Bitcoin’s murkier rivals line up to displace it as cybercriminals’ favourite

FILE PHOTO: A Bitcoin (virtual currency) paper wallet with QR codes and a coin are seen in an illustration picture taken in Paris, France May 27, 2015. REUTERS/Benoit Tessier/File Photo

By Jemima Kelly

LONDON (Reuters) – Bitcoin is well-entrenched as the preferred payment for cybercriminals like the WannaCry hackers who have hit more than 300,000 computers over the past week, but cryptocurrencies offering more anonymity are threatening to displace it.

A key reason for bitcoin’s dominance in the nefarious online underworld, say technologists and cybercrime experts, is its size – the total value of all bitcoins in circulation is more than twice that of the nearest of hundreds of rivals.

That makes it easy for victims to access enough to pay the ransoms demanded, and for hackers to cash out of it via online exchanges to spend money in the real world.

Bitcoin was set up in 2008 by someone – or some group – calling themselves Satoshi Nakamoto, and was the first digital currency to successfully use cryptography to keep transactions secure and hidden, making traditional financial regulation difficult if not impossible.

Money is sent from one anonymous online “wallet” to another with no need for a third party to validate or clear the transactions.

In the WannaCry attack, victims were given the addresses of three anonymous bitcoin wallets and a demand for ransom payments from $300 worth of bitcoin, with a promise that the affected machines would be decrypted in return, though no evidence has shown that the promise will be kept.

But since the way that Bitcoin functions is via the blockchain – a giant, virtually tamper-proof, shared ledger of all bitcoin transactions ever made – payments can be traced, if users do not have the sophistication to take further steps to cloak themselves using digital anonymity tools.

“In the initial days of bitcoin, people…didn’t realise they were recording for posterity on the blockchain every financial transaction that ever took place,” said Emin Gun Sirer, a computer science professor at Cornell University.

Bitcoin addresses are anonymous, but users can be traced through IP addresses or by analysing money flows.

If criminals using bitcoin want to stay truly anonymous, Gun Sirer said, they have to go through a number of additional, complex steps to make sure they do not get caught.

It is not yet clear what level of sophistication the WannaCry hackers have when it comes to laundering their cryptocurrency, as none of the money has yet been moved out of the three bitcoin wallets linked to the ransomware, which have had over $80,000 worth of bitcoin paid into them so far. [http://tmsnrt.rs/2rqaLyz]

But some have suggested that the fact that the WannaCry hackers demanded bitcoin shows how amateur they are.

“If it was me, I would want people to use bitcoin all day, because you can trace it,” said Luke Wilson, vice president for law enforcement at Elliptic, a London-based security firm that tracks illicit bitcoin transactions and that counts the U.S. Federal Bureau of Investigation (FBI) among its clients.

Wilson, who used to work at the FBI, where he set up a taskforce to investigate the use of virtual currencies, did not disclose all the ways that Elliptic and law enforcement agencies find criminals using bitcoin. But sometimes, he said, the offenders make as obvious a mistake as withdrawing money from a bitcoin wallet directly into their bank accounts.

CAT-AND-MOUSE GAME

More sophisticated criminals use obfuscation methods that make them very hard to track down. One of the most basic ones is a technique known as “chain-hopping”, whereby money is moved from one cryptocurrency into another, across digital currency exchanges – the less-regulated the better – to create a money trail that is almost impossible to track.

Newer and more complex money-laundering methods have also emerged in recent years, which make it very difficult for law enforcement and bitcoin security firms such as Elliptic or New-York-based Chainalysis to track down cybercriminals.

“It’s a cat-and-mouse game – as police and companies like Elliptic catch up to criminals’ techniques, they invent new techniques,” said Jerry Brito, executive director of the Washington, D.C.-based Coin Center, a not-for-profit advocacy group focusing on public policy issues around cryptocurrency.

These techniques are not foolproof, however – chain-hopping, for example, relies on unregulated exchanges that do not carry out know-your-customer (KYC) checks, and security firms say they will develop ways to trace such methods.

