Ransomware infections reported worldwide

page: 4

posted on May, 12 2017 @ 07:19 PM

originally posted by: ZIPMATT
a reply to: ArMaP

So the NSA got Microsoft to build in a hole which allows remote access and control, which was put in all chips for all computers made from 2010 in secret, and now the NSA has been hacked and stolen from, allowing remote access through the hole they put there together, to presumably anyone with hacking knowledge because the tools were available (dumped) online, in an apparent protest about Trump by a group called the Shadow Brokers.

Lol out loud! It's a proper story already, it's nothing to do with me, except my good old dad is in hospital right now, that's not so amusing.
And... where are the Americans? Isn't this thread veeery quiet?


There are holes everywhere at all levels. The best way to visualize these is to compare the PC to the operation of a downtown office block. Network ports are like loading bays for trucks; the BIOS, AMT, UEFI, kernel and device drivers are like the sub-level basements for the utility companies. Applications and system libraries are like the rented office space and public spaces above ground level. Having separate processors like GPUs and AMT is like having service levels only accessible through particular stairwells.

Then it becomes very easy to find open doors and windows to get spyware into squirrelly places where they watch data coming and going. Even easier to misconfigure services so that they don't require passwords and data can just be exported.



posted on May, 12 2017 @ 07:24 PM
a reply to: stormcell

Exactly so. It's also good to mention that very skilled attackers can exploit how a computer system works at its very core by overflowing memory buffers.



posted on May, 12 2017 @ 07:59 PM
Boatloads of questions.

Getting bitcoins means somebody or something is getting funded. One person or a group? The banner of Anon, IS or other? Some lucky skiddy?

A test, a threat, a punishment or a repercussion?
edit on 12-5-2017 by Noncents because: Spelling Correction



posted on May, 12 2017 @ 08:10 PM
a reply to: heineken

Thanks for sharing, but this is a strange thread; it could not be non-fact in its entirety, for all I know. It's been a couple of hours, and is there something else going on? I am wondering that! It's not like it's not worth finding out, but it's a bit worrying for sure. Pretty shocking actually. What's the thread called again, cyber strike on UK hospitals? That's a clanger given the other apparent developments *pours more drink*. "It's good to talk", BT taught us that.



posted on May, 12 2017 @ 08:10 PM

originally posted by: Noncents
Boatloads of questions.

Getting bitcoins means somebody or something is getting funded. One person or a group? The banner of Anon, IS or other? Some lucky skiddy?

A test, a threat, a punishment or a repercussion?


An opportunist move with a short window for success.

Patches have been released; the bad guys were probably scrambling to get this virus working and out into the wild before the big companies get the patch passed through their testing systems and rolled out.

Chances are it's just good old fashioned criminals, just like all the other ransomware.



posted on May, 12 2017 @ 08:14 PM
I live in the UK. This is actually quite terrifying. Several local hospitals have been hit. Waiting for the press tomorrow.

From what I'm aware, 99+ countries have been 'infected'.

In my country DOZENS of hospitals have been hit already.

www.theguardian.com...



Aintree university hospitals
Barnsley hospital
Birmingham community
Burton hospitals
Central Manchester university hospitals
Cumbria partnership foundation
East Cheshire
Hampshire hospitals
Ipswich hospital
Liverpool community health
London North West
North Staffordshire
Northumbria healthcare
Sherwood Forest hospitals
Royal Liverpool and Broadgreen hospitals
West Hertfordshire hospitals
Hull and East Yorkshire hospitals
East Lancashire hospitals
North Lincolnshire and Goole NHS
Lancashire teaching hospitals
Derbyshire community health services
Burton hospitals NHS
United Lincolnshire hospitals
Colchester general hospital
Basildon and Thurrock university hospitals
George Eliot hospital
Mid Essex hospital services
University hospitals of North Midlands
Liverpool women's
North Cumbria university hospitals
Wrightington, Wigan and Leigh
Cheshire and Wirral partnership
Nottinghamshire healthcare
Plymouth hospitals


This software is not 'deliberately' targeting the NHS per se; more so it's using a hunter type code to find and abuse vulnerabilities on all sorts of networks and servers, of which the NHS just so happens to have been another victim of shoddily implemented IT and network support. Not through a fault of its own either. More so New Labour and the Tories' failure to support the NHS after providing 60+ years of dedicated, free healthcare and saving millions and millions of lives.

Politics aside, they've been hit by malicious ransomware code, demanding X amount of money within a time frame. Failure to commit to the time frame increases the amount 'to be paid'. Effectively locking out the systems used by the NHS to safely run itself.

From what I'm reading on various forums and some word of mouth, this has caused a # load of problems to innocent sick, injured and disabled people. People on waiting lists. People with crucial medicinal requirements. People with requirements.

Now apparently in some places the networks were switched off or maybe even not affected, but we're talking dozens of genuinely infected systems all across the regions....

www.theguardian.com...

And this is effectively the first day.


Now multiply this by an ever-growing amount of countries infected.... People just waking up to this in Asia, New Zealand, etc

--

Some are using this (below) to monitor live tracking of that specific malware. I have no idea of how legit it is, maybe someone can validate it for me?

But from what I'm seeing, lots of countries are being hit worldwide.

intel.malwaretech.com...

--

From CNN

money.cnn.com...


The ransomware, called "WannaCry," is spread by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March. But computers and networks that haven't updated their systems are at risk. The exploit was leaked last month as part of a trove of NSA spy tools.



--

Here's a decent link to someone on Reddit with some various updated info.

www.reddit.com...

--
Technical stuff from Kaspersky

securelist.com...


Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.


---

Some useful info from Symantec

www.symantec.com...


What has happened?

On May 12, 2017 a new strain of the Ransom.CryptXXX (WannaCry) strain of ransomware began spreading widely impacting a large number of organizations, particularly in Europe.



WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:

.lay6
.sqlite3
.sqlitedb
.accdb
.java
.class
.mpeg
.djvu
.tiff
.backup
.vmdk
.sldm
.sldx
.potm
.potx
.ppam
.ppsx
.ppsm
.pptm
.xltm
.xltx
.xlsb
.xlsm
.dotx
.dotm
.docm
.docb
.jpeg
.onetoc2
.vsdx
.pptx
.xlsx
.docx


I will update more soon.
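An added example, not part of the thread or of Symantec's advisory: a read-only triage pass a responder can run over a drive or share after a suspected hit. It relies only on what the post above states, that the encrypted copy keeps the original name with ".WCRY" appended, and changes nothing on disk. The sample tree it builds under $env:TEMP is constructed for the demo and is removed afterwards; $Root is whatever volume or share you want to triage.

```powershell
# Added example (not the thread's or Symantec's code): triage of a tree hit by WannaCry.
function Get-WcryTriage {
    param([Parameter(Mandatory)][string]$Root)

    $hits = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.WCRY' -ErrorAction SilentlyContinue)
    if ($hits.Count -eq 0) { "No .WCRY files under $Root"; return }

    # What was hit: the original extension is whatever precedes the appended .WCRY.
    "Encrypted files by original type:"
    $hits |
        ForEach-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |
        Group-Object | Sort-Object Count -Descending |
        ForEach-Object { '  {0,-10} {1}' -f $_.Name, $_.Count }

    # Where and when: the earliest encrypted file per directory approximates when it was reached.
    "Affected directories (earliest encrypted file):"
    $hits | Group-Object DirectoryName | ForEach-Object {
        $first = ($_.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        '  {0}  {1:u}' -f $_.Name, $first
    }

    # An original still sitting next to its .WCRY copy has not been deleted yet; copy those off first.
    $survivors = @($hits | Where-Object { Test-Path (Join-Path $_.DirectoryName $_.BaseName) })
    "Originals still present alongside encrypted copies: $($survivors.Count)"
    $survivors | ForEach-Object { '  ' + (Join-Path $_.DirectoryName $_.BaseName) }
}

# Constructed sample tree (assumption: nothing real) so the function can be tried offline.
$demo = Join-Path $env:TEMP 'wcry-demo'
New-Item -ItemType Directory -Force -Path (Join-Path $demo 'finance') | Out-Null
Set-Content -Path (Join-Path $demo 'finance\q1.xlsx.WCRY') -Value 'ciphertext'
Set-Content -Path (Join-Path $demo 'finance\notes.txt')    -Value 'untouched'
Set-Content -Path (Join-Path $demo 'report.docx.WCRY')     -Value 'ciphertext'
Set-Content -Path (Join-Path $demo 'report.docx')          -Value 'original not yet removed'

Get-WcryTriage -Root $demo
Remove-Item $demo -Recurse -Force
```

Point it at a real share with `Get-WcryTriage -Root '\\fileserver\data'` after removing the demo lines. The per-directory timestamps are only as good as the clock on the machine that did the encrypting, so treat them as an ordering, not as evidence.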



posted on May, 12 2017 @ 08:38 PM
There is no antivirus or firewall that will completely protect you. A dedicated hacker will get in if he wants to bad enough. It used to be that the average person didn't really have to worry about things like that because hacking was targeted and took time and resources to accomplish. Hackers went after high potential payoffs and left the average Joe alone. Now scripts are so much more sophisticated and spread so much faster a hacker can demand a ransom from anyone at any time. You don't even have to do anything. If you are on the mailing list of someone who gets hacked you are at risk.

As for fixing the problem once it happens, system restore does not work. Most decent attacks include planting the virus in the restore points so you re-install it when you restore your system. The best thing you can do is also one of the easiest and cheapest. Make a back-up of your drive while it's in good shape. Burn a rescue disk with all your files on it and the problem is solved. The only thing you would lose are any new files you created since your last burn. If you stay current with your back-ups you have little or nothing to lose in the event your system is hijacked.

While no antivirus or firewall offers complete protection, some are better than others. Every year there is a banking technology group that issues a report showing the comparison ratings for the bigger name antivirus programs. This report is the basis on which the banking industry chooses its software defense systems. Unfortunately, some of the most recognizable names are the worst programs. McAfee catches almost nothing while Kaspersky passes in every category with flying colors. The Avast free version is also quite effective and has a great analysis tool that spots performance issues and system vulnerabilities, the stuff more expensive software packages charge extra for.



posted on May, 12 2017 @ 08:42 PM
So continuing on with Symantec


What are best practices for protecting against ransomware?

New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.


--

A list of updated or not updated statuses of antivirus

virustotal.com...

--

From the Reddit link (courtesy of best_of_badgers)


The worm is spreading via leaked NSA cyber-weapons (ETERNALBLUE and maybe DOUBLEPULSAR) that were leaked by the Shadow Brokers. The vulnerability was patched by Microsoft in a critical patch update in March 2017. The NSA software was not originally a worm, but was modified.
There appears to be more than one variant of the worm (so far, appears to be four five eight). The biggest ransomware on the scene is called Wcry / WannaCry / WannaCryptor, which was rarely seen until today.
(UPDATE 4:08) - The ransomware aspect will still work, even if you aren't susceptible to the worm, so, as usual, be careful what you click on and execute. That hasn't changed. What's new here is the ability to spread to un-patched Windows computers without requiring user interaction.


www.reddit.com...

--



All unpatched Windows versions up through Windows 10 are affected. If you have automatic Windows Update turned on, you're probably safe from being automatically infected. Windows XP and other outdated systems were not patched and will remain vulnerable forever.
Odds are that if you're infected by this malware, you will not be able to recover your files without paying. You should always have an offline backup for this reason.


Wow that's pretty damn serious. You will not be able to recover your files without paying. That's some serious world changing blackmail. Especially to hospitals.

--
Real time view of the malware (?)
intel.malwaretech.com...

--

www.nytimes.com...

Animated map of infected computers worldwide.
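An added example, not from the thread or the Reddit post it quotes: a check to run in an elevated PowerShell on each Windows host for the exposure the quoted text describes (unpatched, SMB reachable, no user interaction needed). EternalBlue targets the SMBv1 server, and Microsoft's own fallback for hosts that cannot take the update is to disable SMBv1 and block TCP 445, so the script reports all three. The KB numbers are the MS17-010 updates as I recall them from the bulletin; check them against the bulletin for your exact build before trusting a "not patched" result, and note that builds released after March 2017 (Windows 10 1703, for instance) shipped already fixed and will show as unpatched here.

```powershell
# Added example (not the thread's code): is this host still exposed to the WannaCry worm?
# Run elevated. KB list is an assumption taken from the MS17-010 bulletin; verify for your build.
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Patched {
    # $true if any of the listed updates is installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the switch as a cmdlet; on Windows 7 fall back
    # to the LanmanServer registry value (value absent means SMBv1 is enabled, the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return [bool]$val
}

function Test-Port445Listening {
    # Get-NetTCPConnection exists on Windows 8 / Server 2012 and later; netstat works everywhere.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    return [bool](netstat -an | Select-String ':445\s+.*LISTENING')
}

$patched = Test-Ms17010Patched
$smb1On  = Get-Smb1State
$exposed = Test-Port445Listening

"MS17-010 update present : $patched"
"SMBv1 enabled           : $smb1On"
"TCP 445 listening       : $exposed"

if (-not $patched -and $exposed) {
    Write-Warning 'Unpatched host with SMB reachable: the worm can infect it with no user action.'
    Write-Warning 'Install the MS17-010 update now. Until then, block inbound 445 at the host firewall:'
    Write-Warning '  New-NetFirewallRule -DisplayName "Block SMB in" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block'
}
if ($smb1On) {
    Write-Warning 'SMBv1 is on and nothing modern needs it. Turn it off (Windows 8 / 2012 and later):'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
```

Blocking 445 at the host firewall also stops the machine serving files to neighbours, which is the point: a patched host is safe to unblock, an unpatched one is not. Windows XP and Server 2003 have no entry in the list because, as the quoted post says, they had not received a fix at the time of writing.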



posted on May, 12 2017 @ 08:57 PM

originally posted by: subfab
a reply to: mirageman

i heard about this this morning.
i'm sure it will be a short matter of time before a resolution to the mess is developed.
question to anyone savvy with computers; if a personal computer gets attacked like this, will installing a fresh operating system clear it up?
wipe the hard drive clean and start over?


It depends on what is infected and where. If your entire system is on one hard drive, you can format the system, lose everything, reinstall an OS and go on with your day. If, however, you do what most people do these days, which is have the OS on one drive and files on another, wiping the OS will still leave the infected files on your system and you'll reinfect yourself when you run the file.



posted on May, 12 2017 @ 08:59 PM
A very intriguing thread and terrifying.
How does this affect me, a pre-geriatric user, and what can I do to prevent these dire consequences?
Could I unknowingly spread this?
The inside jargon is difficult to comprehend so pardon me.



posted on May, 12 2017 @ 09:03 PM

originally posted by: DontTreadOnMe
Isn't there software protections against ransomware, like AVs?

Is there anything one can do to protect themselves?

Don't companies have firewalls, etc to prevent such disruptions?


Anti Virus software is very fickle.

Without going into too much technical detail, at a basic level anti virus software works by matching a program to a copy of a program known to be malware. If you're at all familiar with the concept of anti-plagiarism software most schools, universities, etc. use... anti virus software essentially does the exact same thing. Just like with spoken languages, there's an infinite number of ways to express the same concept in machine language. So when anti virus software goes to match something up, if it doesn't hit on an already known virus you won't be protected.

If a malware author is dedicated and good at their craft, they can get past pretty much any anti virus.
edit on 12-5-2017 by Aazadan because: (no reason given)



posted on May, 12 2017 @ 09:46 PM

originally posted by: vinifalou
Wilileaks just tweeted:

NOTE: The current hospital 'ransom ware' directly relates to computer viruses produced by the NSA. Not to WikiLeaks' CIA #Vault7 series.



I'll wait to know more (still reading this thread, and I'm sure more information will come out in the coming days) but if these reports are accurate it's yet another very good indication that the NSA is directly harming rather than helping US security by developing these exploits. We probably need to be developing exploits and then releasing them publicly with patches to secure rather than infiltrate systems.

It seems that every security researcher on the planet, except for the ones at the NSA, agrees. We shouldn't rely on obscurity. If we know of an exploit that can harm US interests (or worse, we engineer those exploits), they need to be known.
edit on 12-5-2017 by Aazadan because: (no reason given)



posted on May, 12 2017 @ 09:48 PM

originally posted by: worldstarcountry
$300 in bitcoin? That's like 1/6 of a bitcoin, how does that get paid out?


Fractions of a bitcoin are like fractions of a dollar. You can pay out 75 cents for example even though the measurement is a dollar.



posted on May, 12 2017 @ 09:56 PM

originally posted by: mirageman
So much for a 'strong and stable' IT infrastructure!


I have a low opinion of IT and IT workers, but stepping back from that for a moment... they do have a difficult job.

If things go wrong, companies and governments ask why they're being paid if things are breaking.
If things go right, companies and governments ask why they're being paid if nothing is going on.

It's like the saying goes, "If you do things right, people won't be sure you've done anything at all". Accountants tend to not think like that though.



posted on May, 12 2017 @ 10:26 PM
I put a hot-swap drive bay in my system. Hard drives are still the best and safest way to store data. All I have to do to back up my files is flip the locking lever down on the drive bay and copy the files over. Once that is done I just flip the lever up and the bay is deactivated and safe in the event of an attack.

Drive bays like the one I use are inexpensive, usually around $15. You can use old hard drives you may have lying around or spend a few bucks on one just for your back-ups. Burning a CD of your files is probably the easiest way for most people to protect their files, but if you want to keep your back-ups current more often than you would want to burn CDs then the hot swap drive bay is the way to go.

Swappable drive bays are easy to install and operate. They fit in the same size slot as a CD burner, and connect the same way as a hard drive. You lift the locking lever and slide the tray out. Put a hard drive in, connecting the bus cable and power plug as you normally would, then slide the tray back in the bay. Lock the lever down and your drive is now accessible. Copy your files over and simply lift the locking lever when you are done. This turns the drive off and cuts the power to it, making it invulnerable to any attack that may occur. The virus won't even see the extra drive, let alone infect it.



posted on May, 12 2017 @ 10:55 PM
Here's a scary thought:

This could be the start of a much worse scenario than a demand for money. The WW3 forum here at ATS has been very busy. Imho it's only a matter of time before all-out war breaks out, short of a miracle from the Lord Jesus Himself.

What would be a good way of defeating an enemy and make it harder for them to retaliate in war? Cyber attacks. Get them in such a way they can't use their defense systems, all of which are computerized.

This is one reason an EMP attack can be deadly. Take out a country's ability to defend itself and it's a sitting duck.

I think this could be where we're headed, but hopefully I am wrong. Just speculating at this point.



posted on May, 12 2017 @ 10:59 PM
System restore will often work unless you have restarted since becoming infected. I've restored many users' data running system restore on their documents folders, etc. Keep in mind system restore won't fix encrypted files, but it can effectively remove the virus. But if you right-click on data folders and select "Restore previous versions," you can get personal data back as well. Viruses typically are backed up during a system restore. Viruses often just turn off system restore, which effectively removes restore points.

Sophos Intercept X will stop ransomware, and then actually decrypt files that it encrypted. Nice product.

Just get an external SSD drive. Make a little batch file to back up data to it. I use this as a quick fix for many users who are too busy to back their stuff up, as they travel quite a bit. I create a c:\data folder, put their data in that, and put a shortcut to that folder on their desktop. User profiles are not a great place for data (I've had people's corrupted profile cause them to lose all data). Then just make this batch file and put a shortcut to it on their desktop. All they have to do is: 1. plug the drive in, 2. double click the shortcut. As it only backs up new and changed data, it only takes a few seconds to run. Unless you store PST files (email archives)... then it takes longer, as PST files, once opened in Outlook, are always considered changed:

Create a new text file on your c: drive called backup.bat. Edit it and enter (or copy-pasta) this:

@echo.
@echo.
@echo Backing up data!
@echo.
@echo.
@rem e: = whatever your external drive is. Always want it to be the same letter for this to work.
@rem /i treats e:\data as a folder, so xcopy does not stop to ask "file or directory?" on the first run.
xcopy c:\data\*.* e:\data\ /e /y /d /i
@echo.
@echo.
@echo Data backup complete!
@echo.
@echo.
@pause

You can make more powerful stuff in powershell, but the above is just a dead-simple way to easily back up your stuff with a double click on an icon. If backups are not simple, I've found people simply don't do them, at least not regularly.

This virus is much worse for businesses. For home networks, you pretty much have to: 1. don't visit super dodgy sites with loads of popups (or use a popup add-on in Firefox or something along those lines), and 2. think at least 3 times before opening an attachment in an email you receive. Usually these are delivered in a .zip file. Usually people never actually receive .zip files in email. So it still boggles my mind people blithely open .zip files they receive.
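An added example, not fleabit's script: the same one-click idea done in PowerShell, with two changes that a ransomware incident teaches. Each run goes into a dated folder, so a run made after infection cannot overwrite or mingle with the last clean copy, and anything already carrying the .WCRY suffix the thread describes is never copied. The source folder, drive letter and retention count are assumptions; change them to suit.

```powershell
# Added example (not the poster's batch file): dated, ransomware-aware backup to an external drive.
$Source    = 'C:\data'
$BackupVol = 'E:'            # the external drive; keep it the same letter every time (assumption)
$Keep      = 5               # how many dated copies to retain (assumption)

if (-not (Test-Path $BackupVol)) {
    Write-Error "Backup drive $BackupVol is not plugged in."
    exit 1
}

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest  = Join-Path $BackupVol "data-backup\$stamp"

# /E   copy subfolders, including empty ones
# /R:1 /W:1  one retry, one second wait, so a locked PST does not hang the run
# /NP  no per-file progress output
# /XF *.WCRY  never carry encrypted output into the backup
robocopy $Source $dest /E /R:1 /W:1 /NP /XF *.WCRY | Out-Null

# robocopy exit codes 0..7 are success variants; 8 and above mean something failed to copy.
if ($LASTEXITCODE -ge 8) {
    Write-Error "Backup finished with errors (robocopy exit code $LASTEXITCODE)."
    exit $LASTEXITCODE
}
"Backup written to $dest"

# Keep only the newest $Keep dated copies so the drive does not fill up.
Get-ChildItem (Join-Path $BackupVol 'data-backup') -Directory |
    Sort-Object Name -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Recurse -Force

# Last step matters most: a backup drive that stays connected is just another drive for the worm.
Read-Host 'Done. Unplug the drive, then press Enter'
```

Save it as C:\backup.ps1 and give the user a desktop shortcut to `powershell -ExecutionPolicy Bypass -File C:\backup.ps1`, which is the same double-click experience as the batch file. Full dated copies cost more space than an incremental xcopy, which is why the script prunes old ones; if space is tight, lower $Keep rather than going back to a single overwritten copy.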



posted on May, 12 2017 @ 11:02 PM

I have a low opinion of IT and IT workers, but stepping back from that for a moment... they do have a difficult job.


Curious why you have a low opinion of IT workers.. : )



posted on May, 13 2017 @ 01:49 AM

originally posted by: fleabit

I have a low opinion of IT and IT workers, but stepping back from that for a moment... they do have a difficult job.


Curious why you have a low opinion of IT workers.. : )
The grunts are just doing their jobs so I don't fault them, but the leaders in the field had a choice to create a security nightmare or not, and they chose to create a security nightmare.

They could have avoided it via two main avenues:
1. By not placing such an emphasis on developing web technology that relied on remote execution of scripts (which may or may not be malicious), and
2. By setting up all their corporate web browsers to not allow the remote execution of scripts which could be potentially malicious. If they were blocked by the majority of users, then developers wouldn't develop such dangerous technology for such a small share of the web market.

So because of their failure, where are we at now? Here's the 2017 report looking at what happened in 2016 and it's a security disaster that rests squarely on the shoulders of the IT leaders that put us in this bad situation:

New research reveals that 30 percent of malware attacks are zero day exploits

Thirty percent of malware can be classified as new or zero-day because it cannot be caught by legacy antivirus solutions, according to research published today in WatchGuard’s first Quarterly Internet Security Report, which explores the latest computer and network security threats affecting SMBs and distributed enterprises. The results from Q4 2016, confirm that cyber criminals’ capability to automatically repack or morph their malware has outpaced the AV industry’s ability to keep up with new signatures. This means that without advanced threat prevention, companies could be missing up to a third of malware.

The WatchGuard report also shows that old threats are reappearing and macro-based malware is still prevalent. Spear-phishing attempts still rely on malicious macros hidden in files including Microsoft’s new document format, while attackers also still use malicious web shells to hijack web servers. It appears that PHP shells are alive and well, as nation-state attackers have been evolving this old attack technique with new obfuscation methods.

Other findings in the WatchGuard Q4 2016 report include:

-JavaScript is a popular malware delivery and obfuscation mechanism with a rise in malicious JavaScript, both in email and over the web.

-Most network attacks were aimed at web services and browsers, with 73 percent of the top attacks targeting web browsers in drive-by download attacks.
This is a disaster but it was completely predictable based on the dumb decisions made by IT leaders to make remote code execution on the web rampant, all because they think people were too lazy to click another button on their browser when they wanted more content delivered, so they created scripts to deliver it without clicking the button, and guess what, sometimes what's delivered is malicious, far too often according to that report, and antivirus can't keep up so it's pretty worthless.

If I have to click another button to avoid running malicious scripts that will steal my passwords and lock up my files in ransomware, I'm happy to click it and if the web was designed that way we wouldn't have this problem.



