WanaCrypt0r 2.0
May 12, 2017 11:33 AM

A massive ransomware campaign appears to have infected a number of organisations around the world. Computers in thousands of locations have apparently been locked by a program that demands $300 (£230) in Bitcoin. There have been reports of infections in as many as 74 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan. (BBC)
posted by chavenet (96 comments total) 24 users marked this as a favorite
 
I guess that's one way to bolster the relevance of bitcoin...?
posted by scaryblackdeath at 11:39 AM on May 12, 2017 [6 favorites]


The No More Ransom project is worth looking at if you're ever involved with these issues. They have some keys available from previous attacks.
posted by sammyo at 11:53 AM on May 12, 2017 [8 favorites]


The good news: the NHS has become a profit centre ahead of schedule.
The bad news: it's a profit centre for the Russian Mafia, not Conservative Party donors.
posted by acb at 11:53 AM on May 12, 2017 [12 favorites]


Given so much of this crap is STILL from classic C and Pthreads errors, I'd say it's time to fund major work into Redox-OS, compiled in a language that checks against those errors at compile time.
posted by ocschwar at 11:58 AM on May 12, 2017 [2 favorites]


Is there a known vector for this attack?
posted by loquacious at 12:00 PM on May 12, 2017


> Is there a known vector for this attack?

From the second article:

"Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks."
posted by Hairy Lobster at 12:02 PM on May 12, 2017 [4 favorites]


> Given so much of this crap is STILL from classic C and Pthreads errors, I'd say it's time to fund major work into Redox-OS, compiled in a language that checks against those errors at compile time.

Wasn't this an old version of Windows that Microsoft stopped patching sometime before the leaks but the NHS is still stuck on?

If I were Jeremy Corbyn, I'd start hammering that. Why is the NHS so neglected and underfunded that its IT systems aren't fit for purpose? Why is the government allowing this to happen? Vote Labour and we'll sweep out all the “free-market” experiments and profiteering, amalgamate the competing local trusts into one agency and review and overhaul its systems to make sure that they're the best of class, and we'll use the mighty power of Her Majesty's Government to make sure it doesn't fall through the gaps.
posted by acb at 12:03 PM on May 12, 2017 [24 favorites]


I would imagine the creators didn't expect it to be quite so successful - now they've probably made themselves just a little too visible for comfort.

Reports say it is spreading within organisations via the MS17-101 SMB vulnerability. It doesn't help that because of cuts the NHS is still stuck on Windows XP, though with 55 vulnerabilities fixed this week in Windows 10 it's more than a little worrying too.
posted by kerplunk at 12:04 PM on May 12, 2017 [11 favorites]


Trend Micro Encyclopedia entry dated 14 April. Screenshots look almost the same.
posted by yoHighness at 12:15 PM on May 12, 2017


> Given so much of this crap is STILL from classic C and Pthreads errors, I'd say it's time to fund major work into Redox-OS, compiled in a language that checks against those errors at compile time.

And then funding MS and all the software companies to port their applications over to it?

Not.

Going.

To.

Happen.

Nice thought though.
posted by Samizdata at 12:16 PM on May 12, 2017 [5 favorites]


Is there a primer on what I can be doing right now in case I get hit with one of these? Will just setting up a backup locally and through a cloud for all my important files be sufficient?
posted by Karaage at 12:20 PM on May 12, 2017 [1 favorite]


You can see a live-updating map of infected systems here
posted by onshi at 12:21 PM on May 12, 2017 [2 favorites]


from a reddit thread about hospitals affected by this:
> I'm a doctor in one of the affected hospitals, a major trauma center in London. Everything has gone down. No blood results, no radiology images, there's no group specific blood available. They've declared an internal major incident, the hospital is diverting major trauma and stroke patients. All elective surgery was cancelled from about 1pm. We're not doing anything in theatre that's not life or limb threatening. There will almost certainly be deaths as a result of this.
posted by INFJ at 12:24 PM on May 12, 2017 [31 favorites]


brb installing updates
posted by infinitewindow at 12:24 PM on May 12, 2017 [1 favorite]


Brian Krebs has a good writeup as well.
posted by gemmy at 12:27 PM on May 12, 2017 [4 favorites]


I usually download and backup my NHS medical record at the end of each month, but after watching the news for a few minutes, and with a GP's appointment next week, just done it now. Guess I should also print off the relevant recent stuff from it, in case I turn up and my GP is using paper and pen.

