The National Security Agency (NSA) has its hands in the biggest ransomware cyber attack in history. The NSA found holes in the Windows operating systems and, instead of alerting Microsoft, it chose to exploit those holes for its own benefit.
The problem with such an approach is that the NSA is not the only one who can exploit the holes. At least 70 countries have been hit. FedEx, numerous hospitals, the UK National Health Service, Chinese universities, Spanish telecommunication firms, and Nissan are among the targets. The British National Health Service was hit especially hard. Operations had to be canceled. Patients' records were encrypted.
The malware encrypts the files on your computer, and to get them back one has to pay a $300 ransom, payable in bitcoin only.
Ransom Note
The Intercept reports “Leaked NSA Malware Is Helping Hijack Computers Around the World”.
IN MID-APRIL, an arsenal of powerful software tools apparently designed by the NSA to infect and control Windows computers was leaked by an entity known only as the “Shadow Brokers.” Not even a whole month later, the hypothetical threat that criminals would use the tools against the general public has become real, and tens of thousands of computers worldwide are now crippled by an unknown party demanding ransom.
The malware worm taking over the computers goes by the names “WannaCry” or “Wanna Decryptor.” It spreads from machine to machine silently and remains invisible to users until it unveils itself as so-called ransomware, telling users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay $300 to an anonymous party using the cryptocurrency Bitcoin. At this point, one’s computer would be rendered useless for anything other than paying said ransom. The price rises to $600 after a few days; after seven days, if no ransom is paid, the hacker (or hackers) will make the data permanently inaccessible (WannaCry victims will have a handy countdown clock to see exactly how much time they have left).
Reuters said that “hospitals across England reported the cyberattack was causing huge problems to their services and the public in areas affected were being advised to only seek medical care for emergencies,” and that “the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.”
The worm has also reportedly reached universities, a major Spanish telecom, FedEx, and the Russian Interior Ministry. In total, researchers have detected WannaCry infections in over 57,000 computers across over 70 countries (and counting — these things move extremely quickly).
Today’s ongoing WannaCry attack appears to be based on an attack developed by the NSA, code-named ETERNALBLUE. The U.S. software weapon would have allowed the spy agency’s hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in government) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them — but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance. Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”
Security Experts Scramble
The New York Times reports Hacking Attack has Security Experts Scrambling to Contain Fallout.
Governments, companies and security experts from China to Britain on Saturday raced to contain the fallout from an audacious global cyberattack amid fears that if they do not succeed, companies will lose their data unless they meet ransom demands.
The cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users to unlock the devices. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.
While most cyberattacks are inherently global, this one, experts say, is more virulent than most. Security firms said it had spread to all corners of the globe, with Russia hit the worst, followed by Ukraine, India and Taiwan, said Kaspersky Lab, a Russian cybersecurity firm.
The attack is believed to be the first in which such a cyberweapon developed by the N.S.A. has been used by cybercriminals against computer users around the globe.
While American companies like FedEx said they had also been hit, experts said that computer users in the United States had so far been less affected than others because a British cybersecurity researcher inadvertently stopped the ransomware from spreading.
The hackers, who have yet to be identified, included a way of disabling the malware in case they wanted to shut down the attack. They included code in the ransomware that would stop it from spreading if the virus sent an online request to a website created by the attackers. [Mish note: this paragraph is wrong as explained in snips of the article below]
The 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog and who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, found the kill switch’s domain name — a long and complicated set of letters. Realizing that the name was not yet registered, he bought the name himself. When the site went live, the attack stopped spreading, much to the researcher’s surprise.
“The kill switch is why the U.S. hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”
How to Accidentally Stop a Global Cyber Attacks
MalwareTech explains How to Accidentally Stop a Global Cyber Attacks.
So finally I’ve found enough time between emails and Skype calls to write up on the crazy events which occurred on Friday, which was supposed to be part of my week off (I made it a total of 4 days without working, so there’s that). You’ve probably read about the WannaCrypt fiasco on several news sites, but I figured I’d tell my story.
I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. There were a few of your usual posts about various organizations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend, meanwhile, the WannaCrypt ransomware campaign had entered full swing.
When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. Although ransomware on a public sector system isn’t even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don’t open phishing emails, which suggested that for something to be this widespread it would have to be propagated using another method). I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered. …..
[MalwareTech explains why the kill switch thesis is wrong].
I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments [protected sites used to analyze viruses], then once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course, now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.
One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.
Protect Yourself
His story is long, complicated, and technical. Nonetheless, it’s an interesting read. I corrected a few typos. He concludes with some thanks to companies and organizations who helped him, including Microsoft for releasing “out of bounds patches for unsupported operating systems so people would not have to upgrade on the spot.”
If you have anything to patch, patch it. If you need a guide, this one is being regularly updated: Protecting your organization from ransomware.
Now I should probably sleep.
75,000 Cases in 99 Countries
The BBC reports Massive Ransomware Infection Hits Computers in 99 Countries.
A massive cyber-attack using tools believed to have been stolen from the US National Security Agency (NSA) has struck organizations around the world.
Cyber-security firm Avast said it had seen 75,000 cases of the ransomware – known as WannaCry and variants of that name – around the world. There are reports of infections in 99 countries, including Russia and China. Among the worst hit was the National Health Service (NHS) in England and Scotland.
The BBC understands about 40 NHS organizations and some medical practices were hit, with operations and appointments canceled. In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also hit, with reports that staff at the firms were told to turn off their computers.
People tweeted photos of affected computers including a local railway ticket machine in Germany and a university computer lab in Italy.
France’s carmaker Renault, Portugal Telecom, the US delivery company FedEx and a local authority in Sweden were also affected. The NSA tools were stolen by a group of hackers known as The Shadow Brokers, who made it freely available in April, saying it was a “protest” about US President Donald Trump.
A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.
Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such as Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.
Critical Microsoft Server Update
If you are running Microsoft servers, it is critical to apply Microsoft Security Bulletin MS17-010 (rated Critical), released in March.
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
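As an added example (not code from this page, from Microsoft, or from any of the quoted sources), the PowerShell audit script below reports whether SMBv1 is still enabled on a Windows host and whether the KB named on this page (KB4012598) is installed, and disables the SMBv1 server when asked. The cmdlets are standard Windows ones; the `-Remediate` switch, the default hotfix list and the LanmanServer registry fallback are my assumptions about how an administrator would run it, and other Windows versions receive MS17-010 under different KB numbers, so pass the right IDs for the host being checked.

```powershell
# Added example: audit SMBv1 exposure in the spirit of MS17-010.
# Run in an elevated PowerShell session on the host you want to check.
param(
    # Assumption: KB4012598 is the ID named on this page (XP / Windows 8).
    # Other Windows versions have their own MS17-010 KB numbers; pass them here.
    [string[]]$HotfixIds = @('KB4012598'),
    [switch]$Remediate    # only change anything when explicitly requested
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    $status = [ordered]@{}

    # 1. Server-side SMBv1 switch (Windows 8 / Server 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        $status.ServerSmb1Enabled = [bool]$cfg.EnableSMB1Protocol
    }

    # 2. Registry value honoured by older hosts (Windows 7 / Server 2008 R2):
    #    SMB1 = 0 disables the protocol; an absent value means enabled.
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $status.RegistrySmb1 = if ($null -ne $reg) { $reg.SMB1 } else { 'not set (defaults to enabled)' }

    # 3. Optional-feature state (Windows 8.1 / 10).
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature) { $status.FeatureState = $feature.State.ToString() }
    }

    # 4. Is one of the expected MS17-010 hotfixes present?
    #    Get-HotFix -Id throws when the KB is absent, so filter instead.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $HotfixIds -contains $_.HotFixID }
    $status.Ms17010HotfixInstalled = [bool]$installed

    [pscustomobject]$status
}

function Disable-Smb1Server {
    # Turns off the SMBv1 server component only; SMBv2/3 keep working.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

$before = Get-Smb1Status
$before | Format-List

if (-not $before.Ms17010HotfixInstalled) {
    Write-Warning ("No MS17-010 hotfix found among {0}: install it via Windows Update " +
                   "or the Microsoft Update Catalog.") -f ($HotfixIds -join ', ')
}

if ($Remediate) {
    Disable-Smb1Server
    Write-Host 'SMBv1 server disabled; a reboot may be needed before the status reflects it.'
}
```

Disabling SMBv1 removes the attack surface the bulletin describes even on hosts that cannot be patched immediately, but anything that still depends on SMBv1 (very old printers and NAS devices, Windows XP file sharing) will stop talking to the host, so audit first and remediate per host.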
Questions Abound
- Just how stupid was the NSA to get hacked itself?
- Just how stupid was the NSA for attempting to utilize the hole instead of informing Microsoft?
- Did the NSA demand that backdoor?
- Do we thank the folks who hacked the NSA for publicizing the backdoor and thereby forcing the hole to be patched?
Bonus fifth question: When does the Congressional investigation start?
Mike “Mish” Shedlock
Mish – you are factually wrong. NSA did notify Microsoft about the vulnerability and Microsoft issued a patch. You are letting your bias mislead your readers.
Gary Bowser
When Gary?
After they used it for a while?
After the leak?
Please inform the Intercept and Snowden they are wrong
Gary,
Can you provide a link to backup your assertion the NSA played the WhiteHat and informed Microsoft?
https://sputniknews.com/science/201705131053566236-nsa-microsoft-warning/
Why would NSA warn Microsoft if they planned to use the vulnerability?
That is reality, as is the fact that even when Microsoft were informed as the exploit became public, and created a patch, it was not successfully applied
Obviously we would expect a government agency to cooperate in protecting all relevant private systems as soon as an exploit was found, but you would, in the case of NSA, be asking it to stop its intelligence activity, and more than obviously, that is not going to happen.
They only informed Microsoft after the leak happened. Microsoft fixed the vulnerability two months ago but many companies didn’t apply the patch. Had they informed Microsoft when they found the vulnerabilities they would have been fixed earlier and this would not have happened.
https://rusreality.com/2017/05/13/snowden-the-nsa-is-indirectly-to-blame-for-the-cyber-attack-that-struck-computers-in-74-countries/
Bottom line is that NSA claims that they work to protect good people from terrorists and the like. But how exactly does the NSA not disclosing the vulnerabilities to tech companies as soon as they find them protect the good people? We can clearly see that the result is exactly the opposite.
I think that your bias is to assume that the government actually works for the people.
linux & apple
no
problemo
If you mean to imply that you’re safe if you use Apple OSs, not so. Wikileaks about the CIA’s Apple efforts:
“Despite iPhone’s minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA’s Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA’s arsenal includes numerous local and remote “zero days” developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.”
I have no doubt that the NSA is doing that much… times ten, since cyber is their primary mission.
I have no doubt whatsoever that there are any number of ways to exploit Linux, too, and that they are taking advantage of those.
Isn’t the proper word “colluded” as in the NSA colluded with Microsoft on the….
LOL
And Microsoft released a patch for XP and Windows 8.1 yesterday.
– Small correction: It was for XP and Windows 8.1. NOT Windows 8.
– Small correction #2: It was for XP and Windows 8. NOT Windows 8.1.
NSA wrote the code. Someone inside NSA released the code a month ago. 57,000 hits took years of advance planning. Seventy percent of the hits were on Russian government files. It is intuitively obvious to the most casual observer that NSA perpetrated the crime.
Unlikely that this required advance planning, as the way this malware spreads does not require any user intervention. Once inside a vulnerable network it will spread automatically to all other vulnerable machines in the network, each of which will in turn attempt to find and infect vulnerable systems. In other words, once in a vulnerable network it will take it over very rapidly.
#1 suspect in my opinion? NSA’s cousin…CIA.
Geez…no U.S. computer systems affected? How convenient.
Nice revenue generation tool for “off-the-books” and never-ending black budget needs.
There will be no CONgressional investigation due to the convenient foresight to exempt F*USA computer systems. It’s a “foreign problem”.
The fact that it originated with a domestic alphabet-soup intel agency? “Chit happens.” Mere foreign “collateral damage”. The Empire is above the law.
As former Nixon administration Secretary of the Treasury John Connally allegedly told the French after Nixon closed the gold window in August 1971, “It may be our dollar, but it’s your problem.”
Fast forward to May, 2017: “It may be our virus, but it’s your problem.”
Best site for such topics always with links to very technical analysis of such threats. This guy is so good that his site was hit very early on with a MASSIVE DDOS attack enabled by the latest huge threat – turning IMO stupid IOT devices into zombies. Black Hat hackers hate his guts:
https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/
Excerpt:
“But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what’s being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam.”
Mish et al. — This is prescient… Read the commentary by Ray Blanco entitled “The Beginning of the End for Bitcoin,” dated May 4, 2017, at DailyReckoning.com.
This article is sub posted under “Ray Blanco: Angry and Right on the Money.”
Scroll deep…
I think poor Ray….forgot that Japan just made Bitcoin a form of ‘legal tender’…lolol
It is not unusual for new technology to gain early popularity among folks engaged in illegal or unapproved activity. After cars were invented, they became popular among bank robbers. During the early years of the world wide web, it was largely a marketplace for pornographers. Bitcoin provides a level of pseudonymity that only wealthy criminals previously enjoyed through the use of shell corporations, foreign bank accounts, etc. Most Bitcoin users and investors do not use BTC for criminal activity. A government crackdown on BTC would hasten the adoption of other cryptocurrencies (especially by criminals) which provide greater anonymity than Bitcoin, such as Monero.
Here’s an excellent video on Bitcoin’s likely role in the world’s currency wars: https://www.youtube.com/watch?v=6ZCVQHtD2l4&t
Another suggested bonus question: When does the mainstream media start blaming the Russians for this?
Chrome & Apple.
Chrome has a couple of quirks but is inexpensive; both are bulletproof, fast starting and running without constant cat and mouse with updates and supplemental security packages.
Decade-old versions of Chrome and MacOS are as vulnerable to attacks without patches.
How stupid is the NSA, you ask? It is a government agency. ‘Nuff said.
Insist the NSA pay all the ransom demands!
AKA US Tax Payer?
Would you pay for this?
Just another Worldwide day filled with Copious amounts of Ambient ‘Skullduggery’…..lololol
When you ride the technology donkey sometimes it doesn’t want to do what you ask but other times it turns around and bites you. Quit complaining, this is the price of being interconnected. A group of teenagers will occasionally shut you down. Get used to it.
At least self-driving cars aren’t running Windows, would be a real fuss if the country woke up one morning and were asked ‘Please insert coin’.
I’m pretty certain you don’t work in tech.
So you are saying self-driving software is offline and/or unbreachable on scale?
I am pretty certain you work in tech.
The self-driving software will be hacked. C/C++ is simply subject to buffer overflows so long as it’s written by humans. C# is similarly subject to NullReferenceExceptions, but at least they don’t result in hacks. Now if the people writing self-driving cars used something like Rust instead there might be a chance of keeping it secure.
The NSA or the like will likely find holes and again not inform people – they’ll simply use it for assassinations until their hacks leak publicly.
Those companies/people with backups will not have to worry.
The internet would be secure if every transmission were encrypted with a new randomly selected set of PGP keys. Overhead would be a millisecond. NSA prefers to spy on every internet transmission.
– Microsoft issued a Security Patch for this problem in March of 2017. But it was only for Windows 7, Vista (support ended in April (!!!) 2017), Windows 8.1 and Windows 10.
– Users of Windows 8 (NOT Windows 8.1 !!!!) and XP are vulnerable because Microsoft didn’t issue a patch for these Operating Systems.
– But Microsoft issued today a security patch for XP and Windows 8. The name of this Security Patch is KB 4012598
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
– I DO know that the NSA has its own “Security Research” department that tries to find vulnerabilities in Microsoft’s Operating systems (plural). But these are not (always) shared with Microsoft and/or the public. This info is kept secret to allow the NSA to hack computers all around the world.
– But (large parts of) the NHS is still using Windows XP with all the dangers attached. Seems the NHS doesn’t have the means to update their systems to say Windows 7 or so.
NHS should pull these obsolete computers off the Internet. They should be fine if they stay within the local area network.
After Obamacare mandated electronic on line medical records I no longer share confidential information with my physician. He cannot be trusted until I see him taking notes with pencil and paper.
#7 when will the lawsuits against the NSA begin?
#8 when will the NSA start paying compensation to affected parties out of the fund they set up for that purpose? They HAVE set up a fund, right? LOL
– The NSA was a bit sloppy because they forgot to remove the software that they used from one or more computers, and that was one way one or more of those hacking tools were discovered.
https://www.darknet.org.uk/2017/04/shadow-brokers-release-dangerous-nsa-hacking-tools/
Remember the Sci-fi book Dune? They didn’t use computers. Now you know why. A neighbor works for a cyber security firm. He uses the internet as little as possible to minimize his risk.
When does the Congressional Investigation start?
After they pay $300.
I think the 300 is per computer, which is a lot of money on huge networks. Nonetheless, while I do not think I would have been a target, my Windows had the patch installed via my automatic updates. Am I missing something here, or were some of the IT departments at those hospitals asleep at the wheel by not having the patch installed?
The Hospitals in the UK were still on XP!
Microsoft did an emergency patch today
Microsoft will benefit by flushing away pirate copies of operating systems. Only authentic licences get updates.
Most hospitals, banks etc. haven’t a clue how to protect their data. They rely on ineffective virus protection that tries to keep up with the latest viruses etc. There are no secrets anymore. It is all accessible if it is online, no matter how hard you try to protect it.
Just another example of how our government is looking out for us.
NOT!
Such episodes will happen with or without NSA/CIA tools. Today’s computers are always vulnerable.
Kudos you guys, this website (blogsite?) has some of the best commenters; a good addendum to Mish.
Stop the international War on Cash, as an all digital money transaction system is very vulnerable. NHS equivalent response would be: No spending except in emergencies. GDP would tank. Perhaps that is what the NSA had in mind, and why Russia has been targeted. Obama did say he would get revenge on Russia for the election loss, and this could be a covert USA.gov black op with some international collateral damage thrown in for confusion and concealment. Would not put it past USA.gov, as drone death collateral damage is business as usual.
Also a good reason to immediately replace the proprietary Microsoft operating system with Open Source. Being a hostage to Microsoft is what we have here. Microsoft is the Achilles heel. Very bad for national security. Wait until “Cloud” services get hit. But on the plus side, a potential big growth industry and a good fund-raising mechanism for modern day pirates, spook agencies, et al.
You may want to read Winston’s comment above. Maybe you should not be using ANY computers and mobile phones today.
Actually, got rid of the mobile phone a decade and a half ago. Sometimes traveling (business) I have had to rent a mobile phone for a month or two, but otherwise good riddance. Saved a ton of money, and only been a handful of times when I missed having it. I figure with 90% of the population having mobile phones, there is always someone around with one to use in a pinch. At $50/month, that is $600 per year saved or $9,000 available for me to invest or save. After Snowden revelations, not anxious to go back. Mainly enjoy that I can go out and not be bothered. Much more relaxing. As to computer, it has become a business necessity and improved my productivity, whereas not so for mobile phone in my case.
The malware was apparently originally created by the NSA, so maybe they put the ‘kill switch’ in there, as insurance in case this very situation occurred. Then, maybe they let some British guy know where to look for the ‘kill switch’ when the ‘SHTF’. Just maybe….
Speculative and definitely untrue.
Just more justification for virtualization and the return of the dumb terminal. Your phone is 90% of the way there already. The other day my iPhone wouldn’t connect to the Exchange server. I had no local contacts, calendar, notes or email for a day although I could still look up phone numbers on my PC. The apps were still functional but the data was gone.
As for malware encrypting your hard drive, make sure you have a backup and use it regularly. The best justification for a Mac is Time Machine on a network storage device, preferably located on your local network. Screw things up bad enough and just go back. Get a new machine and just restore from the old machine’s backup. Apple “genius” wipes out your hard drive? No problem. Yea, it’s basically just rsync with a nice GUI, but the fact that it is baked in to the OS and not some add-on subscription makes it much more valuable.
Microsoft has released patches for unsupported Operating Systems including Windows XP, Server 2003 and Windows 8 (8.1 is still supported).
This is not a backdoor that the NSA demanded – it’s a flaw in SMB v1, which is an ancient protocol for moving files – and it should be disabled in modern environments to enhance security (but, of course, isn’t).
When I worked at my previous employer, their customer DEMANDED all computers accessing the company network / internet run Windows 7. We had a 20 year old computer running Windows 95! I tried to perform a code port to Windows 7 / C#, but the employer had no documents describing how data files were generated, what was the official version of source code, or any way to contact the original programmer since he had passed away.
The decision made 20 years ago to save money on documenting work has potentially cost the company a lot of money. The company still insists on the least expensive solution NOW despite long term risks. The present workaround is to run the Windows 95 computer off the network and store files on a local hard drive. Eventually the hard drive will crash and there will be no replacement drive due to technical obsolescence.