View Full Version : Ransomware Attack - Worldwide (12 May 2017)
Hervé
12th May 2017, 20:28
Thousands of ransomware cyberattacks reported worldwide
RT
Published time: 12 May, 2017 17:46
Edited time: 12 May, 2017 20:09
A ransomware virus is reported to be spreading aggressively around the globe, with over 50,000 computers having been targeted. The virus infects computer files and then demands money to unblock them.
An increase in activity of the malware was noticed starting from 8am CET (07:00 GMT) Friday, security software company Avast reported, adding that it "quickly escalated into a massive spreading."
In a matter of hours, over 57,000 attacks have been detected worldwide, the company said.
Jakub Kroustek @JakubKroustek (https://twitter.com/JakubKroustek)
57,000 detections of #WannaCry (https://twitter.com/hashtag/WannaCry?src=hash) (aka #WanaCypt0r (https://twitter.com/hashtag/WanaCypt0r?src=hash) aka #WCry (https://twitter.com/hashtag/WCry?src=hash)) #ransomware (https://twitter.com/hashtag/ransomware?src=hash) by Avast today. More details in blog post: https://blog.avast.com/ransomware-that-infected-telefonica-and-hns-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today … (https://t.co/PWxbs8LZkk)
7:13 PM - 12 May 2017 (https://twitter.com/JakubKroustek/status/863079654290313217)
Seventy-four countries around the globe have been affected, with the number of victims still growing, according to the Russian multinational cybersecurity and anti-virus provider, the Kaspersky Lab.
Costin Raiu ✔ @craiu (https://twitter.com/craiu)
So far, we have recorded more than 45,000 attacks of the #WannaCry (https://twitter.com/hashtag/WannaCry?src=hash) ransomware in 74 countries around the world. Number still growing fast.
7:01 PM - 12 May 2017 (https://twitter.com/craiu/status/863076786887852032)
The ransomware, known as WanaCrypt0r 2.0, or WannaCry, is believed to have infected National Health Service (NHS) hospitals in the UK and Spain's biggest national telecommunications firm, Telefonica.
Britain and Spain are among the first nations who have officially recognized the attack. In Spain, apart from the telecommunications giant, Telefonica, a large number of other companies have been infected with the malicious software, Reuters reported.
The virus is said to attack computers on an internal network, as is the case with Telefonica, without affecting clients.
Computers at Russia's Interior Ministry have been infected with the malware, the ministry said Friday evening.
Some 1,000 Windows-operated PCs were affected, which is less than one percent of the total number of such computers in the ministry, spokeswoman Irina Volk said in a statement.
The virus has been localized and steps are being taken to eliminate it.
The servers of the ministry have not been affected, Volk added, saying it’s operated by different systems for Russia-developed data processing machines.
Russian telecom giant, Megafon has also been affected.
"The very virus that is spreading worldwide and demanding $300 to be dealt with has been found on a large number of our computers in the second half of the day today," Megafon's spokesperson Pyotr Lidov told RT.
Даниил Баздырев @dabazdyrev (https://twitter.com/dabazdyrev)
This is what appeared on the screens of all the work computers at Megafon Retail @eldarmurtazin (https://twitter.com/eldarmurtazin)
4:12 PM - 12 May 2017 (https://twitter.com/dabazdyrev/status/863034199460261890)
The internal network had been affected, he said, adding that in terms of the company's customer services, the work of the support team had been temporarily hindered, "as operators use computers" to provide their services.
The company immediately took appropriate measures, the spokesperson said, adding that the incident didn't affect subscribers' devices or Megafon signal capabilities in any way.
RT UK ✔ @RTUKnews (https://twitter.com/RTUKnews)
Reports of hackers demanding ransom in #nhscyberattack (https://twitter.com/hashtag/nhscyberattack?src=hash). https://on.rt.com/8bgz (https://t.co/IRciWf0x9q) pic.twitter.com/nKRi1JD70A (https://t.co/nKRi1JD70A)
RT UK ✔ @RTUKnews (https://twitter.com/RTUKnews)
Doctors report bitcoin pop-up messages asking users to pay $300 to be able to access their PCs: https://on.rt.com/8bgz (https://t.co/IRciWf0x9q) #nhscyberattack (https://twitter.com/hashtag/nhscyberattack?src=hash)
8:08 AM - 12 May 2017
British Prime Minister Theresa May has said the cyberattack on UK hospitals is part of a wider international attack.
In Sweden, the mayor of Timra said "around 70 computers have had a dangerous code installed," Reuters reported.
According to Avast, the ransomware has also targeted Ukraine and Taiwan.
The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY."
It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.
While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, cybercriminals warn.
According to the New York Times, citing (https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?smprod=nytcore-iphone&smid=nytcore-iphone-share&_r=1) security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding that it has been distributing the stolen NSA hacking tools online since last year.
Hervé
12th May 2017, 20:35
Updates:
Mass cyberattack strikes computer systems worldwide Live updates (https://www.rt.com/news/388165-mass-cyberattack-strikes-globally/)
RT
Published time: 12 May, 2017 19:25
Tens of thousands of computers in 74 countries have been infected by a ransomware virus which extorts users by blocking Windows files and demanding payment to restore access.
12 May 2017
19:56 GMT Computers at Russia's Interior Ministry have been infected with the malware, the ministry said Friday evening.
Some 1,000 Windows-operated PCs were affected, which is less than one percent of the total number of such computers in the ministry, spokeswoman Irina Volk said in a statement.
The virus has been localized and steps are being taken to eliminate it.
The servers of the ministry have not been affected, Volk added, saying it’s operated by different systems for Russia-developed data processing machines.
19:55 GMT Microsoft has been providing additional assistance to its clients in the wake of the attack, a spokesman said on Friday. The company added detection and protection tools to counter the major malicious software, he added.
"Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt," he said.
MalwareTech @MalwareTechBlog (https://twitter.com/MalwareTechBlog)
Something like this is incredibly significant, we've not seen P2P spreading on PC via exploits at this scale in nearly a decade.
6:39 PM - 12 May 2017 (https://twitter.com/MalwareTechBlog/status/863071199093542912)
19:39 GMT In Russia, telecom giant Megafon has been affected.
"The very virus that is spreading worldwide and demanding $300 to be dealt with has been found on a large number of our computers in the second half of the day today," Megafon's spokesperson Pyotr Lidov told RT.
The internal network had been affected, he said, adding that in terms of the company's customer services, the work of the support team had been temporarily hindered, "as operators use computers" to provide their services.
The company immediately took appropriate measures, the spokesperson said, adding that the incident didn't affect subscribers' devices or Megafon signal capabilities in any way.
19:19 GMT Swedish authorities have reported that 70 computers have been infected in the locality of Timra, central Sweden. Victims have seen their computers shut down, then restart, with a message saying their files have been encrypted with access only possible after payment.
"We have around 70 computers that have had a dangerous code installed," Andreaz Stromgren, the mayor of Timra, told Reuters.
19:18 GMT
Edward Snowden ✔ @Snowden (https://twitter.com/Snowden)
In light of today's attack, Congress needs to be asking @NSAgov (https://twitter.com/NSAGov) if it knows of any other vulnerabilities in software used in our hospitals.
9:08 PM - 12 May 2017 (https://twitter.com/Snowden/status/863108616773095425)
19:12 GMT According to the New York Times, citing (https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?smprod=nytcore-iphone&smid=nytcore-iphone-share&_r=1) security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding that it has been distributing the stolen NSA hacking tools online since last year.
18:51 GMT The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY."
It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.
While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom.
18:50 GMT The ransomware, known as WanaCrypt0r 2.0, is believed to have infected National Health Service (NHS) hospitals in the UK and Spain's biggest national telecommunications firm, Telefonica.
British Prime Minister Theresa May has said the cyberattack on UK hospitals is part of a wider international attack.
Hervé
12th May 2017, 21:31
21:11 GMT “It would be deeply troubling if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen,” Patrick Toomey, a staff attorney with the ACLU National said in a statement.
“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world. It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner,” he added.
ACLU National ✔ @ACLU (https://twitter.com/ACLU)
It would be deeply troubling if the NSA knew Microsoft was vulnerable in this way but waited to disclose. Congress can and should fix this. https://twitter.com/nytimes/status/863089876631248897 … (https://t.co/jdAr6kkB6N)
10:23 PM - 12 May 2017 (https://twitter.com/ACLU/status/863127603422662658)
21:03 GMT Bruno Kramm, the chairman of the Berlin branch of the Pirate Party, said that a lot of vulnerabilities lie in the backdoors built into many, especially outdated, operating systems, and that we must rethink our approach to cybersecurity.
“We should much more work with open-source software, with Linux systems which are open-source, and we have to use encryption, and we have to take more security measures for the more dangerous infrastructure, for example hospitals,” he told RT.
Kramm also believes that the leaked NSA tools helped facilitate the attack.
“But the sad thing is the more we find out [about] the NSA having this software, the more we also know that this software is also of course traded. There is no software which you can keep inside of the system. From the moment the NSA works with the software, you can also get the software, and once you get the software you can use it in your own way. So basically it’s really a problem they have started.”
20:50 GMT One of Russia's largest banks, the state-owned Sberbank, said it had also detected attempts to target its computers but no malware penetrated their systems.
20:46 GMT FedEx Corporation, the American multinational delivery services company, said it is dealing with the same type of cyberattack.
“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers,” a FedEx spokesperson told RT.
20:42 GMT The UK National Health Service has been attacked by ransomware as well, presumably by Wanna Decryptor, the NHS said (https://digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack) in a statement.
“At this stage we do not have any evidence that patient data has been accessed,” the statement said, adding that the National Cyber Security Centre is assisting in dealing with the malware.
20:37 GMT "Several" computers of Russia's Emergency Ministry had also been targeted, its representative told TASS, adding that "all of the attempted attacks had been blocked, and none of the computers were infected with the virus."
20:34 GMT In the wake of the attack, WikiLeaks reminded of its release of a series of leaks on the Central Intelligence Agency (CIA), code-named "Vault 7," back in March.
Claiming that "the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans," the whistleblowing site said the lost data "amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA."
"Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike," WikiLeaks warned in their release.
WikiLeaks ✔ @wikileaks (https://twitter.com/wikileaks)
If you can't secure it--don't build it: #Vault7 (https://twitter.com/hashtag/Vault7?src=hash) whistleblower warned US cyber weapons are extreme proliferation risk https://wikileaks.org/ciav7p1/ (https://t.co/K7wFTdlC82)
9:01 PM - 12 May 2017 (https://twitter.com/wikileaks/status/863106977211318278)
Updates here: https://www.rt.com/news/388165-mass-cyberattack-strikes-globally/
TargeT
12th May 2017, 21:49
Funny.... Didn't that trove of NSA tools get released to the wild not too long ago?
Innocent Warrior
12th May 2017, 23:05
Funny.... Didn't that trove of NSA tools get released to the wild not too long ago?
Yep, April 9.
See posts #231 & #232 - http://projectavalon.net/forum4/showthread.php?95892-Vault-7/page10
TargeT
12th May 2017, 23:11
Funny.... Didn't that trove of NSA tools get released to the wild not too long ago?
Yep, April 9.
See posts #231 & #232 - http://projectavalon.net/forum4/showthread.php?95892-Vault-7/page10
we need a sarcasm font... haha
I've been working my ass off to mitigate that "trove of tools" for about a month now @ the debtslave daycare, luckily a lot of it is easily done (vendor patches, closing a port or two).... but not all.
Innocent Warrior
12th May 2017, 23:17
Funny.... Didn't that trove of NSA tools get released to the wild not too long ago?
Yep, April 9.
See posts #231 & #232 - http://projectavalon.net/forum4/showthread.php?95892-Vault-7/page10
we need a sarcasm font... haha
I've been working my ass off to mitigate that "trove of tools" for about a month now @ the debtslave daycare, luckily a lot of it is easily done (vendor patches, closing a port or two).... but not all.
Oh OK haha. Well now there's some background on the SB here anyway.
I wonder how hard it is to decrypt the files or to get rid of the ransomware off the computers without paying?
* * *
From The Intercept - LEAKED NSA MALWARE IS HELPING HIJACK COMPUTERS AROUND THE WORLD (https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/)
From ZeroHedge - "Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools (http://www.zerohedge.com/news/2017-05-12/massive-ransomware-attack-goes-global-huge)
norman
12th May 2017, 23:21
Ransomware has been a problem for at least a couple of years that I know of. It's never been as widespread in one hit before though, which is why it's making the news.
Hospitals, clinics, police departments, fire services etc make good targets because they pay up just to keep going.
I've heard a report that one target paid up but still didn't get the files unlocked.
There are quite a few different ones going around. The best, but nothing's perfect, defense is frequent backups to an external storage device. What I've been reading over the last couple of years is that they target work files that have all your data in them, not the operating system. That could easily change at any time.
As this is so widespread, it's a serious risk for anyone, not just organisations. Make a backup right now of every work/data file you have on your computer. Whatever happens in the next few days and weeks, you'll have the backups to get going with again ( even if it's with a new PC ).
KiwiElf
12th May 2017, 23:39
*SIGH* Anything to get us to use Windows 10! :facepalm: *kidding* :p
(It would be interesting to know which versions of Windows OS were affected - and what anti-virus systems were in place - amazingly, a large number of govt and Bank operations are still based on XP. :sherlock:
If it continues to spread ... (now, aren't you glad you stayed with a Mac, Bill? (I say that and cringe as I unpack my just-delivered new PC!) Maybe I'll leave it offline for a while ;)
Innocent Warrior
13th May 2017, 00:09
Wcrypt ransomware infections over the last 24 hours - https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all
*SIGH* Anything to get us to use Windows 10! :facepalm: *kidding* :p
(It would be interesting to know which versions of Windows OS were affected
This lists all versions. The fix was released in March Rollup, but some people have not updated yet.
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Innocent Warrior
13th May 2017, 05:26
Excerpt from - WannaCry ransomware used in widespread attacks all over the world (https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/) By GReAT: Kaspersky Lab's Global Research & Analysis Team (May 12, 2017)
Mitigation and detection information
Quite essential in stopping these attacks is the Kaspersky System Watcher component. The System Watcher component has the ability to roll back the changes done by ransomware in the event that a malicious sample managed to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.
Mitigation recommendations:
1. Make sure that all hosts are running and have enabled endpoint security solutions.
2. Install the official patch (MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.
Samples observed in attacks so far:
Kaspersky Lab detection names:
Trojan-Ransom.Win32.Gen.djd
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
PDM:Trojan.Win32.Generic
Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.
For more, including their full analysis of the attack and links, see source (https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/).
TargeT
13th May 2017, 13:15
I wonder how hard it is to decrypt the files or to get rid of the ransomware off the computers without paying?
Depending on the level of encryption, easy to very hard to practically impossible...
however, you'll notice a timer normally exists on these things, which effectively negates the chances of the data being decrypted for most people (you can take the hard drive out of the computer and work on it separately, but who's set up to do that?)
Encryption can always be broken, the question is: how long will it take. Usually the answer is far too long to be useful.
Hervé
13th May 2017, 13:25
Don’t WannaCry? 5 easy tips to protect yourself from ransomware (https://www.rt.com/viral/388189-wannacry-ransomware-virus-protection/)
RT
Published time: 13 May, 2017 01:00
Edited time: 13 May, 2017 06:12
An aggressive new strain of ransomware is shutting down Windows operating computers all over the world. Although the virus known as WannaCry has already infected over 75,000 PCs in 99 countries, it is actually not that hard to secure your digital data.
The latest ransomware employs asymmetric encryption to hold the target's information for ransom, using a pair of keys uniquely generated by the attacker for the victim. The attacker makes the private key available to the victim only after the ransom is paid – or very likely does not.
Here are some easy steps to protect your machine and secure your files from falling hostage to online scammers.
#0 Patch!
Security experts advise installing the Microsoft fix (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)—MS17-010—right away. Following the installation, make sure to reboot the system.
The patch that closes the backdoor used by WannaCry to penetrate the system was released by Microsoft on March 14 – apparently shortly after the NSA became aware that its exploit has been stolen, and roughly a month before the Shadow Brokers hacking group exposed (https://on.rt.com/8biz) it to the world.
Ryan Naraine @ryanaraine (https://twitter.com/ryanaraine)
Regarding today's ransomware nightmare, it's very bad. Apply MS17-010 immediately, and urgently!
6:09 PM - 12 May 2017 (https://twitter.com/ryanaraine/status/863063657462325249)
In general, patching your system and installing regular Microsoft updates should secure an average PC user from unwanted vulnerabilities.
#1 Beware!
Just as with many other ransomware, the virus can penetrate the system not only through a Windows vulnerability, but also through the “spray-‘n’-pray” phishing attack, which involves spamming users with emails that carry a malicious attachment. The attackers can also lure a victim to click on a URL where malware will be ready to crawl into your machine.
RT ✔ @RT_com (https://twitter.com/RT_com)
NSA developed #WannaCry (https://twitter.com/hashtag/WannaCry?src=hash) 'dangerous attack tools' - Snowden analysis of #WanaCrypt0r (https://twitter.com/hashtag/WanaCrypt0r?src=hash) #WCry (https://twitter.com/hashtag/WCry?src=hash) exploit https://on.rt.com/8biz (https://t.co/KwuBdpA92T)
2:24 AM - 13 May 2017 (https://twitter.com/RT_com/status/863188238500057088)
Because ransomware targets everyday Internet users, businesses and public service providers, any individuals or organizations that need continuous access to their systems should be especially careful what sites they visit and which attachments they open up.
#2 Backup!
It is highly advised, in order to protect yourself from being held hostage to data thieves, to create secure backups of important data on a regular basis. Simply backing up is not enough though, as physically disconnecting the storage device is required to avoid it being infected with ransomware as well. Cloud storage is another option to use, but it makes your data vulnerable to all other kinds of attacks.
#3 Don’t pay ransom!
This one is quite simple – there’s no guarantee that victims will get their data back even if they cough up the cash cyber crooks demand from them. Plus there is no guarantee that the attackers won’t strike you again or demand more.
#4 Install antivirus (at least a trial version)!
Make use of your antivirus software’s ransomware removal tool, which should scan for and wipe out any ransomware attempts found on your computer.
Most paid subscriptions use real-time protection to keep their clients. Even if ransomware gets past your antivirus, chances are good that within a short while an automatic antivirus update will clear the intruder from your system. Most antivirus companies offer trial versions free of charge to test before subscribing for a paid service, which should be enough if one needs to urgently remove a stray malware.
Ransomware known as WannaCry, Wanna, or Wcry went on a global cyber infection rampage on Friday, infecting at least 75,000 computers in at least 99 countries. The malware adopted to a multi-lingual platform has caused complete data paralysis at banks, hospitals and telecommunications service providers, most notably in the UK, Spain, and Germany.
The virus demands a ransom of $300 to $600 in bitcoin by May 15 to unlock access to data held hostage. The malware is widely believed to have been developed based on the National Security Agency’s zero-day exploit which was leaked last month by the Shadow Brokers hacker group.
LIVE UPDATES: Mass cyberattack strikes computer systems worldwide (https://www.rt.com/news/388165-mass-cyberattack-strikes-globally/)
Related:
Leaked NSA exploit blamed for global ransomware cyberattack (https://www.rt.com/usa/388187-leaked-nsa-exploit-ransomware/)
----------------------------------------------------
Microsoft releases urgent OS patch in wake of #WannaCry ransomware blitz (https://www.rt.com/news/388233-virus-ransomware-microsoft-wannacry/)
RT
Published time: 13 May, 2017 10:58
Microsoft has taken the “highly unusual” step of securing early operating systems in the wake of a massive ransomware attack that wreaked havoc on global computer networks, including the UK’s National Health Service.
Microsoft XP received the new security patch three years after the computer giant discontinued support for the OS.
The patch release comes after a virus known as ‘WannaCry’ ransomware, which encrypts files and demands users pay for their release, infected more than 100,000 computers worldwide on Friday.
Malware Tech reports (https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all) that approximately 124,000 computers have now been affected by the virus, with parts of the UK’s National Health Service, including patient records and other administrative data, debilitated by the sudden attack.
NHS Digital @NHSDigital (https://twitter.com/NHSDigital)
Our statement on the reported ransomware issues: https://digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack … (https://t.co/Pt47dvpbiR) #nhscyberattack (https://twitter.com/hashtag/nhscyberattack?src=hash)
5:29 PM - 12 May 2017 (https://twitter.com/NHSDigital/status/863053477794258946)
“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today [Friday], was painful,” a Microsoft statement (https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/) read.
“We are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.”
An investigation is currently underway to determine the source of the cyberattack. According to the European Cybercrime Centre, Europol is “working closely” with countries affected by the blitz to identify the culprits.
NSA exploit codes (https://www.rt.com/usa/384082-shadow-brokers-nsa-password-trump/) were released by The Shadow Brokers, a hacking group, this year. The US government cyber weapons were later offered at auction for billions of dollars in bitcoin (https://www.rt.com/usa/356081-hackers-nsa-spying-tools/).
Earlier this year, Microsoft created a patch called MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) to guard against the virus. But older, unsupported operating systems were not included in the update.
“WannaCrypt’s spreading mechanism is borrowed from well-known public SMB exploits, which armed this regular ransomware with worm-like functionalities, creating an entry vector in machines still unpatched even after the fix had become available,” Microsoft said (https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?platform=hootsuite).
MalwareTech @MalwareTechBlog (https://twitter.com/MalwareTechBlog)
I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.
2:20 AM - 13 May 2017 (https://twitter.com/MalwareTechBlog/status/863187104716685312)
Elsewhere, a Twitter user posting under the name of @malwaretechblog is being hailed an unlikely hero after they registered a domain name referenced in the virus code. The domain registry acts as a kill switch in the code, halting the ransomware.
Darien Huss, a security research engineer who reportedly helped find the loophole, explained: “WannaCry propagation payload contains previously unregistered domain, execution fails now that domain has been sinkholed.”
Darien Huss @darienhuss (https://twitter.com/darienhuss)
#WannaCry (https://twitter.com/hashtag/WannaCry?src=hash) propagation payload contains previously unregistered domain, execution fails now that domain has been sinkholed
7:29 PM - 12 May 2017 (https://twitter.com/darienhuss/status/863083680528576512)
Related:
Ransomware virus plagues 100k computers across 99 countries (https://www.rt.com/news/388153-thousands-ransomeware-attacks-worldwide/)
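The kill switch described above has a defensive side-effect worth using: every internal host that looked the hard-coded domain up is a host the worm reached, whether or not it went on to encrypt anything. The script below is an added example (not from the RT article, MalwareTech or Proofpoint) that hunts for those lookups in a resolver's query log. The log lines are constructed in BIND query-log style, and the domain is a placeholder standing in for the real sinkholed name, which is not given here.

```python
"""Find hosts that queried the kill-switch domain in DNS query logs.

Added example. KILL_SWITCH_DOMAIN is a placeholder, not the real domain; the
log lines below are constructed samples in BIND query-log format, not real
telemetry. A host that resolved the domain was reached by the worm and was
only saved by the sinkhole answering, so it still needs patching and review.
"""
import re
from collections import defaultdict

# Placeholder for the hard-coded domain referenced in the malware (assumption).
KILL_SWITCH_DOMAIN = "killswitch-domain-placeholder.example"

# Constructed sample log (BIND 'queries' category style). Two internal hosts
# look the kill-switch domain up; one of them does so twice.
SAMPLE_LOG = """\
12-May-2017 08:02:11.120 queries: info: client 10.20.3.41#51522 (killswitch-domain-placeholder.example): query: killswitch-domain-placeholder.example IN A + (10.20.0.2)
12-May-2017 08:02:12.004 queries: info: client 10.20.3.77#49211 (www.example.org): query: www.example.org IN A + (10.20.0.2)
12-May-2017 08:03:40.551 queries: info: client 10.20.3.41#51530 (killswitch-domain-placeholder.example): query: killswitch-domain-placeholder.example IN A + (10.20.0.2)
12-May-2017 08:05:09.778 queries: info: client 10.20.9.12#60010 (KILLSWITCH-DOMAIN-PLACEHOLDER.example): query: KILLSWITCH-DOMAIN-PLACEHOLDER.example IN A + (10.20.0.2)
12-May-2017 08:06:00.001 queries: info: client 10.20.3.77#49300 (update.example.net): query: update.example.net IN A + (10.20.0.2)
"""

# timestamp, client address and queried name/type; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*client (?P<client>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for every parsable line.
    Names are lower-cased and stripped of a trailing dot so matching is exact."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def hosts_that_hit_kill_switch(text, domain=KILL_SWITCH_DOMAIN):
    """Map client IP -> list of timestamps at which it queried the kill-switch
    domain (or any subdomain of it). Case-insensitive, since DNS is."""
    domain = domain.lower()
    hits = defaultdict(list)
    for ts, client, qname, _qtype in parse_query_log(text):
        if qname == domain or qname.endswith("." + domain):
            hits[client].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(hosts_that_hit_kill_switch(SAMPLE_LOG).items()):
        print(f"{client}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Point the script at the real resolver log and the real domain and the output is a list of machines to isolate and patch. Note that the kill switch only protected hosts that could actually reach the domain; a host whose outbound web access goes through a proxy that the malware does not use would not appear here and would not have been stopped.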
bearcow
13th May 2017, 14:12
wonder how many people were dumb enough to pay the ransom
wnlight
13th May 2017, 14:51
I use a disconnected, full backup. This way even operating files are replaceable. It means that now and then I must buy a larger disk drive to accommodate my growing size of total files. This technique will only allow me to return my computer to the date of the last backup so I should backup frequently. I also frequently make an additional backup of data files to a separate device. I also use an attached disk for very frequent auto backups, but that will not help fight some malware. My paranoia stems from fifteen years as a database specialist for large commercial systems.
TargeT
13th May 2017, 16:39
Safe for now... but patch regularly anyway... That's literally 60% of my job (patching).
'Accidental hero' halts ransomware attack and warns: this is not over
The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.
The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack) (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog (https://twitter.com/MalwareTechBlog), with the help of Darien Huss (https://twitter.com/darienhuss) from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.
https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack
Hervé
13th May 2017, 16:55
Interesting accidental flipping of the kill-switch :)
[...]
MalwareTech @MalwareTechBlog (https://twitter.com/MalwareTechBlog)
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
2:20 AM - 13 May 2017 (https://twitter.com/MalwareTechBlog/status/863187104716685312)
Elsewhere, a Twitter user posting under the name of @malwaretechblog is being hailed an unlikely hero after they registered a domain name referenced in the virus code. The domain registry acts as a kill switch in the code, halting the ransomware.
[...]
Satori
13th May 2017, 21:17
Hmmmm. What are the odds? How convenient.
Does this imply that whenever something like this happens, all that needs to be done to defeat it is register codes?
norman
13th May 2017, 21:58
For those, like me, who prefer listening to reading, Lisa Haven video blogs her version of the news. She points out that the biggest cluster of hits is in Russia. I noticed myself last night that China doesn't look badly hit, but that might be because most of China doesn't even have computers yet?
https://www.youtube.com/watch?v=z5a1dAkoSck
and..... if you've got a British chuckle bone....
https://www.youtube.com/watch?v=0DS5IhtbgY8
[ but someone should tell him the nukes are still being run off 5 1/4" floppies ]
Just in: The British nuclear subs are working with Windows XP. Wonder if they also got the Ransomware? ;)
https://www.privateinternetaccess.com/blog/2017/05/prudent-ask-britains-nuke-subs-also-hit-ransomware/
Britain’s hospitals have been brought to a standstill because of ransomware infecting obsolete and unpatched Windows XP systems. The same obsolete operating system is powering Britain’s nuclear weapons arsenal. Is it prudent to ask if the British nuclear weapons submarines have been patched against this ransomware, or even hit by it?
HMS Vanguard (UK government photo, Open Government Licence)
TargeT
15th May 2017, 13:03
Microsoft... NSA...... hmm
The US gov is one of Microsoft's biggest customers... it's almost a symbiosis.
Because of that, I distrust this situation... ESPECIALLY IF IT'S TARGETING WINDOWS XP! (what a CONVENIENT thing for Microsoft eh?)
Microsoft president blasts NSA for its role in 'WannaCry' computer ransom attack
A Microsoft executive sharply criticized a U.S. spy agency Sunday for its role in weaponizing a weakness in Windows and allowing it to be stolen by hackers and used to launch history’s largest ransomware attack.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Brad Smith, president and chief legal officer at Microsoft, wrote in the wake of the “WannaCry” computer virus attack, which crippled computers worldwide.
He compared it to the U.S. military having some of its Tomahawk missiles stolen. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,” he added.
Smith’s criticism comes as the virus continues to spread around the globe, despite the efforts of companies, governments and security experts. Europe’s leading police agency said Sunday that the computer virus had reached an "unprecedented level," claiming 200,000 victims and spreading to at least 150 countries.
With employees returning to work Monday, there were fears that more infections will be discovered. And there were also reports that new variations of the virus were appearing.
In an interview with Britain's ITV, Europol Director Rob Wainwright said a cross-border investigation would be necessary to track down the culprits.
"It is unlikely to be just one person, I think," he told ITV.
The fast-moving virus, which first hit Friday (http://www.latimes.com/world/la-fg-global-computer-virus-20170513-story.html), exploits a vulnerability in the Windows operating system that had been discovered by the U.S. National Security Agency (http://www.latimes.com/topic/politics-government/defense/security-measures/national-security-agency-ORGOV0000104-topic.html). That information was stolen by hackers and published online.
In his response, Smith highlighted the work Microsoft has done to improve the security of its products, long a target of criticism in the security community. He said the company now has 3,500 security engineers, many of whom now act as “first responders” in such cases.
The company had released a security update this year to address the vulnerability that the NSA found. But that leads to the next culprit on Smith’s list.
He noted that customers, particularly large organizations and companies, are groaning under the burden of hugely complex systems that have evolved over decades and can be difficult to maintain and upgrade.
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect,” he wrote. “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Indeed, Britain’s National Health Service suffered one of the worst attacks because, in part, many of its systems were running Windows XP, an older version of the operating system that Microsoft had stopped supporting long ago. Over the weekend, the company took the extraordinary step of releasing security updates for XP and other versions it no longer supported.
But Smith saved his harshest words for the NSA and called on international governments and policymakers to rethink their approaches to cybersecurity and cyberspying. In doing so, he joined a chorus of critics who had been pointing fingers all weekend at the NSA.
“The governments of the world should treat this attack as a wake-up call,” Smith said. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
In February, Microsoft had called for a “Digital Geneva Convention,” to reach a new international agreement that would push spy agencies to report vulnerabilities to vendors, rather than trying to exploit them for surveillance purposes.
Even with the recent patches, security experts say the makers of the WannaCry virus are still able to target millions of PCs that have not been updated. And while two waves of the attack have been blocked, researchers say it may be impossible to stop new waves.
When the virus finds its way into a PC, data are encrypted and users are told they must pay $300 in electronic money known as bitcoin to receive a key to decrypt it.
On its website, Europol said it is “working closely with affected countries’ cybercrime units and key industry partners to mitigate the threat and assist victims.”
It also said: “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits.”
James R. Clapper (http://www.latimes.com/topic/politics-government/government/jarmes-r.-clapper-PEPLT0009071-topic.html), who was President Obama’s director of national intelligence, noted on ABC’s “This Week with George Stephanopoulos” that more victims of the attack could surface Monday, when people return to work.
“Well, that's the concern,” he said. He added that it was “a very serious, serious problem” and that more such attacks can be expected.
The 200,000 victims included more than 100,000 organizations, Europol spokesman Jan Op Gen Oorth told the Associated Press. He said it was too early to say who was behind the onslaught and what the motivation was, aside from the obvious demand for money. So far, he said, not many people have paid the ransom demanded by the malware.
The effects were felt across the globe, with Britain's National Health Service, Russia's Interior Ministry and companies including Spain's Telefonica, FedEx Corp. in the U.S. and French carmaker Renault all reporting disruptions.
Chinese media reported Sunday that students at several universities were hit, blocking access to their thesis papers and dissertation presentations. The People’s Daily reported that one student, identified only by the surname Tang, said his computer was hit Friday night and that the ransom note was in several languages, including Chinese, Korean, Japanese and English.
http://www.latimes.com/world/europe/la-fg-europe-computer-virus-20170514-story.html
Hervé
17th May 2017, 22:51
Second even bigger global cyber attack may already be underway (https://www.rt.com/news/388749-wannacry-adylkuzz-worldwide-cyberattack-nsa/)
RT (https://www.rt.com/news/388749-wannacry-adylkuzz-worldwide-cyberattack-nsa/)
Wed, 17 May 2017 21:07 UTC
© Silas Stein / DPA / Global Look Press
As the world reels from the WannaCry ransomware attack, it's now emerged that a second, potentially larger attack, is already under way. It seems the widespread proliferation of military-grade cyberweapons has ushered in a new era of digital crime.
Cyber bandits have again deployed both the EternalBlue and DoublePulsar exploits developed and used by the NSA which were released by the ShadowBrokers hackers back in April.
"Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week's WannaCry infection," wrote (https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar) a security researcher who goes by the alias Kafeine at cybersecurity company Proofpoint.
This latest attack uses the two exploits to install the cryptocurrency miner Adylkuzz over corporate Local Area and wireless networks but, rather curiously, may actually have helped slow the spread of WannaCry.
However, in an apparent case of "picking your poison," the Adylkuzz miner dramatically slows PC and server performance as it extracts cryptocurrency but it does not lock users out of their machines and data, as WannaCry did.
Researchers at Proofpoint estimate that the Adylkuzz attack may have begun as early as April 24 but was subsequently overshadowed in the hysteria that followed the WannaCry ransomware attacks.
The attack is launched from multiple virtual private servers which scour the internet for vulnerabilities to install the Adylkuzz miner.
The malware infection occurs as follows:
The EternalBlue exploit opens the door for infection with DoublePulsar on a target machine. DoublePulsar then downloads and runs Adylkuzz on the computer.
Adylkuzz then stops any preexisting versions of itself on a target machine, while also blocking SMB network communications with other machines to prevent any further malware infections from disrupting its operations. It initially prevents cybersecurity professionals from identifying that there is a problem.
Once the door has been held open and detection risks have been minimized, Adylkuzz then downloads mining instructions, the cryptocurrency miner itself and a variety of cleanup tools to mask its activities.
While the term cryptocurrency is typically associated with Bitcoin (https://www.rt.com/business/388440-bitcoin-rally-fears-asset-bubble/), Adylkuzz actually mines Monero (https://getmonero.org/home), a similar but more heavily encrypted digital currency. Monero recently saw a significant uptick in usage after it was adopted in the AlphaBay (https://www.rt.com/usa/385081-dark-web-drug-bust-heroin/) market on the Dark Web.
As with other cryptocurrencies, Monero expands in market cap through self-proliferation via digital mining. One monero is roughly equivalent (https://coinmarketcap.com/currencies/monero/) to $27 at current exchange rates (https://www.worldcoinindex.com/coin/monero).
During its research, Proofpoint identified three addresses which had already generated $7,000, $14,000 and $22,000 respectively, before being shut down.
To cover their tracks, whoever is behind the attack regularly changes the online payment address to avoid attracting too much attention.
As in the case of the WannaCry attack, hackers have leveraged the NSA's weaponized exploits of legacy Microsoft operating systems to infect hundreds of thousands of machines worldwide with malware. Since the Shadow Brokers' leak of these NSA exploits there have been two high profile attacks with many more expected in the future.
Ron Mauer Sr
17th May 2017, 23:42
What are some precautions we can take?
They may not be fool proof, but there must be some things we can do.
Malwarebytes?
Disconnect from the internet when not needed?
TargeT
18th May 2017, 01:08
What are some precautions we can take?
They may not be fool proof, but there must be some things we can do.
Malwarebytes?
Disconnect from the internet when not needed?
SUPER easy to fix:
patch, windows update, March's patch (MS17-010 is the patch that fixes it 100% foolproof for the WannaCry ransomware & Adylkuzz attack )
If you want to be super safe (and have the ability)
These are the IP's we are blocking (DoD):
197.231.221.221
128.31.0.39
149.202.160.69
46.101.166.19
91.121.65.179
2.3.69.209
146.0.32.144
50.7.161.218
217.79.179.177
213.61.66.116
81.30.158.223
79.172.193.32
38.229.72.16
Best advice is to let windows patch itself, and often... that will fix 90% of the "bad stuff" out there.. (and it will fix 99% of the NSA released tool attack vectors).
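For anyone who wants to act on the block list above without hand-typing thirteen rules, here is an added example (not TargeT's or the DoD's tooling) that takes the addresses as posted, refuses to emit a rule for anything that is not a single, publicly routable IPv4 address (so a typo cannot quietly black-hole an internal range), and prints outbound iptables rules for a Linux router or host firewall of the kind mentioned later in the thread. The iptables chain names and flags are standard; whether these particular addresses are still worth blocking is a question for current threat intelligence, not for the script.

```python
"""Turn a posted beacon block list into outbound iptables rules, with checks.

Added example, not the thread author's tooling. Input is the address list
exactly as posted; output is one LOG and one DROP rule per address in the
OUTPUT and FORWARD chains. Anything that is not a single global IPv4 address
is rejected with a reason rather than silently skipped.
"""
import ipaddress

# The list exactly as posted in the thread.
POSTED_BLOCK_LIST = """
197.231.221.221
128.31.0.39
149.202.160.69
46.101.166.19
91.121.65.179
2.3.69.209
146.0.32.144
50.7.161.218
217.79.179.177
213.61.66.116
81.30.158.223
79.172.193.32
38.229.72.16
"""


def validate_block_list(raw):
    """Split raw text into (accepted, rejected).

    accepted: IPv4Address objects that are globally routable, de-duplicated.
    rejected: (item, reason) pairs, so the operator sees what was dropped."""
    accepted, rejected, seen = [], [], set()
    for line in raw.splitlines():
        item = line.split("#", 1)[0].strip()  # allow trailing comments
        if not item:
            continue
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            rejected.append((item, "not a single IP address"))
            continue
        if addr.version != 4:
            rejected.append((item, "not IPv4; handle with ip6tables"))
            continue
        if not addr.is_global:
            rejected.append((item, "private/reserved address, refusing to block"))
            continue
        if addr in seen:
            rejected.append((item, "duplicate"))
            continue
        seen.add(addr)
        accepted.append(addr)
    return accepted, rejected


def iptables_rules(addrs, chains=("OUTPUT", "FORWARD"), log_prefix="wcry-beacon "):
    """One LOG rule and one DROP rule per address per chain.

    OUTPUT covers traffic the firewall box itself originates; FORWARD covers
    hosts it routes for. The LOG rule is the detection: a logged hit names an
    internal host that tried to beacon and therefore needs attention."""
    rules = []
    for chain in chains:
        for addr in addrs:
            rules.append(f'iptables -A {chain} -d {addr} -j LOG --log-prefix "{log_prefix}"')
            rules.append(f"iptables -A {chain} -d {addr} -j DROP")
    return rules


if __name__ == "__main__":
    good, bad = validate_block_list(POSTED_BLOCK_LIST)
    for item, reason in bad:
        print(f"# skipped {item}: {reason}")
    print("\n".join(iptables_rules(good)))
```

Blocking destinations like this is a stop-gap: the addresses a sample beacons to change from variant to variant, and a block list ages quickly, whereas MS17-010 closes the hole the worm actually spreads through. The LOG rule matters more than the DROP over time, because a hit tells you which internal machine is infected.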
ThePythonicCow
18th May 2017, 01:34
These are the IP's we are blocking (DoD):
Can you explain what those IP's are and why we might consider blocking them ?
TargeT
18th May 2017, 01:42
These are the IP's we are blocking (DoD):
Can you explain what those IP's are and why we might consider blocking them ?
That's where the beacons in the WannaCry attack point to.
We aren't allowed to retaliate, we are allowed to defend.
ThePythonicCow
18th May 2017, 05:52
That's where the beacons in the WannaCry attack point to.
We aren't allowed to retaliate, we are allowed to defend.
Three of those IP's, perhaps more, look like TOR nodes to me.
By "beacon" do you mean that the WannaCry software sends out messages to these IP addresses, I suppose to get instructions and updates, to record the decryption key you'd be asked to buy back later, and to allow the attacker to monitor the attack's progress?
If so, then is the theory that by blocking packets from these IP addresses, you would not need to block the original beacon out from your about to be infected PC, but you would at least need to block the reply back from that IP, and that would suffice to stop the attack?
(Well, I suppose that you could also block the initial outgoing IP, but that might require more expertise with the network routing stack on your computer than most people have, unless Windows firewall programs make that easy, and in any case doesn't seem necessary here.)
===
I can see two reasons to use TOR:
If you're a common crook, ordinary serf, or just a privacy motivated user, then using TOR keeps other ordinary serfs and web server admins from seeing where you're coming from, however it doesn't protect you from the Deep State.
If you're part of the Deep State's Alphabet (https://abc.xyz/) soup agencies, then using TOR helps to hide your employer's identity from us ordinary serfs.
However (in my view) TOR is not useful if you're a serf doing something that the Deep State will likely take an interest in, such as leaking the incriminating email of powerful insiders to Wikipedia or shutting down a quarter million computers world-wide, many of them in large institutions.
Therefore, if the above is accurate, the perpetrator of WannaCry is either (1) a stupid serf, or (2) connected with the Deep State.
Guess which one my money would be on, if I were a betting man.
(And since China, with its many copies of stolen Windows XP, has been hardest hit by WannaCry, I'd guess it's not them.)
TargeT
18th May 2017, 13:05
(Well, I suppose that you could also block the initial outgoing IP, but that might require more expertise with the network routing stack on your computer than most people have, unless Windows firewall programs make that easy, and in any case doesn't seem necessary here.)
We blocked those on outbound traffic, easy to do with nearly any "corporate" level firewall or even some advanced IDS set ups. You can set up a Linux router to do the same for practically free (it will run on basically anything that turns on and has 2 NICs)
However (in my view) TOR is not useful if you're a serf doing something that the Deep State will likely take an interest in, such as leaking the incriminating email of powerful insiders to Wikipedia or shutting down a quarter million computers world-wide, many of them in large institutions.
Therefore, if the above is accurate, the perpetrator of WannaCry is either (1) a stupid serf, or (2) connected with the Deep State.
Guess which one my money would be on, if I were a betting man.
(And since China, with its many copies of stolen Windows XP, has been hardest hit by WannaCry, I'd guess it's not them.)
My vote is stupid serf.
We've broken down the code, and really it's just taking advantage of a security hole that other NSA tools leveraged; once you know the back door is unlocked you have all kinds of options on what your next move is.
However, I think this was allowed to happen (possibly encouraged due to the rapid chain of events), it fits the narrative of "we need to police the internet" so necessarily more "cyber terrorist" events must happen for the Hegelian dialectic to fully mature.
and the list of victims is (so far) interesting.
TargeT
18th May 2017, 13:53
Latest scan shows I missed only 10 machines out of the 900 or so assets I manage (a lot of users have laptops that miss patches or don't get connected to the network often).
This really is an easy fix if everything cooperates.
*UPDATE*
Use Group Policy to DISABLE SMB1... this is a very important additional mitigation step we are just discovering.
ThePythonicCow
18th May 2017, 17:05
My vote is stupid serf.
We've broken down the code, and really it's just taking advantage of a security hole that other NSA tools leveraged; once you know the back door is unlocked you have all kinds of options on what your next move is.
However, I think this was allowed to happen (possibly encouraged due to the rapid chain of events), it fits the narrative of "we need to police the internet" so necessarily more "cyber terrorist" events must happen for the Hegelian dialectic to fully mature.
and the list of victims is (so far) interesting.
Hah - good points.
Sounds like a digital variation on Fast and Furious ... a United States Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) operation in which the ATF "purposely allowed licensed firearms dealers to sell weapons to illegal straw buyers, hoping to track the guns to Mexican drug cartel leaders and arrest them".
One difference being that we already have plenty of laws about guns and drugs on the books (*), so Fast and Furious was justified as a way to guide further enforcement of those laws.
In the eyes of our overlords, we don't have enough laws over the Wild and Woolly Web (WWW) yet, so this operation will be useful in justifying more such laws and law enforcement agencies, on a global scale.
Yes - your suspicion that it's a stupid serf makes sense to me now. This is typical law enforcement modus operandi ... set up some dispensable serfs to be the "point of the spear".
===
(*) P.S. -- Of course, they never miss a good opportunity to add a few more laws and regulations when they can. You can never have too many of those :).
TargeT
18th May 2017, 18:02
Note the SMB1 block via policy (http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windows-7-via-group-policy/)... very important.
Texas national guard is stuck on my island until I finish scanning all their laptops... Maybe I should stretch it out till monday; I bet they'd thank me... haha
lots of panic happening over this on my side.. I didn't think it was that big of a deal till i started reading my emails.
(also strangely suspicious, we haven't gone this nuts over a vulnerability in a long time.. heartbleed didn't even cause this type of chaos)
ThePythonicCow
18th May 2017, 18:43
Note the SMB1 block via policy (http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windows-7-via-group-policy/)... very important.
yes :)
norman
28th May 2017, 09:20
WannaCry Decryption Tools Provide Limited Success
Although a decryption key became available recently for WannaCry victims, the success rate is minimal. WannaKey (https://thehackernews.com/2017/05/wannacry-ransomware-decryption-tool.html?m=1) is the free tool available to unlock files that were encrypted due to the global ransomware attack that hit on May 12, 2017. However, this decryption tool is only successful if the computer has not been rebooted after being infected and the associated memory has not been allocated and erased by some other process.
There is still some hope, though. Another decryption key, WanaKiwi, has simplified the process that WannaKey provided. WanaKiwi is available here (https://github.com/gentilkiwi/wanakiwi/releases). WanaKiwi may not work for all encrypted files, but has been proved effective for Windows XP, Vista and 7 users.
https://techtalk.pcpitstop.com/2017/05/22/wannacry-decryption-tool-available/?wannacrykeys=&ad_id=505050&share-ad-id=1
Another Global Cyber Attack is in the Works…
Miroslav Stampar, a Croatian tech security adviser for the country’s Computer Emergency Response Team (CERT), believes another global cyber attack is coming soon. To date, all that is known about this unnamed malware variant is that it uses seven different NSA exploits (http://www.trunews.com/article/malware-bigger-than-wannacry) leaked by ShadowBrokers, and that it functions in two parts. The initial part of execution is to simply worm its way into endpoints. To do so, it will use at least one of the following exploits:
EternalSynergy
EternalBlue
EternalRomance
EternalChampion
SMBTouch
ArchiTouch
DoublePulsar
Once the malware has found its way onto a device, it sits idle to avoid detection. At some point, malicious actions will be taken. However, the time frame remains unknown. Stampar believes the primary goal at this time is to spread the malware to as many devices as possible; then, when the time is right, execute the malicious activity.
http://www.trunews.com/article/malware-bigger-than-wannacry
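The reason the WannaKey/WanaKiwi tools only work on an unrebooted machine is worth making concrete. On the affected Windows versions the CryptoAPI left the prime factors of the victim's RSA key behind in the ransomware process's memory after the key handle was destroyed; as long as those pages have not been reused or lost to a reboot, a scan of memory for an integer that divides the public modulus recovers one prime, and from p, q and the public exponent the private key follows. The following is an added example of that arithmetic, not code from either tool: the "memory image" is a constructed byte buffer, and the primes are deliberately small Mersenne primes (61 and 89 bits) rather than the 1024-bit primes of a real RSA-2048 key, so the numbers stay readable. Recovering the real primes from a live process dump, and the file format that wraps the per-file keys, are outside what this shows.

```python
"""Rebuild an RSA private key from a prime found in a process memory image.

Added example; not WannaKey or WanaKiwi code. The modulus is intentionally
tiny (two Mersenne primes) and the memory image is constructed filler with
the prime planted at a known offset. Everything else (little-endian integer
layout, scanning for a divisor of N, deriving d from p and q) is the same
arithmetic a real recovery tool performs on a real dump.
"""
import random

E = 65537            # the usual RSA public exponent
P = 2**61 - 1        # constructed stand-in for the first prime (Mersenne prime)
Q = 2**89 - 1        # constructed stand-in for the second prime (Mersenne prime)
N = P * Q            # public modulus; in practice read from the exported key blob


def modinv(a, m):
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m


def build_fake_memory(prime, offset=4096, size=16384, seed=7):
    """Constructed stand-in for a process memory image: pseudo-random filler
    with the prime stored little-endian (CryptoAPI's layout) at `offset`."""
    rnd = random.Random(seed)
    buf = bytearray(rnd.getrandbits(8) for _ in range(size))
    p_bytes = prime.to_bytes((prime.bit_length() + 7) // 8, "little")
    buf[offset:offset + len(p_bytes)] = p_bytes
    return bytes(buf)


def find_prime_factor(memory, n, widths=(8, 12, 128)):
    """Slide windows of each candidate width over memory; return (value, offset)
    of the first window whose little-endian value is a nontrivial divisor of n.
    Real tooling uses the prime width of the key (128 bytes for RSA-2048);
    8 and 12 bytes are included only because the toy primes here are that short."""
    for off in range(len(memory)):
        for w in widths:
            chunk = memory[off:off + w]
            if len(chunk) < w:
                continue
            v = int.from_bytes(chunk, "little")
            if 1 < v < n and n % v == 0:
                return v, off
    return None


def private_exponent(n, e, p):
    """Given one prime p of n, derive q and the private exponent d."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return modinv(e, (p - 1) * (q - 1))


def rsa_encrypt(m, n=N, e=E):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def recover_and_decrypt(memory, n, e, ciphertext):
    """Full pipeline: find a prime in memory, rebuild d, decrypt.
    Returns None when no prime is present, which is the situation after a
    reboot or once another process has reused the pages."""
    hit = find_prime_factor(memory, n)
    if hit is None:
        return None
    d = private_exponent(n, e, hit[0])
    return rsa_decrypt(ciphertext, n, d)


if __name__ == "__main__":
    secret = 0xDEADBEEFCAFEBABE          # constructed stand-in for a wrapped file key
    c = rsa_encrypt(secret)
    print("with prime in memory:", hex(recover_and_decrypt(build_fake_memory(P), N, E, c)))
    print("after memory wiped:  ", recover_and_decrypt(b"\x00" * 4096, N, E, c))
```

The "not rebooted" condition in the article maps directly onto the last two lines: the recovery has nothing to work with once the pages holding the prime are gone. Anyone advising victims should also note that the scan only finds a prime for the key whose modulus you feed it, so the public key blob written by the infection has to be read off the disk first.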
Cidersomerset
27th June 2017, 17:14
Cyberattack disruptions reported in Ukraine, Europe and the U.S.
IB1q1kgY6gw
Published on 27 Jun 2017
CNET reporter Alfred Ng joins CBSN as reports of a massive cyberattack spread across the globe. The ransomware attack has hit many countries, with officials in Ukraine calling it the worst in their history.
===================================================
===================================================
Massive cyberattack hits Ukraine, Europe
https://www.youtube.com/watch?v=KaUL-YQk7jM
Published on 27 Jun 2017
A massive cyberattack is spreading through Europe, affecting computer systems of government institutions, banks, airports and businesses. Ukraine was hit particularly hard, with officials calling this the worst such attack in the country's history. Cybersecurity expert Chris Hadnagy, the CEO of Social-Engineer Inc., joins CBSN with more.
====================================================
====================================================
Global ransomware attack causes chaos
Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack.
British advertising agency WPP is among those to say its IT systems have been disrupted as a consequence.
http://www.bbc.co.uk/news/technology-40416611
Cidersomerset
27th June 2017, 22:43
Cyberattack goes global, hits companies in at least 10 countries worldwide
JLxZMz_-qgk
Published on 27 Jun 2017
A huge cyberattack has hit firms in at least 10 different countries – from India to the United States. It was first reported in Ukraine and Russia, which have been worst hit. Miguel Francis Santiago reports.
===============================================
===============================================
Latest hack sends jitters through cyberspace
https://www.youtube.com/watch?v=0I2SKQxMUQo
Published on 27 Jun 2017
France 24
================================================
================================================
Ransomware attack strikes major company in the U.S.
https://www.youtube.com/watch?v=kH-95DcKywQ
Published on 27 Jun 2017
Fortalice Solutions Managing Editor, Max Everett weighs in on the latest ransomware attack that spread across the globe and hit a major company in the United States.
=================================================
=================================================
Global cyber attack 'most likely started with a single email'
https://www.youtube.com/watch?v=iwwTofThmW0
Published on 27 Jun 2017
A powerful cyber attack has spread across the world hitting banks, government IT systems and energy firms. Greg Sim, CEO of international security company Glasswall Solutions, speaks to Ian King.
===================================================
===================================================
Ransomware suspected in global cyberattack
https://www.youtube.com/watch?v=IolC3I7EBCs
Published on 27 Jun 2017
Ransomware appears to be targeting government and business computer systems in a global cyberattack. ZDNet security editor Zack Whittaker joins CBSN to discuss ransomware and the impact of this cyberattack.
===================================================
===================================================
Massive Cyberattack Spreads Disruption Across Europe: Data Being Held Hostage For Ransom | TIME
https://www.youtube.com/watch?v=V01tPfFOUcY
Published on 27 Jun 2017
A new and highly virulent outbreak of malicious data-scrambling software appears to be causing mass disruption across Europe, hitting Ukraine especially hard.
Cidersomerset
28th June 2017, 08:52
'Vaccine' created for huge cyber-attack
Security researchers have discovered a "vaccine" for the huge cyber-attack that hit organisations across the world on Tuesday.
http://www.bbc.co.uk/news/technology-40427907
=====================================
=====================================
Global cyberattack exploited U.S. government-made security backdoor
https://www.youtube.com/watch?v=aHoAM7KoZhk
Published on 27 Jun 2017
On Tuesday, computers in at least six countries -- including the United States -- were locked down during a massive ransomware cyberattack. The same government-made backdoor was exploited in May's WannaCry attack. Wired editor-in-chief Nick Thompson spoke to CBSN about the cyberattack.
=====================================
=====================================
Tracing the ransom payments in latest global cyber attack
https://www.youtube.com/watch?v=uMPZ59-JENA
Published on 28 Jun 2017
France 24 now:
====================================
====================================
Cyber attack hits companies across the globe
https://www.youtube.com/watch?v=hq-p0Vi8qHo
Published on 28 Jun 2017
While the liberal mainstream media serve up an endless menu of Trump bashing
and ‘Russiagate’, the Democratic Party and the so-called resistance continue to lose
elections. Are the attempts to destroy Trump at all costs destroying the Democrats
and undermining the credibility of the liberal mainstream media?
====================================
====================================
Cyber Attack: Should the NSA have warned Microsoft of its vulnerability?
https://www.youtube.com/watch?v=91EaiIJl2N0
Published on 28 Jun 2017
France 24 now:
Wannacry more: How vulnerable are we to cyber attacks?
https://www.youtube.com/watch?v=mr86TTWPryI
Published on 28 Jun 2017
France 24 now:
Innocent Warrior
10th August 2017, 22:14
Courage statement on MalwareTech arrest (August 3, 2017)
Courage is very concerned about the FBI’s arrest of MalwareTech as he was boarding his plane to leave the United States after attending Defcon. In May this year, WannaCry malware closed hospitals in the UK, becoming the first ransomware attack to represent an actual threat to life. In halting the spread of WannaCry before the US woke up, MalwareTech did the world an enormous service – and to American businesses in particular.
No information was released about MalwareTech’s arrest for 24 hours after it happened. He has still not been able to speak to his family or legal representation. As testimony given in Lauri Love’s extradition case last year showed, the US treats hackers far worse than other countries do, with much longer prison sentences, a dearth of vital health care and rampant solitary confinement. Security research in the public interest needs to be properly recognised and we will be watching this case closely.
Source. (https://couragefound.org/2017/08/courage-statement-on-malwaretech-arrest/)
Updated: MalwareTech released on bail; supporters to meet Wednesday (August 7, 2017)
Update: MalwareTech has now been released on bail. His arraignment has been rescheduled for 10am on Monday, 14 August in Milwaukee.
MalwareTech, the cyber security researcher who halted the WannaCry ransomware virus earlier this year and was arrested in Las Vegas last week, will be released on bail today and will travel directly to Milwaukee for a court appearance tomorrow in the Eastern District of Wisconsin. After 24 hours of no information about his arrest, and a flurry of international news coverage, it was reported that MalwareTech, who lives in the UK and who was in the US for Defcon, was not a flight risk and will be allowed out on $30,000 bail.
The US Department of Justice released an indictment with six counts, accusing MalwareTech and an unidentified co-defendant of writing and selling the banking malware Kronos between 2014 and 2015.
A number of activists, lawyers and researchers working in this field have commented on the importance of MalwareTech’s work, some already questionable aspects of his charges, and the danger of having a UK suspect arrested and potentially tried in the United States. See here for brief background on MalwareTech and the immediate issues with his treatment.
See source (https://couragefound.org/2017/08/malwaretech-released-on-bail-supporters-to-meet-wednesday) for full update.
Noelle
29th March 2018, 14:06
The NY Times, Seattle Times and a few other news outlets reported yesterday that Boeing suspects it was attacked by the WannaCry virus.
From NY Times (https://www.nytimes.com/2018/03/28/technology/boeing-wannacry-malware.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news):
Boeing said on Wednesday that it was hit by a cyberattack that some Boeing executives identified as the same WannaCry computer virus that struck thousands of computer systems in more than 70 countries around the world last year.
In an internal memo, Mike VanderWel, chief engineer of Boeing Commercial Airplane production engineering, said the attack was “metastasizing” and he worried it could spread to Boeing’s production systems and airline software.
From Seattle Times (https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/):
“We’ve done a final assessment,” said Linda Mills, the head of communications for Boeing Commercial Airplanes. “The vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.”
Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alarming alert about the virus calling for “All hands on deck.”
“It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” VanderWel wrote, adding his concern that the virus could hit equipment used in functional tests of airplanes ready to roll out and potentially “spread to airplane software.”
VanderWel’s message said the attack required “a batterylike response,” a reference to the 787 in-flight battery fires in 2013 that grounded the world’s fleet of Dreamliners and led to an extraordinary three-month-long engineering effort to find a fix.
“We are on a call with just about every VP in Boeing,” VanderWel’s memo said.
It took until late Wednesday afternoon before Boeing issued a statement dialing back the fears.
“It took some time for us to go to our South Carolina operations, bring in our entire IT team and make sure we had the facts,” Mills said.
Even then, the afternoon statement was short on detail.
“Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems,” it said. “Remediations were applied and this is not a production and delivery issue.”
Speaking Wednesday evening, Mills said the speculation in VanderWel’s message that some 777 production equipment might have gone down turned out not to be true.
She added that the attack was limited to computers in the Commercial Airplanes division and that the military and services units were not affected.
“To the best of our knowledge,” she said, the crisis is over and the attack did no significant damage.