Turns Out North Korea Was Probably Behind That Massive Ransomware Attack Last Month
MAKES YOU WANNACRY

Update, June 15: The NSA has determined with "moderate confidence" that North Korea is behind the WannaCry ransomware attack that left hundreds of thousands of people unable to access their files in May.

WannaCry was apparently an attempt to raise revenue for the regime, but analysts said the effort was flawed. Though the hackers raised $140,000 in bitcoin, a form of digital currency, so far they have not cashed it in, the analysts said. That is likely because an operational error has made the transactions easy to track, including by law enforcement.

As a result, no online currency exchange will touch it, said Jake Williams, founder of Rendition Infosec, a cybersecurity firm. "This is like knowingly taking tainted bills from a bank robbery," he said.

[Washington Post]


Previously: Today, tens of thousands of computers, primarily at British hospitals and at the Spanish telecommunications company Telefonica, were taken over by a piece of malware known as Wanacrypt0r 2.0, also called WannaCry. Once loaded onto a Windows machine, the ransomware encrypts the computer's files and informs the user that they can decrypt them… for a fee.

Here's what's going on, and what to do if you've been infected.

Ransomware, Obviously, Holds Your Files For Ransom

Ransomware is malicious software that infects machines, locks them by encrypting data and then extorts money to let users back in. A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

[Reuters]

Once It's In A Network, It's Hard To Stop

Unlike many other malicious programs, this one has the ability to move around a network by itself. Most others rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.

By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too. This perhaps explains why its impact is so public — because large numbers of machines at each victim organisation are being compromised.

[BBC]

It's The Largest Attack In Recent Memory

According to MalwareTech's Botnet Tracker, the ransomware has spread to over 70,000 machines across the globe. "This is one of the largest global ransomware attacks the cyber community has ever seen," Rich Barger, a director at cybersecurity firm Splunk, told Reuters. Here's a snapshot of the infections across the globe.

[Map: infections across the globe, via MalwareTech]

And It All Started At The NSA

Today's WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency's hackers to break into any of millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates.

[The Intercept]
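The BBC and Intercept excerpts above describe the exposure in operational terms: a worm that hunts hosts still running the flawed SMB code, and a fix that only helps where it was actually installed. The PowerShell check below is an added example for this page, not code from The Intercept, the BBC, Microsoft or MalwareTech. It reports whether a Windows host still meets all three of the worm's preconditions (March 2017 fix missing, SMBv1 enabled, TCP 445 listening). The KB numbers are a partial list of the MS17-010 packages from memory and should be confirmed against Microsoft's bulletin for the exact OS; the function and property names are this example's own.

```powershell
# Added example (not from The Intercept or Microsoft): does this host still meet the
# ETERNALBLUE preconditions? Run from an elevated PowerShell on the host being checked.
# Assumption: the KB list is a partial, from-memory list of the March 2017 MS17-010
# packages; confirm against Microsoft's MS17-010 bulletin. On Windows 10 later cumulative
# updates carry the same fix under other KB numbers, so a missing March KB there is a
# prompt to compare the OS build against the bulletin, not proof of exposure.

function Get-Ms17010Exposure {
    $ms17010 = @(
        'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',               # Server 2012
        'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
        'KB4012598'                             # XP / Server 2003 / Vista / Server 2008
    )
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $found     = @($ms17010 | Where-Object { $installed -contains $_ })

    # SMBv1 server state. The cmdlet exists on Windows 8 / Server 2012 and later; older
    # hosts keep the switch in the LanmanServer registry key, where no value means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val  = Get-ItemProperty -Path $reg -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $val) -or ($val.SMB1 -ne 0)
    }

    # Is anything listening on TCP 445 at all? (Get-NetTCPConnection: Windows 8 / 2012+.)
    $listening445 = $false
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        OSVersion        = [System.Environment]::OSVersion.Version.ToString()
        Ms17010Installed = ($found.Count -gt 0)
        Ms17010KBs       = ($found -join ', ')
        SMB1Enabled      = $smb1
        Listening445     = $listening445
        # All three must hold for the worm to get in over the network.
        Exposed          = (($found.Count -eq 0) -and $smb1 -and $listening445)
    }
}

Get-Ms17010Exposure | Format-List

# Remediation when Exposed is True: install MS17-010, and turn SMBv1 off regardless:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force                      # Windows 8 / 2012+
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#       -Name SMB1 -Value 0 -Type DWord                                               # older hosts, then reboot
```

Disabling SMBv1 is the control that survives the next SMB bug: the patch closes this flaw, but a host that no longer speaks the old dialect is not reachable by an exploit written against it at all. Where 445 must stay open inside the network, blocking it at the perimeter is the separate check the article's "hunt down vulnerable machines" point implies.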

You're Not Totally Helpless If You're Infected

Victims who are struggling with ransomware should pay a visit to BleepingComputer's ransomware help forum, which often has tutorials on how to remove the malware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom Project also includes an online tool that enables ransomware victims to learn if a free decryptor is available by uploading a single encrypted file.

[Krebs On Security]


Update: 'Accidental Hero' Stops The Attack By Finding Kill Switch

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a "kill switch" in the malicious software… "I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time."

[The Guardian]
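As an added example, not code from the Guardian article, from MalwareTech or from the malware itself, the block below first models the start-up decision the researcher describes, then searches a DNS query log for hosts that performed it, which is the hunt a defender would run once the kill switch became public. The domain string is the one named in public write-ups of the sinkhole at the time and does not appear on this page; the log lines and function names are constructed for the example.

```powershell
# Added example for this page, not code from the Guardian, MalwareTech or the malware.
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'   # from public write-ups, not this page

function Test-KillSwitch {
    # Models the start-up decision: a successful connection to the domain means "stop",
    # any failure (unregistered, DNS blocked, no egress) means "go on and spread".
    # Calling this on a monitored network looks like an infection check to anything
    # alerting on the domain, which is exactly what Find-KillSwitchLookups relies on.
    param([Parameter(Mandatory)][string]$Domain)
    try {
        $null = Invoke-WebRequest -Uri "http://$Domain/" -UseBasicParsing -TimeoutSec 5
        return 'halt'     # domain answered: it is now registered (sinkholed), so the worm exits
    } catch {
        return 'spread'   # no answer: the state every host saw before the domain was registered
    }
}

# Constructed DNS query log, one line per query: timestamp, client IP, record type, name.
$DnsLog = @'
2017-05-12 10:31:02 10.20.5.17 A www.example.com
2017-05-12 10:31:09 10.20.5.17 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 10:31:10 10.20.5.44 A update.example.org
2017-05-12 10:31:41 10.20.9.8 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 10:32:03 10.20.5.17 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
'@ -split "`r?`n"

function Find-KillSwitchLookups {
    # Every client that resolved the domain ran the worm's check, i.e. was already infected.
    param([string[]]$Lines, [string]$Domain)
    $pattern = '^(?<ts>\S+ \S+) (?<client>\S+) (?<type>\S+) (?<name>\S+)$'
    $hits = foreach ($line in $Lines) {
        if ($line.Trim() -match $pattern -and $Matches['name'] -eq $Domain) {
            [pscustomobject]@{ Time = $Matches['ts']; Client = $Matches['client'] }
        }
    }
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Lookups   = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        }
    }
}

# On the constructed log this lists 10.20.5.17 (2 lookups) and 10.20.9.8 (1 lookup).
Find-KillSwitchLookups -Lines $DnsLog -Domain $KillSwitchDomain | Format-Table -AutoSize
```

The second function is the useful one after the sinkhole went up: a host that looked up the domain ran the worm's check, so it was already infected, and the only question is whether it reached the registered domain and stopped or, lacking outbound access, fell through to the spreading branch exactly as every host did before the domain was registered. The kill switch therefore halts spread only on hosts that can reach the sinkhole; it is not a substitute for the patch.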