MONERO HACK

Easier, perhaps, would be for cybercriminals to use next-generation cryptocurrencies that have built-in anonymity from the start, such as Monero, Dash and Zcash.

And indeed, experts said late on Tuesday that a computer virus that exploits the same vulnerability as the WannaCry attack had latched on to more than 200,000 computers and begun using them to manufacture – or “mine” – Monero currency.

But with a total value of around $425 million – a little over 1 percent of that of bitcoin – converting that currency into spendable cash might not be so easy, and it is also much harder for victims to access, alternative payments experts said.

That is why the Monero attack did not demand a ransom, but rather used the infected computers’ computing power to create new currency.

“This used to happen in bitcoin before it became big – there were loads of botnets that went into computers that used to mine bitcoin, but you now can’t basically mine bitcoin on normal computers because you need specialist hardware,” said Chainalysis CEO Jonathan Levin.

Levin said such bitcoin-based attacks were carried out several years ago, when mining it was still largely a hobby for tech geeks using their home computers.

As the bitcoin price has risen and as transaction numbers have grown, the computers have become so specialized that they can only perform the function of bitcoin mining.

“If Monero does become adopted and is as big and liquid (as bitcoin), that means the crime (will) move from using computers to mine to getting to extortion,” Levin said.

Cyber attack eases, hacking group threatens to sell code

Hardware used for cybersecurity is displayed at the desk of Security Platform during the TechCrunch Disrupt event in Manhattan, in New York City, NY, U.S. May 15, 2017. REUTERS/Eduardo Munoz

By Dustin Volz

WASHINGTON (Reuters) – Governments turned their attention to a possible new wave of cyber threats on Tuesday after the group that leaked U.S. hacking tools used to launch the global WannaCry “ransomware” attack warned it would release more malicious code.

The fast-spreading cyber extortion campaign, which has infected more than 300,000 computers worldwide since Friday, eased for a second day on Tuesday, but the identity and motive of its creators remain unknown.

The attack includes elements that belong to the U.S. National Security Agency and were leaked online last month.

Shadow Brokers, the group that has taken credit for that leak, threatened on Tuesday to release more recent code to enable hackers to break into the world’s most widely used computers, software and phones.

A blog post written by the group promised to release tools every month from June to anyone willing to pay for access to some of the tech world’s biggest commercial secrets.

It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs. “More details in June,” it promised.

The spread of the WannaCry attack – which encrypts a user’s data and demands a “ransom” be paid electronically to free it up again – slowed to a trickle on Tuesday, with few, isolated examples being reported.

In Canada, the Universite de Montreal was hit, with 120 of the French-language university’s 8,300 computers affected, according to a university spokeswoman.

There were no new, major incidents in the United States. Fewer than 10 U.S. organizations have reported attacks to the Department of Homeland Security since Friday, a U.S. official told reporters on Tuesday.

The attack has caused most damage in Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.

The United States likely avoided greater harm as the attack targeted older versions of Microsoft Corp’s <MSFT.O> Windows operating system, and more U.S. users have licensed, up-to-date, patched versions of the software, compared to other regions of the world.

The Department of Homeland Security began an “aggressive awareness campaign” to alert the tech industry to the importance of installing the patch that Microsoft issued in March that protected users from the vulnerability exploited by the attack, a U.S. official working on the attack told Reuters.

Microsoft said on Tuesday it was aware of Shadow Brokers’ most recent claim and that its security teams monitor potential threats in order to “help us prioritize and take appropriate action.”

Microsoft President and Chief Legal Officer Brad Smith said earlier this week the WannaCry attack used elements stolen from the NSA. The U.S. government has not commented directly on the matter.

NORTH KOREA LINK PROBED

Cyber security researchers around the world have said they have found evidence that could link North Korea with the WannaCry cyber attack.

A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec <SYMC.O> and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service.

Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.

FireEye Inc <FEYE.O>, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.

“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.

