The Jim Bakker Show

Ransomware virus hits computer servers across the globe

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

MOSCOW/KIEV (Reuters) – A ransomware attack hit computers across the world on Tuesday, taking out servers at Russia’s biggest oil company, disrupting operations at Ukrainian banks, and shutting down computers at multinational shipping and advertising firms.

Cyber security experts said those behind the attack appeared to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a kill-switch.

“It’s like WannaCry all over again,” said Mikko Hypponen, chief research officer with Helsinki-based cyber security firm F-Secure.

He said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. “This could hit the U.S.A. pretty bad,” he said.

The U.S. Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

The first reports of organizations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

Danish shipping giant A.P. Moller-Maersk, which handles one out of seven containers shipped globally, said the attack had caused outages at its computer systems across the world on Tuesday, including at its terminal in Los Angeles.

Pharmaceutical company Merck & Co said its computer network had been affected by the global hack.

A Swiss government agency also reported computer systems were affected in India, though the country’s cyber security agency said it had yet to receive any reports of attacks.

“DON’T WASTE YOUR TIME”

After the Wannacry attack, organizations around the globe were advised to beef up IT security.

“Unfortunately, businesses are still not ready and currently more than 80 companies are affected,” said Nikolay Grebennikov, vice president for R&D at data protection firm Acronis.

One of the victims of Tuesday’s cyber attack, a Ukrainian media company, said its computers were blocked and it had a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the message said, according to a screenshot posted by Ukraine’s Channel 24.

The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world’s biggest advertising agency, WPP – though it was not clear if their problems were caused by the same virus.

“The building has come to a standstill. It’s fine, we’ve just had to switch everything off,” said one WPP employee who asked not to be named.

WANNACRY AGAIN

Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught.

Experts said the latest ransomware attacks unfolding worldwide, dubbed GoldenEye, were a variant of an existing ransomware family called Petya.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender.

“There is no workaround to help victims retrieve the decryption keys from the computer,” the company said.

Russian security software maker Kaspersky Lab, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before.

Last’s month’s fast-spreading WannaCry ransomware attack was crippled after a 22-year-old British security researcher Marcus Hutchins created a so-called kill-switch that experts hailed as the decisive step in slowing the attack.

Any organization that heeded strongly worded warnings in recent months from Microsoft Corp to urgently install a security patch and take other steps appeared to be protected against the latest attacks.

Ukraine was particularly badly hit, with Prime Minister Volodymyr Groysman describing the attacks on his country as “unprecedented”.

An advisor to Ukraine’s interior minister said the virus got into computer systems via “phishing” emails written in Russian and Ukrainian designed to lure employees into opening them.

According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

Yevhen Dykhne, director of the Ukrainian capital’s Boryspil Airport, said it had been hit. “In connection with the irregular situation, some flight delays are possible,” Dykhne said in a post on Facebook. A Reuters reporter who visited the airport late on Tuesday said flights were operating as normal.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government’s computer network had gone down and the central bank said a operation at a number of banks and companies, including the state power distributor, had been disrupted by the attack.

“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement.

Russia’s Rosneft, one of the world’s biggest crude producers by volume, said its systems had suffered “serious consequences” from the attack. It said it avoided any impact on oil production by switching to backup systems.

The Russian central bank said there were isolated cases of lenders’ IT systems being infected by the cyber attack. One consumer lender, Home Credit, had to suspend client operations.

(Additional reporting by European bureaux and Jim Finkle in Toronto; writing by Christian Lowe; editing by David Clarke)

Anthem to pay record $115 million to settle U.S. lawsuits over data breach

The office building of health insurer Anthem is seen in Los Angeles, California February 5, 2015. REUTERS/Gus Ruelas

By Brendan Pierson

(Reuters) – Anthem Inc <ANTM.N>, the largest U.S. health insurance company, has agreed to settle litigation over hacking in 2015 that compromised about 79 million people’s personal information for $115 million, which lawyers said would be the largest settlement ever for a data breach.

The deal, announced Friday by lawyers for people whose information was compromised, must still be approved by U.S. District Judge Lucy Koh in San Jose, California, who is presiding over the case.

