ransomware Archives - ITBlogSec.com

WannaCry ransomware: researcher halts its spread by registering domain for $10.69

admin — Wed, 17 May 2017 12:01:53 +0000

WannaCry ransomware: researcher halts its spread by registering domain for $10.69

Last year the Internet was taken down by cyber criminals through a massive Distributed Denial of Service Attack (DDoS) attack using the infamous Mirai malware. But last Friday afternoon, almost 99 countries including Russia, UK, USA and Australia became victims of a worldwide mass cyber-attack WannaCry ransomware that has been reported to have caused major disruptions to systems that were being used by hospitals, companies, and other institutions.

| ALSO READ: WannaCry ransomware – hitting world right now uses NSA windows exploit

The Shadow Brokers and the NSA

An unknown hacking group launched ransomware attack to a number of computers worldwide that is seemingly powered by a hacking tool developed by the National Security Agency for spying purposes. The tool got leaked online by the “Shadow Brokers” group as part of their agenda to accumulate hacking tools developed by the agency. The tool is apparently given the name “Eternal Blue” and it exploits a vulnerability in Microsoft Windows.

What does the vulnerability to do?
According to experts, the vulnerability in Microsoft’s flagship operating system can be exploited by Eternal Blue which blocks access to a computer completely. What is more, is that the hacking group demanded a sum of $600 from the victims if they wanted to re-access their systems and de-encrypt the files accordingly.

https://twitter.com/fendifille/status/862997621039878145?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.hackread.com%2Fwannacry-ransomware-researcher-halts-spread-by-registering-domain%2F

Who has been affected?

Up till now, almost 75,000 computers have been reported to have become the victim of the cyber-attack. Moreover, over 40 NHS organizations had been affected initially on Friday in the UK, disrupting the entire health system of the country. Experts say that the ransomware was spreading at an exponential rate of five million emails per hour resulting in the virus affecting a number of other countries as well, including Australia, Germany, Mexico, Italy, Belgium, France and Russia.

Also, FedEx, one of the world’s leading courier organizations, had its entire system brought down. The German rail system also had its ticketing system hijacked by the ransomware.

However, none of these were as big as the disruption which took place in Spain’s major telecommunication company, Telefonica. This was accompanied by attacks made on the power firm, Iberdrola, and the utility firm Gas Natural.

How was the attack carried out and stopped?

A security researcher going by the online handle of @MalwareTechBlog told AFP that the ransomware was spreading due to being connected to an unregistered domain. The researcher, therefore, said that the spread can be stopped by registering the domain and updating the systems immediately.

According to The Guardian, @MalwareTechBlog with the assistance of Darien Huss from security firm Proofpoint found and activated a “kill switch” in the malicious software. The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

“I saw it wasn’t registered and thought, ‘I think I’ll have that.” The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second. They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.

— MalwareTech (@MalwareTechBlog) May 13, 2017

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

Also, many NHS organizations had Windows XP installed on their computers. Microsoft long stopped supporting the old version of Windows and hence the ransomware took advantage of this and was able to spread so conveniently. The old operating system did not alert the users of any viruses and did not have updates against such threats.

Microsoft’s take on the situation

A Microsoft’s spokesperson said that those who had enabled updates and had the company’s free antivirus software installed were not affected. Also, the company released an update earlier today which detects this threat as Ransom: Win32/WannaCrypt.

Microsoft has made the patch for MS17-010 available for XP and 2k3. Patch over the weekend. It's worth the overtime. https://t.co/XqXjprWtC1

— Jake Williams (@MalwareJake) May 13, 2017

The NHS system was the most badly hit

Soon after the attack, various hospitals postponed non-urgent appointments and ambulances changed routes. The systems were made to shut down altogether with doctors complaining about the major delays that occurred as a result. Up till now, all that is known is that various organizations have paid the demanded amount in Bitcoin. However, since all bitcoin transactions are recorded in a public ledger, it is hard to tell specifically which organizations paid the ransom.

At the time of publishing this article, the attacks were stopped. The @MalwareTechBlog also released in-depth details highlighting how he was able to accidentally stop the attack which can be read here.

source: https://www.hackread.com/

The post WannaCry ransomware: researcher halts its spread by registering domain for $10.69 appeared first on ITBlogSec.com.

WannaCry ransomware – hitting world right now uses NSA windows exploit

admin — Sat, 13 May 2017 06:40:55 +0000

WannaCry ransomware – hitting world right now uses NSA windows exploit

Earlier today, a massive ransomware campaign hit computer systems of hundreds of private companies and public organizations across the globe – which is believed to be the most massive ransomware delivery campaign to date. The Ransomware in question has been identified as a variant of ransomware known as WannaCry ransomware (also known as ‘Wana Decrypt0r,’ ‘WannaCryptor‘ or ‘WCRY‘).

Like other nasty ransomware variants, WannaCry also blocks access to a computer or its files and demands money to unlock it. Once infected with the WannaCry ransomware, victims are asked to pay up to $300 in order to remove the infection from their PCs; otherwise, their PCs render unusable, and their files remain locked.

In separate news, researchers have also discovered a massive malicious email campaign that’s spreading the Jaff ransomware at the rate of 5 million emails per hour and hitting computers across the globe.

| ALSO READ: WannaCry ransomware: researcher halts its spread by registering domain for $10.69

Ransomware Using NSA’s Exploit to Spread Rapidly

What’s interesting about this ransomware is that WannaCry attackers are leveraging a Windows exploit harvested from the NSA called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago.

Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations who did not patch their systems are open to attacks. The exploit has the capability to penetrate into machines running unpatched version of Windows XP through 2008 R2 by exploiting flaws in Microsoft Windows SMB Server. This is why WannaCry campaign is spreading at an astonishing pace.

Once a single computer in your organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.

Infections from All Around the World

In just a few hours, the ransomware targeted over 45,000 computers in 74 countries, including United States, Russia, Germany, Turkey, Italy, Philippines and Vietnam, and that the number was still growing, according to Kaspersky Labs.

According to a report, the ransomware attack has shut down work at 16 hospitals across the UK after doctors got blocked from accessing patient files. Another report says, 85% of computers at the Spanish telecom firm, Telefonica, has get infected with this malware.

Another independent security researcher, MalwareTech, reported that a large number of U.S. organizations (at least 1,600) have been hit by WannaCry, compared to 11,200 in Russia and 6,500 in China.

Screenshots of the WannaCry ransomware with different languages, including English, Spanish, Italian, were also shared online by various users and experts on Twitter. Bitcoin wallets seemingly associated with WannaCry were reportedly started filling up with cash.

The Spanish computer emergency response organization (CCN-CERT) has even issued an alert that warns users of the “massive attack of ransomware” from WannaCry, saying (translated version):

“The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network.”

It is unclear how the WannaCry ransomware is infecting systems, but obvious attack vector can be phishing emails or victims visiting a website containing malware.

“Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.,” according to BBC.

How to Protect Yourself from WannaCry

First of all, if you haven’t patched your Windows machines and servers against EternalBlue exploit (MS17-010), do it right now.

To safeguard against such ransomware infection, you should always be suspicious of uninvited documents sent an email and should never click on links inside those documents unless verifying the source.

To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Moreover, make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.

source: http://thehackernews.com

The post WannaCry ransomware – hitting world right now uses NSA windows exploit appeared first on ITBlogSec.com.