I'm not hugely surprised by this, as contemporary operating systems seem to be the exception rather than the rule. I've seen Windows XP (frequently) and older systems (occasionally) being used in hospital and the GP surgery in the last year.
posted by Wordshore at 12:27 PM on May 12, 2017 [1 favorite]


I'm not surprised, but I am still appalled.
posted by wenestvedt at 12:36 PM on May 12, 2017 [9 favorites]


goddamn, 4 comments in before the "u shoulda written it in Rust LOL"

you'd think this is hacker news
posted by indubitable at 12:37 PM on May 12, 2017 [18 favorites]


Any chance that we can cut out the "Grauniad" crap? It's insider language that is probably confusing for some users (probably more for newer users) and if it was ever funny it's not anymore.
posted by ElKevbo at 12:41 PM on May 12, 2017 [40 favorites]


> We're not doing anything in theatre that's not life or limb threatening. There will almost certainly be deaths as a result of this.

They need to start paying their fucking ransoms right now.
posted by save alive nothing that breatheth at 12:43 PM on May 12, 2017 [4 favorites]


> you'd think this is hacker news

A MetaFilter post about some NSA malware that's infected the NHS...
posted by tonycpsu at 12:43 PM on May 12, 2017 [1 favorite]




This isn't the first instance of ransomware attacks on clinical information systems, either. Last year, for instance, Hollywood Presbyterian Medical Center ended up paying $17,000 in bitcoin to ransom off an attack from the Locky Trojan spread by bogus Word documents disguised as invoices.

There's only more of this to come, especially as the line between state actors and gangsters gets blurrier every day, and tools cross-pollinate between them.
posted by strangely stunted trees at 12:50 PM on May 12, 2017 [3 favorites]


Is there any discussion about the really low request? Is the idea that those infected will be more likely to pay up, and given the wide-spread nature of this attack, the attackers will reap more money overall? Or is it so the transactions can be converted to "real" money in numerous accounts without alerting authorities of massive deposits?
posted by filthy light thief at 1:01 PM on May 12, 2017 [2 favorites]


> They need to start paying their fucking ransoms right now.

Sure...it's totally quick and easy for your average hospital worker to transfer funds into a 100% safe bitcoin repository, get it to the right bunch of thieves, and then ensure that the computer can't be ransomed again. This is definitely a process that can easily be repeated thousands (possibly tens of thousands) of times at £300 a pop by people who are in the middle of a medical crisis of enormous proportions with little to no problem.
posted by zombieflanders at 1:03 PM on May 12, 2017 [58 favorites]


Probably not even specifically targeting the NHS, so it would be small enough individuals and small organizations could afford.
posted by save alive nothing that breatheth at 1:04 PM on May 12, 2017 [1 favorite]


It really is amazing how the intersection of crypto geeks and market libertarians always have to be the worst of the two.
posted by zombieflanders at 1:04 PM on May 12, 2017 [29 favorites]


> This is definitely a process that can easily be repeated thousands
> (possibly tens of thousands) of times at £300 a pop by people who
> are in the middle of a medical crisis of enormous proportions

Well it's probably the *easiest* process. Not to say that that means it's easy. But they are certainly devoting a lot of resources to doing stuff ATM and that may well be the best way to spend those resources.
posted by merlynkline at 1:09 PM on May 12, 2017


> Why is the NHS so neglected and underfunded that its IT systems aren't fit for purpose? Why is the government allowing this to happen?

