Cyber Attack: Ransomware causing chaos globally – BBC News
Ransomware virus ‘WannaCry’ plagues 100k computers across 99 countries
Ransomware attack takes down LA hospital for hours
WannaCry Ransomware Hits Hospitals
WannaCry Ransomware Used In Global Attacks!
WATCH: Ransomware cyberattack targets Windows users around the world
BREAKING***100 Countries Massive Global Ransomware Attack Used NSA Hacking Tool
What is ransomware and how can I protect myself?
How Ransomware Locks Your PC & Holds Your Data Hostage
Massive Ransomware Outbreak Thanks to NSA – WannaCry Worm Spreading Fast
Ransomware As Fast As Possible
The Truth About Ransomware – Webinar
What is Ransomware, How it Works and What You Can Do to Stay Protected
NSA Whistleblower Bill Binney on Tucker Carlson 03.24.2017
NSA Whistleblower William Binney: The Future of FREEDOM
ROY ORBISON – CRYING – LIVE 1988
Roy Orbison – “Running Scared” from Black and White Night
Roy Orbison – Crying (Monument Concert 1965)
Roy Orbison – It’s Over (Monument Concert 1965)
Roy Orbison – “It’s Over” from Black and White Night
Dozens of countries hit by huge cyberextortion attack
NEW YORK (AP) — Dozens of countries were hit with a huge cyberextortion attack Friday that locked up computers and held users’ files for ransom at a multitude of hospitals, companies and government agencies.
It was believed to the biggest attack of its kind ever recorded.
The malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was supposedly identified by the National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.
Britain’s national health service fell victim, its hospitals forced to close wards and emergency rooms and turn away patients. Russia appeared to be the hardest hit, according to security experts, with the country’s Interior Ministry confirming it was struck.
All told, several cybersecurity firms said they had identified the malicious software, which so far has been responsible for tens of thousands of attacks, in more than 60 countries. That includes the United States, although its effects there didn’t appear to be widespread, at least initially.
The attack infected computers with what is known as “ransomware” — software that locks up the user’s data and flashes a message demanding payment to release it. In the U.S., FedEx reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware.
Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack “the biggest ransomware outbreak in history.”
Security experts said the attack appeared to be caused by a self-replicating piece of software that enters companies and organizations when employees click on email attachments, then spreads quickly internally from computer to computer when employees share documents and other files.
Its ransom demands start at $300 and increase after two hours to $400, $500 and then $600, said Kurt Baumgartner, a security researcher at Kaspersky Lab. Affected users can restore their files from backups, if they have them, or pay the ransom; otherwise they risk losing their data entirely.
Chris Wysopal of the software security firm Veracode said criminal organizations were probably behind the attack, given how quickly the malware spread.
“For so many organizations in the same day to be hit, this is unprecedented,” he said.
The security holes it exploits were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has published what it says are hacking tools used by the NSA as part of its intelligence-gathering.
Shortly after that disclosure, Microsoft announced that it had already issued software “patches” for those holes. But many companies and individuals haven’t installed the fixes yet or are using older versions of Windows that Microsoft no longer supports and didn’t fix.
By Kaspersky Lab’s count, the malware struck at least 74 countries. In addition to Russia, the biggest targets appeared to be Ukraine and India, nations where it is common to find older, unpatched versions of Windows in use, according to the security firm.
Hospitals across Britain found themselves without access to their computers or phone systems. Many canceled all routine procedures and asked patients not to come to the hospital unless it was an emergency. Doctors’ practices and pharmacies reported similar problems.
Patrick Ward, a 47-year-old sales director, said his heart operation, scheduled for Friday, was canceled at St. Bartholomew’s Hospital in London.
Tom Griffiths, who was at the hospital for chemotherapy, said several cancer patients had to be sent home because their records or bloodwork couldn’t be accessed.
“Both staff and patients were frankly pretty appalled that somebody, whoever they are, for commercial gain or otherwise, would attack a health care organization,” he said. “It’s stressful enough for someone going through recovery or treatment for cancer.”
British Prime Minister Theresa May said there was no evidence patient data had been compromised and added that the attack had not specifically targeted the National Health Service.
