Symantec and FireEye have linked the recent WannaCry ransomware attacks to North Korea:
Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.
The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday. FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. "The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators," Ben Read, a FireEye analyst, said in an emailed statement.
[...] The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical."
Also at NYT, Reuters, Ars Technica, and The Hill. Symantec blog (appears scriptwalled).
Here's a screenshot of Wana Decrypt0r 2.0. Note the Wikipedia licensing section.
Previously: Security In 2017: Ransomware Will Remain King
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
Decryption Utility for WannaCry is Released
Related Stories
According to an article on DarkReading.com, ransomware will remain king in 2017.
2016 was the year of ransomware, with hackers focusing their attentions on exploiting Internet users and businesses around the world for profit. According to the FBI, cyber-extortion losses have skyrocketed, and ransomware was on track to become a $1 billion a year crime in 2016.
Our research shows no sign of this security nightmare slowing down in 2017. Hackers are becoming more advanced, and ransomware remains an incredibly easy, lucrative way for them to make money. Unfortunately, the security community has only started to develop defenses that can protect Internet users from ransomware.
With the new year around the corner, security researchers at Malwarebytes Labs have compiled a list of predictions for new ransomware threats, developments, and opportunities that they expect consumers and businesses will face in 2017.
NSA-created cyber tool spawns global ransomware attacks
From Politico via Edward Snowden via Vinay Gupta:
Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.
One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million of ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.
Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.
Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.
Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.
It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.
[Update at 20170515_022452 UTC: Instructions for what to do on each affected version of Windows can be found at: https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/ -- I've had excellent luck in the past following his advice on when and how to update Windows. Clear, hands-on instructions are a big win in my book. --martyb]
Previously: "Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS.
tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.
WannaCrypt (aka WCry), is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on user's machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night and were stopped only because a researcher discovered a domain name in the code, which when registered, caused the malware to stop infecting new machines.
We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.
Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools were posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.
In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.
Sources: Our previous coverage linked above as well as reports from the BBC Ransomware cyber-attack threat escalating - Europol, Motherboard Round Two: WannaCrypt Ransomware That Struck the Globe Is Back, and Ars Technica WCry is so mean Microsoft issues patch for 3 unsupported Windows versions.
What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?
Various news outlets report the release of
Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."
From the Wired article noted below:
Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.
[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.
Coverage:
Previous stories:
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
A report suggests that North Korean hackers are looking for money to steal as harsher sanctions are implemented against the country:
North Korean hackers are increasingly trying to steal cash rather than secrets, a South Korean government-backed report suggests. Cyber-criminals are targeting financial institutions as Pyongyang faces tough nuclear sanctions, the Financial Security Institute (FSI) claims. Suspected hacking attempts were until recently thought to be aimed at causing disruption or accessing data.
North Korea has routinely denied involvement in cyber-attacks. The FSI analysed cyber-attacks between 2015 and 2017. The impoverished country is now facing even tougher international sanctions aimed at stopping the flow of money that would support the development of its weapons programme.
Attacks cited include the "WannaCry" ransomware attacks, an attack on the Bangladeshi central bank, attacks by a group called "Andariel", and the 2015 attacks against South Korean banks that led to the formation of the Financial Security Institute.
Also at Reuters. FSI's website.
Previously: WannaCry Ransomware Attack Linked to North Korea by Symantec
A derivative of Microsoft Windows ransonware, Wannacry, has hit a Boeing production plant in Charleston, South Carolina. An internal memo from Mike VanderWel, chief engineer of Boeing Commercial Airplane production engineering, warned that the company's production systems and airline software were "at risk".
Wannacry was based on Microsoft Windows' CVE 2017-0144 which is used in the EternalBlue exploit kit. EternalBlue was initially utilized in apparent coordination with Microsoft's long delay in patching. Despite massive media spin, Wannacry was found to have hit all recent versions of Microsoft Windows.
From:
The Verge: Boeing production plant hit with WannaCry ransomware attack
The New York Times: Boeing Possibly Hit by ‘WannaCry’ Malware Attack
The Daily Express: Vital Boeing computer network INFECTED with WannaCry VIRUS - is it safe to fly?.
