"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

Tyler Durden's picture

The ransomware has been identifed as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain version of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.

 

Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.

 

As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft  has issued a statement, confirming the status the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.

 

In March, we provided a security update which provides additional protections against this potential attack.

 

Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours. Seventy-four countries around the globe have been affected, with the number of victims still growing, according to Kaspersky Lab. According to Avast, over 57,000 attacks have been detected worldwide, the company said, adding that it "quickly escalated into a massive spreading."

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY." It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding, that it has been distributing the stolen NSA hacking tools online since last year.

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."
 

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

*  *  *

We earlier reported in the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.

 

The UK National Health Service said: “We’re aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.

 

At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.

 

NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms today's massive cyber hit on NHS is part of wider international attack and there is no evidence patient data has been compromised.

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.

 

Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBB details a number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.

 

Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.

 

There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
JRobby's picture

"uses NSA hacking tools"

What are friends for?

heresy101's picture

To make yourself fully understood, you should add the /sarc tag, don't leave people guessing.

11b40's picture

You have been here 6 years and can't tell it is sarc by the name?

Often imitated but never duplicated, MDB is the original sarc machine for this site.

Vilfredo Pareto's picture

MDB was also that six shooter cowboy I forgot the name and a few others, that latina chic, etc.  He really helps the comment section.  I think he is Boris too lol.

gladih8r's picture

Yeah, only Boris can type with a Hollywood-grade russian accent.  Such talent always brings a smile to my face.

. . . _ _ _ . . .'s picture

If the Russians strike, it won't be on land; they will take out satellites.

US has no space program. US needs Russia to get up there and/or to launch satellites.

You know it, they know it, we know it.

Without space, US military is fubar.

All this Russia bashing is just jousting at windmills.

Game, set, and match without using a single nuke.

.

Don't believe me? (I can't believe not everyone knows this) Check this out, or if you like a little variety just click here.

Either way, it won't be before 2019, and the US is scheduled to buy RD-180s until 2022... thanks to Obama.

National security? Hahahahaha.

datbedank's picture

Are you an idiot or just misinformed? The US very much has the capability to ferry up new satellites and does so on a regular basis. What the heck do you think they do at ULA and maybe soon to be SpaceX? 

Vilfredo Pareto's picture

A misinformed idiot.  Those are not exclusive lol.

. . . _ _ _ . . .'s picture

Neither. Quite the opposite, in fact.

"maybe soon to be SpaceX" as you put it won't be operational for years.

Ula launches the Atlas V which uses RD-180 (Russian) rockets.

Check the links I so very generously supplied.

I will be expecting an apology.

. . . _ _ _ . . .'s picture

What, the band?

Is that a question?

.

I bet that datbedank is off Twittering over HIS discovery about Russian rockets. Not even man enough to say 'I was wrong' or 'thanks for pointing that out to me' or 'I apologize', but just leaving a downvote, like the little skidmark he is. I will wear that downvote with pride you little dweeb.

What the FiretrUCK is wrong with people these days? That's not how a man behaves. Ain't very many of them growin' up these days. Some people's kids... I swear.

.

Now where was I? Oh yeah. DOA? Is that it? I don't know Morse code by heart, you know. I had to look that up. @#$%^&! ;)

 

logicalman's picture

I guess nobody told you that a nuke war is not a winnable war, not for Joe Public at least.

Personally, no matter how fancy the digs, I wouldn't want to spend the rest of my life underground. A Morlock I am not.

 

auricle's picture

Negligence by the NSA to let such a malware loose should put them on the hook for the costs to clean it up. 

CompleteAphasia's picture

what - ya took your meds today? or something?

SILVERGEDDON's picture

It was probably Million Dollar Bonus whut done the dirty deed. 

Pimping out The Accredited Times don't pay the way it used to............. 

sartamas's picture

Just calculate and claim your loses

nmewn's picture

You just gotta luuuv a guy who uses words like "probably the Russians" as their entreaty to advocate for a nuclear war with Russia even though its demonstrably true that the NSA is the agency who created the malware in the first place, that has now been modified to be used in criminal acts of extortion. 

It is now beyond all possible doubt that you "probably are not" a friggin idiot, you definitely are. 

TheMachinist's picture

I wish the Russians would shoot you.  What a fucking retard.

peddling-fiction's picture

Yep, some of my IT buddies made some money.

In my opinion it was a disgraceful and boring way to make money.

Most people are not creative and some are dumb as rocks (no offense to minerals).

So they resort to sneaky ways to keep bilking their clients.

Anywho..

auricle's picture

Negligence by the NSA to let such a malware loose should put them on the hook for the costs to clean it up. 

Son of Captain Nemo's picture

"Negligence by the NSA to let such a malware loose should put them on the hook for the costs to clean it up."

Yep! In a moar perfect World that dealt with government(s) like the U.S. that would be possible.

But that's never going to happen with the U.S. of A. anywhere and everywhere it decides to do the "malicious"!

