"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

Tyler Durden's picture

The ransomware has been identified as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.


Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft has issued a statement confirming the status of the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.


In March, we provided a security update which provides additional protections against this potential attack.


Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours, with the number of victims still growing. According to Avast, over 57,000 attacks have been detected worldwide; the company added that the outbreak "quickly escalated into a massive spreading."

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently an upgraded version of ransomware that first appeared in February. Believed to affect only Windows computers, it renames encrypted files with the extension ".WNCRY." It then drops ransom notes to the user in a text file, demanding $300 worth of bitcoin to unlock the infected files within a certain period of time.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, the cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding that the group has been distributing the stolen NSA hacking tools online since last year.
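A defender-side check for the behaviour just described, added here as an example and not code from the article or from any firm it cites: it scans file-server rename events for a burst of files being renamed to ".WNCRY" on a single host, which is the on-disk symptom the article reports. The audit-log format, host names, threshold and time window are all assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-server audit events (assumed format, not real logs):
# "<ISO timestamp> <host> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = """\
2017-05-12T10:01:03 ws-finance-07 RENAME D:/shares/finance/q1.xlsx -> D:/shares/finance/q1.xlsx.WNCRY
2017-05-12T10:01:03 ws-finance-07 RENAME D:/shares/finance/budget.docx -> D:/shares/finance/budget.docx.WNCRY
2017-05-12T10:01:04 ws-finance-07 RENAME D:/shares/finance/img1.jpg -> D:/shares/finance/img1.jpg.WNCRY
2017-05-12T10:01:04 ws-finance-07 RENAME D:/shares/finance/img2.jpg -> D:/shares/finance/img2.jpg.WNCRY
2017-05-12T10:01:05 ws-finance-07 RENAME D:/shares/finance/img3.jpg -> D:/shares/finance/img3.jpg.WNCRY
2017-05-12T10:02:00 ws-hr-02 RENAME D:/shares/hr/notes.txt -> D:/shares/hr/notes-old.txt
2017-05-12T10:30:00 ws-hr-02 RENAME D:/shares/hr/a.doc -> D:/shares/hr/a.doc.WNCRY
2017-05-12T11:30:00 ws-hr-02 RENAME D:/shares/hr/b.doc -> D:/shares/hr/b.doc.WNCRY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def parse_events(text):
    """Parse rename events into (timestamp, host, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines and non-rename operations
        ts, host, src, dst = m.groups()
        events.append((datetime.fromisoformat(ts), host, src, dst))
    return events


def wncry_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {host: count} for hosts with at least `threshold` renames to
    .WNCRY inside any sliding window of length `window` (both are assumed
    tuning values). A lone rename, as a user might do by hand, is not flagged."""
    per_host = defaultdict(list)
    for ts, host, _src, dst in events:
        if dst.lower().endswith(".wncry"):
            per_host[host].append(ts)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    for host, n in wncry_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {n} files renamed to .WNCRY within 60s")
```

On the constructed sample only ws-finance-07 is flagged; ws-hr-02 has two .WNCRY renames an hour apart and stays under the threshold.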

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

*  *  *

We earlier reported on the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phone lines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E, with all non-urgent operations cancelled, the BBC reports.


The UK National Health Service said: “We’re aware that a number of trusts have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.


At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.


NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirmed that today's massive cyber hit on the NHS is part of a wider international attack and that there is no evidence patient data has been compromised.

The situation has become significantly worse, as the BBC reports the ransomware attack has gone global.


Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBC details that a number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.


Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.


There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

BigFatUglyBubble's picture

How come pizzagate gets brought up here a lot, but I never hear people talk about Michael Aquino. 

Now that's a creepy rabbit hole.

Born in 1946, Michael Aquino was a military intelligence officer specialising in psychological warfare. In 1969 he joined Anton LaVey's Church of Satan and rose rapidly through the group's ranks.

It gets much weirder from there.

Cognitive Dissonance's picture

Those Rooskies are clever fellows.

/SARC

BuddyEffed's picture

What Operating System are those computers running?

medium giraffe's picture

Looks like Win 7.  You can see the start bar on the one to the left.

Manthong's picture

Well hey, F everybody!

Our government cyber-geniuses and administration are too busy spending tens of billions busting your little cell phone open to see the titty pics from your girlfriend or wife to care about infrastructure hacking.

Joe Davola's picture

Wow, unlike Y2K, it actually affected some computers.

peddling-fiction's picture

Y2K was also ransomware.

Lotsa wallets were emptied.

Dates? My bad.

MillionDollarBonus_'s picture

It’s probably the Russians again for goodness’ sake! When are Americans going to wake up and realize that we are at war with Russia! The time for action has long passed and we are in crisis mode right now! If we want to avert a literal disaster with the red army literally storming Washington DC, we need to act boldly and decisively with the full force of our military. We cannot rule anything out at this point, even nukes.  

Why Grades Should Be Replaced With Passes And Fails

MillionDollarBonus_'s picture

And I know what I’m talking about – the Accredited Times has the only interview ever conducted with PropOrNot:

At Last, An Exclusive Interview With The Heroes Behind PropOrNot

medium giraffe's picture

MDB?!

Man, I thought you were dead.  Well, sort of hoped, really.

Arnold's picture

In the old days, we could shut down, boot into safe mode, do a recovery from a day or two before, and wham bam thank you ma'am, no ransomware.

Windoze 10? fagettabout it.

PrayingMantis's picture

... "... used tools stolen from the US National Security Agency. ..." ...

       ... what goes around  ...

Manthong's picture

“Ransomware”?

The FBI has the solution and comes to the rescue….

Hollywood Overwhelmed With Hack Attacks; FBI Advises 'Pay Ransom'...

Manthong's picture

It’s just a damn good thing the US spent all that time and money developing all that stuff.

Now that it’s out, just pay the ransom to the Cyber-Barbary Pirates so that the government can return to its main 1984 mass surveillance and control mission.

pods's picture

I'm so glad my government has kept companies from closing these loopholes in their OSs to allow this kind of shit.

Each and everyone affected by this should sue the damn NSA. Oh wait, the NSA doesn't have money and they will merely take it from my kids and grandkids. Fuckers.

Disgusting how criminal these "security" agencies are. They are literally the greatest threat to mankind today.

They have the reverse Midas touch, everything they touch turns to shit.

pods

tmosley's picture

The entire world should have abandoned US software the second these backdoors came to light.

Now they will be FORCED to.

We warned them that this was madness, but they didn't listen. There need to be trials, convictions, and if anyone dies as a result--executions.

Vilfredo Pareto's picture

You think Linux isn't full of holes?  Microsoft did patch it coincidentally before the shadow brokers made the announcement.  

gladih8r's picture

I don't know if I would trust Microsoft patches at this time.  This was an exploit of an obviously embedded back-door mechanism. 

M/S probably exchanged one mechanism for another at the request of some .gov dudes in black suits so the virtual peep-show can go on.

AltRight Girl's picture

That's for not listening to WikiLeaks.

Once they start leaking, you need to take your gizmo apart and patch the holes.

And the leaks keep coming.

WikiLeaks Trolls Trump Over the “Comey Tapes” Tweet as They Release Latest #Vault7 Instalment

BurningFuld's picture

Since there is a time delay on the "trashing your computer" could you not just update Windows 7 and become protected?

eforce's picture

If they can track down bitcoin users on AlphaBay they should be able to get these guys, especially since they've managed to piss off a lot of people/governments in a short space of time.

beemasters's picture

Class action lawsuits should be filed against NSA/CIA.

SilverRhino's picture

Sovereign Immunity but yeah it would be nice. 

Dormouse's picture

I want to see 33,000 emails about yoga and a donkey's wedding. Until I do, I know it's Deep State psyoping with deadly consequences.

AldousHuxley's picture

1) Trump's FBI firing scandal is saved by this ransomware news redirecting the attention away.


2) The spread of the ransomware was stopped by someone on vacation who simply registered the unregistered domain the malware was attempting to reach for $11.


https://twitter.com/MalwareTechBlog/status/863187104716685312


3) Microsoft Windows is brought to you by the richest man in the world, Bill Gates....$87,000,000,000

Wonder how he got so rich making such sh~tty software? ....


4) NSA director lies to Congress under Oath...and nothing comes out of it despite youtube evidence? 

https://www.youtube.com/watch?v=AGYn7ER5U_0


AVmaster's picture

Hey guys, so.


Just a little update on this:

1. The hackers are not handing out decryption keys.

If you get infected, don't bother paying the ransom, your files are gone.

2. Doesn't matter what OS you are running.

Microsoft has patched all OS versions.

3. This is obvious collusion of both the gov'ment and Microsoft, as Microsoft was able to kick out a patch almost immediately.

Switch to linux.


GG. The End.

Manthong's picture

How do you spell “Pandora’s Box”.

Just wait until the .gov germs get out.

Ballin D's picture

No because they've already encrypted your files by the time you know what's going on. The patch would prevent access if you installed it prior to getting buttfucked.. If you believe Microsoft.

tmosley's picture

Holes are different from backdoors. Further, market fragmentation in Linux makes it far, FAR more difficult to take advantage of them.

Monoculture=death.

JRev's picture

...which is why a large percentage of the CIA's Vault7 tools were written in Python - to exploit the architectural monoculture of Unix/Linux distros, regardless of their kernel version. Nobody is truly safe. 

"Executing malicious batch files in Micro$oft Windoze? Priceless. For everything else, there's Python." 

flyweight's picture

linux is not necessarily the answer but BSD Unix might be

Boomberg's picture

Yes, which is why you should use a Mac (Darwin BSD Unix) instead of Windows.

nc551's picture

Whatever dude, any core engineer can be brought into the CIA fold and maybe not even paid to put backdoors in for the good of the country.  Fuck you for recommending apple you shithead.

erkme73's picture

Yeah, they patched it "coincidentally" the moment the NSA toolbox was leaked to the public.  Almost like they had an agreement with the NSA to leave it wide open for them, but when compromised, slam it shut.   Any company that cooperates with the NSA does so at the expense of public safety.

Keyser's picture

You are obviously clueless, as WinDoze has been buggier than springtime in Vermont for fucking decades... Unix, Xenix and the various derivatives of Linux are 1000 times safer than any Windoze machine will EVER be...

SHRAGS's picture

Linux & *BSD are full of holes.  Excellent presentation by Poul-Henning Kamp:

NSA operation ORCHESTRA: Annual Status Report https://youtu.be/fwcl17Q0bpk  

should disabuse anyone of the notion that open source will save us.  Even if it could, network protocols have been poisoned for surveillance.

yarpos's picture

Yes, that's why they are attacked and fall over so often; the Linux community was "terrified" during this outbreak.

Open source is irrelevant; sound software engineering (does it exist?) may help.

HowdyDoody's picture

The US declared that cyber attacks were an act of war. This attack was carried out using US weapons. Therefore this was an attack by the US? (applying standard MSM 'logic')

HowdyDoody's picture

A side note: A while back, the Russians arrested one (or was it two?) top Kaspersky honchos on treason charges. Just one of those coinkydinks?

SoilMyselfRotten's picture

Sure glad Stuxnet didn't count against us as an act of war; our conscience is still clean.

Joe Davola's picture

Yeah, software developed outside US has no backdoors/holes/bugs/exploitable surfaces/etc...

tmosley's picture

Open source people are not only far more open, they are also a LOT harder to control, due to the decentralized nature of the product. Some releases are going to be better than others, a few by a LOT.

To my knowledge, there are no non-US based companies that put out a closed-source OS. Could be wrong. But as it is, it seems like it would be a huge incentive for some company to produce something like that, even if it is Linux based. Hardware could be an even bigger coup, if it could be manufactured somewhere that isn't the US or China.

Keyser's picture

Name ANY operating system that was developed outside the USA... Go on, name just one, I double-dog-dare you... You can't, because none exist that are more than a laboratory exercise...

AGuy's picture

"Name ANY operating system that was developed outside the USA."

Linux was originally developed outside of the USA, but most of the core developers are now in the USA.

yarpos's picture

I think Keyser may be just 15 and unaware of computing history