{"id":72598,"date":"2017-05-13T18:20:49","date_gmt":"2017-05-13T22:20:49","guid":{"rendered":"https:\/\/stateofthenation2012.com\/?p=72598"},"modified":"2017-05-13T18:21:28","modified_gmt":"2017-05-13T22:21:28","slug":"24-hours-later-unprecedented-fallout-from-biggest-ransomware-attack-in-history","status":"publish","type":"post","link":"https:\/\/stateofthenation2012.com\/?p=72598","title":{"rendered":"24 Hours Later: &#8220;Unprecedented&#8221; Fallout From &#8220;Biggest Ransomware Attack In History&#8221;"},"content":{"rendered":"<p><!--more-->ZeroHedge.com<\/p>\n<p>24 hours after it first emerged, it has been called the first global, coordinated ransomware attack using hacking tools developed by the NSA, crippling over a dozen hospitals across the UK, mass transit around Europe, car factories in France and the UK, universities in China, corporations in the US, banks in Russia and countless other mission-critical businesses and infrastructure.<\/p>\n<p>According to experts, &#8220;this could be one of the worst-ever recorded attacks of its kind.&#8221; The security researcher who tweets and blogs as MalwareTech <a href=\"http:\/\/theintercept.com\/2017\/05\/12\/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world\/\">told The Intercept<\/a>, \u201cI\u2019ve never seen anything like this with ransomware,\u201d and \u201cthe last worm of this degree I can remember is Conficker.\u201d Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over 9 million computers in nearly 200 countries.<\/p>\n<p><strong>The fallout, according to cyber-specialists, has been &#8220;unprecedented&#8221;: <\/strong>it has left unprepared governments, companies and security experts from China to the United Kingdom on Saturday reeling, and racing to contain the damage from the audacious cyberattack that spread quickly across the globe, raising fears that people would not be able to meet ransom demands before their data are destroyed.<\/p>\n<p>As <a href=\"http:\/\/www.zerohedge.com\/news\/2017-05-12\/massive-ransomware-attack-goes-global-huge\">reported yesterday<\/a>, the global efforts come less than a day after malicious software, transmitted via email and stolen from the National Security Agency, exposed vulnerabilities in computer systems in almost 100 countries in one of the largest \u201cransomware\u201d attacks on record. The cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users in the form of bitcoin to unlock the devices.<\/p>\n<p>The ransomware was subsequently identified as a new variant of &#8220;WannaCry&#8221; that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft&#8217;s Windows operating system.<\/p>\n<p><a href=\"http:\/\/www.zerohedge.com\/sites\/default\/files\/images\/user5\/imageroot\/2017\/05\/12\/ransomware%20wannacry.jpg\"><img decoding=\"async\" src=\"http:\/\/www.zerohedge.com\/sites\/default\/files\/images\/user5\/imageroot\/2017\/05\/12\/ransomware%20wannacry_0.jpg\" \/><\/a><\/p>\n<p><em>The ransomware has been identifed as WannaCry<\/em><\/p>\n<p>The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a &#8220;worm&#8221;, or self spreading malware, by exploiting a piece of NSA code known as &#8220;Eternal Blue&#8221; that was released last month by a group known as the Shadow Brokers (see &#8220;<a href=\"http:\/\/www.zerohedge.com\/news\/2017-04-08\/hacker-group-releases-password-nsas-top-secret-arsenal-protest-trump-betrayal\">Hacker Group Releases Password To NSA&#8217;s &#8220;Top Secret Arsenal&#8221; In Protest Of Trump Betrayal<\/a>&#8220;) , researchers with several private cyber security firms said.<\/p>\n<p><strong>&#8220;This is one of the largest global ransomware attacks the cyber community has ever seen,&#8221; <\/strong><a href=\"http:\/\/www.reuters.com\/article\/us-britain-security-hospitals-idUSKBN18820S\">said Rich Barger<\/a>, director of threat research with Splunk. The extremely well coordinated attack first emerged in the United Kingdom around noon on Friday and spread like wildefire around the globe. According <a href=\"http:\/\/www.nytimes.com\/2017\/05\/13\/world\/asia\/cyberattacks-online-security-.html\">to the Times<\/a> &#8220;it has set off fears that the effects of the continuing threat will be felt for months, if not years&#8221; and raised questions about the intentions of the hackers: Did they carry out the attack for mere financial gain or for other unknown reasons?<\/p>\n<p>The animated map below shows the speed and scale of the global infestation which took just a few hours to cover the globe:<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Animated map of how tens of thousands of computers were infected with ransomware <a href=\"https:\/\/t.co\/LDFCW9K5Ls\">https:\/\/t.co\/LDFCW9K5Ls<\/a> <a href=\"https:\/\/t.co\/E5Ep9KesaV\">pic.twitter.com\/E5Ep9KesaV<\/a><\/p>\n<p>&mdash; The New York Times (@nytimes) <a href=\"https:\/\/twitter.com\/nytimes\/status\/863193644991471616?ref_src=twsrc%5Etfw\">May 13, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Meanwhile, some of the world\u2019s largest institutions and government agencies have been affected, including the Russian Interior Ministry, FedEx in the United States and Britain\u2019s National Health Service. As people fretted over whether to pay the digital ransom or lose data from their computers, experts said the attackers might pocket more than $1 billion worldwide before the deadline ran out to unlock the machines.