“It’s an international attack and a number of countries and organizations have been affected,” she said.
Spain, meanwhile, took steps to protect critical infrastructure in response to the attack. Authorities said they were communicating with more than 100 energy, transportation, telecommunications and financial services providers about the attack.
Spain’s Telefonica, a global broadband and telecommunications company, was among the companies hit.
Ransomware attacks are on the rise around the world. In 2016, Hollywood Presbyterian Medical Center in California said it had paid a $17,000 ransom to regain control of its computers from hackers.
Krishna Chinthapalli, a doctor at Britain’s National Hospital for Neurology & Neurosurgery who wrote a paper on cybersecurity for the British Medical Journal, warned that British hospitals’ old operating systems and confidential patient information made them an ideal target for blackmailers.
He said many NHS hospitals in Britain use Windows XP software, introduced in 2001, and as government funding for the health service has been squeezed, “IT budgets are often one of the first ones to be reduced.”
“Looking at the trends, it was going to happen,” he said. “I did not expect an attack on this scale. That was a shock.
Global ‘WannaCry’ ransomware cyberattack seeks cash for data
LONDON (AP) — A global “ransomware” cyberattack, unprecedented in scale, had technicians scrambling to restore Britain’s crippled hospital network Saturday and secure the computers that run factories, banks, government agencies and transport systems in many other nations.
The worldwide effort to extort cash from computer users spread so widely that Microsoft quickly changed its policy, making security fixes available for free for the older Windows systems still used by millions of individuals and smaller businesses.
A malware tracking map showed “WannaCry” infections popping up around the world. Britain canceled or delayed treatments for thousands of patients, even people with cancer. Train systems were hit in Germany and Russia, and phone companies in Madrid and Moscow. Renault’s futuristic assembly line in Slovenia, where rows of robots weld car bodies together, was stopped cold.
In Brazil, the social security system had to disconnect its computers and cancel public access. The state-owned oil company Petrobras and Brazil’s Foreign Ministry also disconnected computers as a precautionary measure, and court systems went down, too.
Britain’s home secretary said one in five of 248 National Health Service groups had been hit. Home Secretary Amber Rudd said all but six of the NHS trusts back to normal Saturday.
The U.K.’s National Cyber Security Center was “working round the clock” to restore vital health services, while urging people to update security software fixes, run anti-virus software and back up their data elsewhere.
Who perpetrated this wave of attacks remains unknown. Two security firms — Kaspersky Lab and Avast — said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.
These hackers “have caused enormous amounts of disruption— probably the biggest ransomware cyberattack in history,” said Graham Cluley, a veteran of the anti-virus industry in Oxford, England.
And all this may be just a taste of what’s coming, another cyber security expert warned.
Computer users worldwide — and everyone else who depends on them — should assume that the next big “ransomware” attack has already been launched, and just hasn’t manifested itself yet, Ori Eisen, who founded the Trusona cybersecurity firm in Scottsdale, Arizona, told The Associated Press.
The attack held hospitals and other entities hostage by freezing computers, encrypting data and demanding money through online bitcoin payments. But it appears to be “low-level” stuff, Eisen said Saturday, given the amount of ransom demanded — $300 at first, rising to $600 before it destroys files hours later.
He said the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.
“This is child’s play, what happened. This is not the serious stuff yet. What if the same thing happened to 10 nuclear power plants, and they would shut down all the electricity to the grid? What if the same exact thing happened to a water dam or to a bridge?” he asked.
“Today, it happened to 10,000 computers,” Eisen said. “There’s no barrier to do it tomorrow to 100 million computers.”
This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the U.S., Ukraine, Brazil, Spain and India. Europol, the European Union’s police agency, said the onslaught was at “an unprecedented level and will require a complex international investigation to identify the culprits.”
In Russia, government agencies insisted that all attacks had been resolved. Russian Interior Ministry, which runs the national police, said the problem had been “localized” with no information compromised. Russia’s health ministry said its attacks were “effectively repelled.”
The ransomware exploits a vulnerability in Microsoft Windows that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes. Hackers said they stole the tools from the NSA and dumped them on the internet.