The government has been pouring money into a new IT system for years, as part of the drive to create a 'paperless NHS'. It hasn't exactly been a triumph. In 2013 it was estimated to have cost £10bn, and was described (by a Tory MP) as 'one of the worst and most expensive contracting fiascos in the history of the public sector'.

I know it's tempting to raise the cry 'more money for the NHS!' but I don't think this particular fuck-up can be blamed on underfunding; it's got more to do with poor planning and unrealistic targets driven by political expediency. Or in the words of one recent study: 'there’s not yet any failsafe way of stopping a new senior minister with a strong personality, a big mandate, campaign promises, short deadlines, and no experience of major IT systems from sweeping all before them and initiating yet another disaster'.
posted by verstegan at 1:09 PM on May 12, 2017 [12 favorites]


Oh, it's international Nurses' day! What better way to celebrate it than with an underfunded IT infrastructure!
posted by popcassady at 1:09 PM on May 12, 2017 [4 favorites]


Been watching this unfold. It's abysmal, and it was always going to happen.

The NHS is in major incident mode, but a lot of the comms is out and some of the stories about diagnostic machines being crippled are horrific. Someone on Twitter claimed that hospital porters are being stationed in corridors to relay crash calls, because the bleeper system is down - obviously not confirmed, but entirely plausible.

Coming back from this will be very painful, even if all data has been backed up - you can't just put the data back into an infected machine, and if the vector is in emails or documents then those have to be scanned as well. You'll need to patch the restored systems if you can - but no patches exist for XP, which is still widely in use.

If the backups don't exist, or if they were encrypted too, too bad.

There's lots more, of course, but the best possible outcome from this will be proper organisational support and funding to update the NHS's IT to a modern standard, and to have proper maintenance.
posted by Devonian at 1:13 PM on May 12, 2017 [6 favorites]


>Is there a primer on what I can be doing right now in case I get hit with one of these?

So here's my advice:
  • Never run as an elevated user. Make a local admin and use that for all your admin tasks.
  • Encrypt your drive.
  • Do not run installers from a compressed archive. Extract all installers first.
  • Don't open shit attachments from people you don't know, and even then only if you are expecting something from them.
  • Have good and current backups.
  • Have good and current backups.
  • Have good and current backups offsite.
  • Don't download shit from email links without verifying the link goes where you believe it does.
  • Don't download anything from a google search. Go to the primary website, ensure you are actually on the correct website and not some cnet mirror.
  • Have a decent virus scanner and use it.
  • Don't ever trust your kids, spouse, or drunk uncle with any computer provided by your employer unless you are looking for new employment
  • Get a Mac.
I probably forgot some.
posted by cjorgensen at 1:15 PM on May 12, 2017 [29 favorites]


> I don't think this particular fuck-up can be blamed on underfunding

This is happening because the NHS is riddled with systems running unsupported versions of Windows. Some of these are because there is no money for upgrades. Some are because there is no money to pay for upgrades to critical software that only works on unsupported versions of Windows. Some are because there is no money to pay for competent IT staff, which is even more of a problem when an apparently monolithic organisation like the NHS is actually split into countless independent parts which must each hire their own IT staff and can't even have a common policy like "don't use XP".

Few of these unsupported systems are part of what is addressed by the putative new IT system.

This particular fuck-up can mostly be blamed on underfunding.
posted by merlynkline at 1:17 PM on May 12, 2017 [15 favorites]


> "don't use XP"

Yeah, I knew I forgot one.