<\/p>\n<p>Across Asia, several universities and organizations said they had been affected. In China, the virus hit the computer networks of both companies and universities, according to the state-run news media. News about the attack began trending on Chinese social media on Saturday, though most attention was focused on university networks, where there were concerns about students losing access to their academic work. The attack, however, focused on the UK and Europe where in addition to the British healthcare system, companies like Deutsche Bahn, the German transport giant; Telef\u00f3nica, a Spanish telecommunications firm; and Renault, the French automaker, said some of their systems had been affected.<\/p>\n<p><strong>&#8220;Seeing a large telco like Telefonica get hit is going to get everybody worried,&#8221; <\/strong>said Chris Wysopal, chief technology officer with cyber security firm Veracode.<\/p>\n<p>The British National Health Service said that 45 of its hospitals, doctors\u2019 offices and ambulance companies had been crippled \u2014 making it perhaps one of the largest institutions affected worldwide. Surgical procedures were canceled and some hospital operations shut down as government officials struggled to respond to the attack.<\/p>\n<p>\u201cWe are not able to tell you who is behind that attack,\u201d Amber Rudd, Britain\u2019s home secretary, told the British Broadcasting Corporation on Saturday. \u201cThat work is still ongoing.\u201d<\/p>\n<p>Things only got worse on Saturday as auto production facilities across Europe have been shuttered, including car plants in the UK and France, in the aftermath of the cyberattack.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BREAKING?src=hash&amp;ref_src=twsrc%5Etfw\">#BREAKING<\/a> Renault says production halted at French sites after cyberattack<\/p>\n<p>&mdash; AFP News Agency (@AFP) <a href=\"https:\/\/twitter.com\/AFP\/status\/863328048870981632?ref_src=twsrc%5Etfw\">May 13, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Sky News understands production at the Nissan factory in Sunderland has been affected as a result of a cyber attack<\/p>\n<p>&mdash; Sky News Breaking (@SkyNewsBreak) <a href=\"https:\/\/twitter.com\/SkyNewsBreak\/status\/863342046521765889?ref_src=twsrc%5Etfw\">May 13, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In total, more than 75,000 computers in 99 countries were compromised in Friday\u2019s attack, with a heavy concentration of infections in Russia and Ukraine, according to Dutch security company Avast Software BV. Russia\u2019s Interior Ministry, with oversees the country\u2019s police forces, said \u201caround 1,000 computers were infected,\u201d which it described as less than 1 percent of the total, the New York Times reported. The ministry said technicians had stopped the attack and were updating the department\u2019s \u201cantivirus defense systems,\u201d according to the Times. Russia&#8217;s RIA reported that the central bank said on Saturday it had detected &#8220;massive&#8221; cyber attacks on domestic banks, which successfully thwarted them.<\/p>\n<p>* * *<\/p>\n<p>There has been some good news: an ingenious discovery appears to have halted the spread of the virus for now.<\/p>\n<p>As part of the digital attack, the hackers included a way of disabling the malware in case they wanted to shut down their activities, <a href=\"http:\/\/arstechnica.com\/security\/2017\/05\/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide\/\">Ars Technica reported<\/a>. To do so, the assailants included code in the ransomware that would stop it from spreading if the virus sent an online request to a website created by the attackers. The kill switch would stop the malware from spreading as soon as the website went online and communicated with the spreading digital virus.<\/p>\n<p>A British-based researcher, who declined to give his name, registered a<br \/>\ndomain that he noticed the malware was trying to connect to, limiting<br \/>\nthe worm&#8217;s spread. When the 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog, confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, saw that the kill switch\u2019s domain name \u2014 a long and complicated set of letters \u2014 had yet to be registered, he bought it himself. By making the site go live, the researcher shut down the hacking attack before it could fully spread to the United States.<\/p>\n<p>However, this temporary workaround will only last for a few days if not hours.<\/p>\n<p>\u201cI will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,\u201d wrote the @MalwareTechBlog researcher. \u201c<strong>So long as the domain isn\u2019t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.<\/strong>\u201d<\/p>\n<p>http:\/\/twitter.com\/MalwareTechBlog\/status\/863187104716685312?ref_src=twsrc%5Etfw&#038;ref_url=http%3A%2F%2Fwww.zerohedge.com%2Fnews%2F2017-05-13%2F24-hours-later-unprecedented-fallout-first-global-coordinated-ransomware-attack<\/p>\n<p>\u201cThe kill switch is why the U.S. hasn\u2019t been touched so far,\u201d said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. \u201cBut it\u2019s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name.<strong> I would expect them to do tha<\/strong>t.\u201d<\/p>\n<p>Adds <a href=\"http:\/\/www.reuters.com\/article\/us-britain-security-hospitals-idUSKBN18820S\">Reuters<\/a>: &#8220;We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,&#8221; said Vikram Thakur, principal research manager at Symantec.<\/p>\n<p>&#8220;The numbers are extremely low and coming down fast.&#8221; But the attackers may yet tweak the code and restart the cycle. The British-based researcher who may have foiled the ransomware&#8217;s spread told Reuters he had not seen any such tweaks yet, &#8220;but they will.