The money will be used to pay for two years of credit monitoring for people affected by the hack, the lawyers said. Victims are believed to include current and former customers of Anthem and of other insurers affiliated with Anthem through the national Blue Cross Blue Shield Association.

People who are already enrolled in credit monitoring may choose to receive cash instead, which may be up to $50 per person, according to a motion filed in California federal court Friday.

“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” Andrew Friedman, a lawyer for the victims, said in a statement.

The credit monitoring in the settlement is in addition to the two years of credit monitoring Anthem offered victims when it announced the breach in February 2015, according to Anthem spokeswoman Jill Becher, who said the company was pleased to be resolving the litigation.

The Indianapolis-based company did not admit wrongdoing, and there was no evidence any compromised information was sold or used to commit fraud, Becher said.

Anthem said in February 2015 that an unknown hacker had accessed a database containing personal information, including names, birthdays, social security numbers, addresses, email addresses and employment and income information. The attack did not compromise credit card information or medical information, the company said.

More than 100 lawsuits filed against Anthem over the breach were consolidated before Judge Koh.

The breach is one of a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies in recent years, including Target Corp <TGT.N>, which agreed to pay $18.5 million to settle claims by 47 states in May, and Home Depot Inc <HD.N>, which agreed to pay at least $19.5 million to consumers last year.

(Reporting by Brendan Pierson in New York; Editing by Lisa Shumaker)

U.S. banks, corporations establish principles for cyber risk ratings firms

A view of the exterior of the JP Morgan Chase & Co. corporate headquarters in New York City May 20, 2015. REUTERS/Mike Segar/Files

By Anna Irrera and Olivia Oran

(Reuters) – More than two dozen U.S. companies, including several big banks, have teamed up to establish shared principles that would allow them to better understand their cyber security ratings and to challenge them if necessary, the U.S. Chamber of Commerce said on Tuesday. Large corporations often use the ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Insurers also look at the ratings when they make underwriting decisions on cyber liability.

The group includes big banks like JPMorgan Chase & Co <JPM.N>, Goldman Sachs Group Inc <GS.N> and Morgan Stanley <MS.N>, as well as non-financial companies like coffee retailer Starbucks Corp <SBUX.O>, health insurer Aetna Inc <AET.N> and home improvement chain Home Depot Inc <HD.N>. They are organizing the effort through the Chamber of Commerce, a broad trade group for corporate America.

The move comes in response to the emergence of such startups as BitSight Technologies, RiskRecon and SecurityScorecard that collect and analyze large swaths of data to rate companies on cyber security.

As these startups have gained prominence and venture capital funding, the companies they rate have complained of a lack of transparency.

“The challenge is that their (startups’) methodologies are proprietary and there hasn’t been transparency on how they go about creating the ratings,” JPMorgan Global Chief Information Security Officer Rohan Amin said in an interview.

The financial services industry is among the most vulnerable to cyber crime because of the massive amount of money and valuable data that banks, brokerages and investment firms process each day. Several technology companies, including Microsoft Corp <MSFT.O> and Verizon Communications Inc <VZ.N>, also support the principles being developed, as do the cyber ratings firms, the Chamber of Commerce said.

Ratings issued by those companies could help guide the standards being set by U.S. corporations. BitSight, for example, rates companies on a scale of 250 to 900 with a higher rating indicating better security performance.

“For organizations to use your platform you have to demonstrate trustworthiness and reliability,” said Jake Olcott, BitSight’s vice president of strategic partnerships.

(Reporting by Anna Irrera and Olivia Oran in New York; Editing by Lauren Tara LaCapra and Lisa Von Ahn)

Blame game for cyber attacks grows murkier as spying, crime tools mix

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

By Eric Auchard

TALLINN, Estonia (Reuters) – Veteran espionage researcher Jon DiMaggio was hot on the trail three months ago of what on the face of it looked like a menacing new industrial espionage attack by Russian cyber spies.

All the hallmarks were there: targeted phishing emails common to government espionage, an advanced Trojan horse for stealing data from inside organizations, covert communication channels for grabbing documents and clues in the programming code indicating its authors were Russian speakers.

