Ransomware

This post is a bit different from our normal posts: We want to help our readers avoid a nasty situation.

This past weekend, as many of you already know, there was an outbreak of a new threat to computers which has done a lot of damage around the world. It is called “ransomware”: a PC “virus” (technically a “worm”) that is downloaded to vulnerable computers. It encrypts the data on the PC and then posts a message saying that if you want to access your data, you must pay $300 so that your data can be “unlocked” and made available to you again. This particular malware has affected institutions all around the world and has effectively shut down hospitals and health care in various areas.

This software infects PCs running the Windows operating system. The basis of this “WannaCry” ransomware was created by the United States National Security Agency (NSA) and was adapted by hackers. The NSA (and other agencies of various governments) has collected “back door” access to operating systems for years. In this case, the NSA found the vulnerability in Microsoft Windows some time back. Microsoft didn’t even know that there was such a vulnerability, and the NSA didn’t disclose it to Microsoft because the NSA wanted to use it as a tool to spy on people and agencies around the world. This backfired seriously.

Now, if you have been keeping your Windows operating system up to date with the latest patches, you have nothing to worry about, because it is already patched against this threat. However, anyone still running Windows XP is definitely at risk.

In less than 24 hours, the WannaCry ransomware borrowed from leaked NSA exploits to spread across at least 75,000 PCs. But, for now, the ransomware outbreak has been curtailed.

That’s because a U.K.-based researcher going by the name of MalwareTech shut the operation down, albeit by a stroke of good fortune. As he researched the spread of WannaCry, which hit 48 NHS hospitals across Britain particularly hard, the 22-year-old saw that one of the web domains used by the attackers hadn’t been registered. So he registered the domain, taking control of it for $10.69, and started seeing connections from infected victims, which is what let him track the ransomware’s spread.

But in doing that he also took down the WannaCry operation without meaning to. Whoever was behind the ransomware included a feature designed to detect security tools that fake internet access for quarantined PCs by answering every request the computer makes from a single IP address. This is a feature of a “sandbox,” where security tools run code in a contained environment on a PC. Once MalwareTech registered the domain to track the botnet, it resolved for every infected PC, not just the sandboxed ones, so every copy of the malware got an answer. “So the malware thought it was in a sandbox and killed itself. Lol,” MalwareTech said. “It was meant as an anti-sandbox measure that they didn’t quite think through.”
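To make the mechanism above concrete, here is a small added illustration (not code from the original post or from MalwareTech): a toy model of the domain check, two kinds of name resolution (the real internet, and a sandbox that answers every name with one IP), and a log scan of the kind that becomes possible once the domain is registered and infected hosts start resolving it. The domain name, host names and log lines are constructed placeholders, not real indicators.

```python
"""Toy model of the WannaCry kill-switch logic described in the post.

Added example; the domain, hosts and log lines below are constructed.
"""
from typing import Callable, Dict, List, Optional

# Placeholder for the unregistered domain the malware checked (constructed).
KILL_SWITCH_DOMAIN = "unregistered-killswitch.example"

# A resolver maps a name to an IP address, or None if the name does not resolve.
Resolver = Callable[[str], Optional[str]]


def real_internet_resolver(registered: Dict[str, str]) -> Resolver:
    """Normal DNS: only names that someone has registered resolve."""
    return lambda name: registered.get(name.lower())


def sandbox_resolver(fake_ip: str = "10.0.0.1") -> Resolver:
    """An analysis sandbox that fakes connectivity: every name resolves to one IP."""
    return lambda name: fake_ip


def worm_would_run(resolve: Resolver) -> bool:
    """The anti-sandbox check as the post describes it: if the domain resolves,
    assume we are in a sandbox and stop; if it does not, keep going."""
    return resolve(KILL_SWITCH_DOMAIN) is None


def kill_switch_scenarios() -> Dict[str, bool]:
    """The three situations the post walks through, as True = malware keeps running."""
    before_registration = real_internet_resolver({})
    after_registration = real_internet_resolver({KILL_SWITCH_DOMAIN: "198.51.100.7"})
    return {
        "real internet, domain unregistered": worm_would_run(before_registration),
        "sandbox faking every lookup": worm_would_run(sandbox_resolver()),
        "real internet, domain registered": worm_would_run(after_registration),
    }


# Constructed DNS query log in a simple key=value format (not real data).
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z host=ws-017 query=www.example.com answer=93.184.216.34
2017-05-12T10:01:05Z host=ws-042 query=unregistered-killswitch.example answer=198.51.100.7
2017-05-12T10:01:09Z host=ws-017 query=unregistered-killswitch.example answer=198.51.100.7
2017-05-12T10:02:11Z host=ws-042 query=unregistered-killswitch.example answer=198.51.100.7
2017-05-12T10:03:00Z host=ws-088 query=mail.example.com answer=192.0.2.25
"""


def hosts_that_hit_kill_switch(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Hosts that looked up the kill-switch domain. After registration, each such
    lookup is a copy of the malware that reached the check and stopped, so these
    are the machines to isolate and patch."""
    hosts = set()
    for line in log_text.splitlines():
        # Skip the timestamp, then parse the remaining key=value fields.
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("query", "").lower() == domain.lower():
            hosts.add(fields["host"])
    return sorted(hosts)


if __name__ == "__main__":
    for scenario, runs in kill_switch_scenarios().items():
        print(f"{scenario}: {'runs' if runs else 'exits'}")
    print("hosts that hit the kill switch:", hosts_that_hit_kill_switch(SAMPLE_DNS_LOG))
```

The point of the three scenarios is that the sandbox and the registered domain look identical to the malware: in both cases the name resolves, so in both cases it exits. That is why registering the domain stopped the spread everywhere, and why the resulting DNS lookups doubled as a list of infected machines.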

Security companies including Cisco’s Talos division confirmed WannaCry had stopped spreading thanks to MalwareTech’s work. Talos also confirmed the malware’s use of exploits leaked by a crew called the Shadow Brokers, who are widely believed to have dumped hacker tools belonging to the NSA. The company, in a blog post, said WannaCry (also known as WannaCrypt) would attempt to install via a backdoor leaked by the Shadow Brokers called DoublePulsar. If the backdoor wasn’t resident on a target Windows PC, it would then attempt to abuse a flaw in the Microsoft operating system’s Server Message Block (SMB), a network file sharing protocol.

The bottom line here is that if you run Windows XP, you need to upgrade to something else or you may be at risk. If you have a currently supported version of Windows, make certain your PC is up to date with the latest patches.

Here is a video from a former Microsoft employee with more depth on the topic:

Note that even though the attacks have been stopped temporarily, they will be back.

Also note that once your PC has the ransomware installed, any payments to get your PC unlocked may be futile.

It should be noted that the PC on which this blog entry was written received a notification from Malwarebytes antivirus this morning that it had quarantined the ransomware virus embedded in the NVIDIA software.

We apologize for not warning you earlier.