"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

By Tyler Durden

The ransomware has been identified as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.


Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft  has issued a statement, confirming the status the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.


In March, we provided a security update which provides additional protections against this potential attack.


Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours, with the number of victims still growing. Avast says it has detected over 57,000 attacks worldwide, adding that the outbreak "quickly escalated into a massive spreading."

According to Avast, the ransomware has also hit Russia, Ukraine and Taiwan. It appears to be an upgraded version of ransomware that first appeared in February. It is believed to affect only Windows machines: it encrypts files, appending ".WNCRY" to their names, then drops a text-file ransom note demanding $300 worth of bitcoin to unlock them within a set period.

It also replaces the victim's wallpaper and shows a countdown timer as a reminder of the limited time left to pay. If they fail to pay, their data will be deleted, the criminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding that the group has been distributing the stolen NSA hacking tools online since last year.
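As an added example (not part of the article, and not any vendor's tooling), a PowerShell sweep that scopes the damage on a host or share from the ".WNCRY" extension described above. The sweep root and extension are parameters you supply; the per-directory first and last write times are an assumption-based heuristic for the order in which the encryption pass walked the tree, useful when you are trying to work out which machine or share was hit first.

```powershell
# Added example: scope an infection by sweeping a path (local disk or UNC share) for .WNCRY files.
# Assumptions (not from the article): the sweep root and extension are supplied by the operator,
# and the LastWriteTime of each encrypted file approximates when the encryption pass reached it.
param(
    [string]$Root = 'C:\',
    [string]$Extension = '.WNCRY'
)

function Get-WncrySummary {
    param([string]$Path, [string]$Ext)

    # -Force includes hidden/system files; errors (access denied, reparse loops) are skipped, not fatal.
    $files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -ieq $Ext }
    if (-not $files) { return $null }

    # One row per directory: how many files were hit and the first/last write time inside it.
    $byDir = $files | Group-Object DirectoryName | ForEach-Object {
        $sorted = $_.Group | Sort-Object LastWriteTime
        [pscustomobject]@{
            Directory = $_.Name
            Files     = $_.Count
            First     = $sorted[0].LastWriteTime
            Last      = $sorted[-1].LastWriteTime
        }
    } | Sort-Object First

    $all = $files | Sort-Object LastWriteTime
    [pscustomobject]@{
        Root        = $Path
        TotalFiles  = $files.Count
        FirstWrite  = $all[0].LastWriteTime
        LastWrite   = $all[-1].LastWriteTime
        ByDirectory = $byDir
    }
}

$summary = Get-WncrySummary -Path $Root -Ext $Extension
if ($null -eq $summary) {
    Write-Host "No $Extension files under $Root"
} else {
    Write-Host ("{0} encrypted files under {1}; first write {2:u}, last write {3:u}" -f
        $summary.TotalFiles, $summary.Root, $summary.FirstWrite, $summary.LastWrite)
    # The earliest directories are where the encryption pass started on this host.
    $summary.ByDirectory | Select-Object -First 20 | Format-Table -AutoSize
}
```

Run it as `.\Scope-Wncry.ps1 -Root '\\fileserver\share'` from a clean workstation rather than on the infected host itself, and compare `FirstWrite` across machines: the host with the earliest timestamp is the one to pull first for forensics. File timestamps are not tamper-proof, so treat the ordering as a lead, not proof.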

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.


*  *  *

We earlier reported the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.


The UK National Health Service said: “We’re aware that a number of trusts have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.


At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.


NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms today's massive cyber hit on NHS is part of wider international attack and there is no evidence patient data has been compromised.

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.


Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBC details a number of Spanish firms that were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.


Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.


There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

exi1ed0ne:

Well epoch time for older 'nix systems ends January 19, 2038 03:14:07 GMT rather than the nice round number of 2000.  If you think that there won't be systems still in use affected by that in 2038 just look at the FAA.  Dates are a pretty big deal in an operating system, and govern a lot more than you think - even more so today.  Besides, it wasn't the programs that were coded well enough to flip from 99 to 00.  It was the lazy code that would buffer overflow and do unpredictable things that was the worry.

I personally think that we learned the wrong lesson from Y2K.  The bean counters said fuck IT spending and code quality - look at the massive nothingburger of Y2K!  Funny how massive outsourcing happened after that.  IMHO it was a non-issue (for all the stuff that mattered) primarily because it was a big deal.

Rather than think that quality and proper IT spending would be essential in an increasingly computer driven world, we doubled down on stupid.  SCADA networks are still insecure piles of garbage, only now they are hooked up to the fucking Internet.  Widely used software in government and business runs on java versions (or other just as shitty middleware) so old that exploits have been around for YEARS.


techpriest:

There were many stories that were complete bullshit about Y2K; however, any financial transaction or scheduling that relied upon a date would have been affected.

There is some truth to what BarkingCat is saying - I saw a few folks at the old video rental store who had an $80,000 "late payment" because of how the system was programmed. So, some impact, but nothing devastating.

But the thing is, people knew it years in advance, so the critical systems were patched and updated. IIRC it'll be another few centuries before the next such bug (to do with UNIX timestamps) will come up, and I'm sure we'll figure out something by then.

techpriest:

Thanks. Forgot that one. Then again, since we know about it 20 years ahead of time, hopefully we patch everything by then - maybe a few of the older industrial control systems will be hanging on ~20 years from now.

exi1ed0ne:

since we know about it 20 years ahead of time, hopefully we patch everything by then

HAHAHAHAHAHAHAHAHAHAHAHAHA

wheeze

AHAHAHAHAHAHAHAHAHAHAHAHAHA

peddling-fiction:

Work on making it through Agend@ 21 first.

cheech_wizard:

Meet the Unix Millennium Bug...

The latest time that can be represented in Unix's signed 32-bit integer time format is 03:14:07 UTC on Tuesday, 19 January 2038 (2,147,483,647 seconds after 1 January 1970).

Of course, with 64 bit systems, this is not so much of a problem.

DollarMenu:

Financial systems that when Y2K arrived were legacy, had been built in the time of very expensive data storage, and carrying two "extra" digits for every date was prohibitive.

Transactions, accounts, and their histories, numbering into the millions, multiplied by 2 bytes per date was a truly expensive amount of data to carry back then.

Systems people knew that things would have to be rebuilt at some time in the future, but back then, the Y2K problem was 30/20/15 years ahead.

Just as most maintenance is deferred to permit current spending on things more glamorous, so too was accommodation for the Y2K problem.

But, as it was a well known unavoidable problem, pressures to spend to alleviate it were overwhelming, and almost everyone made the deadline.

The press was even then prone to inflame issues to provide the 20th century equivalent of click-bait.

I'm certain there were many nervous programmers watching for that missed line of code, or buried uncorrected date, but they pulled it off.

zorba THE GREEK:

maybe it is just the set-up for claiming our nuke missiles were hacked and launched by cyber attack. sorry Russia and China.

peddling-fiction:

Let me check those codes on them reliable floppy disks. LOL

s2man:

Y2K was expensive?  Try changing daylight savings time.  that cost businesses much more than y2k.

peddling-fiction:

More ransomware from back in the days. Nice.

imbrbing:

I worked in IT and was part of the team updating all systems for Y2K AND the daylight savings time change. All it did for me was give me many long nights of working wee hours in the morning updating systems with patches. And the long night staying up watching what was happening in all the time zones as the world turned into Y2000.

Nothing happened except more gray f'ing hair for the long hours those a$$hats always made us work without compensation (salary)

20 years of that crap before I finally said f it, 6 figure job or not, they can cram that shit.


Christophe2:

The deep state tries to keep us all as busy as possible, especially those of us who are particularly driven, intelligent and/or functional.  It took me a while to see how artificially stressful and destabilizing all the high paying jobs are.

In a satanic system, there is practically nothing to strive for, since everything is designed to be confusingly abusive.  But that's no problem since I've always had the option to just do my thing to the exclusion of all things mainstream.  I don't know about you, but I've been having a great time since I started doing that :)

Jacksons Ghost:

Woodstove industry here.  Northeast USA.  1999 at the time was the greatest Woodstove year in the history of the industry.   People thought the grid was going down and woodstoves were hot!  The previous owner of my company sold it after 2000 saying, "it will never get better than this".   It did, 2008, Katrina and the spiking of oil for the 1st time.  That was license to print money year.   I can remember selling 50 woodstoves or pellets stoves per weekend.   It is cold North of Boston.

Golden Showers:

Yeah, it is a good angle. Kill two birds with one stone.

Route this bitcoin shit, dark web, windows security (off the hook with convenient updates), leaked NSA malware (leaks in general). Perhaps it's a preemptive attack. People will want cyber security! Perhaps ISPs like Concast will save the day by throttling access to interweb for our safety and security.

There is a last frontier and it's this thing in front of your face right now.

Who says "not so enough time"...?

Don't forget that the US bombs hospitals, with bombs. Bombs that explode. Bomb badaa Bomb Bomb bomb. Baada Boom. Big Baada bomb. (yeah, in the cab) Big baada boom. So who knows? Ethically, hitting hospitals is pretty sick no matter what or how you do it. This will be an interesting story to watch.

clade7:

Funny thing about "Y2K"...When it was all the rage, I was making sales calls to mfgs at the time, selling metal working equipment...I happened to be in Red Bay Alabama at the Allegro Motor Coach factory..Back then, it was a dirt floor disorganized disaster...a bunch of sheet metal sheds basically, Blue Bird Bus chassis sitting out in the weedy lot, all sorts of flintstone gear scattered about the shop, no structured production flow pattern that I could discern. 


So I ups and says to the hillbilly guy I was pitching my wares to, "You may want to think about this..in a few days Y2K will be upon us, and My equipment is Y2K safety compliant!"  He looked a bit puzzled, spit on the floor, then ups and says..."What in the hell are you talking about?"   "Y2K?"   "Is that that damned old little robot off of Star Wars?"  "Hell son, my shop vac could kick his ass!"


True story!...Full evidence that a Country Boy Can Survive....They make a good coach there though...you sure would not expect it if you seen the site...I got the sale though!..for an arbor press and some hacksaw blades!...Yippee!  Eating a good Tee bone tonight down at the Waffle House!

CrankyCurmudgeon:

Sorry asshole, y2k was real. I worked on it. And there were massive unexplained corporate losses and disadvantageous mergers over the next six months.


Also sorry, disadvantageous is too big a word for the average Hedgetard,

peddling-fiction:

They are not the good guys Sore-on

tmosley:

That's word thinking right there. If Satan himself stopped some thugs from extorting millions of dollars while killing a few thousand people, that action would be objectively good. This is pretty much literally the exact justification that was used for torture under the best circumstance. Get to it, intelligence agencies.

Of course, if they can use some quantum computational magic to undo this bullshit without hitting someone repeatedly with a $5 wrench, that's fine too.

webmatex:

Yes but imagine if they start doing this to bank and government computer systems, wouldnt that be a neat treat?

techpriest:

A Fed IT guy once told me that an unpatched box on their network is "owned" in less than 10 minutes. 24/7 paranoia, apparently.

There are a lot of people trying, it seems.

peddling-fiction:

Back in '98 lots of people were trying. Now it is automated.

Caught a hacker red-handed with his hands on the keyboard.

Galahad Threepwood:

Maybe

Or maybe the real goal here is to shut down cryptos

freedogger:

Someone found a kill switch:

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds...

So it's fixed for the short term until the worm is relaunched without this switch
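An added example, not from the linked article or anyone on this thread. The kill switch works because the worm requests a hard-coded web domain before it does anything else and exits if the request succeeds; so a DNS query for that domain from one of your hosts is evidence that the host has already executed the worm, not that it was protected. The PowerShell below pulls those hosts out of resolver query logs. The domain is a placeholder to replace with the one named in the linked article, and the log lines are a constructed, simplified "time client qname" format, not a real resolver's output; adjust the field split for your DNS server's log layout.

```powershell
# Added example: list hosts that looked up the WannaCry kill-switch domain in DNS query logs.
# Assumptions (not from the page): $KillSwitchDomain is a placeholder for the real domain, and
# the log lines are constructed here in a simplified "time client qname" format.
$KillSwitchDomain = 'killswitch-placeholder.example'

$sampleLog = @'
2017-05-12T10:31:04Z 10.20.1.15 update.microsoft.com
2017-05-12T10:31:09Z 10.20.1.15 killswitch-placeholder.example
2017-05-12T10:31:12Z 10.20.1.15 killswitch-placeholder.example.
2017-05-12T10:33:40Z 10.20.4.7 killswitch-placeholder.example
2017-05-12T10:35:02Z 10.20.2.22 intranet.corp.local
2017-05-12T11:02:55Z 10.20.4.7 killswitch-placeholder.example
'@

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string]$Domain)

    $hits = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 3) { continue }            # blank or malformed line
        # Some resolvers log the FQDN with a trailing dot; strip it and match the domain exactly
        # or as a parent of the queried name, case-insensitively.
        $qname = $f[2].TrimEnd('.')
        if ($qname -ieq $Domain -or $qname.EndsWith(".$Domain", [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time   = [datetimeoffset]::Parse($f[0])
                Client = $f[1]
                QName  = $qname
            }
        }
    }

    # One row per client: each of these hosts has already run the worm and needs isolation and
    # patching even if the kill switch stopped it from encrypting or spreading further.
    $hits | Group-Object Client | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Client    = $_.Name
            Lookups   = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
        }
    } | Sort-Object FirstSeen
}

Find-KillSwitchLookups -Lines ($sampleLog -split "`n") -Domain $KillSwitchDomain | Format-Table -AutoSize
```

Two caveats a responder needs here. A host that cannot reach the domain directly (an egress proxy with no direct DNS or HTTP, or a firewall that drops the request) never trips the switch and carries on encrypting and scanning, so an empty result from this query proves nothing about those hosts. And, as the comment above says, the switch is a property of this build of the worm; a variant with the check removed will not show up in DNS logs at all, so the durable fix is still the March update.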

sleigher:

Wasn't there a large dump of hacks recently onto the internet?  hmm...

Raffie:

Wonder if this false flag is to demonize Bitcoin by the Central Banks.

MANvsMACHINE:

Probably correct. Large denomination bills used for nefarious activities. Look over here what those bad guys are using bitcoin for?

crazytechnician:

I don't buy that , it would just create more demand. And we all know what happens to something that has more demand.

clade7:

I dont know..but when shit like this happens, a big stack of coins and some guns makes a guy feel validated....

A Nanny Moose:

This is an exploit of the Vulnerability in MS17-010 Bulletin (CVE-2017-0147). Affects Windows versions Vista-Win10 and Server 2009-2016, running SMBv1. Patchable since March 17th 2017. SMBv1 is old school, and should be disabled.

Patch, patch, patch.
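An added example, not from the commenter and not Microsoft's tooling: a PowerShell check for the two things the comment recommends, the MS17-010 update (released 14 March 2017) and SMBv1, plus whether anything is listening on TCP/445, with an optional remediation switch. The KB numbers are the Windows 7 / Server 2008 R2 security-only and monthly-rollup packages for MS17-010 as I recall them and are an assumption to verify; other builds use different package numbers, so extend the list from the bulletin before trusting a "missing" result. Get-SmbServerConfiguration needs Windows 8 / Server 2012 or later; the fallback registry value is the documented SMB1 switch for Windows 7 / 2008 R2.

```powershell
# Added example: check MS17-010 status and SMBv1 exposure on a Windows host, optionally remediate.
# Assumptions (not from the page): the KB list covers Windows 7 / Server 2008 R2 only and must be
# extended per build from the bulletin; a KB absent from Get-HotFix is a lead, not proof of exposure.
param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215'),
    [switch]$Remediate
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Write-Host "Host: $env:COMPUTERNAME  OS: $([System.Environment]::OSVersion.VersionString)"

# 1. Patch check. Get-HotFix only lists packages installed via Windows Update / DISM.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: $($installed.HotFixID -join ', ') installed $($installed.InstalledOn -join ', ')"
} else {
    Write-Warning "MS17-010: none of $($Ms17010Kbs -join ', ') reported by Get-HotFix"
}

# 2. SMBv1 server state. Newer hosts expose it through the SMB cmdlets; older hosts through the
#    LanmanServer SMB1 registry value, where a missing value means enabled (the default).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}
if ($smb1Enabled) { Write-Warning 'SMBv1 server: ENABLED' } else { Write-Host 'SMBv1 server: disabled' }

# 3. Is SMB actually reachable? Unpatched + SMBv1 on + 445 listening is the profile the worm needs.
$listening = netstat -ano | Select-String ':445\s+.*LISTENING'
Write-Host ("TCP/445 listening: {0}" -f [bool]$listening)

if ($Remediate) {
    if ($smb1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
            Write-Warning 'SMB1 registry value set to 0; the Server service needs a restart or reboot to apply it'
        }
    }
    if (-not $installed) {
        # Until the update is on, stop this host being reached over SMB from the network at all.
        # netsh works on every supported build, including ones without the NetSecurity cmdlets.
        netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445) pending MS17-010" `
            dir=in action=block protocol=TCP localport=445 | Out-Null
        Write-Warning 'Inbound TCP/445 blocked at the host firewall; remove the rule after patching'
    }
}
```

Run it read-only first across the estate (for example through `Invoke-Command` against a list of hosts) to get a picture of who is exposed, then with `-Remediate` on hosts you cannot patch today. Blocking 445 inbound also blocks legitimate file and print serving from that host, so reserve it for workstations and for servers where the outage is cheaper than the worm. Disabling SMBv1 is worth doing even on patched hosts; it removes the protocol the exploit targets rather than only the one bug.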

Cognitive Dissonance:

DOS 666

I warned them to skip directly to DOS 667. But they never listen to me.

Dickweed Wang:

What Operating System are those computers running?


Probably Windows 98 . . . .

kiwigal:

The idiots are running WINDOWS XP! A system no longer supported by Microsoft for years now. This is The National Health System of United Kingdom. Unbelievable that a government can penny-pinch on something so vital.

stormsailor:

i'm running xp and server 2003 and my systems run like swiss watches, i do have cutouts, firewalls, and discipline in my company.  ps fuck the cloud

HRClinton:

They are using an Operating System, that does not affect the stock price of the company (MS) that makes it. 

Note that none of these viruses wipe out mortgage or car loan debts.

Isn't that weird?

jeffglobal:

FALSE FLAG. 

I mean seriously.  Deep state is just an extension of the bankers. The CIA gets their pants pulled down by Assange, showing they can cyberattack anyone leaving "fingerprints" of anyone, so they attack everyone and then blame ASSANGE, or a leak?  The leak of this caliber would necessitate the termination of all the personnel that failed to protect the nation.  I mean Vincent Foster type of termination.  I mean a Seth Rich type of termination, though those shooters were FBI that got caught red handed by local authorities because they didn't know about shot mics that got the cops on them faster than they could leave the scene. FFS!

The CIA is a VERY young organization.  It's time to disband the spooks.  All they do is overturn elected governments, and attack their own citizens.

secretargentman:

Who is going to get blamed?

<-- Bitcoin

<-- NSA

halcyon:

Infects pretty much all Windows versions in use:

WannaCry only targets Microsoft Windows systems and is known to impact the following versions:

  • Windows XP
  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2 and R2 SP1
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2012 and R2
  • Windows 10
  • Windows Server 2016
  • Windows XP (NO SECURITY UPDATES AVAILABLE)

Amicus Curiae:

some supposed expert in Aus today said that XP and win 2012 were at risk

past that build nothing's supposed to have been affected IF?  updates were applied as reminded

it appears many places with shitloads of networked units do NOT apply updates on time.

Ahmeexnal:

Why aren't microsoft shares falling?  Anyone with half a braincell would start thinking it's not a good idea to stay with windows.

Some reports coming in seem to indicate that at least in Spain, the "ransomware" screen is actually a screensaver put up by "employees" in order to have the day off.  "Only in the land of the fiesta and siesta!"

kiwigal:

Not Microsoft's fault that the government chose to use an outdated system that has had no patches for years now. Windows XP.

AllBentOutOfShape:

I doubt they put too much attention on Russia for this.

This looks more like a CIA false flag that will be used to target Assange and Wikileaks to justify the charges against him.

Expect increased calls for his arrest and calls to revoke his diplomatic immunity on the grounds that he's responsible for inadvertently creating this new threat to the global cyber infrastructure.

Croesus:

Thank God the government is protecting us!

nightshiftsucks:

The fucking piece of shit Aquino was involved in the SF Presidio daycare kiddie rape. There were 4 year olds with STDs and no one went to prison.  Donate to this group, they are raising money to produce a video exposing high-level pedophile satanists.   http://www.vets4childrescue.org/