An NSA-Derived Ransomware Worm Is Shutting Down Computers Worldwide
May 12th, 2017I don’t know what it’s going to take to convince people to stop using abandoned versions of Windows, but if this doesn’t do it, nothing will.
Via: Ars Technica:
A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers.
The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia being disproportionately affected, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware is notable for its multi-lingual ransom demands, which support more than two-dozen languages.
Wcry is reportedly causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government’s National Health Service, and Spanish telecom Telefonica have all been hit. The Spanish CERT has called it a “massive ransomware attack” that is encrypting all the files of entire networks and spreading laterally through organizations.
The virally spreading worm was ultimately stopped when a researcher who uses the Twitter handle MalwareTech and works for security firm Kryptos Logic took control of a domain name that was hard-coded into the self-replicating exploit. The domain registration, which occurred around 6 AM California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.
…
Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the Eternalblue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring operators to open e-mails, click on links, or take any other sort of action.
…
People who have yet to install the Microsoft fix—MS17-010—should do so right away. People should also be extremely suspicious of all e-mails they receive, particularly those that ask the recipient to open attached documents or click on Web links.
Thank you.
I think that banks are one of the worst by providing financial penalties for customers who receive paper statements or won’t do online banking. It trains people to click on links. Also, Microsoft itself had a strange way of distributing Windows 10, where they sent out download links via emails to customers. This brought on a wave of ransomeware that imitated the real way Microsoft was asking customers to install their upgrade.
http://www.pcworld.com/article/2955121/security/dont-get-fooled-into-clicking-phony-windows-10-upgrade-emails.html