Frito's picture

So if the NSA agreed to disclose vulnerabilities to tech companies but didn't.  Would that open up the NSA (or US government) to potential legal liabilities?

clymer's picture

People still use Windows? (hint - Ubuntu, Mint, Centos, Kali - ANYTHING but Windows)

BarkingCat's picture

 if you believe that then you're an idiot. Only reason Y2K didn't cause chaos is because of all the money that was spent to prevented.

 

There were many stories they were complete bullshit about Y2K however any financial transaction will scheduling that relied upon a date would have been affected.

Jim in MN's picture

My friends at Energy Dept HQ had to work NYE 2000, were up all night, and there were about a dozen....minor....incidents at US nuclear facilities that night. 

Bullet dodged.  But it was a bullet.

I was in a round wooden cabin in central MN stirring vodka drinks with icicles, and occasionally turning on a car to listen to the radio and see that the world was still there.....but we had/have a standing NYE camping tradition so we weren't just bugging out for Y2K.  Just a coincidence I swear.

toady's picture

I was in a at&t NOC watching the switches.... a little nerve wracking. They had the B-team do the pre-Y2k work, NOT the A-team, and those duffuses  (duffi? ) kept wandering in saying "we missed this, we missed that...)

In the end the only problem was the old 4 time zone clocks on the wall went to 88:88.

crazytechnician's picture

Yeah I heard some dildo electronics went next level as well.

toady's picture

Yeah..... you "heard" that happened...

swmnguy's picture

I'm sure the droning sound traveled well.

"Nine times out of ten it's an electric razor, but every once in a while..."

toady's picture

You can never say "your dildo", you can only say "a dildo"....

toady's picture

Mesa, AZ.... we pulled the billing data & sent it to the printer.... so money was involved. Nothing worries top management more than not being able to send bills to customers! 

stormsailor's picture

distributed peripheral processing  and you just printed out the entire log, wow.   centel pulled all of their tops out of las vegas trucked them to north carolina and had me do an extention on old 82 dms100, taking it to 100/200 and trunking in all of their statewide tops.  some of the trunks were 8 wire analog, getting the mtm's on a digital switch to interface with them was a jolly good time.

stormsailor's picture

i worked for nti, dms100/200 in the itas section. we had anticipated most of the y2k in software and firmware but were not sure how the trunk switching was going to go in the carrier rooms of some of the class 1 and 2 offices.  we worked closely with the bells and att on the trunks and it was a dull night,  you had some damn fine technicians back in the 80s and 90s. did you ever get those ess switches fine tuned?

 

did they ever yank those cosmo line termination frames out of central offices and go back to blocks?

swmnguy's picture

That was good thinking on your part, that NYE.  Sounds like an awesome, perfectly analog, place to be.  There's nothing like Mother Nature supplying the ice for your cocktail.  Maybe not any colder, but much more fun.

peddling-fiction's picture

BarfingCats, naive people believe that it was not created on purpose.

Oh and there are no conspiracies... LOL

Where is my tinfoil hat (not good idea if they are beaming you)

BarkingCat's picture

You are a fucking idiot.

Let me explain it so your tiny brain has a chance to comprehend it.

Most of that original source code was written back in the 1960s.

The programmers back then were not thinking about year 2000 or its consequences. 

They used 2 digits for the year simply because that is how everyone wrote the dates. 

I have seen mainframe code written after year 2000 that used 2 digit year.

The company I was working for had to institute a Y2k code review for any work that the regular programmers were doing in 1998 and 1999 because some people were re-introducing Y2K vulnerabilities back into code that was already converted and Y2K compliant.

Some habits are hard to break and some programmers are not very smart.

Y2K was caused by lack of foresight. 

 

peddling-fiction's picture

Bark at the moon kitty cat.

You have no idea about the monsters of Cain that are in charge, and what they are capable of doing. You soon will.

Apologetics is for their bitches and/or idiots.

Hopefully you are their gatekeeper, otherwise you are the idiot.

Boomberg's picture

Back then those extra 2 digits were very expensive to store and process for millions/billions of records, not just lack of foresight but wise use of technology of the times.

Blue Vervain's picture

Which raises the question as to why there was no significant impact anywhere in the world (feel free to correct me someone - it's just my recollection).

It's unlikely that all critical systems that 'relied on a date' around the world were protected and yet there was no impact (as far as I know).

If it had been a real threat, that threat would have materialised somewhere.

 

medium giraffe's picture

17 years later and no one knows what Y2K was actually about? FFS....

It's very simple - the concern was over the '00 format that we use to describe years.  It was thought that computers would roll over to 01/01/1900 instead of 01/01/2000 as both are '00.  That is it. 

Backend systems were fine for the large part, because they are mostly Unix based and Unix has its own 'Unix time', which is the number of seconds elapsed since 01/01/1970.

Really, it was a lot fucking nonsense about nothing.  There have been similar date bugs since that time that I didn't notice the entire world shitting their pants over.

Toronto Kid's picture

Moron.

I watched all hell break loose trying to get that bug fixed. Roll date forward, watch your 'fixed' system go haywire, fix the fix, roll date forward, and if all was then good, move on to another system.

It wasn't nonsense. There was real impact, averted because a lot of people worked hard.

_triplesix_'s picture

Virtually every sentence you wrote is entirely wrong, but hey, facts are such a nuisance.