particular Windows exploit and encrypts user data until the victim pays up. As the first wave of WannaCry attacks struck computers across the world, Microsoft not only advised Windows users to patch their systems, but also to upgrade their anti-virus software, which acts as the first line of defence in detecting malware. However, the immediate preventive measure before any more ransomware attacks emerge is to update all Windows systems, said the security firm. The company said its advanced exploit protection technology was able to provide real-time threat awareness against the ransomware, and that users of its email service are also fully protected from WannaCry. Days after the first wave of attacks, no decryption tool has been developed to recover files from systems already infected with the malware. Some have already found new variants of ransomware similar to WannaCry, but there is no proof that any system has been affected by the new variants so far. Researchers around the globe have predicted that a second wave of ransomware attacks is likely at any time. Experts have advised users not to pay the ransom even if their data is held hostage, as it may lead to future cyber-attacks.
- WannaCry hackers now being hunted by the world’s police:
The hackers behind the massive WannaCry ransomware attacks are now reportedly being hunted by law enforcement authorities across the globe. The attacks, which began over the weekend, hit hundreds of thousands of organisations across 150 countries and had the infosec community scrambling to learn more about them in order to limit their scope and defend against further attacks. Even as security researchers continue to discover new, destructive WannaCry variants, authorities across the globe have kick-started the hunt for the cybercriminals responsible. The National Crime Agency (NCA) is collaborating with other international law enforcement authorities, including the FBI, Europol and Interpol, to identify the attackers. “We are deploying all covert and overt means available to us,” Lynne Owens, Director General of the NCA, said in a statement. “We’re trawling through huge amounts of data associated with the attack and identifying patterns,” ZDNet quoted Owens as saying. “Because of the quantity of data involved and the complexity of these kinds of enquiries we need to be clear that this is an investigation which will take time,” said Owens. “But I want to reassure the public that investigators are working round the clock to secure evidence and have begun to forensically analyse a number of infected computers.” “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally. DHS has a cadre of cybersecurity professionals that can provide expertise and support to critical infrastructure entities,” the Department of Homeland Security said in a statement.
- ‘Larger than WannaCry’: Leaked NSA exploits used to spread cryptocurrency mining tool:
Two leaked NSA hacking tools that enabled the spread of a global ransomware attack have also been used by hackers to mine cryptocurrency for weeks, according to security experts who claim the scope of the infection could be “larger in scale” than WannaCry. On 15 May, researchers from US cybersecurity firm Proofpoint released evidence that “EternalBlue” and “DoublePulsar” – two US cyberweapons – were helping to spread a “large-scale attack” that installed a strain of Monero mining software called “Adylkuzz”. The same tools were utilised by unknown hackers to spread malware across hundreds of thousands of unpatched Windows computers late last week (12 May). As reported, victims of that cyber attack included telecommunications giant Telefonica and the UK health services; it later spread to 150 countries, experts said. In this case, the hackers were using the same exploits to mine Monero – an ultra-anonymous form of digital currency. The cyberattack is reportedly launched from private servers which are actively scanning the web for potential targets. Once found, the victim is exploited using the ‘EternalBlue’ tool and infected with the ‘DoublePulsar’ backdoor. Proofpoint, as described in a blog post by cybersecurity researcher ‘Kafeine’, said analysis suggests the scale of the attacks – which potentially date back as early as 24 April – may be more widespread than WannaCry, earning the hackers tens of thousands of dollars. Kafeine suggested the existence of the Adylkuzz miner may actually have “limited the spread” of the notorious ransomware worm, because it shuts down SMB networking (the specific Microsoft system being exploited) to prevent infection by other malware.
- WannaCry: Businesses could face lawsuits for not updating Windows-based computer systems:
Businesses that failed to update their Windows-based computer systems, making them vulnerable to the massive WannaCry ransomware attack over the weekend, could face lawsuits over their lax cybersecurity, claim legal experts. Microsoft says the affected Windows computers did not have security patches or were running the older Windows XP system that is no longer supported by the company. Christopher Dore, a lawyer at Edelson PC, said companies hit by the ransomware because they did not have the Microsoft update or were using the older Windows version could face lawsuits. Dore said: “Using outdated versions of Windows that are no longer supported raises a lot of questions.” “There is this stream of liability that flows from the ransomware attack,” he said. “That’s liability to individuals, consumers and patients. It would arguably be knowingly negligent to let those systems stay in place.” Data privacy lawyer Edward McAndrew from Ballard Spahr told Reuters that businesses could be sued if they failed to deliver services because of the attack. Scott Vernick, a data security lawyer at Fox Rothschild, said businesses that failed to update their software could face scrutiny from the US Federal Trade Commission. The FTC has previously sued companies for misrepresenting their data privacy measures.
- WannaCry: What happens when you pay the ransom?:
Once the user has decided to pay up, three situations are likely to occur:
Situation 1 – You don’t get your data despite paying the ransom
Several victims have claimed that they have been unable to access their files despite paying the full amount. If you have paid the ransom and still do not have access to your files, it is highly advisable not to make a second payment.
Situation 2 – Negotiate the ransom amount
Some users, particularly students and those from lower economic backgrounds, have reportedly negotiated with the hackers and, in many cases, their negotiations have worked. Europol, the White House, police agencies and cybersecurity experts have all strongly recommended that users not pay the ransom. As there is so far no decryption tool for the malware, users have no choice but to pay up to get their data back. While there are no official figures, researchers say many users and companies have managed to get their files back after paying the ransom. In a test run on a virtual machine, the malware changes the desktop background, locks all of the test files, and leaves a text document explaining to the user how to decrypt the files. “A manual human operator must activate decryption.”
