from the mouse-and-cat dept.
Previously: "Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS.
tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.
WannaCrypt (aka WCry) is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on users' machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt them (depending on how quickly you responded). Infections first surfaced Friday night, and the spread was halted only because a researcher discovered a domain name in the code which, once registered, caused the malware to stop infecting new machines.
We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.
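The kill-switch behaviour described above also gives defenders a network indicator: a host that looks up the domain has already started executing the worm, whatever answer it got. The following is an added example, not code from the story or any of its sources; the domain, the log format and the log lines are constructed placeholders, and the script flags which internal hosts queried such a domain.

```python
"""Flag hosts whose DNS logs show a query for a ransomware kill-switch
domain. Added example; the domain and log lines below are constructed
placeholders, not real indicators."""
import re
from collections import defaultdict

# Placeholder: substitute the real kill-switch domain from a vetted source.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed log format: "<timestamp> <client_ip> query: <qname> <rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) (?P<rcode>\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise FQDN form
    return rec


def suspicious_hosts(lines, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: [(ts, qname, rcode), ...]} for every host that
    queried a kill-switch domain. The worm resolves the domain before
    deciding whether to continue, so the lookup itself means the payload
    is already running on that host. The rcode records what the check saw:
    NXDOMAIN before the domain was registered (worm carried on), NOERROR
    once it resolved to the sinkhole (worm stopped spreading)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qname"] in domains:
            hits[rec["client"]].append((rec["ts"], rec["qname"], rec["rcode"]))
    return dict(hits)


# Constructed sample log: two hosts ran the check, one before and one after
# the domain was registered; one host never queried it; one line is noise.
SAMPLE_LOG = """\
2017-05-13T09:01:02Z 10.0.0.12 query: killswitch-placeholder.example. NOERROR
2017-05-13T09:01:05Z 10.0.0.12 query: update.example.net. NOERROR
2017-05-13T09:02:17Z 10.0.0.40 query: KILLSWITCH-PLACEHOLDER.example NXDOMAIN
2017-05-13T09:03:00Z 10.0.0.55 query: intranet.example. NOERROR
garbage line that does not parse
"""

if __name__ == "__main__":
    for host, queries in suspicious_hosts(SAMPLE_LOG.splitlines()).items():
        print(host, queries)
```

A host running the variant that has the domain check removed never performs this lookup, so an empty result does not clear a network; it only tells you which machines ran the original sample, and patch status still has to be checked separately.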
Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools was posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.
In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.
Sources: Our previous coverage linked above as well as reports from the BBC ("Ransomware cyber-attack threat escalating - Europol"), Motherboard ("Round Two: WannaCrypt Ransomware That Struck the Globe Is Back"), and Ars Technica ("WCry is so mean Microsoft issues patch for 3 unsupported Windows versions").
What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?
Related Stories
NSA-created cyber tool spawns global ransomware attacks
From Politico via Edward Snowden via Vinay Gupta:
Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.
Thoughts on a similar scenario were published by the Harvard Business Review two days before this incident.
One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75,000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.
Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.
Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.
Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.
It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.
(Score: 2) by MichaelDavidCrawford on Monday May 15, @12:55AM (2 children)
this is a common problem: when I tell windows update to do its thing, it says "Checking for Updates" then never finishes checking.
I've tried several of the reported workarounds.
I figure I'll have to reinstall windows anyway, so I'll just wait until some manner of ransomware 0wnz0r5 me.
we have a ... crazy person (MDC), that regularly posts more coherent and interesting things than do these racist trolls
(Score: 2) by butthurt on Monday May 15, @01:18AM
Back in the days of Windows XP, it used to be possible to run Microsoft Baseline Security Analyzer, get from that a list of missing patches, then download and install them (most came in the form of self-installing executables) without running Windows Update.
In November 2013 MBSA 2.3 was released. This release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 2000 will no longer be supported [...]
-- https://en.wikipedia.org/wiki/Microsoft_Baseline_Security_Analyzer [wikipedia.org]
Did you try WSUS Offline Update?
Using WSUS Offline Update, you can update any computer running Microsoft Windows safely, quickly and without an Internet connection.
-- http://www.wsusoffline.net/ [wsusoffline.net]
(Score: 0) by Anonymous Coward on Monday May 15, @01:36AM
It's probably because there are so many updates that have been installed. I had the same problem for the first one of these stupid monthly security updates. I had to use WSUS offline update to install enough of the patches that the official installer would work.
(Score: 1) by butthurt on Monday May 15, @01:28AM (1 child)
What does it say about the NSA, if [a] lone security researcher finds and activates a kill switch before they do?
-- divec
(Score: 0) by Anonymous Coward on Monday May 15, @01:34AM
What does it say about the NSA, if [a] lone security researcher finds and activates a kill switch before they do?
Hmm ... you know, that guy sure sounds like he had some inside information. I bet he's guilty ... let's hack into his system.
(Score: 0) by Anonymous Coward on Monday May 15, @01:28AM
I've hired a man with a backhoe to dig a hole in the backyard, and tomorrow morning we'll drop all the Windows machines in there. This is not the same side of the yard where I've hidden all the bodies, so I won't have to kill the backhoe operator.