U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cyber security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.

NO INFORMATION TO SHARE

In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.

Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.

In Malaysia, cyber security firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.

“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.

“The real situation may be serious. In one of the cases, the attack was traced back to early April.”

Vietnam’s state media said on Tuesday more than 200 computers had been affected, but one of the country’s leading anti virus companies, Bkav, later put the figure at 1,900.

Taiwan Power Co. <TAIWP.UL> said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.

(Additional reporting by Eric Auchard in Frankfurt, Julia Edwards Ainsley in Washington, Jim Finkle in Toronto, Allison Lampert in Montreal, Jess Macy Yu in Taipei, My Pham and Mai Nguyen in Hanoi, Ju-min Park in Seoul, Michael Martina in Beijing and Liz Lee in Kuala Lumpur; Writing by Jeremy Wagstaff in Singapore and Bill Rigby in New York; Editing by Sam Holmes)

China hit by cyber virus, Europe warns of more attacks

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.

By Cate Cadell and Guy Faulconbridge

BEIJING/LONDON (Reuters) – The WannaCry “ransomware” cyber attack hobbled Chinese traffic police and schools on Monday as it rolled into Asia for the new work week, while authorities in Europe said they were trying to prevent hackers from spreading new versions of the virus.

In Britain, where the virus first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service vulnerable.

Shares in firms that provide cyber security services rose with the prospect that companies and governments would have to spend more money on defenses.

Some victims were ignoring official advice and paying the $300 ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday’s first wave.

Brian Lord, managing director of cyber and technology at cybersecurity firm PGI, said victims had told him “the customer service provided by the criminals is second to none”, with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Although the virus’s spread was curbed over the weekend in most of the world, France, where carmaker Renault was among the world’s highest profile victims, said more attacks were likely.

“We should expect similar attacks regularly in the coming days and weeks,” said Guillaume Poupard, head of French government cyber security agency ANSSI. “Attackers update their software … other attackers will learn from the method and will carry out attacks.”

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a “kill switch” – an internet address which halted the virus when activated.

SPREAD SLOWING

China appeared over the weekend to have been particularly vulnerable, raising worries about how well the world’s second largest economy would cope when it opened for business on Monday. However, officials and security firms said the spread was starting to slow.

“The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days,” said Chinese Internet security company Qihoo 360. “Previous concerns of a wide-scale infection of domestic institutions did not eventuate.”

Qihoo had previously said the attack had infected close to 30,000 organizations by Saturday evening, more than 4,000 of which were educational institutions.

The virus hit computers running older versions of Microsoft software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks.

In a blog post on Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: the attack made use of a hacking tool built by the U.S. National Security Agency that had leaked online in April.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading. Some have also been machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

“The government’s response has been chaotic, to be frank,” the British Labour Party’s health spokesman Jon Ashworth said. “They’ve complacently dismissed warnings which experts, we now understand, have made in recent weeks.”

“The truth is, if you’re going to cut infrastructure budgets and if you’re not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack.”

Britain’s National Health Service (NHS) is the world’s fifth largest employer after the U.S. and Chinese militaries, Walmart and McDonald’s. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.

WARNINGS GIVEN

Asked if the government had ignored warnings over the NHS being at risk from cyber attack, Prime Minister Theresa May told Sky News: “No. It was clear [that] warnings were given to hospital trusts.”

An official from Cybersecurity Administration China (CAC) told local media on Monday that while the ransomware was still spreading and had affected industry and government computer systems, the spread was slowing.

Chinese government bodies from transport, social security, industry watchdogs and immigration said they had suspended services ranging from processing applications to traffic crime enforcement.

It was not immediately clear whether those services were suspended due to attacks, or for emergency patching to prevent infection.

“If a system supports some kind of critical processes those systems typically are very hard to patch … We don’t have a precedent for something of this scale (in China),” said Marin Ivezic, a cybersecurity expert at PwC in Hong Kong.