It took weeks before the lead cyber spying investigator at Symantec, a top U.S. computer security firm, figured out instead he was tracking a lone-wolf cyber criminal.

DiMaggio won’t identify the name of the culprit, whom he has nicknamed Igor, saying the case is a run-of-the-mill example of increasing difficulties in separating national spy agency activity from cyber crime. The hacker comes from Transdniestria, a disputed, Russian-speaking region of Moldova, he said.

“The malware in question, Trojan.Bachosens, was so advanced that Symantec analysts initially thought they were looking at the work of nation-state actors,” DiMaggio told Reuters in a phone interview on Wednesday. “Further investigation revealed a 2017 equivalent of the hobbyist hackers of the 1990s.”

Reuters could not contact the alleged hacker.

The example highlights the dangers of jumping to conclusions in the murky world of cyber attack and defense, as tools once only available to government intelligence services find their way into the computer criminal underground.

Security experts refer to this as “the attribution problem”, using technical evidence to assign blame for cyber attacks in order to take appropriate legal and political responses.

These questions echo through the debate over whether Russia used cyber attacks to influence last year’s U.S. presidential elections and whether Moscow may be attempting to disrupt national elections taking place in coming months across Europe.

The topic is a big talking point for military officials and private security researchers at the International Conference on Cyber Conflict in Tallin this week. It has been held each year since Estonia was swamped in 2007 by cyber attacks that took down government, financial and media websites amid a dispute with Russia. Attribution for those attacks remains disputed.

THE SMOKING GUN

“Attribution is almost never a clean, smoking-gun,” said Paul Vixie, creator of the first commercial anti-spam service, whose latest firm, Farsight Security, helps firms track down cyber attackers to identify and block them.

Raising the stakes, a mystery group calling itself ShadowBrokers has taken credit for leaking cyber-spying tools that are now being turned to criminal use, including ones used in the recent WannaCry global ransomware attack, ratcheting up cyber security threats to a whole new level.

In recent weeks, ShadowBrokers has threatened to sell more such tools, believed to have been stolen from the U.S. National Security Agency, to enable hacking into the world’s most used computers, software and phones. (http://reut.rs/2rmTZmm)

“The bar for what’s considered advanced is lowered as time goes by,” said Sean Sullivan, a security researcher with Finnish cyber firm F-Secure.

The Moldovan hacker’s campaign to steal data and resell it on the web came to light only after infections popped up last year at a major airline, an online gambling firm and a Chinese automotive software maker, which are all customers of Symantec products used to secure their business networks.

Igor appears to have targeted the auto-tech company to steal its car diagnostics software, which retails for around $1,100 but Igor sold for just a few hundred dollars on underground forums and websites he had created. His aims in trying to break into the airline and gambling firm remain a mystery.

“Considering the audacity of this attack, the financial rewards for Igor are pretty low,” DiMaggio wrote in a blog post on his findings to be published on Wednesday.

As a threat, Symantec rates Trojan.Bachosens as a very low risk virus, in part because the attack singles out only a handful of specific firms rather than the wide-ranging, random attacks used by many cyber criminals to scoop up the greatest number of victims.

“I think those days are over when we can say in black and white: We know this is an espionage group,” DiMaggio said.

The Symantec researcher has not reported Igor to local authorities, calculating that exposing the methods of the attack will be enough to neutralize them.

(Editing by Peter Millership)

China to implement cyber security law from Thursday

FILE PHOTO: A woman uses a computer in an internet cafe at the centre of Shanghai, China January 13, 2010. REUTERS/Nir Elias/File Photo

SHANGHAI (Reuters) – China, battling increased threats from cyber-terrorism and hacking, will adopt from Thursday a controversial law that mandates strict data surveillance and storage for firms working in the country, the official Xinhua news agency said.

The law, passed in November by the country’s largely rubber-stamp parliament, bans online service providers from collecting and selling users’ personal information, and gives users the right to have their information deleted, in cases of abuse.

“Those who violate the provisions and infringe on personal information will face hefty fines,” the news agency said on Monday, without elaborating.

Reuters reported this month that overseas business groups were pushing Chinese regulators to delay implementation of the law, saying the rules would severely hurt activities.

