WannaCry Ransomware: What We Know Monday

A world map shows where computers were infected by WannaCrypt ransomware since Sunday, as recorded by MalwareTech.com.
MalwareTech.com/Screenshot by NPR

A ransomware attack that began in Europe on Friday is lingering — and hitting new targets in Japan and China. The WannaCry software has locked thousands of computers in more than 150 countries. Users are confronted with a screen demanding a $300 payment to restore their files.

The cyberattack has hit more than 300,000 computers, White House homeland security adviser Tom Bossert said at Monday’s midday White House briefing. He added that the rate of infection has slowed over the weekend.

Because of its success infiltrating systems, the software — also known as WannaCrypt, Wana Decryptor or WCry — is already inspiring imitators.

Here’s a rundown of what we know on Monday:

U.S.

In the U.S., “the list of victims is very small,” a Department of Homeland Security official tells NPR, noting that it’s still relatively early in the WannaCry attack. The victims, the official says, range widely in scope, from a few computers at companies and organizations to networks of many more.

“The U.S. is still in a relatively good place — I don’t want to jinx it,” the department official says. “We don’t have a large number of victims right now, and we, for the most part, are not seeing significant operational impacts for those who have been victimized. They’ve been able to manage through it.”

The agency and its partners in the global security community are now in a “sort of cat-and-mouse” competition with hackers, as variants of the software that foil previous solutions emerge, the official says.

Asia

Businesses and networks across Asia are coping with the first wave of WannaCry during their workweek. The initial attack had started after many offices had closed Friday.

In China, many users can’t access Microsoft’s software patch to fix the vulnerability “because many Chinese computers run on pirated Microsoft operating systems,” NPR’s Rob Schmitz reports from Shanghai. He says Chinese security companies have been offering their help.

“More than 40,000 businesses and institutions in China have been struck by the malware, according to state media,” Schmitz says. “One of the country’s largest oil companies, PetroChina, reported the attack had disrupted its electronic payment systems at its gas stations over the weekend. On China’s most prestigious college campuses, students reported being locked out of their final papers.”

In Japan, several large manufacturers have been hit, reporter John Matthews tells NPR: “Companies including Hitachi have reported several of their systems going down, including computers at a hospital in eastern Japan. However, Hitachi and others have mostly only reported loss of email and other secondary functionalities.”

In India, more than “more than 100 systems of the Andhra Pradesh police department” were affected over the weekend, NDTV reports. Power utilities also reported problems.

Europe

Malware-tracking maps show WannaCry has remained active in Europe over the past 24 hours. In the U.K., where the initial attack threw parts of the health care system into chaos Friday, the government scheduled an emergency meeting Monday afternoon to discuss the attack.

French automaker Renault and its partner, Nissan, say their plants were hit by the attack, NBC reports.

“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” Europol’s European Cybercrime Center says.

While ransom payments for users’ stolen data had been notably low, the Security Response blog notes that a bitcoin address linked to the hackers showed a “spike in payments” to the account that began at 8 a.m. Greenwich Mean Time on Monday.

WannaCry’s Origins

The identity of whoever deployed the software remains unknown.

“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency,” Microsoft President and Chief Legal Officer Brad Smith says. He says that when the NSA lost control of the software behind the cyberattack, it was like “the U.S. military having some of its Tomahawk missiles stolen.”

Theft of the software was reported in April, when it was published by the Shadow Brokers, a group that has been linked to Russia. One month earlier, Microsoft had released a patch targeting the vulnerability. But the success of the attack shows that not enough people took advantage of the patch.

“This was not a tool developed by the NSA to hold ransom data,” homeland security adviser Bossert said at Monday’s White House briefing. He said the software attacking a vulnerability had been incorporated with other software and delivered in a way to cause “infection, encryption and locking.”

Fighting The Malware

A security expert in England has been hailed as an “accidental hero” for quashing the spread of the initial version of the ransomware late Friday. But we note that it’s no accident that the expert, who prefers to remain anonymous and uses the name Malware Tech, registered a domain name that was called out in the code and used it to stop the worm from spreading.

The use of that domain is being called a “kill switch” in the malware. Researchers say new variants of the software have a similar kill switch, but they refer to different domains.

“Thankfully some researchers are already registering the new domains as they identify them,” AlienVault researcher Chris Doman says. “The cat-and-mouse will likely continue until [someone] makes a larger change to the malware, removing the kill-switch functionality completely. At that point, it will be harder to stop new variants.”

The Fix

Windows users should update their software to avoid the ransomware, security experts say.

In addition to Microsoft’s Security Bulletin MS17-010 that patched the vulnerability in March, the company also issued a separate patch on Friday for users of older and unsupported operating systems such as Windows XP.

Other advice includes these six tips from the No More Ransom site, edited here for length:

  1. Back up your computer and store the safety version in the cloud or on a drive that is not connected to your computer.
  2. Use robust antivirus software.
  3. Keep all the software on your computer up-to-date. Enable automatic updates.
  4. Never open attachments in emails from someone you don’t know. And remember that any account can be compromised.
  5. Enable the “Show file extensions” option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like “.exe,” “.vbs” and “.scr.”
  6. If you find a problem, disconnect your machine immediately from the Internet or other network connections (such as home Wi-Fi).

Source