&#8221;<\/p>\n<p>* * *<\/p>\n<p>Meanwhile, questions are mounting why code created by the NSA. has i) fallen in the wrong hands and ii) is being used to hold the world hostage. As the NYT notes, the ability of the cyberattack to spread so quickly was partly because of its high level of sophistication.<\/p>\n<p>The malware, experts said, was based on a method that the N.S.A. is believed to have developed as part of its arsenal of cyberweapons. Last summer, a group calling itself the \u201cShadow Brokers\u201d posted online digital tools that it had stolen from the United States government\u2019s stockpile of hacking weapons.\u00a0 <strong>The connection to the N.S.A. is likely to draw further criticism from privacy advocates who have repeatedly called for a clampdown on how the agency collects information online<\/strong>.<\/p>\n<blockquote><p>Brian Lord, a former deputy director for intelligence and cyber operations at Government Communications Headquarters, Britain\u2019s equivalent to the N.S.A., said that any investigation, which would include the F.B.I. and the National Crime Agency of Britain, would take months to name the potential attackers, if it ever does. And by focusing the attacks on large institutions with a track record of not keeping their technology systems up-to-date, global criminal organizations were cherry-picking easy targets that were highly susceptible to such hacks, according to Mr. Lord.<\/p>\n<p>\u201cSerious organized crime is looking to these new technologies to the maximum effect,\u201d Mr. Lord said. \u201cWith cybercrime, you can operate globally without leaving where you already are.\u201d<\/p>\n<p>He added of this attack: \u201cIt was well thought-out, well timed and well coordinated. But, fundamentally, there is nothing unusual about its delivery. It is still fundamentally robbery and extortion.\u201d<\/p><\/blockquote>\n<p>For now, the victims &#8211; both actual and potential &#8211; may have bought themselves some time. As part of the efforts to combat the attack, Microsoft, whose Windows software lies at the heart of the potential hacking vulnerability, released a software update available to those affected by the attack and others who could be potential targets. Microsoft took the \u201chighly unusual\u201d step of securing early operating systems in the wake of a massive ransomware attack that wreaked havoc on global computer networks, including the UK\u2019s National Health Service. Overnight, Microsoft XP received the new security patch three years after the computer giant discontinued support for the OS.<\/p>\n<p>\u201cSeeing businesses and individuals affected by cyberattacks, such as the ones reported today [Friday], was painful,\u201d a Microsoft statement read. \u201cWe are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.\u201d<\/p>\n<p>Security experts however said the upgrade came too late for many of the tens of thousands of machines that were locked out and whose data could be erased if people did not pay the ransom. Earlier this year, Microsoft created a patch <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">called MS17-010 <\/a>to guard against the virus. But older, unsupported operating systems were not included in the update.<\/p>\n<p>Making matters worse, government officials and industry watchers also warned on Saturday that other hackers might now try to use the global ransomware attack for their own means, potentially tweaking the code and developing their own targets for new cyberattacks.<\/p>\n<p>* * *<\/p>\n<p>Finally, there is the question who is behind this coordinated global attack. Not surprisingly, Russia has been named. There is a high-probability that Russian-language cyber-criminals were behind the attack, said Aleks Gostev, chief cybersecurity expert for Kaspersky Labs. \u201cRansomware is traditionally their topic,\u201d he said <a href=\"http:\/\/www.bloomberg.com\/news\/articles\/2017-05-12\/ransom-hack-racking-up-victims-with-hospitals-most-at-risk\">cited by Bloomberg<\/a>. \u201cThe geography of attacks that hit post-Soviet Union most also suggests that.\u201d<\/p>\n<p>Whoever is the responsible party behind this first, global, coordinated ransomware attack, the have demonstrated one thing: <em>the world is thoroughly unprepared for cyberwar<\/em>.<\/p>\n<p>\u201cAs with everything in cyber, we\u2019re now waiting for the next type of attack,\u201d Paul Bantick, a cyber security expert at Beazley, a global insurance underwriter, told the NYT.<\/p>\n<p>\u201cRansomware like this has been on the rise over the last 18 months,\u201d he added. \u201cThis represents the next step that people were expecting.\u201d<\/p>\n<p>As such, it is only a matter of time now before an even greater, more destructive cyberattack is unleashed on the world.<\/p>\n<p>___<br \/>\n<a href=\"http:\/\/www.zerohedge.com\/news\/2017-05-13\/24-hours-later-unprecedented-fallout-first-global-coordinated-ransomware-attack\">http:\/\/www.zerohedge.com\/news\/2017-05-13\/24-hours-later-unprecedented-fallout-first-global-coordinated-ransomware-attack<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-72598","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/posts\/72598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=72598"}],"version-history":[{"count":0,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/posts\/72598\/revisions"}],"wp:attachment":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=72598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=72598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=72598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}