Until now, China’s data industry has had no overarching data protection framework, being governed instead by loosely defined laws.

However, overseas critics say the new law threatens to shut foreign technology companies out of sectors the country deems “critical”, and includes contentious requirements for security reviews and data stored on servers in China.

(Reporting by Brenda Goh; Editing by Clarence Fernandez)

Chipotle says hackers hit most restaurants in data breach

Signage for a Chipotle Mexican Grill is seen in Los Angeles, California, United States, April 25, 2016. REUTERS/Lucy Nicholson/File Photo

By Lisa Baertlein

(Reuters) – Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc’s <CMG.N> restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain whose sales had just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

A handful of Canadian restaurants were also hit in the breach, which the company first disclosed on April 25.

Stolen data included account numbers and internal verification codes. The malware has since been removed.

The information could be used to drain debit card-linked bank accounts, make “clone” credit cards, or to buy items on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.

The breach could once again threatens sales at its restaurants, which only recently recovered after falling sharply in late 2015 after Chipotle was linked to outbreaks of E. coli, salmonella and norovirus that sickened hundreds of people.

An investigation into the breach found the malware searched for data from the magnetic stripe of payment cards.

Arnold said Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.

The company posted notifications on the Chipotle and Pizzeria Locale websites and issued a news release to make customers aware of the incident.

Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breach response, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.

“I don’t think you will get to all of the customers who might have been affected,” she said.

Security analysts said Chipotle would likely face a fine based on the size of the breach and the number of records compromised.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, Julie Conroy, research director at Aite Group, a research and advisory firm.

“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc <IT.N> specializing in security and privacy.

Chipotle did not immediately comment on the prospect of a fine.

Retailer Target Corp <TGT.N> in 2017 agreed to pay $18.5 million to settle claims stemming from a massive data breach in late 2013.

Hotels and restaurants have also been hit. They include Trump Hotels, InterContinental Hotels Group <IHG.L> as well as Wendy’s <WEN.O>, Arby’s and Landry’s restaurants.

Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday following the announcement.

(Additional reporting by Natalie Grover and Siddharth Cavale in Bengaluru and Tom Polansek and Nandita Bose in Chicago; Editing by Grant McCool and Lisa Shumaker)

Symantec says ‘highly likely’ North Korea group behind ransomware attacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Joseph Menn

SAN FRANCISCO (Reuters) – Cyber security firm Symantec Corp <SYMC.O> said on Monday it was “highly likely” a hacking group affiliated with North Korea was behind the WannaCry cyber attack this month that infected more than 300,000 computers worldwide and disrupted hospitals, banks and schools across the globe.

Symantec researchers said they had found multiple instances of code that had been used both in the North Korea-linked group’s previous activity and in early versions of WannaCry.

In addition, the same Internet connection was used to install an early version of WannaCry on two computers and to communicate with a tool that destroyed files at Sony Pictures Entertainment. The U.S. government and private companies have accused North Korea in the 2014 Sony attack.

North Korea has routinely denied any such role. On Monday, it called earlier reports that it might have been behind the WannaCry attack “a dirty and despicable smear campaign.”

Lazarus is the name many security companies have given to the hacking group behind the Sony attack and others. By custom, Symantec does not attribute cyber campaigns directly to governments, but its researchers did not dispute the common belief that Lazarus works for North Korea.

In a blog post, Symantec listed numerous links between Lazarus and software the group had left behind after launching an earlier, less virulent, version of the malware in February. One was a variant of software used to wipe disks during the Sony Pictures attack, while another tool used the same internet addresses as two other pieces of malware linked to Lazarus.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

The most effective version of WannaCry spread by using a flaw in Microsoft’s Windows and a program that took advantage of it that had been used by the U.S. National Security Agency, officials said privately.

That program was among a batch leaked or stolen and then dumped online by a group calling itself The Shadow Brokers, who some in U.S. intelligence believe to be affiliated with Russia.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

Cybersecurity company Kaspersky has said it had found several similarities between the WannaCry malware from the earlier attack and those used by Lazarus. But in an interview last week, its Asia research director, Vitaly Kamluk, said it was not conclusive evidence. “It’s unusual,” he said.

Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, said that the Korean language used in some versions of the WannaCry ransom note was not that of a native speaker, making a Lazarus connection unlikely.

But Thakur said that some hackers deliberately obfuscate their language to make tracing them harder. It is also possible that the writer in question was a contractor in another country, he said.

Thakur said a less likely scenario is that Lazarus’ main aim was to create chaos by distributing WannaCry.

If the hackers’ main objective was to earn money on the side, that would suggest an undisciplined hacking operation run by North Korea, one that could be exploited and weakened by the country’s many foes.

“The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help,” Thakur said.

Lazarus has also been linked to attacks on banks using their SWIFT messaging network. Last year, hackers stole $81 million from Bangladesh’s central bank. Symantec said malware used in that attack was linked to Lazarus.

(Reporting by Joseph Menn, Dustin Volz, Jeremy Wagstaff and Ju-Min Park; Editing by Chris Reese, Mary Milliken and Raju Gopalakrishnan)

Newly discovered vulnerability raises fears of another WannaCry

FILE PHOTO: A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

SINGAPORE (Reuters) – A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday.

The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch.

Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced.

But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. “This one seems to be very, very easy to exploit,” she said.

Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers. There are likely to be many more, it said in response to emailed questions.

Most of the computers found are running older versions of the software and cannot be patched, said Brown.

Some of the computers appear to belong to organizations and companies, she said, but most were home users.

The vulnerability could potentially be used to create a worm like the one which allowed WannaCry to spread so quickly, Brown said, but that would require an extra step for the attacker.

Cybersecurity researchers have said they believe North Korean hackers were behind the WannaCry malware, which encrypted data on victims’ computers and demanded bitcoin in return for a decryption key.

(Reporting and writing By Jeremy Wagstaff; Editing by Michael Perry)

Security experts find clues to ransomware worm’s lingering risks

(Corrects spelling of first name in paragraph 22 of this May 18 story to Salim from Samil)

By Eric Auchard

FRANKFURT (Reuters) – Two-thirds of those caught up in the past week’s global ransomware attack were running Microsoft’s Windows 7 operating system without the latest security updates, a survey for Reuters by security ratings firm BitSight found.

Researchers are struggling to try to find early traces of WannaCry, which remains an active threat in hardest-hit China and Russia, believing that identifying “patient zero” could help catch its criminal authors.

They are having more luck dissecting flaws that limited its spread.

Security experts warn that while computers at more than 300,000 internet addresses were hit by the ransomware strain, further attacks that fix weaknesses in WannaCry will follow that hit larger numbers of users, with more devastating consequences.

“Some organizations just aren’t aware of the risks; some don’t want to risk interrupting important business processes; sometimes they are short-staffed,” said Ziv Mador, vice president of security research at Trustwave’s Israeli SpiderLabs unit.

“There are plenty of reasons people wait to patch and none of them are good,” said Mador, a former long-time security researcher for Microsoft.

WannaCry’s worm-like capacity to infect other computers on the same network with no human intervention appear tailored to Windows 7, said Paul Pratley, head of investigations & incident response at UK consulting firm MWR InfoSecurity.

Data from BitSight covering 160,000 internet-connected computers hit by WannaCry, shows that Windows 7 accounts for 67 percent of infections, although it represents less than half of the global distribution of Windows PC users.

Computers running older versions, such as Windows XP used in Britain’s NHS health system, while individually vulnerable to attack, appear incapable of spreading infections and played a far smaller role in the global attack than initially reported.

In laboratory testing, researchers at MWR and Kyptos say they have found Windows XP crashes before the virus can spread.

Windows 10, the latest version of Microsoft’s flagship operating system franchise, accounts for another 15 percent, while older versions of Windows including 8.1, 8, XP and Vista, account for the remainder, BitSight estimated.

COMPUTER BASICS

Any organization which heeded strongly worded warnings from Microsoft to urgently install a security patch it labeled “critical” when it was released on March 14 on all computers on their networks are immune, experts agree.

