Security experts find clues to ransomware worm’s lingering risks

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

(Corrects spelling of first name in paragraph 22 of this May 18 story to Salim from Samil)

By Eric Auchard

FRANKFURT (Reuters) – Two-thirds of those caught up in the past week’s global ransomware attack were running Microsoft’s Windows 7 operating system without the latest security updates, a survey for Reuters by security ratings firm BitSight found.

Researchers are struggling to try to find early traces of WannaCry, which remains an active threat in hardest-hit China and Russia, believing that identifying “patient zero” could help catch its criminal authors.

They are having more luck dissecting flaws that limited its spread.

Security experts warn that while computers at more than 300,000 internet addresses were hit by the ransomware strain, further attacks that fix weaknesses in WannaCry will follow that hit larger numbers of users, with more devastating consequences.

“Some organizations just aren’t aware of the risks; some don’t want to risk interrupting important business processes; sometimes they are short-staffed,” said Ziv Mador, vice president of security research at Trustwave’s Israeli SpiderLabs unit.

“There are plenty of reasons people wait to patch and none of them are good,” said Mador, a former long-time security researcher for Microsoft.

WannaCry’s worm-like capacity to infect other computers on the same network with no human intervention appear tailored to Windows 7, said Paul Pratley, head of investigations & incident response at UK consulting firm MWR InfoSecurity.

Data from BitSight covering 160,000 internet-connected computers hit by WannaCry, shows that Windows 7 accounts for 67 percent of infections, although it represents less than half of the global distribution of Windows PC users.

Computers running older versions, such as Windows XP used in Britain’s NHS health system, while individually vulnerable to attack, appear incapable of spreading infections and played a far smaller role in the global attack than initially reported.

In laboratory testing, researchers at MWR and Kyptos say they have found Windows XP crashes before the virus can spread.

Windows 10, the latest version of Microsoft’s flagship operating system franchise, accounts for another 15 percent, while older versions of Windows including 8.1, 8, XP and Vista, account for the remainder, BitSight estimated.

COMPUTER BASICS

Any organization which heeded strongly worded warnings from Microsoft to urgently install a security patch it labeled “critical” when it was released on March 14 on all computers on their networks are immune, experts agree.

Those hit by WannaCry also failed to heed warnings last year from Microsoft to disable a file sharing feature in Windows known as SMB, which a covert hacker group calling itself Shadow Brokers had claimed was used by NSA intelligence operatives to sneak into Windows PCs.

“Clearly people who run supported versions of Windows and patched quickly were not affected”, Trustwave’s Mador said.

Microsoft has faced criticism since 2014 for withdrawing support for older versions of Windows software such as 16-year-old Windows XP and requiring users to pay hefty annual fees instead. The British government canceled a nationwide NHS support contract with Microsoft after a year, leaving upgrades to local trusts.

Seeking to head off further criticism in the wake of the WannaCry outbreak, the U.S. software giant last weekend released a free patch for Windows XP and other older Windows versions that it previously only offered to paying customers.(http://reut.rs/2qvSPUR)

Microsoft declined to comment for this story.

On Sunday, the U.S. software giant called on intelligence services to strike a better balance between their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – and sharing those flaws with technology companies to better secure the internet (http://reut.rs/2qAOdLm).

Half of all internet addresses corrupted globally by WannaCry are located in China and Russia, with 30 and 20 percent respectively. Infection levels spiked again in both countries this week and remained high through Thursday, according to data supplied to Reuters by threat intelligence firm Kryptos Logic.

By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.(http://tmsnrt.rs/2qIUckv)

DUMB AND SOPHISTICATED

The ransomware mixes copycat software loaded with amateur coding mistakes and recently leaked spy tools widely believed to have been stolen from the U.S. National Security Agency, creating a vastly potent class of crimeware.

“What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption”, said Samil Neino, 32, chief executive of Los Angeles-based Kryptos Logic.

Last Friday, the company’s British-based 22-year-old data breach research chief, Marcus Hutchins, created a “kill-switch”, which security experts have widely hailed as the decisive step in halting the ransomware’s rapid spread around the globe.

WannaCry appears to target mainly enterprises rather than consumers: Once it infects one machine, it silently proliferates across internal networks which can connect hundreds or thousands of machines in large firms, unlike individual consumers at home.

An unknown number of computers sit behind the 300,000 infected internet connections identified by Kryptos.

Because of the way WannaCry spreads sneakily inside organization networks, a far larger total of ransomed computers sitting behind company firewalls may be hit, possibly numbering upward of a million machines. The company is crunching data to arrive at a firmer estimate it aims to release later Thursday.

Liran Eshel, chief executive of cloud storage provider CTERA Networks, said: “The attack shows how sophisticated ransomware has become, forcing even unaffected organizations to rethink strategies.”

ESCAPE ROUTE

Researchers from a variety of security firms say they have so far failed to find a way to decrypt files locked up by WannaCry and say chances are low anyone will succeed.

However, a bug in WannaCry code means the attackers cannot use unique bitcoin addresses to track payments, security researchers at Symantec found this week. The result: “Users unlikely to get files restored”, the company’s Security Response team tweeted.

The rapid recovery by many organizations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.

While encrypting individual computers it infects, WannaCry code does not attack network data-backup systems, as more sophisticated ransomware packages typically do, security experts who have studied WannaCry code agree.

