In mid-April we learned powerful software tools, reportedly designed by the NSA to infect and control computers, was leaked by an entity known only as the “Shadow Brokers”.
And Friday, we saw it in action.
Tens of thousands of computers worldwide were crippled by hackers demanding ransom.
The malware goes by the names “WannaCry” or “Wanna Decryptor”. It remains invisible until it unveils itself as ransomware, telling users to pay $300 in the cryptocurrency Bitcoin if they want their files unencrypted.
Users are also (obviously) locked out of their computers. It’s useless for anything other than paying the ransom.
After a few days, the price goes up to $600; in seven days, if no ransom has been paid, the hacker makes the files permanently inaccessible.
If you have the malware WannaCry, the hackers were kind enough to provide you with a countdown clock so you know just how much time is left.
These aren’t new attacks. Usually personal computers are hit and it a giant pain in the butt for anyone. But this attack was on such a massive scale and it wasn’t just home computers that were hit.
Health care, communications infrastructure, logistics, and government entities were all on the list of places that were hacked.
Reuters said that “hospitals across England reported the cyberattack was causing huge problems to their services and the public in areas affected were being advised to only seek medical care for emergencies,” and that “the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.”
Operations were also cancelled due to the attack.
This hack went from a mild inconvenience, to massive amounts of personal information being threatened, to people’s lives because they could not receive the necessary care.
Thankfully, no one has reported any tragedies because of this attack (except for computers, of course).
A ransomware spreading in the lab at the university pic.twitter.com/8dROVXXkQv
— １２Ｂ (@dodicin) May 12, 2017
According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept, “I’ve never seen anything like this with ransomware,” and “the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over 9 million computers in nearly 200 countries.
Most importantly, unlike previous massively replicating computer worms and ransomware infections, today’s ongoing WannaCry attack appears to be based on an attack developed by the NSA, code-named ETERNALBLUE. The U.S. software weapon would have allowed the spy agency’s hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in government) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them — but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance. Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”
An “accidental hero” did manage to stop the spread of the ransomeware by registering a garbled domain name hidden in the malware. But that doesn’t mean the threat is over.
The spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.
I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who lives with his parents and works for Kryptos logic, an LA-based threat intelligence company.
“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
But he warned people: “This is not over. The attackers will realize how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”