Affected bodies included a social security department in the city of Changsha, the exit-entry bureau in Dalian, a housing fund in Zhuhai and an industry watchdog in Xuzhou.

Energy giant PetroChina said payment systems at some of its petrol stations were hit, although it had been able to restore most of the systems.

Elsewhere in Asia, the impact seems to have been more limited. Japan’s National Police Agency reported two breaches of computers in the country on Sunday – one at a hospital and the other case involving a private person – but no loss of funds.

Industrial conglomerate Hitachi Ltd. said the attack had affected its systems at some point over the weekend, leaving them unable to receive and send e-mails or open attachments in some cases.

In India, the government said it had only received a few reports of attacks on systems and urged those hit not to pay attackers any ransom. No major Indian corporations reported disruptions to operations.

At Indonesia’s biggest cancer hospital, Dharmais Hospital in Jakarta, around 100-200 people packed waiting rooms after the institution was hit by cyber attacks affecting scores of computers. By late morning, some people were still filling out forms manually, but the hospital said 70 percent of systems were back online.

South Korea’s presidential Blue House office said nine cases of ransomware were found in the country, but did not provide details on where the cyber attacks were discovered. A coal port in New Zealand shut temporarily to upgrade its systems.

(Writing by Peter Graff, editing by Peter Millership)

Global cyber attack slows but experts see risk of fresh strikes

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Eric Auchard

SINGAPORE/FRANKFURT (Reuters) – A global cyber attack described as unprecedented in scale forced a major European automaker to halt some production lines while hitting schools in China and hospitals in Indonesia on Saturday, though it appeared to die down a day after its launch.

Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the cyber assault has infected tens of thousands of computers in nearly 100 countries, with Britain’s health system suffering the worst disruptions.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.

Once inside the targeted network, so-called ransomware made use of recently revealed spy tools to silently infect other out-of-date machines without any human intervention. This, security experts said, marked an unprecedented escalation in the risk of fresh attacks spreading in the coming days and weeks.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Researchers observed some victims paying via the digital currency bitcoin, though no one knows how much may have been transferred to extortionists because of the largely anonymous nature of such transactions.

Researchers with security software maker Avast said they had observed 126,534 ransomware infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

The hackers, who have not come forward to claim responsibility or otherwise been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as “Eternal Blue” that was released last month by a hackers group known as the Shadow Brokers, according to researchers with several private cyber security firms.

Renault said it had halted auto production at several sites including Sandouville in northwestern France and Renault-owned Dacia plants in Romania on Saturday to prevent the spread of ransomware in its systems.

Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault though “there has been no major impact on our business”, a spokesman for the Japanese carmaker said.

German rail operator Deutsche Bahn [DBN.UL] said some electronic signs at stations announcing arrivals and departures were infected, with travelers posting pictures showing some bearing a message demanding a cash payment to restore access.

“UNPRECEDENTED” ATTACK EASES

Europol’s European Cybercrime Center said it was working closely with country investigators and private security firms to combat the threat and help victims. “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The researcher in Britain widely credited with foiling the ransomware’s proliferation told Reuters he had not seen any such tweaks yet, “but they will (happen).”

Researchers said the worm deployed in the latest attack, or similar tools released by Shadow Brokers, are likely to be used for fresh assaults not just with ransomware but other malware to break into firms, seize control of networks and steal data.

Finance chiefs from the Group of Seven rich countries were to commit on Saturday to joining forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government. “Things could likely emerge on Monday” as staff return to work.

China’s information security watchdog said “a portion” of Windows systems users in the country were infected, according to a notice posted on the official Weibo page of the Beijing branch of the Public Security Bureau on Saturday. Xinhua state news agency said some secondary schools and universities were hit.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been hit.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also breached. “We are implementing remediation steps as quickly as possible,” a FedEx statement said.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by focusing on targets in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, he added.

MICROSOFT BOLSTERS WINDOWS DEFENCES

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

The attack targeted Windows computers that had not installed patches released by Microsoft in March, or older machines running software that Microsoft no longer supports and for which patches did not exist, including the 16-year-old Windows XP system, researchers said.