Situation 3 – You get all your files back
While most victims hope to get their data back after paying the WannaCry ransom, the percentage who do is extremely low. Tom Bossert, assistant to the US president for homeland security and counterterrorism, has said that less than $70,000 has been paid to the hackers, and that he was not aware of any payments that led to data recovery.
- WannaCry 2.0? New ransomware variant without kill switch emerges:
A new and potentially more destructive variant of the WannaCry ransomware has been uncovered in four countries, indicating that the world may be on the cusp of another wave of destructive cyberattacks like the one that struck over the weekend. The first wave of attacks was stopped by a 22-year-old British security researcher, known as MalwareTech, who activated the kill switch in the original WannaCry variant by registering the malware’s domain. The new variant comes without a kill switch, indicating that cybercriminals are working tirelessly to create new and harder-to-kill versions to renew their global onslaught. According to security researchers at Cyphort who discovered the new strain, merely registering the malware’s domain would not help to stop the attacks this time. Cyphort researcher Mounir Hahad told IBTimes UK that the new strain is “live in the wild” and infecting systems in Australia, Denmark, Germany and South Korea. The researchers also noted that the variant was unlikely to have been created by a researcher as a test case, as it has been found in four different countries. “It seems that the cyber criminals found a smarter way to evade sandbox detection by checking on a site that researchers cannot sinkhole,” Hahad said. “This discovery clearly shows the threat actors have a pulse on the progress of their campaign and are able to quickly turn around enhancements to work around the security industry. It also shows they are confident of their steps: instead of backing off and hiding after causing so much damage, they boost their campaign,” Hahad said. The discovery of this new strain indicates that cybercriminals are working to renew their global onslaught, as previously warned by experts.
- Chinese hackers try to take control of WannaCry ransomware kill switch:
Anonymous hackers from China attempted to take control of a kill switch that was created to prevent the WannaCry ransomware attacks. Registering the malware’s domain allowed the kill switch to take effect, stopping the spread of the attacks, and it is said to have saved millions of computers from being affected. Two days after thwarting the attacks, the researcher who activated the kill switch says some hackers from China are trying to get hold of it. Cyber experts, including that researcher, have, however, warned that more such attacks could take place with different versions of the ransomware. Some researchers have already uncovered two new variants of the ransomware, which hint at the possibility of further attacks. “New variants today are now spreading with a modified kill-switch domain,” Chris Doman, security researcher at AlienVault, told IBTimes UK. “Someone, likely different to the original attackers, made a very small change to the malware so it connects to a slightly different domain.” “One is to just count how many victims there are around the world or just easily create another variant of this worm which doesn’t have this kill switch or checks for a different domain and they will achieve the same effect,” Costin Raiu, director of global research and analysis at cyber security company Kaspersky Lab, told the Independent. There is no decryption tool for the systems already affected, but others who have not yet been hit by the ransomware can take preventive measures.
- Has the global ransomware attack given bitcoin its bad name back?:
Just a day after reaching a new record of over $1,800 (£1,390) per coin, the bitcoin cryptocurrency plunged by $200 in the wake of its involvement with the WannaCry global ransomware attack. With the days of online heists, its use by the Silk Road illegal drug site and the implosion of the Mt Gox currency exchange behind it, it seemed that bitcoin’s Wild West reputation was coming to an end. While it is still true that bitcoin is used by dark web marketplaces which sell Class A drugs and guns, bitcoin’s legal usefulness has grown significantly since the turbulent days of 2013 and 2014. But with bitcoin the currency of choice for a ransomware attack which struck 200,000 organisations in over 100 countries, the murky image the bitcoin community had done well to polish away in recent years was poised to return. The New York Times stuck the knife into bitcoin as the ransomware spread, describing it as “an anonymous digital currency preferred by criminals”, while the Telegraph said it is “popular among cybercriminals because it is decentralised, unregulated and practically impossible to trace”. But to look too closely at bitcoin’s ties with the ransomware attack is to miss the point, says cryptocurrency and cyber security expert Andreas Antonopoulos, who tweeted: “Ransomware attacks used the leaked NSA tools to compromise computers.” Still, since the ransomware spread like wildfire on 13 May, paralysing the computer systems of the NHS and quickly becoming a global epidemic, it didn’t take long for speculation to mount that bitcoin was being used as more than just a means of payment. CryptoCoinsNews suggested: “If the attackers are motivated by making a fast profit, they could be trying to manipulate the bitcoin price with the intention of shorting the currency.”
- Who is Marcus Hutchins, the 22-year old cyber hero who stopped the WannaCry attacks?:
The WannaCry ransomware that struck thousands of Windows systems across the globe could have been worse had it not been stopped by a 22-year-old cyber hero who accidentally activated a kill switch. Known as MalwareTech in the cybersecurity community, the young British researcher has finally revealed his real identity. Hutchins said earlier that he accidentally stumbled across the kill switch while analysing a sample of the malicious code and noticed it was linked to an unregistered web address. Registering that address allowed the kill switch to take effect, thus stopping the spread of the ransomware attacks. A keen surfer and pizza lover, Hutchins works with LA-based cybersecurity firm Kryptos Logic and is reluctant to take the title of hero. Hutchins says he is willingly helping the National Cyber Security Centre in Britain to tackle such threats and is part of a global community that constantly watches out for such attacks. Hutchins knew that revealing his identity could lead cyber criminals to attack him at any time, and that it should not be difficult for them to find out where he and his family live.
Identity revealed
After news of his heroic deed spread, many tabloids started making random assumptions as to who MalwareTech could be. It was only after Hutchins asked the media to stop harassing a wrongly identified woman that they realised it was not her. People even created fake accounts under the MalwareTech brand to try to establish themselves as the founder of the kill switch.