Ransomeware Hackers Launch Global Assault

Computer systems in dozens of countries were locked down on Friday, in an attack cybersecurity experts said made use of a software vulnerability that the US National Security Agency had allegedly exploited earlier.

Among those caught up in the attacks were American delivery giant FedEx, and the UK’s National Health Service, which reported 16 hospitals or clinics shut down and forced to cancel appointments and divert ambulances as a result. The Russian Ministry of the Interior reportedly had over 1,000 of its PCs infected.

According to Kaspersky Lab ZAO a Russia-based antivirus vendor, the malware hit at least 74 countries at time of writing. Czech antivirus vendor Avast Software S.R.O. said is was “one of the highest peaks for a single ransomeware strain” that they have recorded this year, accoring to Jakub Kroustek, leader of Avast’s virus team.

The attacks were a form of ransomeware, a worm which many DeepDotWeb readers will know operates by encrypting the data on a victims computer in 256-bit AES, and demands payment in order to decrypt the files. The particular string used in Friday’s attacks is know as Wanna Decryptor – or, “WannaCry” – and is designed to target vulnerabilities in Windows operating systems.

Vulnerabilities which, according to the secrets released in Wikileaks’ “Vault 7” files, were well known to Microsoft for some time, but had been intentionally left unfixed at the behest of the NSA. These reports were confirmed with the release of the vulnerabilities by DW shadowbrokers, and any further doubt was settled by yesterday’s widespread attacks. So far, the NSA has declined to comment on the authenticity of either the Vault 7 or shadowbroker files. Public Information Officers for the CIA and the US Office of the Director of National Intelligence declined to comment on Friday’s attack.

Microsoft only released an update patching the weakness on 14 March, after the Vault 7 leaks. However, no such fixes were made for the Windows XP operating system, which Microsoft has stopped issuing updates for since April 2014. Despite this risk, as of April 2017 More than 250 million devices still run on Windows XP, accounting for 4.43% of all users, according to web traffic analysis firm StatCounter. That’s almost as much as Windows 8, Windows Vista, Chrome OS, and all variants of Linux combined.

A FedEx spokesperson said it was “experiencing interference…caused by malware”, but declined to say whether it would effect deliveries with the Mother’s Day holiday coming up on Sunday. In Britain,

the NHS said that there was no evidence so far that patient records have been accessed, and that it was working with the National Crime Agency and the National Cyber Security Center to investigate. Russian Ministry of the Interior spokeswoman Irina Volk said: “At the moment, the virus is localized, technical work is being carried out to destroy it and update the antivirus protection”.

Thankfully, there is some heroics in this story. As reported by the infosec site ARS Technica:

“The virally spreading worm was ultimately stopped when a researcher who uses the Twitter handle MalwareTech and works for security firm Kryptos Logic took control of a domain name that was hard-coded into the self-replicating exploit. The domain registration, which occurred around 6 AM California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first. The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign. MalwareTech’s registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world. As a result, the number of infection detections plateaued dramatically in the hours following the registration”.

Despite this, it had no effect on Wannacry infections that were initiated through earlier campaigns. As of 7:20pm GMT+0 on Saturday, over 186,000 hosts have been infected, with 152,505 of them still being online. You can check the map as that number changes at https://intel.malwaretech.com/botnet/wcrypt/?t=24hbid=all

As pointed out by Motherboard writer Joseph Cox, a lot of informed individuals in the infosec community saw this attack coming. Twitter user Kevin Beaumont (@GossiTheDog), a Security Architect in Liverpool, tweeted back on 19 April that someone would use the shadowbroker exploitations to write a large-scale ransomeware worm, like Wannacry.

Ransomeware attacks usually infect systems through phishing, getting the target to open a DOS/Command file disguised as a benign document. These attacks come after a highly publicized case last year, when Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to regain use of its computer systems after being forced to use paper records due to ransomeware, as reported by DeepDotWeb

Author’s note: Given the scale of the attack (150,000 infected users), and the high rates at which victims of ransomeware end up paying their attackers, and the fact that this particular brand of ransomeware seemed to be charging a minimum of ~$300 worth of Bitcoin per host, combined with the 3-7 day timer set before all the files are deleted, I think that it’s possible that this attack will have a pumping effect on Bitcoin prices, given the substantially increased demand.