Microsoft said it pushed out automatic Windows updates to defend existing clients from WannaCry. It had issued a patch on March 14 to protect them from Eternal Blue. Late on Friday, Microsoft also released patches for a range of long discontinued software, including Windows XP and Windows Server 2003.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

POLITICALLY SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus. The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French run-off vote on May 7.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted by ransomware. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small- to mid-sized organizations. “Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; editing by Mark Heinrich)

UK government in dark over who behind cyber attack

FILE PHOTO: A National Health Service (NHS) sign is seen in the grounds of St Thomas' Hospital, in front of the Houses of Parliament in London June 7, 2011. REUTERS/Toby Melville/File Photo

LONDON (Reuters) – The British government does not yet know who was behind Friday’s global cyber attack that disrupted the country’s health system, interior minister Amber Rudd said on Saturday.

“We’re not able to tell you who’s behind the attack. That work is still ongoing,” she told BBC radio.

She said Britain’s National Cyber Security Center was working with the country’s health service to ensure the attack was contained, while the National Crime Agency was working with them to find out where it came from.

Rudd said the government did not know if the attack was directed by a foreign government.

On Friday, cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files. Nearly 100 countries were impacted.

Rudd said the attack was not specifically targeted at Britain’s health service.

“(The virus) feels random in terms of where it’s gone to and where it’s been opened,” she said.

Though 45 health service organizations in England and Scotland were affected by malicious software, no patient data has been accessed or transferred, said Rudd.

The minister said lessons had to be learned from the attack.

“There will be lessons to learn … Why is it certain regions are affected more than others? Is it to do with the software? Is it to do with better IT?”

Separately on Saturday, finance chiefs from the Group of Seven rich countries will commit to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Bari, Italy.

(Reporting by James Davey; Editing by Mark Potter)

Global cyber attack fuels concern about U.S. vulnerability disclosures

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Dustin Volz

WASHINGTON (Reuters) – A global cyber attack on Friday renewed concerns about whether the U.S. National Security Agency and other countries’ intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.

Hacking tools believed to belong to the NSA that were leaked online last month appear to be the root cause of a major cyber attack unfurling throughout Europe and beyond, security researchers said, stoking fears that the spy agency’s powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.

Some cyber security experts and privacy advocates said the massive attack reflected a flawed approach by the United States to dedicate more cyber resources to offense rather than defense, a practice they argued makes the internet less secure.

Across the U.S. federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters in March. (http://reut.rs/2o7qHqN)

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

The NSA did not respond to a request for comment.

Hospitals and doctors’ surgeries in parts of England on Friday were forced to turn away patients and cancel appointments after they were infected with the “ransomware”, which scrambled data on computers and demanded payments of $300 to $600 to restore access.

Security software maker Avast said it had observed more than 57,000 infections in 99 countries. Russia, Ukraine and Taiwan were the top targets, it said.

Private security firms identified the virus as a new variant of ‘WannaCry’ ransomware with the ability to automatically spread across large networks by exploiting a bug in Microsoft Corp’s Windows operating system.

Security experts said the ransomware used in the attacks leveraged a hacking tool found in a leak of documents in April by a group known as Shadow Brokers.

At the time, Microsoft acknowledged the vulnerabilities and said they had been patched in a series of earlier updates pushed to customers, the most recent of which had been rolled out only a month earlier in March. But the episode prompted concerns about whether the tools could be leveraged by hackers to attack unpatched systems.

In a statement, a Microsoft spokesman said on Friday its engineers had provided additional detection and protection services against the WannaCry malware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Updates enabled and use the company’s free antivirus software are protected.

Shadow Brokers first emerged last year and began dumping tranches of documents that it said belonged to the NSA, though the files appeared at least a few years old.

Over time, western researchers have grown more confident that Russia may be behind Shadow Brokers and possibly other recent disclosures of sensitive information about cyber capabilities that have been pilfered from U.S. intelligence agencies.

