 |
This
map released by cybersecurity experts, shows the impact of the ransomware
around the world - with blue dots showing where attacks have been made. Russia
is thought to be the worst affected, while Taiwan fears being the victim of a
second wave. Europe was targeted first, meaning there were fewer incidents in
the US because companies were able to prepare themselves better
|
A global cyber-attack
leveraging hacking tools believed to have been developed by the U.S. National
Security Agency has infected tens of thousands of computers in nearly 100
countries, disrupting Britain's health system and global shipper FedEx.
 |
Ransomware:
how hackers take your data hostage
|
Cyber
extortionists tricked victims into opening malicious malware attachments to
spam emails that appeared to contain invoices, job offers, security warnings
and other legitimate files.
The
ransomware encrypted data on the computers, demanding payments of US$300 to US$600
to restore access. Security researchers said they observed some victims paying
via the digital currency bitcoin, though they did not know what percent had
given in to the extortionists.
Researchers
with security software maker Avast said they had observed 57,000 infections in
99 countries, with Russia, Ukraine and Taiwan the top targets.
Some
experts said the threat had receded for now, in part because a British-based
researcher, who declined to give his name, registered a domain that he noticed
the malware was trying to connect to, limiting the worm's spread.
"We
are on a downward slope, the infections are extremely few, because the malware
is not able to connect to the registered domain," said Vikram Thakur,
principal research manager at Symantec.
"The
numbers are extremely low and coming down fast."
But
the attackers may yet tweak the code and restart the cycle. The British-based
researcher who may have foiled the ransomware's spread told Reuters he had not
seen any such tweaks yet, "but they will."
Finance
chiefs from the Group of Seven rich countries will commit on Saturday to join
forces to fight the growing threat of international cyber-attacks, according to
a draft statement of a meeting they are holding in Italy.
"Appropriate
economy-wide policy responses are needed," the ministers said in their
draft statement, seen by Reuters.
Hospitals in Firing Line
In
Asia, some hospitals, schools, universities and other institutions were
affected, although the full extent of the damage is not yet known because it is
the weekend.
"I
believe many companies have not yet noticed," said William Saito, a cyber
security adviser to Japan's government.
"Things
could likely emerge on Monday."
China's
official Xinhua news agency said some secondary schools and universities had
been affected, without specifying how many or identifying them.
In
Viet Nam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of
infection had been reported there, but he declined to identify any of the
victims.
South
Korea´s Yonhap news agency reported a university hospital had been affected,
while a communications official in Indonesia said two hospitals there had been
affected.
The
most disruptive attacks were reported in Britain, where hospitals and clinics
were forced to turn away patients after losing access to computers on Friday.
International
shipper FedEx Corp said some of its Windows computers were also infected.
"We are implementing remediation steps as quickly as possible," it
said in a statement.
Telecommunications
company Telefonica was among many targets in Spain. Portugal Telecom and
Telefonica Argentina both said they were also targeted.
Only
a small number of U.S.-headquartered organizations were hit because the hackers
appear to have begun the campaign by targeting organizations in Europe, said
Thakur.
By
the time they turned their attention to the United States, spam filters had
identified the new threat and flagged the ransomware-laden emails as malicious,
Thakur added.
Microsoft Ups Defences
The
U.S. Department of Homeland Security said it was sharing information with
domestic and foreign partners and was ready to lend technical support.
Private
security firms identified the ransomware as a new variant of
"WannaCry" that had the ability to automatically spread across large
networks by exploiting a known bug in Microsoft's Windows operating system.
The
hackers, who have not come forward to claim responsibility or otherwise been
identified, likely made it a "worm", or self-spreading malware, by
exploiting a piece of NSA code known as "Eternal Blue" that was
released last month by a group known as the Shadow Brokers, researchers with
several private cyber security firms said.
"This
is one of the largest global ransomware attacks the cyber community has ever
seen," said Rich Barger, director of threat research with Splunk, one of
the firms that linked WannaCry to the NSA.
The
Shadow Brokers released Eternal Blue as part of a trove of hacking tools that
they said belonged to the U.S. spy agency.
Microsoft
said it was pushing out automatic Windows updates to defend clients from
WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.
