On Friday afternoon, NHS hospitals in the UK were infected with a ransomware strain known as WannaCry. Since then, it has continued to spread across the world, infecting computers in over 150 countries. Follow along for the latest updates.
US declares North Korea the culprit behind devastating WannaCry ransomware attack

The US has declared North Korea the perpetrator of the widespread and financially devastating WannaCry ransomware cyberattack that rapidly spread across the globe in May, hitting hospitals, companies, and other critical institutions in countries around the world. The announcement came in the form of an op-ed in The Wall Street Journal authored by President Donald Trump’s Homeland Security Advisor, Thomas Bossert.
News of the administration’s announcement was reported earlier today by The Washington Post, which reports that the White House will be issuing a formal statement tomorrow. It was reported back in June that the US National Security Agency was in possession of evidence that pointed to North Korea. Bossert’s op-ed publicly confirms the NSA’s findings with support from evidence gathered by foreign governments, independent cybersecurity firms, and corporations directly hit by the attack.
The NSA reportedly believes North Korea was responsible for WannaCry ransomware attacks

North Korea increasingly appears to have been behind the ransomware attack that infected hundreds of thousands of computers last month and shut down hospitals, businesses, and other systems in the process.
The Washington Post is now reporting that the US National Security Agency believes with “moderate confidence” that the ransomware, called WannaCry, came from hackers sponsored by North Korea’s spy agency. The report isn’t public, but the Post says the assessment has been distributed within the agency.
Windows XP computers were mostly immune to WannaCry


Windows XP isn’t as vulnerable to the WannaCry ransomware as many assumed, according to a new report from Kryptos research. The company’s researchers found that XP computers hit with the most common WannaCry attack tended to simply crash without successfully installing or spreading the ransomware. If true, the result would undercut much of the early reporting on Windows XP’s role in spreading the globe-spanning ransomware.
The core of WannaCry is a vulnerability in a Windows file-sharing system called SMB, which allowed WannaCry to spread quickly across vulnerable systems with no user interaction. But when Kryptos researchers targeted an XP computer with the malware in a lab setting, they found that the computers either failed to install or exhibited a “blue screen of death,” requiring a hard reset. It’s still possible to manually install WannaCry on XP machines, but the program’s particular method of breaking through security simply isn’t effective against the older operating system.
Almost all WannaCry victims were running Windows 7


One week after it first hit, researchers are getting a better handle on how the WannaCry ransomware spread so quickly — and judging from the early figures, the story seems to be almost entirely about Windows 7.
According to data released today by Kaspersky Lab, roughly 98 percent of the computers affected by the ransomware were running some version of Windows 7, with less than one in a thousand running Windows XP. Windows Server 2008 R2 clients were also hit hard, making up just over 1 percent of infections.
The NSA’s leaked Windows hack caused more damage than just WannaCry


When the ShadowBrokers first published the code for EternalBlue — an NSA exploit targeting Windows’ file-sharing protocol — researchers knew it was a bad bug. But most had no idea of the scale of the damage that would be caused by the vulnerability.
Much of that damage has only become visible in recent days, as a ransomware program dubbed “WannaCry” locked up computers from the UK’s National Health Service to the Russian Ministry of the Interior. Some of the damage caused by EternalBlue was harder to spot, caused by more discreet malware designed to infect and monetize computers without leaving a trace. As researchers look for clues as to WannaCry’s origins, more of those programs are coming to light, and giving us more information about the sheer scale of the damage caused by EternalBlue.
After WannaCry, a new bill would force the NSA to justify its hacking tools


After last week’s massive ransomware attack shut down machines around the world, the NSA, which knew of the exploit before it was public, became a target for criticism. Microsoft patched the problem before the attack, but it’s still raised questions about how, and when, the NSA decides to hold on to software vulnerabilities.
A new bill would help bring accountability to how the NSA deals with those vulnerabilities. Introduced by Sen. Brian Schatz, the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.
The WannaCry ransomware has mysterious ties to North Korea


Researchers at Kaspersky Lab have uncovered new evidence linking the WannaCry ransomware code to North Korea. In a post today, the group detailed a segment of code used in both an early WannaCry variant and a February 2015 sample attributed to the Lazarus Group, a Kaspersky-tracked actor tied to the North Korean government. The overlap was first spotted by Google researcher Neel Mehta, and Kaspersky believes the similarity goes far beyond shared code.
“We strongly believe the February 2017 sample was compiled by the same people,” Kaspersky writes, “or by people with access to the same source code as the May 2017 WannaCry encryptor used in the May 11th wave of attacks.”
Is Microsoft to blame for the largest ransomware attacks in internet history?


Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We’re only beginning to calculate the damage inflicted by the WannaCry program — in both dollars and lives lost from hospital downtime — but at the same time, we’re also calculating blame.
There’s a long list of parties responsible, including the criminals, the NSA, and the victims themselves — but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?
Microsoft says governments should stop ‘hoarding’ security vulnerabilities after WannaCry attack

As news of the WannaCry ransomware attack broke last week, companies and governments scrambled first to keep it contained. Now, with more details about its origins and effects clear, those organizations are issuing their official responses.
Among the first is Microsoft, which rushed out an emergency patch for Windows XP on Friday, after formally ending support for the operating system three years ago. The company responded to the attacks with a strongly worded blog post, criticizing governments for “stockpiling” information about cybersecurity vulnerabilities, and likening the WannaCry attack to the US military “having some of its Tomahawk missiles stolen.”
The WannaCry ransomware attack has spread to 150 countries


Since its discovery on Friday afternoon, the WannaCry ransomware attack has continued to spread this weekend, impacting over 10,000 organizations and 200,000 individuals in over 150 countries, according to European authorities. However, while measures have been taken to slow the spread of the malware, new variations have begun to surface.
This morning, Europol director Rob Wainwright told the BBC that the cyberattack is “unprecedented in its scale,” and noted that it will likely continue as people return to work on Monday. While Microsoft took the unusual step to issue a patch for Windows XP, the patch will only work if installed, and authorities have been warning businesses to ensure that their systems are updated.
Renault shut down several French factories after cyberattack

As the massive WannaCry ransomware attack spread to over 100 countries this weekend, French automaker Renault halted production in several of its factories on Saturday, according to a spokesperson.
Speaking to Automotive News, the spokesperson confirmed that the company shut down production in its Sandouville factory, saying that “proactive measures have been put in place, including the temporarily suspension of industrial activity at some sites,” but declined to provide a full list of affected sites. Renault’s partner company Nissan was also affected: a UK spokesperson confirmed that files at its Sunderland factory were impacted on Friday night, but wouldn’t confirm reports that production was halted. A Renault spokesperson told Reuters that the company expects that “nearly all plants” will reopen on Monday.
Registering a single web address may have stopped a global malware attack


Over the past 24 hours, a ransomware program called WannaCry has shut down more than 75,000 computers across 99 countries, including a string of hospitals in the United Kingdom and critical gas and water utilities in Spain. But despite the massive scale of the attack, stopping new infections from the attack seems to have been as simple as registering a single web address.
This morning, researchers announced they had found a kill switch in the code of the ransomware program — a single domain which, when registered, would prevent any infections from taking place. It’s still unclear whether registering that domain will stop every strain of the infection, but it should severely limit the global spread of the attack.
Microsoft issues ‘highly unusual’ Windows XP patch to prevent massive ransomware attack

UK hospitals, Telefonica, FedEx, and other businesses were hit by a massive ransomware attack on Friday. Around 75,000 computers in 99 countries were affected by malware known as WannaCry, which encrypts a computer and demands a $300 ransom before unlocking it. The malware was able to spread thanks to flaws in old versions of Windows that were originally used by the NSA to hack into PCs before being made public by the Shadow Brokers group last month.
While Microsoft quickly issued fixes for the latest versions of Windows last month, this left Windows XP unprotected. Many of the machines attacked today have been breached simply because the latest Windows updates have not been applied quickly enough, but there are still organizations that continue to run Windows XP despite the risks. Microsoft is now taking what it describes as a “highly unusual” step to provide public patches for Windows operating systems that are in custom support only. This includes specific fixes for Windows XP, Windows 8, and Windows Server 2003.
UK hospitals hit with massive ransomware attack
A massive ransomware attack has shut down work at 16 hospitals across the United Kingdom. According to The Guardian, the attack began at roughly 12:30PM local time, freezing systems and encrypting files. When employees tried to access the computers, they were presented with a demand for $300 in bitcoin, a classic ransomware tactic.
The result has been a wave of canceled appointments and general disarray, as many hospitals are left unable to access basic medical records. At least one hospital has canceled all non-urgent operations as a result.
