Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide (threatpost.com)

Posted by BeauHD on from the never-before-seen dept.

msm1267 quotes a report from Threatpost: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent Shadow Brokers dump. Researchers said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA. Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they've recorded more than 45,000 infections so far on their sensors, and expect that number to climb. Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other business throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems. An anonymous Slashdot reader adds: Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, making victims all over the world in huge numbers. The ransomware's name is Wana Decrypt0r, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or WCry. The ransomware is using the ETERNALBLUE exploit, which uses a vulnerability in the SMBv1 protocol to infect vulnerable computers left exposed online. Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it. Until now, the ransomware has laid waste to many Spanish companies, healthcare organizations in the UK, Chinese universities, and Russian government agencies. According to security researchers, the scale of this ransomware outbreak is massive and never-before-seen.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted.

12 of 197 comments (clear)

  1. Say "thanks" to your "security"-agency... by ffkom · · Score: 5, Insightful

    who chose to weaponize security holes rather than having them fixed for some actual security.

    1. Re:Say "thanks" to your "security"-agency... by Anonymous Coward · · Score: 5, Insightful

      No. Say thanks to Micro$oft for making people extremely gunshy after their concerted efforts to force Windows 10 down everyone's throats.

      It's bad enough to worry that an update to a bad driver will brick your machine without the problem of waking up to find Windows 10 on your machine.

      I'm sure there's enough blame to go around here, but don't forget that the update paranoia around Windows OS's was brought to you by none other than Micro$oft themselves.

    2. Re:Say "thanks" to your "security"-agency... by saloomy · · Score: 4, Insightful

      But this isn't a zero-day. "Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it."
       
      Blame lax IT policies and ineffective management for leaving exposed machines to the internet unmatched. Of course your going to get hosed. Most know to put a firewall, enable the machine's firewall, or air-gap their systems.

    3. Re:Say "thanks" to your "security"-agency... by dbIII · · Score: 5, Insightful

      But this isn't a zero-day. "Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it."

      Since there were so many people that turned off updates to avoid getting MS Windows 10 unasked I don't think blaming the victims is a useful approach.

  2. Obscurity is not security. by Gravis+Zero · · Score: 5, Insightful

    I've said it before but it bears repeating.

    When you create an exploit, you create a weapon but when you submit a fix, you make that weapon ineffective. So now instead of having the world's best armor, we have an absurd cache of weapons and those weapons have been stolen. The moral isn't to protect your weapons better, it's that you should be making better armor.

    --
    Anons need not reply. Questions end with a question mark.
  3. It hit the NHS hard by Anonymous Coward · · Score: 5, Interesting

    I'm a doctor in the NHS. It hit my hospital hard. The bosses triggered the MAJAX protocols meaning everyone off work was called to come in and help. Computers are used for everything, so blood tests, admissions, scan requests, referrals, all had to be done by hand. The public were asked to keep away from A+E because hundreds of people were waiting. It was terrifying how little failsafe infrastructure there was. The hospital just stopped working.

    1. Re:It hit the NHS hard by Anonymous Coward · · Score: 4, Insightful

      And you use unpatched computers in a hospital WHY? How the hell is it that the PC my kid plays Minecraft on is patched, but the ones you use for MEDICAL CARE are not!? WTF!?

    2. Re:It hit the NHS hard by Anonymous Coward · · Score: 5, Informative

      They may remain unpatched because of a fear that the patch could cause serious errors in the same systems. Most large organizations don't immediately apply patches throughout their infrastructure. They test the patches extensively before deciding to deploy them. In many cases there are laws and regulations in place that say systems have to be certified before they are deployed. Getting the certification for a patched systems, even when the unpatched system is certified, can be a huge and expensive task which may involve hiring specialized firms to run extensive tests.

      Some organizations are just negligent and risk problems by not patching while others are super vigilant and risk different problems by delaying patches.

    3. Re:It hit the NHS hard by TroII · · Score: 4, Insightful

      And you use unpatched computers in a hospital WHY?