Some researchers cast blame not on the NSA but on the hospitals and other customers that appeared to leave themselves open to attack.

“The main problem here is organizations taking more than eight weeks to patch once Microsoft released the update,” said Chris Wysopal, chief technology officer at the cyber firm Veracode. “Eight weeks is plenty of time for a criminal organization to develop a sophisticated attack on software and launch it on a wide scale.”

Former intelligence contractor Edward Snowden, who in 2013 leaked documents to journalists revealing the existence of broad U.S. surveillance programs, said on Twitter the NSA had built attack tools targeting U.S. software that “now threatens the lives of hospital patients.”

“Despite warnings, (NSA) built dangerous attack tools that could target Western software,” Snowden said. “Today we see the cost.”

(This version of the story has been refiled to correct spelling of hoard in first paragraph)

(Reporting by Dustin Volz; Editing by Lisa Shumaker)

Global cyber attack hits hospitals and companies, threat seen fading for now

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Costas Pitas

SINGAPORE/LONDON (Reuters) – A global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain’s health system and global shipper FedEx.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, limiting the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The British-based researcher who may have foiled the ransomware’s spread told Reuters he had not seen any such tweaks yet, “but they will.”

Finance chiefs from the Group of Seven rich countries will commit on Saturday to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, although the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government.

“Things could likely emerge on Monday.”

China’s official Xinhua news agency said some secondary schools and universities had been affected, without specifying how many or identifying them.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been affected.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur added.

MICROSOFT UPS DEFENSES

The U.S. Department of Homeland Security said it was sharing information with domestic and foreign partners and was ready to lend technical support.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm”, or self-spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began the previous week when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus. The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

The British government did not know who was behind the attack but its National Crime Agency was working to find out, interior minister Amber Rudd said.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French one.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations.

“Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; Editing by Rob Birsel and Mike Collett-White)

Hackers exploit stolen U.S. spy agency tool to launch global cyberattack

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain’s health system and infected computers in nearly 100 countries on Friday.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Still, only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur said.

The U.S. Department of Homeland Security said late on Friday that it was aware of reports of the ransomware, was sharing information with domestic and foreign partners and was ready to lend technical support.

Telecommunications company Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“Once it gets in and starts moving across the infrastructure, there is no way to stop it,” said Adam Meyers, a researcher with cyber security firm CrowdStrike.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm,” or self-spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement. It said the company was working with its customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 1-1/2 days before a run-off vote in which he was elected as the new president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus. Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as the country’s biggest bank, Sberbank, said they were targeted. The interior ministry said on its website that around 1,000 computers had been infected but it had localized the virus.

The emergencies ministry told Russian news agencies it had repelled the cyberattacks while Sberbank said its cyber security systems had prevented viruses from entering its systems.

NEW BREED OF RANSOMWARE

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh; Writing by Mark Trevelyan and Jim Finkle; Editing by Ralph Boulton and Grant McCool)

British hospitals, Spanish firms among targets of huge cyberattack

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A huge cyberattack brought disruption to Britain’s health system on Friday and infected many Spanish companies with malicious software, and security researchers said a dozen other countries may be affected.

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among the targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Authorities in both countries said the attack was conducted using ‘ransomware’ – malicious software that infects machines, locks them up by encrypting data and demands a ransom to restore access. They identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement. Still, the news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: “We were the target of an attack, like what is happening in all of Europe, a large-scale attack, but none of our services were affected.”

British-based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with preliminary evidence of infections from 14 countries so far, also including Russia, Indonesia and Ukraine.

PM BRIEFED

A spokesman for British Prime Minister Theresa May said she was being kept informed of the incident, which came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

The full extent of Friday’s disruption in Britain remained unclear.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital, the computer arm of the health service, said in a statement.

Britain’s National Cyber Security Centre, part of the GCHQ spy agency, said it was aware of a cyber incident and was working with NHS Digital and the police to investigate.