These factors help explain the mystery of why such a tiny number of victims appear to have paid ransoms into the three bitcoin accounts to which WannaCry directs victims.

Less than 300 payments worth around $83,000 had been paid into WannaCry blackmail accounts by Thursday (1800 GMT), six days after the attack began and one day before the ransomware threatens to start locking up victim computers forever. (Reuters graphic: [http://tmsnrt.rs/2rqaLyz)

The Verizon 2017 Data Breach Investigations Report, the most comprehensive annual survey of security breakdowns, found that it takes three months before at least half of organizations install major new software security patches.

WannaCry landed nine weeks after Microsoft’s patch arrived.

“The same things are causing the same problems. That’s what the data shows,” MWR research head Pratley said.

“We haven’t seen many organizations fall over and that’s because they did some of the security basics,” he said.

For a graphic on WannaCry worm, click http://fingfx.thomsonreuters.com/gfx/rngs/CYBER-ATTACK/010041552FY/index.html

(Editing by Philippa Fletcher)

China hit by cyber virus, Europe warns of more attacks

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.

By Cate Cadell and Guy Faulconbridge

BEIJING/LONDON (Reuters) – The WannaCry “ransomware” cyber attack hobbled Chinese traffic police and schools on Monday as it rolled into Asia for the new work week, while authorities in Europe said they were trying to prevent hackers from spreading new versions of the virus.

In Britain, where the virus first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service vulnerable.

Shares in firms that provide cyber security services rose with the prospect that companies and governments would have to spend more money on defenses.

Some victims were ignoring official advice and paying the $300 ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday’s first wave.

Brian Lord, managing director of cyber and technology at cybersecurity firm PGI, said victims had told him “the customer service provided by the criminals is second to none”, with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Although the virus’s spread was curbed over the weekend in most of the world, France, where carmaker Renault was among the world’s highest profile victims, said more attacks were likely.

“We should expect similar attacks regularly in the coming days and weeks,” said Giullaume Poupard, head of French government cyber security agency ANSSI. “Attackers update their software … other attackers will learn from the method and will carry out attacks.”

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a “kill switch” – an internet address which halted the virus when activated.

SPREAD SLOWING

China appeared over the weekend to have been particularly vulnerable, raising worries about how well the world’s second largest economy would cope when it opened for business on Monday. However, officials and security firms said the spread was starting to slow.

“The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days,” said Chinese Internet security company Qihoo 360. “Previous concerns of a wide-scale infection of domestic institutions did not eventuate.”

Qihoo had previously said the attack had infected close to 30,000 organizations by Saturday evening, more than 4,000 of which were educational institutions.

The virus hit computers running older versions of Microsoft software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks.

In a blog post on Sunday, Microsoft & President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: the attack made use of a hacking tool built by the U.S. National Security Agency that had leaked online in April.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading. Some have also been machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

“The government’s response has been chaotic, to be frank,” the British Labour Party’s health spokesman Jon Ashworth said. “They’ve complacently dismissed warnings which experts, we now understand, have made in recent weeks.”

“The truth is, if you’re going to cut infrastructure budgets and if you’re not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack.”

Britain’s National Health Service (NHS) is the world’s fifth largest employer after the U.S. and Chinese militaries, Walmart and McDonald’s. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.

WARNINGS GIVEN

Asked if the government had ignored warnings over the NHS being at risk from cyber attack, Prime Minister Theresa May told Sky News: “No. It was clear [that] warnings were given to hospital trusts.”

An official from Cybersecurity Administration China (CAC) told local media on Monday that while the ransomware was still spreading and had affected industry and government computer systems, the spread was slowing.

Chinese government bodies from transport, social security, industry watchdogs and immigration said they had suspended services ranging from processing applications to traffic crime enforcement.

It was not immediately clear whether those services were suspended due to attacks, or for emergency patching to prevent infection.

“If a system supports some kind of critical processes those systems typically are very hard to patch … We don’t have a precedent for something of this scale (in China),” said Marin Ivezic, a cybersecurity expert at PwC in Hong Kong.

Affected bodies included a social security department in the city of Changsha, the exit-entry bureau in Dalian, a housing fund in Zhuhai and an industry watchdog in Xuzhou.

Energy giant PetroChina  said payment systems at some of its petrol stations were hit, although it had been able to restore most of the systems.

Elsewhere in Asia, the impact seems to have been more limited. Japan’s National Police Agency reported two breaches of computers in the country on Sunday – one at a hospital and the other case involving a private person – but no loss of funds.

Industrial conglomerate Hitachi Ltd. said the attack had affected its systems at some point over the weekend, leaving them unable to receive and send e-mails or open attachments in some cases.

In India, the government said it had only received a few reports of attacks on systems and urged those hit not to pay attackers any ransom. No major Indian corporations reported disruptions to operations.

At Indonesia’s biggest cancer hospital, Dharmais Hospital in Jakarta, around 100-200 people packed waiting rooms after the institution was hit by cyber attacks affecting scores of computers. By late morning, some people were still filling out forms manually, but the hospital said 70 percent of systems were back online.

South Korea’s presidential Blue House office said nine cases of ransomware were found in the country, but did not provide details on where the cyber attacks were discovered. A coal port in New Zealand shut temporarily to upgrade its systems.

(Writing by Peter Graff, editing by Peter Millership)