      Because patches are often broken. Imagine these hospitals had applied the patch when Microsoft released it, but the patch was faulty in some way, and all of the hospital computers went down as a result. Instead of complaining the hospitals were running unpatched, you and/or many people like you would be bitching and moaning that they were negligent to install the patch too soon.

      Updates from Microsoft frequently include at least one broken patch. There was one update last year that broke millions of peoples' webcams. There have been several updates that interfered with settings and reverted them back to default configurations, and several more updates that seemingly deleted group policy objects that had been configured by the domain administrator. There was a patch around the new year that inadvertently disabled the DHCP service, despite the update itself having nothing to do with DHCP. (Things that make you go hmmm.) This particular fuck-up rendered a lot of machines not only broken, but totally irreparable without manual human intervention, i.e. dispatching someone clueful to each of your premises to clean up the mess.

      Patch deployment in any enterprise environment requires extensive testing. You have to coordinate with your software vendors to make sure their applications are compatible with the update. If you install Patch XYZ without first getting approval from Vendor123, you wind up invalidating your support contracts with them. All of this takes time. In 2016, there were several months in a row where Microsoft had to un-issue, repair, supersede, and re-release a broken patch they'd pushed out. Put yourself in the shoes of an admin team who got burned by Windows Update breaking your systems, especially repeatedly. Are you going to be in any hurry to patch? If you were bitten by the DHCP bug, do you trust that the "critical SMB patch" really only touches SMBv1, and isn't going to inexplicably corrupt Office or remove IPV4 connectivity on every computer it touches?

      If the PC your kid plays Minecraft on gets hosed by a broken patch, it's not that big of a deal. The business world is a different story.

      --
      "If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
  4. National Insecurity Agency by TiggertheMad · · Score: 4, Informative

    The NSA (and other ABC agencies that are undoubtedly running the same game plan) are doing what they are tasked with, finding ways to protect America and America's interests. Using hacking as a tool to this end is (relatively) new in the old game pf spycraft, so there are going to be a few epic disasters like this before the black ops people start to figure out all the types of blow back they can experience. The US was really big on foreign covert action in the 50's, and it took the bay of pigs to make people realize that there were ways that things could go horribly wrong. That didn't stop covert action from being used, but I think it was employed more carefully afterwards. Having all their shiny hacking toys stolen and having this happen is the hacking version of the 'Bay of Pigs'.

    Also, while the NSA seems to have compiled a formidable array of exploits and tools to compromise enemy systems, that doesn't mean that everyone else isn't playing the exact same game. The only difference between the NSA and EVERY other state intelligence agency on the planet is that they seem to be able to properly secure their black ops toys. Being one of the largest agencies of this sort, there are going to be a lot of people in the know. And the more people involved, the harder it is to keep a secret.

    Mind you, that doesn't make this any less tragic or regrettable. I sort of hope the CIA decides that it is in the US interest to find and vanish anyone connected with this ransomware to make an example of them. Alas, that sort of thing only happens in implausible Hollywood scripts.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  5. Re:The NSA should Compensate.... by Gravis+Zero · · Score: 4, Insightful

    EVERY Person, and EVERY Business, that this will do damage to. Its their tool, POORLY secured, that caused this ENTIRE MESS!

    You got it all wrong. The entity to blame is Microsoft. Their operating system is poorly secured which is the root cause of this entire mess.

    --
    Anons need not reply. Questions end with a question mark.
  6. That is not how it infects by dbIII · · Score: 4, Informative

    Certainly they should have blocked SMB shares from the internet.

    That's not how it it gets on a network, even a large one like that. Somebody gets tricked into installing the malware from an email attachment or link via a vunerablity in IE or MS Office (Outlook not so good) and then it spreads across a local network via a weakness in an SMB implementation. Multiple levels of "fail" but not at the firewall, and not a lot that Microsoft's customers can do about it especially in a tight budget situation with IT as a very low priority.

    Your suggestion (while a good one that would have already been done since it's so obvious) would not have helped.