I'd add to that, stay current, stay patched, use only drivers you know the origin of, and keep everything up-to-date. A modern OS is a must.
posted by cjorgensen at 1:24 PM on May 12, 2017 [4 favorites]


I've been waiting for biopsy results for a month from one of the affected NHS trusts. Wondering if I'll ever get them now.
posted by hazyjane at 1:27 PM on May 12, 2017 [3 favorites]


Just waiting for this to happen here in Alberta, our emergency department still runs on XP, the latest in early 2000s technology!
posted by v-tach at 1:34 PM on May 12, 2017 [2 favorites]


> Sure...it's totally quick and easy for your average hospital worker to transfer funds into a 100% safe bitcoin repository, get it to the right bunch of thieves, and then ensure that the computer can't be ransomed again. This is definitely a process that can easily be repeated thousands (possibly tens of thousands) of times at £300 a pop by people who are in the middle of a medical crisis of enormous proportions with little to no problem.

well when you work for virtual currency everything looks like an opportunity to shill for virtual currency.
posted by winna at 1:35 PM on May 12, 2017 [6 favorites]


> I know it's tempting to raise the cry 'more money for the NHS!' but I don't think this particular fuck-up can be blamed on underfunding; it's got more to do with poor planning and unrealistic targets driven by political expediency.

I don't know; having the IT resources to upgrade the organisation's critical systems before the old system is cut off completely from vital security patches sounds pretty essential for something that lives depend on. Running medical clinics on an OS that's no longer patched to save money is like stocking those clinics with expired medication because throwing it out and replacing it would cost too much.
posted by acb at 1:53 PM on May 12, 2017 [17 favorites]


There's no excuse whatsoever for a government agency to be running mission-critical systems on an operating system that's no longer getting patches from the vendor. There's an explanation, though, and that's underfunding.

Many government agencies around the world only abandoned XP (for example) at the last possible minute, for this precise reason. To not do so was, as this shows, incredibly irresponsible. As noted upthread, perhaps fatally so in the most literal sense.

As for how practical it is to pay these ransoms - ransomware is a known threat, and paying to decrypt (individually or en masse) is certainly an established way to resolve this kind of crisis. Then again, the kind of shop that's vulnerable to such an attack may not be prepared to respond immediately, either...
posted by onshi at 2:05 PM on May 12, 2017 [4 favorites]


I did tech support for a backup company for a while and saw a lot of this. Most of them come from an email attachment, often a fake Fedex or UPS email with package tracking info. I've gotten that email and almost clicked it, cause, hey, who doesn't love getting a package. The one I've seen is a word doc with a macro that delivers the virus. It encrypts docs, pictures, music, excel sheets, etc., on all accessible drives. If you have versioned backups, i.e. older versions are backed up in addition to newer versions, offsite backup or a backup on a drive that is not connected, you can restore your data. All the ransomware/ encryption viruses I saw ran once, made a mess, exited. It's recommended to wipe the drive and reinstall from scratch, but I've seen success where the files were restored with no rebuild. Not all backup systems deal well with encrypted drives. Some people pay the ransom and do not get a working key.

I don't know why anti-virus software doesn't protect against these. When I used to manage images that a bunch of computers were built with, we made sure that macros were set to off. This problem has been around for long enough that any managed system should be better protected. The virus runs pretty fast, and I always wonder why so much stuff is so slow on windows, but an encryption virus can trash thousands of files in a few minutes.

It's a devastating experience to lose family pictures or critical business documents. Attacking hospitals is pretty vile.
posted by theora55 at 2:12 PM on May 12, 2017 [5 favorites]


This isn't just the NHS: per recent reports the malware has taken down FedEx offices and a Spanish cellphone network.

It's believed to originate in Russia but Russian companies and individuals are also being hit hard by it.

From the malware author's PoV, I suspect it looks a bit like this right now (and if they have any sense they'll be hunkering down and covering their tracks—they've just attracted multiple governments' attention, and not in a good way: I'd expect Interpol warrants to be pursued vigorously as soon as they've got a suspect).
posted by cstross at 2:19 PM on May 12, 2017 [3 favorites]


acb: Running medical clinics on an OS that's no longer patched to save money

Actually, a whole bunch of clinical diagnostic equipment runs on embedded PCs, either Windows CE systems or Intel ones. Windows provides the friendly UI for, for example, radiologists, or A&E blood monitoring, and so on. This isn't just office admin equipment.