It could have been much worse if not for a young cybersecurity researcher who helped to halt its spread by accidentally activating a so-called “kill switch” in the malicious software.
The 22-year-old Britain-based researcher, identified online only as MalwareTech, explained Saturday that he spotted a hidden web address in the “WannaCrypt” code and made it official by registering its domain name. That inexpensive move redirected the attacks to MalwareTech’s server, which operates as a “sinkhole” to keep malware from escaping.
“Because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox … thus we initially unintentionally prevented the spread,” the researcher said, humbly and anonymously, in his blog post.
His move may have saved governments and companies millions of dollars and slowed the outbreak before U.S.-based computers were more widely infected.
Indeed, while FedEx Corp. reported that its Windows computers were “experiencing interference” from malware — it wouldn’t say if it had been hit by the ransomware — other impacts in the U.S. were not readily apparent on Saturday.
That said, the threat hasn’t disappeared, the MalwareTech researcher said.
“One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible,” he warned.
The kill switch also couldn’t help those already infected. Short of paying, options for these individuals and companies are usually limited to recovering data files from a backup, if available, or living without them.
Security experts said it appeared to be caused by a self-replicating piece of software that enters companies when employees click on email attachments, then spreads quickly as employees share documents.
The security holes it exploits were disclosed weeks ago by TheShadowBrokers, a mysterious hacking group. Microsoft swiftly released software “patches” to fix those holes, but many users still haven’t installed updates or still use older versions of Windows.
Microsoft had made fixes for older systems, such as 2001′s Windows XP, available only to mostly larger organizations, including Britain’s National Health Service, that paid extra for extended technical support. In light of Friday’s attacks, Microsoft announced that it’s making the fixes free to all.
Cluley said “There’s clearly some culpability on the part of the U.S. intelligence services. Because they could have done something ages ago to get this problem fixed, and they didn’t do it.”
“It’s very, very difficult these days, with encryption, to spy on people,” Cluley added. “But I don’t think that those concerns should hide the fact that ALL of us need to be protected … We’re living an online life, and we all deserve security there.”
Ransomware is a type of malicious software designed to block access to a computer system or data until a ransom is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it. More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.[1] The ransomware may also encrypt the computer’s Master File Table (MFT)[2][3] or the entire hard drive.[4] Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files[5] since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.
While initially popular in Russia, the use of ransomware scams has grown internationally;[6][7][8] in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013, more than double the number it had obtained in the first quarter of 2012.[9] Wide-ranging attacks involving encryption-based ransomware began to increase through Trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by authorities,[10] and CryptoWall, which was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.[11]
Operation
Typically, modern ransomware uses encryption to deny users’ access to their files. The software encrypts the victim’s files using a symmetric cipher with a randomly generated key, and then deletes the key, leaving only a version of it made inaccessible to the victim using public key cryptography. Only the attacker can then decrypt the symmetric key needed to restore the files.[12]
The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext (the encrypted symmetric-cipher key) to the attacker.
Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not (e.g., a scareware program). Payloads may display a fake warning purportedly by an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities, contains content such as pornography and “pirated” media.[13][14][15]
Some payloads consist simply of an application designed to lock or restrict the system until payment is made, typically by setting the Windows Shell to itself,[16] or even modifying the master boot record and/or partition table to prevent the operating system from booting until it is repaired.[17] The most sophisticated payloads encrypt files, with many using strong encryption to encrypt the victim’s files in such a way that only the malware author has the needed decryption key.[12][18][19]
Payment is virtually always the goal, and the victim is coerced into paying for the ransomware to be removed—which may or may not actually occur—either by supplying a program that can decrypt the files, or by sending an unlock code that undoes the payload’s changes. A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. A range of such payment methods have been used, including wire transfers, premium-rate text messages,[20] pre-paid voucher services such as Paysafecard,[6][21][22] and the digital currencyBitcoin.[23][24][25] A 2016 census commissioned by Citrix revealed that larger business are holding bitcoin as contingency plans.[26]
History
Encrypting ransomware
The first known malware extortion attack, the “AIDS Trojan” written by Joseph Popp in 1989, had a design failure so severe it was not necessary to pay the extortionist at all. Its payload hid the files on the hard drive and encrypted only their names, and displayed a message claiming that the user’s license to use a certain piece of software had expired. The user was asked to pay US$189 to “PC Cyborg Corporation” in order to obtain a repair tool even though the decryption key could be extracted from the code of the Trojan. The Trojan was also known as “PC Cyborg”. Popp was declared mentally unfit to stand trial for his actions, but he promised to donate the profits from the malware to fund AIDS research.[27]
The notion of using public key cryptography for ransom attacks was introduced in 1996 by Adam L. Young and Moti Yung. Young and Yung critiqued the failed AIDS Information Trojan that relied on symmetric cryptography alone, the fatal flaw being that the decryption key could be extracted from the Trojan, and implemented an experimental proof-of-concept cryptovirus on a Macintosh SE/30 that used RSA and the Tiny Encryption Algorithm (TEA) to hybrid encrypt the victim’s data. Since public key crypto is used, the cryptovirus only contains the encryption key. The attacker keeps the corresponding private decryption key private. Young and Yung’s original experimental cryptovirus had the victim send the asymmetric ciphertext to the attacker who deciphers it and returns the symmetric decryption key it contains to the victim for a fee. Long before electronic money existed Young and Yung proposed that electronic money could be extorted through encryption as well, stating that “the virus writer can effectively hold all of the money ransom until half of it is given to him. Even if the e-money was previously encrypted by the user, it is of no use to the user if it gets encrypted by a cryptovirus”.[12] They referred to these attacks as being “cryptoviral extortion”, an overt attack that is part of a larger class of attacks in a field called cryptovirology, which encompasses both overt and covert attacks.[12]
Examples of extortionate ransomware became prominent in May 2005.[28] By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes, with ever-increasing key-sizes. Gpcode.AG, which was detected in June 2006, was encrypted with a 660-bit RSA public key.[29] In June 2008, a variant known as Gpcode.AK was detected. Using a 1024-bit RSA key, it was believed large enough to be computationally infeasible to break without a concerted distributed effort.[30][31][32][33]
Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker—using the Bitcoindigital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users.[34] The CryptoLocker technique was widely copied in the months following, including CryptoLocker 2.0 (though not to be related to CryptoLocker), CryptoDefense (which initially contained a major design flaw that stored the private key on the infected system in a user-retrievable location, due to its use of Windows’ built-in encryption APIs),[24][35][36][37] and the August 2014 discovery of a Trojan specifically targeting network-attached storage devices produced by Synology.[38] In January 2015, it was reported that ransomware-styled attacks have occurred against individual websites via hacking, and through ransomware designed to target Linux-based web servers.[39][40][41]
Symantec has classified ransomware to be the most dangerous cyber threat.[46]
Non-encrypting ransomware
In August 2010, Russian authorities arrested nine individuals connected to a ransomware Trojan known as WinLock. Unlike the previous Gpcode Trojan, WinLock did not use encryption. Instead, WinLock trivially restricted access to the system by displaying pornographic images, and asked users to send a premium-rate SMS (costing around US$10) to receive a code that could be used to unlock their machines. The scam hit numerous users across Russia and neighboring countries—reportedly earning the group over US$16 million.[15][47]