A reporter from the Health Service Journal said the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

It was not immediately clear how many Spanish organizations had been compromised by the attacks, if any critical services had been interrupted or whether victims had paid cyber criminals to regain access to their networks.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Kate Holton, Andy Bruce, Michael Holden and David Milliken; Editing by Mark Trevelyan and Ralph Boulton)

Ransomware: Extortionist hackers borrow customer-service tactics

Hollywood Presbyterian Medical Center

By Jim Finkle

TEWKSBURY, Mass (Reuters) – When hackers set out to extort the town of Tewksbury, Massachusetts with “ransomware,” they followed up with an FAQ explaining the attack and easy instructions for online payment.

After balking for several days, Tewksbury officials decided that paying the modest ransom of about $600 was better than struggling to unlock its own systems, said police chief Timothy Sheehan.

That case and others show how cyber-criminals have professionalized ransomware schemes, borrowing tactics from customer service or marketing, law enforcement officials and security firms say. Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.

The advancements, along with modest ransom demands, make it easier to pay than fight.

“It’s a perfect business model, as long as you overlook the fact that they are doing something awful,” said James Trombly, president of Delphi Technology Solutions, a Lawrence, Massachusetts, computer services firm that helped three clients over the past year pay ransoms in bitcoin, the virtual currency. He declined to identify the clients.

In the December 2014 attack on Tewksbury, the pressure to pay took on a special urgency because hackers disabled emergency systems. The same is true of additional attacks on police departments and hospitals since then. But all sectors of government and business are targeted, along with individuals, security firms said.

The total cost of ransomware attacks is hard to quantify. But the Cyber Threat Alliance, a group of leading cyber security firms, last year estimated that global damages from CryptoWall 3 – among the most popular of dozens of ransomware variants – totaled $325 million in the first nine months of 2015.

Some operations hire underground call centers or email-response groups to walk victims through paying and restoring their data, said Lance James, chief scientist with the cyber-intelligence firm Flashpoint.

Graphic artists and translators craft clear ransom demands and instructions in multiple languages. They use geolocation to make sure that victims in Italy get the Italian version, said Alex Holden, chief information security officer with Hold Security.

While ransomware attacks have been around longer than a decade, security experts say they’ve become far more threatening and prevalent in recent years because of state-of-the-art encryption, modules that infect backup systems, and the ability to infect large numbers of computers over a single network.

Law enforcement officials have long advised victims against paying ransoms. Paying ransoms is “supporting the business model,” encouraging more criminals to become extortionists, said Will Bales, a supervisory special agent for the Federal Bureau of Investigation.

But Bales, who helps run ransomware investigations nationwide from the Washington, DC office, acknowledged that the payoffs make economic sense for many victims.

“It is a business decision for the victim to make,” he said.

Run-of-the-mill ransomware attacks typically seek 1 bitcoin, now worth about $420, which is about the same as the hourly rate that some security consultants charge to respond to such incidents, according to security firms who investigate ransomware cases.

Some attacks seek more, as when hackers forced Hollywood Presbyterian Hospital in Los Angeles to pay $17,000 to end an outage in February.

Such publicized incidents will breed more attacks, said California State Senator Robert Hertzberg, who in February introduced legislation to make ransomware schemes punishable by up to four years in prison. The Senate’s public safety committee was scheduled to review that bill on Tuesday.

Some victims choose not to pay. The Pearland Independent School District near Houston refused to fork over about $1,600 in ransom demanded in two attacks this year, losing about three days of work from teachers and students. Instead, the district invested tens of thousands of dollars on security software, said Jonathan Block, the district’s desktop support services manager.

“This threat is real and something that needs to be dealt with,” Block said.

The town of Tewksbury has also upgraded its security technology, but Sheehan says he fears more attacks.

“We are so petrified we could be put into this position again,” he said. “Everybody is vulnerable.”

(Reporting by Jim Finkle. Additional reporting by Dustin Volz. Editing by Jonathan Weber and Brian Thevenot.)