Published: Sat, May 20, 2017
Science | By Hubert Green

Security experts find clues to ransomware worm's lingering risks

A successful cyber-attack on the banking system, the electric grid, traffic lights or electronic medical records could do far more economic and security damage than WannaCry has. "There are plenty of reasons people wait to patch and none of them are good".

WannaCry's worm-like capacity to infect other computers on the same network with no human intervention appears tailored to Windows 7, said Paul Pratley, head of investigations & incident response at United Kingdom consulting firm MWR InfoSecurity.

It effectively takes the computer hostage by encrypting its files and demands a $300 ransom, to be paid in bitcoin within 72 hours. More than 200,000 computers have been affected so far.

"When we say that the health ministry was attacked you should understand that it wasn't the main server, it was local computers ... actually nothing serious or deadly happened yet", German Klimenko, a presidential adviser, said on Russian state television.

In 2014, Microsoft ended support for the highly popular Windows XP, released in 2001 and engineered beginning in the late 1990s, arguing that the software was out of date and wasn't built with modern security safeguards. Russian computer users commonly run unlicensed (pirated) or outdated versions of Windows and therefore do not receive security updates. Even so, it is clear from the number of nations affected that the intended attacks were global.

The company fixed the underlying flaw with a software patch in March, but machines on which that patch had not been applied, or which ran versions of Windows no longer receiving updates, remained vulnerable.

Microsoft declined to comment for this story.

The episode underscores the folly of the U.S. law enforcement demand that tech companies install backdoors into their devices and services.

Reuters also reports that half of all internet addresses infected globally by WannaCry are located in China and Russia, at 30 and 20 percent respectively.

In Russia, where a wide array of systems came under attack, officials said services had been restored or the virus contained.

The ransomware mixes copycat software loaded with amateur coding mistakes and recently leaked spy tools widely believed to have been stolen from the U.S. National Security Agency, creating a far more potent class of crimeware.

In the U.S., FedEx Corp. reported that its Windows computers were "experiencing interference" from malware, but wouldn't say if it had been hit by ransomware. "That's liability to individuals, consumers and patients". WannaCry has a "worm-like" ability to spread through cyber networks automatically. The company is crunching data to arrive at a firmer estimate it aims to release later Thursday.

In an official statement, the central bank said the consequences of the ransomware attack had been dealt with quickly. A researcher from Google posted on Twitter that an early version of WannaCrypt from February shared some of the same programming code as malicious software used by the Lazarus Group, the alleged North Korean government hackers behind the destructive attack on Sony Corporation in 2014 and the theft of $81 million from a Bangladesh central bank account at the New York Fed a year ago.

However, a bug in WannaCry's code means the attackers cannot use unique bitcoin addresses to track which victims have paid; payments instead land in a small set of shared, hard-coded addresses, security researchers at Symantec found this week.

Railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services also were affected, China's Xinhua News Agency said, citing the Threat Intelligence Center of Qihoo 360, a Chinese internet security services company.

The rapid recovery by many organisations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.

Given the scale of WannaCry and the media attention given to ransomware in the past few days, you would be forgiven for thinking that the world is facing a new and deadly foe in the game of cat and mouse that is online security.