In 2011, a ransomware Trojan surfaced that imitated the Windows Product Activation notice, and informed users that a system’s Windows installation had to be re-activated due to “[being a] victim of fraud”. An online activation option was offered (like the actual Windows activation process), but was unavailable, requiring the user to call one of six international numbers to input a 6-digit code. While the malware claimed that this call would be free, it was routed through a rogue operator in a country with high international phone rates, who placed the call on hold, causing the user to incur large internationallong distance charges.[13]
In February 2013, a ransomware Trojan based on the Stamp.EK exploit kit surfaced; the malware was distributed via sites hosted on the project hosting services SourceForge and GitHub that claimed to offer “fake nude pics” of celebrities.[48] In July 2013, an OS X-specific ransomware Trojan surfaced, which displays a web page that accuses the user of downloading pornography. Unlike its Windows-based counterparts, it does not block the entire computer, but simply exploits the behavior of the web browser itself to frustrate attempts to close the page through normal means.[49]
In July 2013, a 21-year-old man from Virginia, whose computer coincidentally did contain pornographic photographs of underaged girls with whom he had conducted sexualized communications, turned himself in to police after receiving and being deceived by ransomware purporting to be an FBI message accusing him of possessing child pornography. An investigation discovered the incriminating files, and the man was charged with child sexual abuse and possession of child pornography.[50]
Leakware (also called Doxware)
The converse of ransomware is a cryptovirology attack that threatens to publish stolen information from the victim’s computer system rather than deny the victim access to it.[51] In a leakware attack, malware exfiltrates sensitive host data either to the attacker or alternatively, to remote instances of the malware, and the attacker threatens to publish the victim’s data unless a ransom is paid. The attack was presented at West Point in 2003 and was summarized in the book Malicious Cryptography as follows, “The attack differs from the extortion attack in the following way. In the extortion attack, the victim is denied access to its own valuable information and has to pay to get it back, where in the attack that is presented here the victim retains access to the information but its disclosure is at the discretion of the computer virus”.[52] The attack is rooted in game theory and was originally dubbed “non-zero sum games and survivable malware”. The attack can yield monetary gain in cases where the malware acquires access to information that may damage the victim user or organization, e.g., reputational damage that could result from publishing proof that the attack itself was a success.
Mobile ransomware
With the increased popularity of ransomware on PC platforms, ransomware targeting mobile operating systems have also proliferated. Typically, mobile ransomware payloads are blockers, as there is little incentive to encrypt data since it can be easily restored via online synchronization.[53] Mobile ransomware typically targets the Android platform, as it allows applications to be installed from third-party sources.[53][54] The payload is typically distributed as an APK file installed by an unsuspecting user; it may attempt to display a blocking message over top of all other applications,[54] while another used a form of clickjacking to cause the user to give it “device administrator” privileges to achieve deeper access to the system.[55]
Different tactics have been used on iOS devices, such as exploiting iCloud accounts and using the Find My iPhone system to lock access to the device.[56] On iOS 10.3, Apple patched a bug in the handling of JavaScript pop-up windows in Safari that had been exploited by ransomware websites.[57]
In 2012, a major ransomware Trojan known as Reveton began to spread. Based on the Citadel Trojan (which itself, is based on the Zeus Trojan), its payload displays a warning purportedly from a law enforcement agency claiming that the computer has been used for illegal activities, such as downloading unlicensed software or child pornography. Due to this behaviour, it is commonly referred to as the “Police Trojan”.[58][59][60] The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard. To increase the illusion that the computer is being tracked by law enforcement, the screen also displays the computer’s IP address, while some versions display footage from a victim’s webcam to give the illusion that the user is being recorded.[6][61]
Reveton initially began spreading in various European countries in early 2012.[6] Variants were localized with templates branded with the logos of different law enforcement organizations based on the user’s country; for example, variants used in the United Kingdom contained the branding of organizations such as the Metropolitan Police Service and the Police National E-Crime Unit. Another version contained the logo of the royalty collection societyPRS for Music, which specifically accused the user of illegally downloading music.[62] In a statement warning the public about the malware, the Metropolitan Police clarified that they would never lock a computer in such a way as part of an investigation.[6][14]
