'Accidental hero' stops worldwide ransomware attack

PLUS: Microsoft releases security patches.

UPDATE: The threat of the worldwide WannaCry ransomware attack has receded, with Microsoft releasing patches for security holes, and a 22-year-old researcher in the UK stumbling over a "kill switch."

Find links to Microsoft's security fixes here. The patches are for the older versions of Windows targeted by WannaCry (XP through to 8), and also fix a vulnerability in Windows Server 2003 that allowed the ransomware to spread to all computers on a network once it infected an older PC.

Microsoft stopped issuing security updates for Windows XP in 2014 but has taken the unusual step of making an XP patch available today – and for all-comers, not just organisations on custom (extra-cost) contracts.

'Accidental hero'
The spread of WannaCry dramatically slowed after an anonymous British cybersecurity researcher discovered and activated a "kill switch" hidden in WannaCry's code. The kill switch involved connecting to a domain (web address). The researcher noticed that WannaCry infestations were trying to connect to this domain, but that it was not active – presumably because the malware's creator did not want it to stop spreading at this point. To his surprise, the researcher found the domain name wasn't even registered, let alone activated. He duly registered it and made it live, triggering the kill switch.
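The kill switch described above has a useful side effect for defenders: an infected machine looks up the domain before it does anything else, so resolver logs record which hosts attempted the check, whether the lookup failed (the domain was still unregistered) or succeeded (the sinkhole was live). The following script is an added example, not code from the article or from the researcher; the article does not name the domain, so `KILL_SWITCH_DOMAIN` is a placeholder, and the log lines are constructed.

```python
# Added example (not from the NBR article): flag hosts whose DNS lookups hit the
# WannaCry kill-switch domain. The article does not give the real domain, so
# KILL_SWITCH_DOMAIN is a placeholder; the resolver log lines are constructed.
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder, not the real domain

# Constructed resolver log: timestamp, client IP, queried name, response code.
SAMPLE_DNS_LOG = """\
2017-05-12T09:01:02Z 10.0.4.17 www.example.org NOERROR
2017-05-12T09:01:09Z 10.0.4.21 killswitch.example NXDOMAIN
2017-05-12T09:02:15Z 10.0.4.21 killswitch.example NXDOMAIN
2017-05-12T09:03:44Z 10.0.4.33 mail.example.org NOERROR
2017-05-12T11:30:00Z 10.0.4.40 killswitch.example NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Parse whitespace-separated resolver log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
            "rcode": rcode,
        })
    return records


def find_kill_switch_lookups(records, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [records]} for every client that queried the domain.

    NXDOMAIN means the lookup happened while the domain was still unregistered
    (the malware carried on); NOERROR means the sinkhole answered and the
    malware should have stopped. Either way the host ran the check, which only
    an infected machine does, so both cases are worth triaging.
    """
    hits = defaultdict(list)
    wanted = domain.lower().rstrip(".")
    for r in records:
        if r["qname"] == wanted:
            hits[r["client"]].append(r)
    return dict(hits)


def summarize(hits):
    """Per client: how many lookups, and whether any reached a live sinkhole."""
    return {
        client: {
            "lookups": len(rs),
            "first_seen": min(r["ts"] for r in rs),
            "sinkhole_answered": any(r["rcode"] == "NOERROR" for r in rs),
        }
        for client, rs in hits.items()
    }


if __name__ == "__main__":
    report = summarize(find_kill_switch_lookups(parse_dns_log(SAMPLE_DNS_LOG)))
    for client, info in sorted(report.items()):
        print(client, info)
```

Point the parser at real resolver or proxy logs and the same logic applies; hosts that appear here should be isolated and patched rather than trusted on the grounds that the sinkhole answered, since the researcher's own caveat is that the attackers can change the domain in the code.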

UK media have dubbed the 22-year-old researcher, who from his posts seems to live with his parents and was studying WannaCry while on holiday, an accidental hero.

However, the researcher warns the attackers could easily reconfigure the ransomware's code and try again.

Although tens of thousands of systems have been hijacked by WannaCry over the past day and a half, there have been no reports of New Zealand businesses or institutions being hit.

Earlier, NetSafe boss Martin Cocker told NBR that ransomware is an escalating problem. Most attacks originated from eastern Europe, and those who forked over cash (WannaCry's maker asks for $US400) had to face the likelihood the hackers would not actually release their data. And even if they did, paying up only encourages more crime.

Against this, lawyer Michael Wigley said businesses sometimes had to take a pragmatic approach and consider paying up. He said he was aware of a New Zealand law firm that had done just that.

Worldwide ransomware attack seems to use tool stolen from NSA

Saturday: The online world has been rocked by a massive ransomware attack this morning, dubbed "WannaCry" – and early reports indicate it could be perpetrated with eavesdropping software stolen from the US government's National Security Agency (NSA).

If so, it will be a challenge for New Zealander Chris Liddell, recently named the director of US President Donald Trump's Council for American Technology, which is charged with upgrading and securing US government IT systems, and includes intelligence agency heads among its members.

It could also be the first major challenge for the New Zealand government's newly formed Computer Emergency Response Team (CERT). The Crown agency says it is closely following events. Initial indications are that the attack exploits a vulnerability in unpatched, older computers running Windows XP through to Windows 7.

New Zealand still had quite a fleet of Windows XP computers when Microsoft stopped security upgrades in 2014. By the company's own count, there were 266,000 across home, business and government. However, today's reports indicate Europe and Asia have been hardest hit. No major incidents have been reported in New Zealand.

The malware was probably initially spread through phishing emails; that is, fake messages purporting to be real invoices or security warnings that carried malicious attachments. Once a computer is infected, the ransomware can spread to new systems on the same Windows Server network by dint of exploiting the stolen NSA hacking tool, known as "Eternal Blue" (Microsoft initially thought it had fixed this vulnerability with a Windows Server patch released in March; it's now reassessing).

CERT is working with the GCSB-affiliated National Cyber Security Centre, which says it is taking (undetailed) steps to secure New Zealand infrastructure.

A New York Times animated map shows WannaCry spreading, but so far not dotting down on NZ.

CERT is designed to act as a triage unit, establishment board adviser and Lowndes Jordan partner Rick Shera told NBR Radio as the Crown agency opened its doors last month. It won't fix a compromised computer system itself but it will point a business in the right direction and, if necessary, toward the right branch of law enforcement (start at cert.govt.nz).

This morning's attack has reportedly hit tens of thousands of computer systems, with the attackers demanding $US300 in Bitcoin to unlock hijacked data, with a countdown timer reinforcing a threat to delete the data after seven days if money is not handed over.

The National Health Service (NHS) in the UK seems particularly hard hit, with reports that some patient records have been locked up by the ransomware and some instances of ambulances carrying patients being diverted to other hospitals. Thousands of businesses in Spain have also been hit.

More broadly, the standard security advice for any individual or business remains: Keep all versions of software up to date (not just security software), be intensely suspicious of email attachments, and take frequent backups on the assumption that one day the business will be hit.
