
NSA tools behind worldwide WanaCryptOr ransomware attack


A ransomware attack leveraging alleged NSA hacking tools, which began hitting the U.K. National Health System earlier today, has spread globally, impacting FedEx and Spanish telecom Telefonica and locking up tens of thousands of computers in 74 countries.

Early analysis has found that the attackers dropped WanaCryptOr 2.0 ransomware using an exploit tool released last month by the Shadow Brokers hacking group. Also known as WannaCry, the malware displays a ransom note demanding $300 in Bitcoin that must be paid within three days. The most widely hit countries so far are the Russian Federation, Ukraine, India and Taiwan, according to Kaspersky Labs. About 60,000 computers in total are infected.

The attacker has not yet been named.

“The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked NSA set of exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven't found yet,” wrote Malwarebytes researcher Pieter Arntz.

The MS17-010 vulnerability, exploited by the tool known as ETERNALBLUE, was patched by Microsoft in March and is used to inject the DoublePulsar backdoor, according to Cyberscoop. The malicious actors then use the backdoor to infect the target machine with WanaCryptOr.

The initial entry into the company is most likely through a phishing attack.

“It would be shocking if the NSA knew about this vulnerability, but failed to disclose it to Microsoft until after it was stolen. It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner. Patching security holes immediately, not stockpiling them, is the best way to make everyone's digital life safer,” said Patrick Toomey, a staff attorney with the American Civil Liberties Union's National Security Project.

“The speed with which it's spreading is frightening. Ransomware becomes a significant nuisance if full backups of the systems weren't taken, dramatically increasing the recovery time if the ransom isn't paid,” said Gavin Millard, Tenable EMEA technical director.

The scattershot nature of the attack has also raised eyebrows, as it has hit a wide variety of industries and countries.

“This kind of attack is indiscriminate in its nature; it will attack any machine that is not patched for the particular vulnerability, in this case MS17-010, that it is exploiting. This appears to be financially motivated; however, that doesn't mean that there aren't other potential scenarios,” Owen Connelly, VP services at IOActive, told SC Media.

Phil Richards, CISO at Ivanti, said the attack is highly persistent: infected systems, at least those whose owners do not pay the ransom, have to be powered down and rebuilt from scratch. All backups also have to be taken off the network so they are not ensnared as well.

“It isn't surprising that NHS haven't gotten to root cause yet. Since 90% of this type of ransomware comes in through phishing, my assumption went with the numbers. This ransomware enumerates accounts and systems when it infects a machine, so spreading to servers is also expected. Servers are more consistently available on the network than workstations. So far, this appears to be a Windows-only ransomware, not affecting Linux or Mac.”

Because the attack takes advantage of an already patched vulnerability, some experts are calling it a failure on the part of the victims to have left their systems unpatched.

“This is an example of the systemic failure of government and commercial firms to implement security, resiliency and appropriate privacy policies,” said Philip Lieberman, president of Lieberman Software.

John Bambenek, threat research manager at Fidelis Cybersecurity, said that the WannaCry attack demonstrates the serious consequences that can occur when a nation-state's zero-day exploit is leaked into the wild, even after a patch is developed. “This is the first time that a worm-like tool has been used in conjunction with ransomware that has created devastating impact against entire organizations,” said Bambenek. “Strong and swift patching would have helped mitigate this threat. It has undoubtedly captured the imagination of criminals who don't want to hold individual machines ransom but to take entire organizations hostage, and surely we will see much more of this in the coming weeks.”

SOURCE: SC Magazine