Previously: UK Blames North Korea for WannaCry Attacks, Says NHS Didn't Follow Cybersecurity Guidelines
WannaCry Ransomware Attack Linked to North Korea by Symantec
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @11:37PM (3 children)
That thing had the most impact in Russia, a supposed Nork's ally.
(Score: 3, Funny) by takyon on Tuesday May 23 2017, @11:41PM (1 child)
Their Bitcoins are as good as anybody's :D
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @12:14AM
I can just imagine the Rusky cybergoons chuckling:
"Damn, gooks, yous pulled a doozy. Give it up - high five!"
(Score: 2) by Jeremiah Cornelius on Wednesday May 24 2017, @03:19PM
Yeah. The attribution method is dubious. It contains more NSA code than NK code. This was cobbled together from available parts.
Symantec is done, as a trustworthy analyst. Bluecoat aquired them and went private. They peddle for various big gov customers. It's a shame, really.
You're betting on the pantomime horse...
(Score: 5, Insightful) by Gaaark on Tuesday May 23 2017, @11:45PM (5 children)
What... is North Korea the American bad guy now, or is Russia? China??
Or was Symantec told to take America's eyes/entertainment lobes off of Russia and put it back onto North Korea???
Man, it's so hard to stay focused on who the bad guy is anymo---
--oooh, look! Kardashians! Heee heee, soooo shiny!!!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 4, Insightful) by takyon on Tuesday May 23 2017, @11:48PM (2 children)
The world's superpower can have multiple enemies???!
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Gaaark on Wednesday May 24 2017, @12:33AM (1 child)
No: you need to focus the plebs on one enemy at a time! Hence the Jews in Nazi-land... "It's a small Jew world after all, it's a small Jew world uber alles"
It's like marketing: one message hammered home again and again. It's the Jews, or it's the Russians or it's the Chinese, but NEVER all at the same time!
--Yes, this is all sarcasm/joke--
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @07:50AM
in their hate, thanks to World 2.0 and the dramatic changes it has offered through digital content production values, Humans v2.0 can now be multi-minded in their ability to hate others! No longer must a single organization, group, race, gender, or religion be hated upon by them, but rather all can be hated upon with the full power of Humans v2.0 via their unique new Time-sharing Hate System (THS (TM)).
Thanks to this unique system, brought about in part by research and development done through years upon years of painstaking R&D and refinements from visits to the Player Hater's Ball, KKK meetings, and Fundamental Synagogues, Churches, and Mosques, we have finally managed to produce people who can multi-facet their hate, providing the full power of their hate at any victim at any time provided a sufficient slice of time.
(Score: 5, Insightful) by kaszz on Tuesday May 23 2017, @11:50PM
Symantec - Mountain View, California, USA
FireEye - Milpitas, California, USA
Add some special letter soup letter.
And you get whatever the master says! :-)
Do I need to say more? :p
(Score: 3, Insightful) by butthurt on Wednesday May 24 2017, @12:59AM
"Oceania was at war with Eastasia. Eurasia was an ally."
(Score: -1, Offtopic) by Anonymous Coward on Tuesday May 23 2017, @11:46PM (4 children)
Unless you've had dealings with these slanteyed godless fucks, you have no idea
just how different they are from decent western people.
The US should have destroyed China, Korea, and all the rest of the hordes of
dog-eating yellow people, while it was possible to do so without nuclear retaliation.
(Score: 3, Insightful) by butthurt on Wednesday May 24 2017, @01:09AM (3 children)
Your wish nearly came true:
-- https://en.wikipedia.org/wiki/Korean_War [wikipedia.org]
--
http://www.airspacemag.com/military-aviation/how-korean-war-almost-went-nuclear-180955324/ [airspacemag.com]
(Score: 3, Informative) by Jeremiah Cornelius on Wednesday May 24 2017, @04:09PM (2 children)
Conventional bombing and incendiaries - under the direction of Curtis LeMay - wiped out 20% of the civilian population of the Korean peninsula. This is a war crime, unfortunately not without parallel, but still in the greatest order of magnitude. The USA is no better than Stalin's USSR in this regard, other than ideological justification for the extermination of tens of millions of innocents.
