Ransomware Bomb Aftershocks Rock Worldwide Businesses & Groups
A cybersecurity bomb unleashed a massive ransomware campaign affecting 200,000 computers and numerous organizations, with thousands of infections in more than 150 countries, including the United States, United Kingdom, and Russia.
The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered May 12, 2017, by an independent security researcher. It spread quickly and led to ransom demands of 0.1781 bitcoins, or roughly $300 U.S.
The worm attacks Windows vulnerabilities, including on medical devices and ATMs still using Windows XP. Among the organizations reportedly hit were FedEx in the United States, the Spanish telecom giant Telefónica, French automaker Renault, Chinese universities, Germany’s railway system, Russia’s interior ministry, and ATMs in India. The most disruptive attacks targeted Britain’s public health system, resulting in rescheduled surgeries and some patients being declined emergency room care.
The software, which can run in as many as 27 different languages, prompted an alert from the Department of Homeland Security through the United States Computer Emergency Readiness Team.
According to DHS and CERT, reports indicated the hacker or hacking group behind the campaign gained access to enterprise servers either through Remote Desktop Protocol compromise or through exploitation of a critical Windows Server Message Block vulnerability. Microsoft released a security update for that vulnerability (MS17-010) on March 14, 2017. Additionally, Microsoft released patches for the Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017.
Reports placed responsibility for the attack with The Shadow Brokers, which reportedly obtained and dumped National Security Agency spyware over the past year.
“The latest Shadow Brokers’ release was probably the most high-impact exploit drop we’ve seen in the last several years,” Mike Cotton, vice president, research and development for cybersecurity firm Digital Defense, suggested. “While earlier leaks from the Shadow Brokers focused on less common device services and third-party software, the exploit drop released in April targeted core Windows operating system services and was likely among the crown jewels of the NSA toolkits.”
Cotton explained the ETERNALBLUE exploit developed by the NSA allows for reliable remote compromise of a wide variety of Windows server and client systems using nothing but network access as a precondition. “It will remain one of the most heavily used exploits in attacker toolkits for years to come.”
Phillip Hallam-Baker, principal scientist, global cybersecurity firm Comodo, said, “Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of business are likely to pay up, and how to collect the money without being caught.”
Hallam-Baker added it appears that the CIA breach accelerated the process. “Instead of having to develop their own zero-day attacks, the criminals have use of an arsenal developed by experts at developing cyber-weapons.”
“The U.S. government clearly had its priorities wrong,” Hallam-Baker exclaimed. “Whether or not you think the U.S. government should be spending a fortune developing such cyberweapons, surely it is obvious that the weapons they develop should be properly secured.”
Ransomware exists for the same reason other viruses exist: money, said John Christly, Global CISO of Netsurion, a provider of remotely managed security services, and EventTracker, a SIEM provider. “It is designed to prey upon the unsuspecting, but rather than suck data out of a network, it cuts to the chase and asks for the cash up front.”
Christly also suggested, “We know that hackers are in constant pursuit of highly sensitive, personal data and that they are equipped with sophisticated methods to gain access to it. We also know that ransomware is now an unfortunately uncommon attack trend that cripples systems, even critical ones in hospitals, solely so the hackers can collect a profit with minimal effort.”
“And then there is victim blaming, because auto-updates were turned off which would have fixed this two months ago. Enough blame to go around for everyone. Ultimately this is a shared responsibility, but IT people are carrying the heavy load here and often do not get enough budget to get the job done right,” Stu Sjouwerman, founder and CEO of the Tampa Bay, Fla.-based cybersecurity firm KnowBe4, noted.
Sjouwerman said, “Predictions are the infection is going to get worse, because now machines will be turned on that aren’t patched.”