In May 2012, Trend Micro threat researchers discovered templates for variations for the United States and Canada, suggesting that its authors may have been planning to target users in North America.[63] By August 2012, a new variant of Reveton began to spread in the United States, claiming to require the payment of a $200 fine to the FBI using a MoneyPak card.[7][8][61]In February 2013, a Russian citizen was arrested in Dubai by Spanish authorities for his connection to a crime ring that had been using Reveton; ten other individuals were arrested on money laundering charges.[64] In August 2014, Avast Software reported that it had found new variants of Reveton that also distribute password stealing malware as part of its payload.[65]
Encrypting ransomware reappeared in September 2013 with a Trojan known as CryptoLocker, which generated a 2048-bit RSA key pair and uploaded in turn to a command-and-control server, and used to encrypt files using a whitelist of specific file extensions. The malware threatened to delete the private key if a payment of Bitcoin or a pre-paid cash voucher was not made within 3 days of the infection. Due to the extremely large key size it uses, analysts and those affected by the Trojan considered CryptoLocker extremely difficult to repair.[23][66][67][68]Even after the deadline passed, the private key could still be obtained using an online tool, but the price would increase to 10 BTC—which cost approximately US$2300 as of November 2013.[69][70]
CryptoLocker was isolated by the seizure of the Gameover ZeuSbotnet as part of Operation Tovar, as officially announced by the U.S. Department of Justice on 2 June 2014. The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet.[71][72] It was estimated that at least US$3 million was extorted with the malware before the shutdown.[10]
CryptoLocker.F and TorrentLocker
In September 2014, a wave of ransomware Trojans surfaced that first targeted users in Australia, under the names CryptoWall and CryptoLocker (which is, as with CryptoLocker 2.0, unrelated to the original CryptoLocker). The Trojans spread via fraudulent e-mails claiming to be failed parcel delivery notices from Australia Post; to evade detection by automatic e-mail scanners that follow all links on a page to scan for malware, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded, preventing such automated processes from being able to scan the payload. Symantec determined that these new variants, which it identified as CryptoLocker.F, were again, unrelated to the original CryptoLocker due to differences in their operation.[73][74] A notable victim of the Trojans was the Australian Broadcasting Corporation; live programming on its television news channelABC News 24 was disrupted for half an hour and shifted to Melbourne studios due to a CryptoWall infection on computers at its Sydney studio.[75][76][77]
Another Trojan in this wave, TorrentLocker, initially contained a design flaw comparable to CryptoDefense; it used the same keystream for every infected computer, making the encryption trivial to overcome. However, this flaw was later fixed.[35] By late-November 2014, it was estimated that over 9,000 users had been infected by TorrentLocker in Australia alone, trailing only Turkey with 11,700 infections.[78]
CryptoWall
Another major ransomware Trojan targeting Windows, CryptoWall, first appeared in 2014. One strain of CryptoWall was distributed as part of a malvertising campaign on the Zedo ad network in late-September 2014 that targeted several major websites; the ads redirected to rogue websites that used browser plugin exploits to download the payload. A Barracuda Networks researcher also noted that the payload was signed with a digital signature in an effort to appear trustworthy to security software.[79] CryptoWall 3.0 used a payload written in JavaScript as part of an email attachment, which downloads executables disguised as JPG images. To further evade detection, the malware creates new instances of explorer.exe and svchost.exe to communicate with its servers. When encrypting files, the malware also deletes volume shadow copies, and installs spyware that steals passwords and Bitcoin wallets.[80]
The FBI reported in June 2015 that nearly 1,000 victims had contacted the bureau’s Internet Crime Complaint Center to report CryptoWall infections, and estimated losses of at least $18 million.[11]
The most recent version, CryptoWall 4.0, enhanced its code to avoid antivirus detection, and encrypts not only the data in files but also the file names.[81]
Fusob
Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of accounted mobile ransomwares was Fusob.[82]
Like a typical mobile ransomware, it employs scare tactics to extort people to pay a ransom.[83] The program pretends to be an accusatory authority, demanding the victim to pay a fine from $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. Also, a timer clicking down on the screen adds to the users’ anxiety as well.
In order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob.[84]
When Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively.
Fusob has lots in common with Small, which is another major family of mobile ransomware. They represented over 93% of mobile ransomwares between 2015 and 2016.
