Ransomware infections reported worldwide

posted on May, 12 2017 @ 01:18 PM
link   
a reply to: Misterlondon

It's looking like they've hit what many would consider essential services - finance, healthcare, utilities, communications, transport companies etc.

From my own experience it hit the Mediterranean countries then the UK. But the global pattern and damage caused will probably not emerge for hours or even days yet.
edit on 12/5/17 by mirageman because: tidy up



posted on May, 12 2017 @ 01:27 PM
link   

originally posted by: mirageman
a reply to: Misterlondon

It's looking like they've hit what many would consider essential services - finance, healthcare, utilities, communications, transport companies etc.

From my own experience it hit the Mediterranean countries then the UK. But the global pattern and damage caused will probably not emerge for hours or even days yet.


Could it possibly be a state sponsored attack then aimed at attacking infrastructure.. Under the disguise of ransomware?



posted on May, 12 2017 @ 01:38 PM
link   
a reply to: Misterlondon

I was just wondering the same!!



Maybe Kim Jong Un is throwing a fit because nobody is taking him seriously and all the new sanctions levied against NK?

Possible. But could just be what has been reported. One group going for the one!



posted on May, 12 2017 @ 02:03 PM
link   

The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". Jaff spreads in a similar way to the infamous file-encrypting malware Locky and even uses the same payment site template, but is nonetheless a different monster. Attached to dangerous emails is an infectious PDF containing an embedded DOCM file with a malicious macro script. This script will then download and execute the Jaff ransomware. Locky -- like Jaff -- also used the Necurs botnet and a booby-trapped PDF, security firm Malwarebytes notes.

"This is where the comparison ends, since the code base is different as well as the ransom itself," said Jerome Segura, a security researcher at Malwarebytes. "Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing." Proofpoint reckons Jaff may be the work of the same cybercriminals behind Locky, Dridex and Bart (other nasty malware) but this remains unconfirmed.

And Forcepoint Security Labs reports that malicious emails carrying Jaff are being cranked out at a rate of 5 million an hour on Thursday.

Link



posted on May, 12 2017 @ 02:21 PM
link   
I know that I don't have any proof, but I suspect North Korea may be responsible.

They have been spouting off about tensions on the Korean Peninsula and would stand to gain the most by conducting an attack on what are necessary systems (healthcare, etc). People's lives have been disrupted on a massive scale and some could die.

Here's an excerpt from a CNN report last month that has to do with "Lazarus," a hacking operation that attacked banks in many parts of the world:


North Korea's hacking operations are growing and getting more bold -- and increasingly targeting financial institutions worldwide. North Korea is now being linked to attacks on banks in 18 countries, according to a new report from Russian cybersecurity firm Kaspersky. And the stolen money is likely being spent advancing North Korea's development of nuclear weapons, according to two international security experts.

Banks and security researchers have previously identified four similar cyber-heists attempted on financial institutions in Bangladesh, Ecuador, the Philippines and Vietnam. But researchers at Kaspersky now say the same hacking operation -- known as "Lazarus" -- also attacked financial institutions in Costa Rica, Ethiopia, Gabon, India, Indonesia, Iraq, Kenya, Malaysia, Nigeria, Poland, Taiwan, Thailand, and Uruguay.


Towards the end of the report comes a quote from an expert on Korea who works at Tufts University:


"We tend to patronize North Korea and mock them. But over the past decade, they have shown the world they are... very capable when it comes to cybercrime," he said.


Source

Given the attitude of Lil' Kim as of late, he is my #1 suspect.
edit on 12-5-2017 by dianajune because: typo



posted on May, 12 2017 @ 02:24 PM
link   
a reply to: dianajune

If it turns out this was North Korea I think Lil Kim may have just signed his own death warrant.



posted on May, 12 2017 @ 02:28 PM
link   

originally posted by: nickovthenorth
a reply to: dianajune

If it turns out this was North Korea I think Lil Kim may have just signed his own death warrant.


I agree. Imo it's too early to tell how many people will be impacted by this. I was reading a report out of the UK about one patient, for example, whose heart surgery had to be postponed because of this issue.

If this was a state-sponsored attack like the one I just posted about, then, imho, it is an act of war and needs to be dealt with accordingly.



posted on May, 12 2017 @ 02:29 PM
link   

originally posted by: roadgravel
tech.slashdot.org...


Attached to dangerous emails is an infectious PDF containing an embedded DOCM file with a malicious macro script. This script will then download and execute the Jaff ransomware.


Yes, PDF files are dangerous, but it wasn't always so. I used Adobe Acrobat version 5.0 for as long as I could because I knew the newer versions of Acrobat had this vulnerability of executing malware, so ever since Acrobat 6.0 came out it really hasn't been safe, and from that article it sounds like Adobe Acrobat is probably part of the attack vector though they don't mention it by name. If you were still running Acrobat 5.0 it wouldn't know what to do with the script so it would fail to execute and you'd be safe from the described PDF attack.

There are PDF alternatives which are safer than Acrobat.


originally posted by: DontTreadOnMe
Aren't there software protections against ransomware, like AVs?

Is there anything one can do to protect themselves?

Yes, don't use Adobe Acrobat to open PDFs. If you insist on exposing yourself to the risks of Acrobat there are still some things you can do:

resources.infosecinstitute.com...

The PDF has the ability to deliver rich content (static and dynamic). Combined, these elements can deliver a visually appealing, interactive, and portable document. While we have all benefited from this feature-rich information-sharing venue, there exists a darker side. The dynamic PDF capabilities mentioned above can and have been used to house malicious content. In previous years, cybercriminals embedded malicious script to install malware and steal user credentials.

Normally, the PDF malware’s malicious behavior is in a script that is embedded in PDF files. The scripts that are responsible for malicious behavior can be written in a scripting language that PDF supports. JavaScript is the most popular for this purpose...

Protection

Enable automatic updates.
Disable PDF browser integration.
Always install the latest patch/update, even for older Adobe product versions.
Disable JavaScript.
Uncheck “Allow non-PDF file attachments with external applications” to prevent launch action vulnerability.
Use PDF alternatives such as Foxit, Sumatra, PDF XChange.
Personally I like Sumatra and because of the risks I have rarely used any version of Adobe Acrobat more recent than version 5 and am inclined to only use more recent versions inside a "sandbox" which would isolate malware from the rest of the system.
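
The script, launch-action and attachment indicators named in the quoted excerpt and protection list can be checked for before a PDF is opened. The following is an added example, not part of the original post or the quoted article; the function names, the verdict policy and the sample bytes are constructed for illustration.

```python
import re

# PDF name tokens tied to the behaviours described above: embedded scripts,
# automatic actions, launch actions and file attachments.
RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch",
               "EmbeddedFile", "EmbeddedFiles")
# Macro-capable Office extensions; .docm is the attachment type in the Jaff report.
MACRO_EXT = re.compile(rb"\(([^()\\]{1,200}\.(?:docm|dotm|xlsm|pptm))\)", re.I)
NAME_TOKEN = re.compile(rb"/([A-Za-z0-9#]+)")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens and list macro-enabled attachment names.

    Only uncompressed bytes are inspected; names inside compressed object
    streams are not seen, so a clean result is not proof of a safe file.
    """
    counts = {name: 0 for name in RISKY_NAMES}
    for match in NAME_TOKEN.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    attachments = [m.group(1).decode("latin-1") for m in MACRO_EXT.finditer(data)]
    return {"names": counts, "macro_attachments": attachments}


def verdict(report: dict) -> str:
    """Assumed policy: quarantine on script, launch or macro attachment."""
    n = report["names"]
    if report["macro_attachments"] or n["Launch"] or n["JavaScript"] or n["JS"]:
        return "quarantine"
    if n["OpenAction"] or n["AA"] or n["EmbeddedFile"] or n["EmbeddedFiles"]:
        return "review"
    return "pass"


# Constructed sample: a harmless fragment carrying only the structure of interest.
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R "
          b"/Names << /EmbeddedFiles 2 0 R >> >>\nendobj\n"
          b"2 0 obj\n<< /Type /Filespec /F (invoice.docm) >>\nendobj\n"
          b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n%%EOF\n")
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
```

Calling `verdict(triage_pdf(data))` on the bytes of a mail attachment gives a coarse gate in front of whichever PDF reader is in use.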



posted on May, 12 2017 @ 02:37 PM
link   
a reply to: dianajune





If this was a state-sponsored attack like the one I just posted about, then, imho, it is an act of war and needs to be dealt with accordingly.


I agree 100%. Obviously there is a way to go before they will know where this came from, but when they do, as you say, they should be dealt with accordingly.

On a related note, just to show a small but inconvenient aspect to this, I had taken the afternoon off work today to go and get injections for my upcoming holiday and I had to rearrange because the nurse could not access my records to confirm what injections I was there to get... Like I said, on the grand scale this is just a minor inconvenience, but if I can't even get jabs, what about people scheduled for ops and A & E departments etc...
edit on 12-5-2017 by nickovthenorth because: (no reason given)



posted on May, 12 2017 @ 02:48 PM
link   

originally posted by: nickovthenorth
a reply to: dianajune





If this was a state-sponsored attack like the one I just posted about, then, imho, it is an act of war and needs to be dealt with accordingly.


I agree 100%. Obviously there is a way to go before they will know where this came from, but when they do, as you say, they should be dealt with accordingly.

On a related note, just to show a small but inconvenient aspect to this, I had taken the afternoon off work today to go and get injections for my upcoming holiday and I had to rearrange because the nurse could not access my records to confirm what injections I was there to get... Like I said, on the grand scale this is just a minor inconvenience, but if I can't even get jabs, what about people scheduled for ops and A & E departments etc...


Patients with serious health problems have been affected by this:


Anthony Brett was about to have a stent put in his liver to treat his cancer when he was told the procedure could not happen. The 50-year-old from Bow, east London, said: 'I was about to have the operation but then the doctors came round this morning and said all the computers are down because of all the hacking and the procedure can't be done because they can't access my records.'


Source

In the same report there was a man who had heart surgery postponed because of the hack.

If NK turns out to be the culprit, then it's game on. If NK did this, then imo it would be more likely they could carry out an EMP attack with their satellites if they want. But WWIII belongs in another thread.



posted on May, 12 2017 @ 02:49 PM
link   
I back everything up on an external hard drive. If you cannot get into the system files to delete this crap, I would just reformat the hard drive and start over. It's a 5-8 hour deal to format then start adding back programs, but it's good to do every once in a while.



posted on May, 12 2017 @ 02:49 PM
link   
Another rule of thumb is treat spam with PDF attachments as toxic waste. No need to open random files from some unknown source. Good things seldom happen.

Disclaimer:
I do realize that a lot of attacks happen because emails seem to be from a known source.



posted on May, 12 2017 @ 02:55 PM
link   
a reply to: Arbitrageur

I suspect (don't know for sure) that a PDF was the route into many systems. A lot of 'big' businesses deal with each other and smaller subsidiaries and suppliers electronically. The PDF is probably the most universal format for invoicing, reporting etc. Although it could have been a Word, Excel or PowerPoint document too!

But it only takes one unwitting employee to open up something that looks genuine and suddenly you can have huge problems.

It's still not clear if this was pure opportunism on a massive scale or whether this was a cold calculating state sponsored cyber attack. In my company the major problems were in Europe not the UK, North America or Asia.

Reports coming through seem to report Spain & Russia as worst hit. NHS England was hit but not Scotland, N.Ireland or Wales (at least not yet). It was reported that NHS computer systems have suffered from cuts to budgets leaving them vulnerable.

So much for a 'strong and stable' IT infrastructure!



edit on 12/5/17 by mirageman because: typo



posted on May, 12 2017 @ 02:59 PM
link   

originally posted by: nickovthenorth
a reply to: dianajune

If it turns out this was North Korea I think Lil Kim may have just signed his own death warrant.


I doubt it has anything to do with NK. They are a proud nation of a technology that was the state of the art 30 something years ago.



posted on May, 12 2017 @ 03:08 PM
link   

originally posted by: Misterlondon
Lots of companies affected.. looks like this is EternalBlue. Which is a hack developed for the NSA.. American intelligence services!!


WikiLeaks just tweeted:

NOTE: The current hospital 'ransom ware' directly relates to computer viruses produced by the NSA. Not to WikiLeaks' CIA #Vault7 series.



posted on May, 12 2017 @ 03:13 PM
link   
a reply to: Shuye

www.csis.org...

I'm not 100% sure on North Korea's cyber warfare capabilities but according to this they do have previous... If they have got their hands on the leaked hacking tools, which let's be honest at this time is more likely than not, then this may well be within their capabilities... or maybe I'm way off, but I think I'm in danger of getting off topic, sorry OP.


edit on 12-5-2017 by nickovthenorth because: (no reason given)



posted on May, 12 2017 @ 03:38 PM
link   
So, there's a hole for remote access built into computers since 2010, stolen hacking tools, and now this?
Oh dear ...



posted on May, 12 2017 @ 03:55 PM
link   

originally posted by: PokeyJoe
Basically it encrypts your hard drive. If you don't pay up, your HDD is basically a complicated paperweight.

It encrypts only some file types, like .doc, .xls, .jpg, .pdf, .txt, etc., it doesn't encrypt system files or programs. There are also several file types it doesn't encrypt, like .xml files.



posted on May, 12 2017 @ 03:59 PM
link   
The only thing I know is that I was called around 11:30 this morning, Portuguese time, to solve the problem on a small accounting company related to the company where I work.



posted on May, 12 2017 @ 04:49 PM
link   
$300 in bitcoin? That's like 1/6 of a bitcoin, how does that get paid out? So I see the tools are being put to good use now. It could be North Korea, or it could be a false flag to point the fingers at NK??? It's probably just criminal organizations though utilizing the software that was dumped a couple months back.

Well luckily, if my computer did this to me, I would just dump it and move on to computing from my phone I guess. Well I figured this would happen and speculated as much when I wrote about it on April 9th.
edit on 5-12-2017 by worldstarcountry because: (no reason given)



