Thread: Massive Ransomware Infestation Going Round, Based Upon Leaked NSA Exploit

  #1 Aragorn (Administrator)

    Massive Ransomware Infestation Going Round, Based Upon Leaked NSA Exploit

    For the non-technically-minded among our readers, ransomware is malware which locks up your computer and encrypts your files until you've paid a ransom — usually in Bitcoin currency — to the perpetrators.

    The infestation that is the topic of the article below was created by way of an exploit of a security flaw in the Microsoft Server Message Block (SMB) layer, i.e. Microsoft's proprietary network filesystem layer. The exploit for this security flaw was itself created by the NSA, and was released to the public as part of the leaking of the NSA's hacking tools by the hacker collective who call themselves The Shadow Brokers. However, it was not The Shadow Brokers who created the ransomware.

    Source: Threat Post

    A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent ShadowBrokers dump.

    Researchers at Kaspersky Lab said the attackers behind today’s outbreak of WannaCry ransomware are using EternalBlue, the codename for an exploit made public by the mysterious group that is in possession of offensive hacking tools allegedly developed by the NSA.

    EternalBlue is a remote code execution attack taking advantage of an SMBv1 vulnerability in Windows. Microsoft patched the vulnerability on March 14, one month before the exploit was publicly leaked. Spain’s Computer Emergency Response Team, Kaspersky Lab, and others are recommending organizations install MS17-010 immediately on all unpatched Windows machines.

    Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said in a Securelist report published today they’ve recorded more than 45,000 infections so far on their sensors, and expect that number to climb.

    Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other businesses worldwide have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems.

    The BBC reports that hospitals in London and other major cities in England have been hit. Patient care has been impacted at some hospitals with non-urgent surgeries being postponed and emergency patients redirected to other facilities.

    The Guardian said hospitals run by the East and North Hertfordshire NHS Trust, Barts Health in London, and other facilities in Southport and Blackpool are known to be down. The ransomware has locked admins out of email servers and medical staff cannot access patient and clinical systems.

    MS17-010, experts warned, would haunt IT systems for years to come, much in the same way MS08-067, the Conficker vulnerability, continues to show up in pen-tests today close to a decade after it was patched. The vulnerability affects Microsoft SMB server deployments on all supported versions of Windows going back to Vista. Attackers would need to find a vulnerable SMB Server on the internet and send it a malicious packet to trigger the vulnerability.

    The patch shuts down a number of attacks leaked by the ShadowBrokers that are part of the Fuzzbunch exploit platform, including EternalBlue. Each of the exploits in the platform drops the DoublePulsar post-exploitation Windows kernel attack onto compromised machines. DoublePulsar is a kernel payload that allows an attacker to execute shellcode payloads.

    “This is a full ring0 payload that gives you full control over the system and you can do what you want to it,” Sean Dillon, senior security analyst at RiskSense, told Threatpost last month. Dillon was the first to reverse-engineer a DoublePulsar payload. “This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it’s still found in a lot of places,” Dillon said. “I find it everywhere. This is the most critical Windows patch since that vulnerability.”

    As for today’s attacks, England’s health care system is among the hardest hit.

    NHS issued a statement identifying the ransomware as “Wanna Decryptor,” the WanaCrypt0r variant of WCry or WannaCry identified by Malware Hunter Team.

    Users report being locked out of systems, which are now displaying a ransom note similar to those used by many other ransomware families demanding a $600 payment in Bitcoin. The note says files on the infected system have been encrypted and provides victims with instructions on how to recover their data before it is permanently lost. The tool and payment instructions were designed to address users in dozens of countries and were translated in many languages.

    “The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet are approximately $300 USD. It suggests that the group is increasing the ransom demands,” researchers at Kaspersky Lab said. The ransom note shows a clock counting down until the ransom demand is raised, with a threat that users may permanently lose their files after the clock times out.

    This ransomware family is relatively new with the first iteration popping up in February. Early versions appended the .WCRY extension to encrypted files; today’s outbreak is also appending .WNCRY, some reports say.

    Kaspersky Lab said in its report that the malware directs victims to a page with a QR code at btcfrog; that QR code links to the attackers’ main Bitcoin wallet, which was showing five transactions so far today. Two other transactions were recorded at another Bitcoin wallet listed in the malware readme file.

    The researchers said the malware runs command and control through Tor, and published a list of .onion domains for hidden services acting as C2. Kaspersky Lab also published hashes of samples it has observed in the wild and a list of detection names.

    “Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims,” researchers said. “We will provide an update when a tool is available.”

    NHS, which is England’s public national healthcare system, said it is investigating, but does not believe that patient data has been accessed.

    “The attack was not specifically targeted at NHS and is affecting organizations from across a range of sectors,” NHS said.

    = DEATH BEFORE DISHONOR =

  #2 Gale Frierson (Retired Member, United States)
    Guess Bill Gates wasn't as smart as he thought he was. Of course, David Icke has no use for the man. Not too surprising.

  #3 Aragorn (Administrator)
    Quote Originally posted by Gale Frierson:
    Guess Bill Gates wasn't as smart as he thought he was.
    That is correct. His greed, ego and megalomania stood in the way of his intelligence. Had he been smart, then Microsoft Windows would never have been Microsoft Windows.

    Quote Originally posted by Gale Frierson:
    Of course, David Icke has no use for the man.
    Oh, but neither have I.

  #4 Aragorn (Administrator)

    Update:

    The spreading of this ransomware has now been halted. A security researcher discovered that the NSA had built a "kill switch" into their exploit, which checked for a response from a domain with a nonsensically long name. If no response came back, then the malware would continue to spread, but by registering a domain with the name that the malware was looking for, the malware got a response and ceased its activity.

    All affected organizations have now been given the heads-up, so that they can make sure their computers have access to the internet and that the infected machines are thus able to reach the domain the malware is polling for.

    All's well that ends well... At least for now...
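
    As an added illustration of the defender's side of the two posts above (example code, not from the thread or the quoted article): the .WCRY/.WNCRY extensions the article names and the kill-switch lookup the update describes both leave traces a blue team can search for. The domain name below is a placeholder, since the thread never gives it, and the log lines and file listing are constructed.

```python
import re
from collections import defaultdict

# Placeholder: the update post says the malware polled a domain with a
# "nonsensically long name" but never gives it, so a stand-in is used here.
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"
# Extensions the quoted Threatpost article attributes to this ransomware family.
RANSOM_EXTENSIONS = (".wcry", ".wncry")

# Constructed resolver log lines (BIND-style query-log layout is assumed).
SAMPLE_DNS_LOG = """\
13-May-2017 10:02:11.101 client 10.0.5.23#51234: query: killswitch-placeholder.example IN A + (10.0.0.53)
13-May-2017 10:02:12.440 client 10.0.5.24#49001: query: updates.vendor.example IN A + (10.0.0.53)
13-May-2017 10:03:07.002 client 10.0.7.9#60123: query: killswitch-placeholder.example. IN A + (10.0.0.53)
13-May-2017 10:03:09.777 client 10.0.5.23#51240: query: KILLSWITCH-PLACEHOLDER.EXAMPLE IN A + (10.0.0.53)
"""
# Constructed listing of a file share after an incident.
SAMPLE_PATHS = [
    r"\\fileserver\clinical\notes\patient_0042.docx.WNCRY",
    r"\\fileserver\clinical\notes\patient_0043.docx",
    r"\\fileserver\finance\q1_report.xlsx.WCRY",
    r"\\fileserver\finance\readme.txt",
]

QUERY_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN")


def hosts_querying_killswitch(log_text, domain=KILLSWITCH_DOMAIN):
    """Map client IP -> count of lookups of the kill-switch domain.

    No host has a legitimate reason to resolve that name, so each hit is an
    infected-host lead even where the lookup succeeded and spreading stopped.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        # Normalise trailing dot and case before comparing with the indicator.
        if m and m.group("qname").rstrip(".").lower() == domain:
            hits[m.group("ip")] += 1
    return dict(hits)


def encrypted_files(paths, extensions=RANSOM_EXTENSIONS):
    """Return paths whose last extension marks them as encrypted by this family."""
    return [p for p in paths if p.lower().endswith(extensions)]


if __name__ == "__main__":
    print(hosts_querying_killswitch(SAMPLE_DNS_LOG))  # {'10.0.5.23': 2, '10.0.7.9': 1}
    print(encrypted_files(SAMPLE_PATHS))
```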

  #5 Anastasia (Retired Member, United States)
    Oh the drama! Testing 123 testing. Beware of that evil bitcoin.

  #6 Aragorn (Administrator)
    Quote Originally posted by Anastasia:
    Oh the drama! Testing 123 testing. Beware of that evil bitcoin.
    Indeed... Isn't it convenient that Bitcoin is all the rage these days? Sure, it's a currency that the banks have no authority over, but it's also the primary currency demanded by the creators of ransomware, and it may even facilitate other, non-internet-related extortion crimes.