All posts in “Wannacry”

A new ransomware is sweeping the globe, but there’s a vaccine

“I wonder if this is what Edward Jenner felt like.”

Image: Christopher Mineses/Mashable

It’s a familiar story: You boot up your computer only to find a mysterious message saying your files are encrypted. You soon realize that your data is likely gone for good — even if you fork over a cryptocurrency ransom payment. 

But this time around, as a new and virulent form of ransomware dubbed NotPetya sweeps the globe, it doesn’t have to be this way. 

Because this time around, there’s a vaccine. 

What is NotPetya?

The first symptoms of the attack appeared on June 27 in Ukraine, with the National Bank of Ukraine and the Kiev International Airport both hit hard. Even Chernobyl’s radiation monitoring system has reportedly been affected. But NotPetya, which targets the Windows operating system, didn’t stay there. Microsoft has confirmed that computers in 64 additional countries have been infected. 

The ransomware, so called because it demands a payment from users in exchange for decrypting their files, appears to use some code from an earlier ransomware known as Petya. However, this latest version looks to have been souped up with the allegedly stolen NSA exploit EternalBlue — the same exploit that drove the spread of WannaCry — and as such has security researchers calling it “NotPetya.”

According to the security firm Symantec, NotPetya is particularly nasty because instead of just encrypting a system’s files, it actually modifies a computer’s master boot record in order to encrypt its hard disk. 

The NotPetya ransom screen.

Image: Symantec

Once a system is infected, a message is displayed demanding $300 worth of Bitcoin in exchange for a decryption key. However, as the listed email address for confirming that the ransom has been paid has been shut down by the email provider, there is little-to-no chance a decryption key will be provided even if a victim pays. 

Essentially, those hit by NotPetya can kiss their data goodbye. 

The vaccine

But the situation isn’t hopeless. Those who either don’t want to or simply can’t afford to turn off their computer and wait for this all to blow over have a weapon in the battle against this attack. And, thankfully, it’s a pretty simple home remedy. 

A security researcher by the name of Amit Serper appears to have found a way to prevent the ransomware from running on vulnerable computers with just a few easy steps. 

His observation, which has since been confirmed by other researchers, is that NotPetya looks for a specific file on a computer before encrypting the computer’s contents. If that file is located, the ransomware won’t proceed.

So all concerned users have to do is create a file by that name, and then NotPetya won’t run. To do this, head to the C:\Windows folder and make a read-only file by the name of “perfc.” Importantly, this should not have a file extension. Bleeping Computer has a great step-by-step guide for those looking for detailed instructions. 

An added dose of security, which everyone should have done by now but clearly hasn’t, is to install Windows security updates. The EternalBlue exploit used by NotPetya, which relies on a Server Message Block (SMB) vulnerability, was patched back in March.

Both keeping your Windows OS up to date with security patches, and creating the perfc file as explained by Serper, should be enough to vaccinate otherwise healthy computers against NotPetya. While that doesn’t help the National Bank of Ukraine this time around, it may be enough to save you.  
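The file-creation step above, written out as a PowerShell script. This is an added example; it is not the article's, Serper's or Bleeping Computer's own script. It assumes an elevated session (C:\Windows is not writable by standard users) and uses the system root from `$env:SystemRoot` rather than a hard-coded `C:\Windows`. It covers only the first of the two measures; installing the SMB security update is a separate step that this script does not check.

```powershell
# Added example, not from the article. Creates the read-only "perfc" file
# (no extension) in the Windows folder, as described above, and verifies it.
# Assumption: run from an elevated (Administrator) PowerShell session.

$windowsDir = $env:SystemRoot          # normally C:\Windows
$vaccine    = Join-Path $windowsDir 'perfc'

# Refuse to continue without administrative rights; the write would fail anyway
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) PowerShell session."
}

# Create the file only if it is not already there, so re-running is harmless
if (-not (Test-Path -LiteralPath $vaccine -PathType Leaf)) {
    New-Item -Path $vaccine -ItemType File | Out-Null
}

# Mark it read-only so it is not casually deleted or overwritten
Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true

# Verify: the file exists, has no extension, and is read-only
$item = Get-Item -LiteralPath $vaccine
if ($item.Extension -ne '') { throw "Unexpected extension on $($item.Name)" }
if (-not $item.IsReadOnly)  { throw "$vaccine is not read-only" }
Write-Output "Vaccine file present and read-only: $vaccine"
```

The read-only attribute is a convenience, not a protection: an administrator-level process can clear it. The check at the end is there so the script fails loudly if, for example, a file named `perfc.txt` was created by mistake, which would not satisfy the name the ransomware looks for.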

As for the next wave of ransomware? While predicting what’s coming down the pike is a difficult if not impossible task, you can still take precautionary steps: Make sure your system is up to date, and be skeptical of any and all emails and links. 


Yet more confirmation that WannaCry ransomware attack was from North Korea

North Korean hackers are allegedly behind the widespread ransomware attack that hit the UK’s National Health Service last month, affecting computers at hospitals and doctors’ offices, according to the BBC.

The hackers belong to a group known as Lazarus, which is believed to have targeted Sony Pictures in 2014 as it planned to release the movie The Interview.

They used a ransomware program called WannaCry which hit multiple countries across the globe, locking up computers and ransoming access in exchange for large Bitcoin payments. 

The NHS wasn’t specifically targeted in the attack and the attack affected organisations from across a range of sectors.

The claim that the ransomware attack originated from North Korea was originally made in May by Google security researcher Neel Mehta, who posted a cryptic set of characters on Twitter together with the hashtag #WannaCryptAttribution.

Kaspersky Lab researchers explained that Mehta had posted two similar code samples, one from an early version of WannaCry and one originating from Lazarus. 

Mehta allegedly found evidence that a variant of WannaCry shares code with the 2015 version of Cantopee, a backdoor used by Lazarus Group. 

Moreover, WannaCry’s code contained a kill switch — a way to stop the malware from spreading — indicating that whoever is behind the attack is not (purely) financially motivated. 

Another cybersecurity expert, Adrian Nish, who leads the cyber threat intelligence team at BAE, also noticed the overlap with previous code developed by Lazarus. 

“It seems to tie back to the same code-base and the same authors,” Nish told the BBC. “The code-overlaps are significant.”

Lazarus Group is highly sophisticated and very active, according to Kaspersky, which in a blog post called the scale of the group’s operation “shocking”. 

Britain’s National Cyber Security Centre (NCSC), which is part of GCHQ, led the international investigation.


The dreaded ‘Blue Screen of Death’ helped save some PCs from massive ransomware hack

Lulz.

While the WannaCry ransomware that swept across the world and crippled hundreds of thousands of PCs last month isn’t really a laughing matter, what is hilarious is how Windows’ infamous, dreaded, face-meltingly awful “Blue Screen of Death” — the error message that appears after a PC has crashed — managed to prevent computers from being infected.

Contrary to original reports, the majority of WannaCry-infected PCs were not in fact running Microsoft’s outdated Windows XP, but Windows 7, according to a recent Kaspersky Lab analysis.

Despite Windows XP computers accounting for an “insignificant” percentage of total infected PCs — 98% of PCs infected with WannaCry were running some version of Windows 7 — the damage could have been worse, had it not been for the Blue Screen of Death (BSOD).

According to new research from the cybersecurity experts at Kryptos, infecting PCs running Windows XP with WannaCry isn’t as effective as previously believed.

In tests on various versions of Windows, researchers discovered that repeated attempts to infect machines with WannaCry merely caused them to crash (displaying the BSOD) and require a hard reset, instead of encrypting all the computers’ files in return for a ransom.

“To be clear, the Windows XP systems are vulnerable to ETERNALBLUE, but the exploit as implemented in WannaCry does not seem to reliably deploy DOUBLEPULSAR and achieve proper RCE, instead simply hard crashing our test machines,” Kryptos said in a blog post. “The worst case scenario, and likely scenario, is that WannaCry caused many unexplained blue-screen-of-death crashes.”

Windows XP PCs aren’t completely immune to WannaCry (manually installing it will do the trick), but at the very least, the BSOD seems to get in the way of the ransomware doing its job locking up systems.

It’s ironic that the last thing any PC user wants to see managed to save the day. If you’d asked anyone whether there was ever a situation in which they’d want to see the Blue Screen of Death, you’d be hard-pressed to find an answer. Until now.

That said, if you haven’t already updated your PC with the latest security patch, or better yet, to Windows 10, you should definitely consider it. It’s better to not take any chances when it comes to your computer’s security—granted, some users can thank their lucky stars for it, but relying on the Blue Screen of Death isn’t exactly an ideal way to go about securing your computer.


Hackers may be working to bring back WannaCry just for the lulz

When it comes to online currency, lulz just might outvalue Bitcoin. 

An unknown group of hackers is working behind the scenes to restart the ransomware WannaCry, and one security expert believes the culprits this time around aren’t who you think. 

And neither is their motivation. 

Contrary to what you might expect, it appears not to be the initial group responsible for WannaCry now working to startle the ransomware monster awake from its slumber. Rather, we may have some internet randos to thank.

Why? The leading theory, proposed by security researcher Marcus Hutchins, suggests it’s all about shits and giggles. 

WannaCry rushed onto the international scene on May 12, infecting and encrypting hundreds of thousands of computer systems running unpatched Windows operating systems. The ransomware demanded that victims pay around $300 in the cryptocurrency Bitcoin to their attackers if they ever wanted to see their files again.


Some paid up, but computers stayed encrypted

And while the damage was bad — England’s National Health Service was hit particularly hard — it could have been a lot worse. The ransomware — which utilized a stolen NSA exploit called EternalBlue — stopped spreading when Hutchins registered a mysterious domain he discovered in the malware code and sinkholed it. 

Hutchins explained the process on his blog, noting that “a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them.”

Hutchins means business.

Image: AP/REX/Shutterstock

The ransomware, it seems, was designed to contact Hutchins’ domain before it spread to the next victim. Hutchins’ registration of that domain created a kind of kill switch — effectively telling WannaCry to stop spreading. 

As long as that domain, and one other discovered and sinkholed by a different researcher, remain up and active the ransomware won’t spread. Which brings us back to our lulz-pirates. 

Hutchins has observed an intentional distributed denial of service attack aimed at his domain with the apparent goal of knocking it offline. Wired reports that the traffic appears to be coming courtesy of the Mirai botnet — the same botnet, comprised of IoT devices like wireless security cameras, that brought down parts of the internet in the fall of 2016. 

Why would anyone do this? Could the initial WannaCry developers simply want more computers infected with the hope of making more money? Probably not. 

As Hutchins confirmed via Twitter direct message, the initial attackers don’t even appear able to keep up with the volume of decryption requests they’ve already received.

“[The] decryption system is stupid and completely unscalable,” he observed.

In other words, infecting more computers won’t exactly translate to more Bitcoin in their wallets. That leaves another possibility: someone just looking to mess with people. 

“Yeah, it’s most likely scriptkiddies doing it for lulz,” Hutchins further speculated — using a term that refers to relatively low-skilled hackers. 

So there you have it. If someone manages to knock Hutchins’ sinkhole offline, allowing WannaCry to spread further in the process, you’ll likely have some random prankster with a messed up sense of humor to thank. 

But don’t stress about it too much. “The DDoS is unlikely to be successful,” reassures Hutchins. 

Phew. Now if only Hutchins could solve our other internet security problems. 