Those hit by WannaCry also failed to heed warnings last year from Microsoft to disable a file sharing feature in Windows known as SMB, which a covert hacker group calling itself Shadow Brokers had claimed was used by NSA intelligence operatives to sneak into Windows PCs.

“Clearly people who run supported versions of Windows and patched quickly were not affected”, Trustwave’s Mador said.

Microsoft has faced criticism since 2014 for withdrawing support for older versions of Windows software such as 16-year-old Windows XP and requiring users to pay hefty annual fees instead. The British government canceled a nationwide NHS support contract with Microsoft after a year, leaving upgrades to local trusts.

Seeking to head off further criticism in the wake of the WannaCry outbreak, the U.S. software giant last weekend released a free patch for Windows XP and other older Windows versions that it previously only offered to paying customers.(http://reut.rs/2qvSPUR)

Microsoft declined to comment for this story.

On Sunday, the U.S. software giant called on intelligence services to strike a better balance between their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – and sharing those flaws with technology companies to better secure the internet (http://reut.rs/2qAOdLm).

Half of all internet addresses corrupted globally by WannaCry are located in China and Russia, with 30 and 20 percent respectively. Infection levels spiked again in both countries this week and remained high through Thursday, according to data supplied to Reuters by threat intelligence firm Kryptos Logic.

By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.(http://tmsnrt.rs/2qIUckv)

DUMB AND SOPHISTICATED

The ransomware mixes copycat software loaded with amateur coding mistakes and recently leaked spy tools widely believed to have been stolen from the U.S. National Security Agency, creating a vastly potent class of crimeware.

“What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption”, said Samil Neino, 32, chief executive of Los Angeles-based Kryptos Logic.

Last Friday, the company’s British-based 22-year-old data breach research chief, Marcus Hutchins, created a “kill-switch”, which security experts have widely hailed as the decisive step in halting the ransomware’s rapid spread around the globe.

WannaCry appears to target mainly enterprises rather than consumers: Once it infects one machine, it silently proliferates across internal networks which can connect hundreds or thousands of machines in large firms, unlike individual consumers at home.

An unknown number of computers sit behind the 300,000 infected internet connections identified by Kryptos.

Because of the way WannaCry spreads sneakily inside organization networks, a far larger total of ransomed computers sitting behind company firewalls may be hit, possibly numbering upward of a million machines. The company is crunching data to arrive at a firmer estimate it aims to release later Thursday.

Liran Eshel, chief executive of cloud storage provider CTERA Networks, said: “The attack shows how sophisticated ransomware has become, forcing even unaffected organizations to rethink strategies.”

ESCAPE ROUTE

Researchers from a variety of security firms say they have so far failed to find a way to decrypt files locked up by WannaCry and say chances are low anyone will succeed.

However, a bug in WannaCry code means the attackers cannot use unique bitcoin addresses to track payments, security researchers at Symantec found this week. The result: “Users unlikely to get files restored”, the company’s Security Response team tweeted.

The rapid recovery by many organizations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.

While encrypting individual computers it infects, WannaCry code does not attack network data-backup systems, as more sophisticated ransomware packages typically do, security experts who have studied WannaCry code agree.

These factors help explain the mystery of why such a tiny number of victims appear to have paid ransoms into the three bitcoin accounts to which WannaCry directs victims.

Less than 300 payments worth around $83,000 had been paid into WannaCry blackmail accounts by Thursday (1800 GMT), six days after the attack began and one day before the ransomware threatens to start locking up victim computers forever. (Reuters graphic: [http://tmsnrt.rs/2rqaLyz)

The Verizon 2017 Data Breach Investigations Report, the most comprehensive annual survey of security breakdowns, found that it takes three months before at least half of organizations install major new software security patches.

WannaCry landed nine weeks after Microsoft’s patch arrived.

“The same things are causing the same problems. That’s what the data shows,” MWR research head Pratley said.

“We haven’t seen many organizations fall over and that’s because they did some of the security basics,” he said.

For a graphic on WannaCry worm, click http://fingfx.thomsonreuters.com/gfx/rngs/CYBER-ATTACK/010041552FY/index.html

(Editing by Philippa Fletcher)

Symantec says ‘highly likely’ North Korea group behind ransomware attacks