"Today
our engineers added detection and protection against new malicious software
known as Ransom:Win32.WannaCrypt," Microsoft said in a statement on
Friday, adding it was working with customers to provide additional assistance.
Sensitive Timing
The
spread of the ransomware capped a week of cyber turmoil in Europe that began
the previous week when hackers posted a trove of campaign documents tied to
French candidate Emmanuel Macron just before a run-off vote in which he was
elected president of France.
On
Wednesday, hackers disrupted the websites of several French media companies and
aerospace giant Airbus.
The
hack happened four weeks before a British general election in which national
security and the management of the state-run National Health Service are
important issues.
The
British government did not know who was behind the attack but its National
Crime Agency was working to find out, interior minister Amber Rudd said.
Authorities
in Britain have been braced for cyber-attacks in the run-up to the election, as
happened during last year's U.S. election and on the eve of the French one.
But
those attacks - blamed on Russia, which has repeatedly denied them - followed a
different modus operandi involving penetrating the accounts of individuals and
political organizations and then releasing hacked material online.
On
Friday, Russia's interior and emergencies ministries, as well as its biggest
bank, Sberbank, said they were targeted. The interior ministry said about 1,000
computers had been infected but it had localized the virus.
Although
cyber extortion cases have been rising for several years, they have to date
affected small-to-mid sized organizations.
"Seeing
a large telco like Telefonica get hit is going to get everybody worried,"
said Chris Wysopal, chief technology officer with cyber security firm Veracode.
Researcher Finds
'Kill Switch' For Cyberattack Ransomware
A
cybersecurity researcher appears to have discovered a "kill switch"
that can prevent the spread of the WannaCry ransomware -- for now -- that has
caused the cyberattacks wreaking havoc globally, they told AFP Saturday.
The
researcher, tweeting as @MalwareTechBlog, said the discovery was accidental,
but that registering a domain name used by the malware stops it from spreading.
"Essentially
they relied on a domain not being registered and by registering it, we stopped
their malware spreading," @MalwareTechBlog told AFP in a private message
on Twitter.
The
researcher warned however that people "need to update their systems
ASAP" to avoid attack.
"The
crisis isn't over, they can always change the code and try again,"
@MalwareTechBlog said.
Friday's
wave of cyberattacks, which affected dozens of countries, apparently exploited
a flaw exposed in documents leaked from the US National Security Agency.
The
attacks used a technique known as ransomware that locks users' files unless
they pay the attackers a designated sum in the virtual currency Bitcoin.
Affected
by the onslaught were computer networks at hospitals in Britain, Russia's
interior ministry, the Spanish telecom giant Telefonica and the US delivery
firm FedEx and many other organizations.
French
carmaker Renault also announced it was attacked. A spokeswoman said the company
was "doing what is needed to counter this attack."
"I
will confess that I was unaware registering the domain would stop the malware
until after I registered it, so initially it was accidental,"
@MalwareTechBlog tweeted.
Unfortunately
however, computers already affected will not be helped by the solution.
"So
long as the domain isn't revoked, this particular strain will no longer cause
harm, but patch your systems ASAP as they will try again."
The
malware's name is WCry, but analysts were also using variants such as WannaCry.
Forcepoint
Security Labs said in a Friday statement that the attack had "global
scope" and was affecting networks in Australia, Belgium, France, Germany,
Italy and Mexico.
In
the United States, FedEx acknowledged it had been hit by malware and was
"implementing remediation steps as quickly as possible."
Also
badly hit was Britain's National Health Service, which declared a "major
incident" after the attack, which forced some hospitals to divert
ambulances and scrap operations.
Pictures
posted on social media showed screens of NHS computers with images demanding
payment of US$300 (€275 euros) in Bitcoin, saying: "Ooops, your files have
been encrypted!"
It
demands payment in three days or the price is doubled, and if none is received
in seven days, the files will be deleted, according to the screen message.
A
hacking group called Shadow Brokers released the malware in April claiming to
have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian
cybersecurity provider.
Kaspersky researcher Costin Raiu cited 45,000 attacks in 74 countries as of Friday evening.
No comments:
Post a Comment