The WannaCry Ransomware outbreak started hitting the headlines around the world on May 12th. This is just the latest in a particularly pernicious type of exploit, which typically involves locking or encrypting data to render a computer unusable, and then demanding a ransom to have that encryption removed. Sadly, many victims have felt compelled to pay up, even when there is no guarantee their system will recover, which only encourages criminals to repeat their behavior.
Exploits of this nature are entirely indiscriminate in the way they target their victims, seeking out any unpatched machine or unwary user. Unfortunately this means that even systems crucial to protecting lives can be affected, as was the case with WannaCry. The ransomware hit, among many others, the UK’s National Health Service, causing severe disruption to vital services. This was not the first attack of this kind, and we can be sure it won’t be the last.
This attack serves as a reminder of the importance of keeping our computer systems patched, but human nature being what it is, there will always be systems vulnerable to attack. So what else can we do to protect ourselves? Fortunately, Cisco invests heavily in security technology and boasts the industry’s foremost threat intelligence organization, Talos.
Among the tools maintained by Talos is Snort, the industry leading intrusion detection and prevention technology, which is integrated into every Meraki MX. Snort performs real-time traffic analysis and packet logging in order to identify traffic patterns that match known threats. The good news for Meraki MX customers is that if they have Intrusion Prevention enabled and set to the ‘security’ ruleset on the Threat Protection page, the signatures for WannaCry are already in place, having already been added to the Snort database. For this outbreak we’ve taken the additional measure of adding them to the ‘balanced’ ruleset as well, to protect a broader set of customers against this threat.
We’re proud of our integration of critical Cisco security technologies like Snort and Advanced Malware Protection into our MX platform, ensuring that customers who choose Meraki enjoy world-class protection for their valuable network assets.
As is indicated in the article below, titled "Hackers who infected 200,000 machines have only made $50,000 worth of bitcoin", Bitcoin for ransomware definitely complicates the disaster recovery process! It takes time to get educated on Bitcoin, and to learn how and where to obtain Bitcoin. It can sometimes take more than 2 days just to get verified to purchase a few hundred dollars in Bitcoin, which quite often is not enough to meet the ransom required to decrypt the files. We at Innovativ IT have helped multiple local companies in Houston purchase Bitcoins through third parties, in order to meet the ransom and get their data back. Contact Innovativ IT to purchase large quantities of Bitcoin quickly. We have over 2 years of Bitcoin experience for ransomware recovery.
Hackers who locked files on 200,000 computers globally and asked for a bitcoin ransom payment to unlock them, have only made around $50,000, an industry source told CNBC, despite the large scale of the attack.
On Friday, a virus known as WannaCry infected machines across 150 countries. It’s known as ransomware which is a malicious piece of software that encrypts a user’s files then demands them pay money to unlock them. In this case, the hackers asked for $300 worth of bitcoin.
James Smith, CEO of Elliptic, a London-based start-up that helps law enforcement agencies track criminals using the cryptocurrency, said his company had uncovered that since Friday, around $50,000 worth of bitcoin payments have been made to the hackers by 7 a.m. ET on Monday. This was up from $45,000 at 4 a.m. ET.
“We have seen the number of payments start to go up today,” Smith told CNBC Monday.
After 72 hours from when the attack started on Friday, the hackers said the fine would double to $600, and after seven days, the files would be permanently locked.
“We think over the course of today as we approach the first deadline where fines double we will see a bigger increase (in bitcoin payments),” Smith added.
The amount paid so far is still a small amount despite the global nature and scale of the attack. Security experts and government agencies have been urging people not to pay the ransom.
Why payments have been slow
One of the major reasons for the slow payments is perhaps because many people wouldn’t know how to obtain and pay in bitcoin.
“If a business is told it needs to pay this amount of bitcoin, most companies will be asking what bitcoin is … it’s not straightforward,” Smith explained.
Obtaining large amounts of the cryptocurrency might take some time, and then setting up an account via a bitcoin wallet and exchange would also require a long onboarding process.
At the same time, researchers have seen no evidence that paying the cybercriminals necessarily unlocks your files.
“The decryption process itself is problematic, to say the least,” cybersecurity firm Check Point said in a blog post on Sunday.
“Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware … generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then … wait.”
Hackers who deploy ransomware often ask for payments in bitcoin as it is often believed to be completely anonymous. But law enforcement agencies, working with companies like Elliptic, have figured out ways to trace this.
It traces so-called bitcoin addresses back to people. These addresses are required to make payments to other people or organizations. At the moment, Elliptic is working on trying to trace the payments, but Smith said this would become clearer when the hackers try to withdraw their bitcoin in fiat currency.
“The attackers haven’t moved it. In previous cases we have been able to work with law enforcement to see where the funds move because ultimately the attacker wants to turn it back into a currency they want to spend,” Smith explained.
Security experts will tell you that one of the best ways to protect yourself from a malware infection or security breach is to keep your software up-to-date. Running outdated versions that cybercriminals can compromise is simply a bad idea. So, why would anyone put off installing a Windows update that Microsoft considered critical, like the one that fixed a vulnerability exploited by the WannaCry ransomware?
Sometimes it’s because system administrators fear that some part of the update process could go awry and lead to service interruptions. Even when things do go as planned, there can still be unwanted complications. That’s the reality five Australian hospitals are dealing with this week.
In the wake of the WannaCry outbreak, Queensland Health moved quickly to ensure that the proper protections were put in place. In addition to Windows, Citrix and clinical workflow software from Cerner was also patched. While the updates “protected the integrity of [hospital] systems and data,” they have also made it difficult for some staff to access medical record systems.
Just two months passed from Wikileaks’ revelation of the EternalBlue exploit to when WannaCry began spreading. That isn’t a lot of time to test and update every piece of computer equipment that needs to be patched, especially in an incredibly complex environment like a hospital. There’s far more to worry about than just desktop computers or laptops. Windows computers are also embedded into medical imaging and diagnostic equipment, and some were vulnerable to the attack.
When fixes need to be applied in a hurry, there’s always a chance that there will be side effects. Still, patching against WannaCry and any future copycat malware was important enough for Queensland Health to take the risk.
In the past, this could’ve been a tough sell. In 2017, however, the “if it ain’t broke, don’t fix it” mentality can’t be applied to computer systems. Advice from the United States Computer Emergency Readiness Team (US-CERT) is very clear: “Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.”
Yes, Queensland Health is coping with some issues accessing their systems. Trouble logging in or accessing records is, however, a huge step up from having an entire network ransomed, servers full of critical data lost, and surgical procedures interrupted.
Friday’s cyber-attack has affected more than 200,000 victims in 150 countries, Europol chief Rob Wainwright says.
He told the BBC the act was “unprecedented in its scale” and warned more people could find themselves affected on Monday morning.
The virus took control of users’ files, demanding payments; Russia and the UK were among the worst-hit countries.
Experts say another attack could be imminent and have warned people to ensure their security is up to date.
Mr Wainwright said that the ransomware – software that blocks access to data until a ransom is paid – was combined with a worm application – a program that replicates itself in order to spread to other computers.
This, he said, was allowing the “infection of one computer to quickly spread across the networks”.
He added: “That’s why we’re seeing these numbers increasing all the time.”
‘Patch before Monday’
Although a temporary fix earlier slowed the infection rate, the attackers had now released a new version of the ransomware, he said.
Companies need to make sure they have updated their systems and “patched where they should” before staff arrived for work on Monday morning, the EU law enforcement agency head said.
In England, 48 National Health Service (NHS) trusts reported problems at hospitals, GP surgeries or pharmacies, and 13 NHS organisations in Scotland were also affected.
What occurred was an “indiscriminate attack across the world on multiple industries and services”, Mr Wainwright said, including Germany’s rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, US logistics giant FedEx and Russia’s interior ministry.
However, he said that so far “remarkably” few payments had been made by victims of the attack.
BBC analysis of three accounts linked with the global attack suggests the hackers have been paid the equivalent of £22,080.
If you are following the news, by now you might be aware that a security researcher has activated a “Kill Switch” which apparently stopped the WannaCry ransomware from spreading further.
But that is not true, and the threat is not over yet.
The kill switch has only slowed down the infection rate.
Updated: Multiple security researchers have claimed that there are more samples of WannaCry out there, with different ‘kill-switch’ domains and without any kill-switch function, continuing to infect unpatched computers worldwide (find more details below).
So far, over 237,000 computers across 99 countries around the world have been infected, and the infection is still rising even hours after the kill switch was triggered by the 22-year-old British security researcher behind the Twitter handle ‘MalwareTech.’
For those unaware, WannaCry is an insanely fast-spreading ransomware malware that leverages a Windows SMB exploit to remotely target a computer running on unpatched or unsupported versions of Windows.
Once infected, WannaCry also scans for other vulnerable computers connected to the same network, as well as scanning random hosts on the wider Internet, to spread quickly.
The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.
“If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” NSA whistleblower Edward Snowden says.
Kill-Switch for WannaCry? No, It’s not over yet!
In our previous two articles, we have put together more information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.
The above-mentioned domain is responsible for keeping WannaCry propagating and spreading like a worm; as I previously explained, if the connection to this domain fails, the SMB worm proceeds to infect the system.
Fortunately, MalwareTech registered the domain in question and created a sinkhole – a tactic researchers use to redirect traffic from the infected machines to a system under their own control. (Read his latest blog post for more details.)
Updated: Matthieu Suiche, a security researcher, has confirmed that he has found a new WannaCry variant with a different domain for the kill-switch function, which he registered and redirected to a sinkhole in an effort to slow down the infections.
The newly discovered WannaCry variant works exactly like the previous variant that wreaked havoc across the world Friday night.
But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.
Since the kill-switch feature was in the SMB worm, not in the ransomware module itself, “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” MalwareTech told The Hacker News.
You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:
If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).
If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.
MalwareTech also confirmed to THN that some “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” in order to make it unavailable to the WannaCry SMB exploit, which triggers infection if the connection fails. But “it failed hardcore,” at least for now.
WannaCry 2.0, Ransomware With *NO* Kill-Switch Is On Hunt!
Initially, this part of the story was based on the research of a security researcher who earlier claimed to have samples of a new WannaCry ransomware that comes with no kill-switch function. But for some reason, he backed off. So, we have removed his references from this story for now.
However, shortly after that, Costin Raiu, the director of the global research and analysis team at Kaspersky Labs, confirmed to us that his team had seen more WannaCry samples on Friday that did not have the kill switch.
“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” he told The Hacker News.
Updated: WannaCry 2.0 is Someone Else’s Work
Raiu from Kaspersky shared some samples his team had discovered with Suiche, who analysed them and confirmed that there is a WannaCrypt variant without a kill switch, equipped with the SMB exploit that would help it to spread rapidly without disruption.
What’s even worse is that the new WannaCry variant without a kill-switch is believed to have been created by someone else, and not by the hackers behind the initial WannaCry ransomware.
“The patched version matt described does attempt to spread. It’s a full set which was modified by someone with a hex editor to disable the kill switch,” Raiu told me.
Updated: However, Suiche also confirmed that the modified variant with no kill switch is corrupted, but this doesn’t mean that other hackers and criminals would not come up with a working one.
“Given the high profile of the original attack, it’s going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and – for goodness sake – ensure that you have secure backups.” Cyber security expert Graham Cluley told The Hacker News.
Expect a new wave of ransomware attack, by initial attackers and new ones, which would be difficult to stop, until and unless all vulnerable systems get patched.
“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” Matthew Hickey, a security expert and co-founder of Hacker House told me.
“We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this samples success.”
Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.
“The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host,” Microsoft says.
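The quoted Microsoft description, and the earlier description of the worm scanning both the local network and random Internet hosts, translate into a simple network-side detection: an infected host opens TCP/445 connections to many distinct destinations in a short time, including addresses outside the organisation. The following is an added example, not code from the article, Microsoft or any vendor mentioned on this page. It assumes a constructed connection-log format (`<ISO timestamp> <src> <dst> <dport>`), an assumed alert threshold of 20 distinct SMB destinations within 60 seconds, and a configurable list of the organisation's own internal ranges; all sample records are constructed for the example.

```python
# Added example (not from the original article): flag hosts whose TCP/445 connection
# pattern looks like WannaCry-style worm scanning. The log format, thresholds and
# sample records below are all constructed assumptions for this example.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
SCAN_THRESHOLD = 20          # assumed: distinct 445 destinations within WINDOW before alerting
WINDOW = timedelta(seconds=60)
# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _constructed_sample():
    """Constructed connection records: '<ISO timestamp> <src> <dst> <dport>'.
    10.0.0.15 plays the infected machine: 25 local hosts plus 5 Internet hosts on
    TCP/445 in under a minute. The other hosts show ordinary file-sharing traffic."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(1, 26):                                   # sweep of the local subnet
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.15 10.0.0.{i + 30} 445")
    for i, dst in enumerate(["203.0.113.7", "198.51.100.44", "192.0.2.91",
                             "203.0.113.200", "198.51.100.9"]):   # random Internet hosts
        lines.append(f"{(base + timedelta(seconds=30 + i)).isoformat()} 10.0.0.15 {dst} 445")
    for i in range(40):                                      # workstation using one file server
        lines.append(f"{(base + timedelta(seconds=i * 5)).isoformat()} 10.0.0.20 10.0.0.5 445")
    lines.append(f"{base.isoformat()} 10.0.0.21 10.0.0.5 445")
    lines.append(f"{base.isoformat()} 10.0.0.21 10.0.0.6 445")
    lines.append(f"{base.isoformat()} 10.0.0.21 203.0.113.7 443")  # HTTPS, not SMB
    return lines


SAMPLE_LOG = _constructed_sample()


def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def _smb_events(lines):
    """Group TCP/445 connection attempts by source, as (timestamp, dst) lists."""
    per_src = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, dport = parse_line(raw)
        if dport == SMB_PORT:
            per_src[src].append((ts, dst))
    return per_src


def detect_smb_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src: {"distinct_dsts": n, "internet_dsts": m}} for every source that
    contacted at least `threshold` distinct hosts on TCP/445 inside some `window` span.
    A sliding window over time-ordered events keeps a per-destination count so that a
    workstation hammering one file server never trips the threshold."""
    alerts = {}
    for src, events in _smb_events(lines).items():
        events.sort()
        in_window = defaultdict(int)      # dst -> flows currently inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:      # expire flows older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                distinct = len(in_window)
                internet = sum(1 for d in in_window if not is_internal(d))
                best = alerts.get(src)
                if best is None or distinct > best["distinct_dsts"]:
                    alerts[src] = {"distinct_dsts": distinct, "internet_dsts": internet}
    return alerts


def outbound_smb_sources(lines):
    """Higher-confidence signal: internal hosts initiating SMB to addresses outside the
    organisation. Legitimate traffic of this kind is rare, and WannaCry's Internet
    sweep produces exactly this pattern; the perimeter should block it outright."""
    return {src for src, events in _smb_events(lines).items()
            if is_internal(src) and any(not is_internal(dst) for _, dst in events)}


if __name__ == "__main__":
    for src, info in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT possible SMB worm scan from {src}: {info}")
    print("internal hosts reaching Internet SMB:", sorted(outbound_smb_sources(SAMPLE_LOG)))
```

Two thresholds are deliberately separate: the distinct-destination window catches the local-subnet sweep even in networks that already block outbound 445, while `outbound_smb_sources` needs no tuning at all and is the cheaper signal to alert on at the edge.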
Believe me, the new strain of WannaCry 2.0 malware would not take long to take over another hundred thousand vulnerable systems.
Video Demo of WannaCry Ransomware Infection
Hickey has also provided us two video demonstrations, showing packet traces that confirm the use of Windows SMB vulnerability (MS17-010).
Since WannaCry is a single executable file, it can also be spread through other regular exploit vectors, such as spear phishing, drive-by-download attack, and malicious torrent files download, warned Hickey.
Get Prepared: Upgrade, Patch OS & Disable SMBv1
MalwareTech also warned of the future threat, saying “It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!”
“Informed NCSC, FBI, etc. I’ve done as much as I can do currently, it’s up to everyone to patch,” he added.
As we notified today, Microsoft took an unusual step to protect its customers with an unsupported version of Windows — including Windows XP, Vista, Windows 8, Server 2003 and 2008 — by releasing security patches that fix SMB flaw currently being exploited by the WannaCry ransomware.
Even after this, I believe many individuals remain unaware of the new patches. Many organizations, as well as embedded machines like ATMs and digital billboard displays, are still running older or unpatched versions of Windows; those considering an operating system upgrade will need time, and it will cost them money for new licenses.
So, users and organizations are strongly advised to install available Windows patches as soon as possible, and also consider disabling SMBv1 (follow these steps), to prevent similar future cyber attacks.
For God’s sake: Apply patches. Microsoft has been very generous to you.
Almost all antivirus vendors have already added signatures to protect against this latest threat. Make sure you are using a good antivirus, and keep it always up-to-date.
Moreover, you can also follow some basic security practices I have listed to protect yourself from such malware threats.
WannaCry has Hit Over 200,000 Systems in 150 Countries, Warned Europol
Update: Speaking to Britain’s ITV, Europol chief Rob Wainwright said the whole world is facing an “escalating threat,” warning people that the numbers are going up and that they should ensure the security of their systems is up to date.
“We are running around 200 global operations against cyber crime each year, but we’ve never seen anything like this,” Wainwright said, as quoted by BBC.
“The latest count is over 200,000 victims in at least 150 countries. Many of those victims will be businesses, including large corporations. The global reach is unprecedented.”
[Map: WannaCry ransomware infections in just 24 hours]
This story is still updating, stay tuned to our Twitter page for more up-to-date information.
The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”.
NHS staff shared screenshots of the WannaCry program, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.
Throughout the day, other (mainly European) countries reported infections.
Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit.
Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.
In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also hit, with reports that staff at the firms were told to turn off their computers.
Coincidentally, finance ministers from the Group of Seven wealthiest countries have been meeting in Italy to discuss the threat of cyber-attacks on the global financial system.
They are expected to release a statement later in which they pledge greater co-operation in the fight against cyber-crime, including spotting potential vulnerabilities and assessing security measures.
How does the malware work and who is behind it?
The infections seem to be deployed via a worm – a program that spreads by itself between computers.
Most other malicious programs rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.
By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too.
Some experts say the attack may have been built to exploit a weakness in Microsoft systems that had been identified by the NSA and given the name EternalBlue.
The NSA tools were stolen by a group of hackers known as The Shadow Brokers, who made it freely available in April, saying it was a “protest” about US President Donald Trump.
At the time, some cyber-security experts said some of the malware was real, but old.
A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.
Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such as Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.
The number of infections seems to be slowing after a “kill switch” appears to have been accidentally triggered by a UK-based cyber-security researcher tweeting as @MalwareTechBlog.
He was quoted as saying he noticed the web address the virus was searching for had not been registered – and when he registered it, the virus appeared to stop spreading.
But he warned this was a temporary fix, and urged computer users to “patch your systems ASAP”.
Why do companies still use Windows XP? By Chris Foxx, technology reporter
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs – so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive – the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn’t compatible. Companies then face the cost of upgrading computers and operating system licenses, as well as the cost of rebuilding their software from scratch.
So, some choose to keep running the old version of Windows instead. For some companies, that is not a huge risk. In a hospital, the stakes are higher.