In May 2017, the WannaCry ransomware attack spread though the Internet, using an exploit vector that Microsoft had issued a “Critical” patch for (MS17-010) two months before on March 14, 2017. The ransomware attack infected over 75,000 users in over 99 countries, using 20 different languages to demand money from users. The attack affected Telefónica and several other large companies in Spain, as well as parts of the British National Health Service (NHS),[85]FedEx, Deutsche Bahn, as well as the Russian Interior Ministry and Russian telecom MegaFon.[86]
Mitigation
As with other forms of malware, security software might not detect a ransomware payload, or, especially in the case of encrypting payloads, only after encryption is under way or complete, particularly if a new version unknown to the protective software is distributed.[87] If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would stop further damage to data, without salvaging any already lost.[88][89]
Alternately, new categories of security software, specifically deception technology, can detect ransomware without using a signature-based approach. Deception technology utilizes fake SMB shares which surround real IT assets. These fake SMB data shares deceive ransomware, tie the ransomware up encrypting these false SMB data shares, alert and notify cyber security teams which can then shut down the attack and return the organization to normal operations. There are multiple vendors[90] that support this capability with multiple announcements in 2016.[91]
Security experts have suggested precautionary measures for dealing with ransomware. Using software or other security policies to block known payloads from launching will help to prevent infection, but will not protect against all attacks. Keeping “offline” backups of data stored in locations inaccessible to the infected computer, such as external storage drives, prevents them from being accessed by the ransomware, thus accelerating data restoration.[23][92]
There are a number of tools intended specifically to decrypt files locked by ransomware, although successful recovery may not be possible.[2][93] If the same encryption key is used for all files, decryption tools use files for which there are both uncorrupted backups (plaintext in the jargon of cryptanalysis) and encrypted copies; recovery of the key, if it is possible, may take several days.[94]
WannaCry, also known by the names WannaCrypt,[2]WanaCrypt0r 2.0,[3]Wanna Decryptor[4] and other similar names, is a ransomware program targeting Microsoft Windows. In May 2017, a large cyber-attack using it was launched, infecting over 230,000 computers in 99 countries, demanding ransom payments in bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale.[5]
WannaCry is believed to use the EternalBlueexploit, which was developed by the U.S. National Security Agency[12][13] to attack computers running Microsoft Windows operating systems.[3][14] Although a patch to remove the underlying vulnerability had been issued on 14 March 2017,[15] delays in applying security updates left some users and organisations vulnerable.[16] Microsoft has taken the unusual step of releasing updates for the unsupported Windows XP and Windows Server 2003 and patches for Windows 8 operating systems.[2][17]
A kill switch has been found in the code, which prevents new infections. This has been activated by researchers and should slow or stop the spread. However, different versions of the attack may be released and all vulnerable systems still have an urgent need to be patched.
EternalBlue exploits vulnerability MS17-010[15] in Microsoft‘s implementation of the Server Message Block (SMB) protocol. Microsoft had released a “Critical” advisory, along with an update patch to plug the vulnerability a month before, on 14 March 2017.[15] This patch only fixed Windows Vista and later operating systems but not the older Windows XP.
On 12 May 2017, WannaCry began affecting computers worldwide.[23] After gaining access to the computers, via local area network (LAN), an email attachment, or drive-by download, the ransomware encrypts the computer’s hard disk drive,[24][25] then attempts to exploit the SMB vulnerability to spread to random computers on the Internet,[26] and “laterally” between computers on the same LAN.[27] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of $300 in bitcoin within three days.
The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[15] nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.[28] Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.[28] Any organization still running the older Windows XP[29] were at particularly high risk because until 13 May,[2] no security patches had been released since April 2014.[30] Following the attack, Microsoft released a security patch for Windows XP.[2]
According to Wired, affected systems will also have had the DOUBLEPULSAR backdoor installed; this will also need to be removed when systems are cleaned up.[31]
Impact
The ransomware campaign was unprecedented in scale according to Europol.[5] The attack affected many NHS hospitals in the UK.[32] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[7][33] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[29]Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe‘s most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[34][35]
Several hours after the initial release of the ransomware on 12 May 2017, a “kill switch” hardcoded into the malware was discovered. This allowed the spread of the initial infection to be halted by registering a domain name.[52] However, the kill switch appears to be a coding mistake on the part of the criminals, and variants without the kill switch are expected to be created.[53][54]
Reactions
Upon learning about the impact on the NHS, Edward Snowden said that if the NSA “had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened”.[55]
British Prime MinisterTheresa May said of the ransomware, “This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected.”[56]
Microsoft has created security patches for its now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.[57]
Pronk Palisades 
Leave a comment