LeMay, you may note, was responsible for the incineration of the cultural, non-military targets of Dresden and Kyoto. The former made famous by Kurt Vonnegut in "Slaughterhouse 5". LeMay was the great villain of that novel, and portrayed accurately as unrepentant. His airwar was more reprehensible and criminal than Goering's. Yet he never saw a Nuremburg-style prosecution.
When you see a US or UK flag, the proper response should be abject disgust.
You're betting on the pantomime horse...
(Score: 2) by butthurt on Wednesday May 24 2017, @04:23PM (1 child)
You may be thinking of Tokyo.
https://en.wikipedia.org/wiki/Bombing_of_Tokyo_in_World_War_II [wikipedia.org]
Kyoto was considered as an A-bomb recipient but lost out.
https://www.quora.com/Is-it-true-that-Kyoto-Japan-was-nearly-bombed-in-WWII [quora.com]
(Score: 2) by Jeremiah Cornelius on Wednesday May 24 2017, @04:53PM
Yes, you're right. Tokyo. And Ira C Whittaker was LeMay's strategist, responsible for targets and methods in WWI.
You're betting on the pantomime horse...
(Score: 2) by Grishnakh on Wednesday May 24 2017, @03:22AM
This is what people get for using Windows for their critical data.
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @04:09AM (2 children)
I'm surprised there's not more scrutiny over this sort of incredibly lazy security "analysis" here. False attribution is a regular part of any sort of digital criminal activity. What these "analysts" and the 'it's the Russkies!' crew before them are doing fundamentally comes down to "He said It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity... therefore it must be Charles Dickens." Oh... he's dead? Oh dear... Well I guess it's POSSIBLE somebody else might have somehow gotten access to his words. Seriously, it's like all you have to do is to keep some string values in Korean and that's enough for these "security experts" to brilliantly declare it must be North Korea.
There's also this constant self contradiction that nobody seems to pick up on. On the one hand the software is often described as sophisticated clearly indicative of a state level entity. And then you have things like them storing a 'kill switch' domain name in plain text in this case or similarly completely amateur issues in former malware or hacks attributed to state level entities.
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @04:17AM (1 child)
Reminds me of CNN's "security analyst" discussing, Who is this hacker known as 4chan? [youtube.com] "He may have been just a systems administrator who knew his way around and how to hack things."
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @06:16PM
Its still unbelievable to me that these organizations tried to push a "fake news" meme.
(Score: 1, Insightful) by Anonymous Coward on Wednesday May 24 2017, @08:30AM (2 children)
The dangerous parts were leaked from the NSA. The NSA needed something to "prove" that leaking their exploits helps the enemy rather than helping fixing our own security. What better way than a false flag operation, creating some shoddily written malware that infects a lot of computers.
I expected them to blame Russia (like the recent election), but North Korea makes it even more obvious that it was a false flag operation.
Does anyone here actually believe that malware attacking Windows could come out of a country where computers (all three of them) were invented by Kim Jong Un. As far as I know, Microsoft never ported Windows to Kim Jong Un hardware.
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @10:39AM
actually, this is not that unbelievable.
the bit with the movie a couple of years ago was just plain stupid, and I doubt North Korea was actually involved, but I do believe the North Koreans would be capable of extortion/"data kidnapping" or whatever you want to call it.
they definitely need the cash, and they have enough resources to develop the capability.
and they don't really have anything to lose.
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @04:33PM
The elites have cell phones and computers. It's shocking how little americans know about north korea. Which absolutely is a massive threat and who we will probably go to war with.
The irony is that the people first to say "well we don't know what's REALLY going on over there" over and over in an effort to look deep and woke also make the least effort to educate themselves. You could easily google information on north korea and you could just as easily talk to chinese who live on that border to verify such information is correct.
(Score: 2) by sjames on Wednesday May 24 2017, @11:37PM
So, what they're saying is the NSA flubbed so badly that they ended up helping (however inadvertently) the world's biggest kook attack the U.S. and others? Pretty much the opposite of their mission? Short of stubbing a cigar out on the big red button, could they screw up any worse?