A big part of the problem is that when a computerized medical device is certified for use on patients the certification applies to the hardware and all the software including the operating system and all patches and drivers in the submitted configuration only. If you allow a PC running Excel to upgrade whenever MS push a patch, the worst outcome is that you can't run your spreadsheet. If the PC is running an X-ray source or a gamma knife or helping control anaesthesia in a theatre the worst possible outcomes are fatal; you don't even want antivirus software kicking off at random and slowing shit up (this caused a medical emergency in a theater in the USA last year that made comp.risks — the anaesthetists had to drop everything and ventilate the patient on the table manually until a nurse could reboot the PC that had decided looking for malware was a higher priority level than keeping a patient breathing during surgery).

Anyway, these machines can't be patched/upgraded without large bills for safety recertification (if indeed the software is ever updated after it's finally frozen and certified). And they're often networked because being able to remotely determine if they've fallen over is important.

And so we get machines running OSs that fell off MS's support conveyor years ago still running, unpatched and without antivirus software, on hospital networks ... and the cost of replacement isn't a few hundred bucks for a new OS license or a new PC, it's several tens or hundreds of thousands for a shiny new piece of medical equipment that just happens to have an embedded Windows PC to provide the user interface.
posted by cstross at 2:27 PM on May 12, 2017 [63 favorites]


> Attacking hospitals is pretty vile.

If people do die from it, as the doctor in the reddit thread suggests then it's hard to see how it isn't mass murder (or at the very least some form of willfully negligent manslaughter).
posted by Buntix at 2:44 PM on May 12, 2017 [2 favorites]


The hospital my mother was in a few months ago kept wheeling in equipment running on Windows XP, so US hospitals aren't better off.
posted by interplanetjanet at 2:52 PM on May 12, 2017 [1 favorite]


PSA: If you are on a Mac, the free software RansomWhere is a handy tool to detect ransomware-like behavior. If it detects lots of files being locked rapidly (which is behavior used by all known ransomware, but occasionally used by legitimate software), it'll pause the process until you give it permission to continue. If the locking process name looks fishy, you can terminate it, and only a few files are successfully locked. If you were doing something where locking files is expected, such as installing a new program, and the process name looks right, you can resume the process to continue normally.

There may be an equivalent for Windows, but I cannot attest to the quality of any of those.
posted by Hot Pastrami! at 2:54 PM on May 12, 2017 [15 favorites]


Not a good day for some friends at work. That's about all I can say about that.
posted by grimjeer at 3:06 PM on May 12, 2017 [1 favorite]


The regulatory failure on embedded OSs works both ways. In the case of medical equipment, you cannot update the software because it would invalidate approval; in the case of your mobile phone, which has also been approved, there is no restriction on updates and the regulatory approval of the as-sold counts for little.

How do you fix that? I think you have to partition functionality better and concentrate on engineering APIs - which is, I believe, the conclusion NASA came to (multiple times) on building resilient deep-space systems.
posted by Devonian at 3:11 PM on May 12, 2017 [6 favorites]


Strong indications that this is propagating only or primarily by the "EternalBlue" vulnerability in SMB (Windows filesharing). That was patched about 6 weeks ago. If you have any question if your Windows OS is up to date, run Windows Update immediately.

Further advantage is that SMB is usually blocked at the edge of most networks. Unfortunately, there are also strong indications that this is "wormed," propagating from one infected computer to any clean one it can reach. SMB is usually not blocked inside most networks, so once you have one infected computer inside the firewall, you'll probably have many.

I'm finding recent and unconfirmed reports that the malware was hard-coded to communicate with a specific control server. Supposedly that server has been removed from the internet and new infection rates are dropping. Sure hope so.
posted by CHoldredge at 3:20 PM on May 12, 2017 [4 favorites]


I heard that the government cancelled a £5.5 million contract with Microsoft to provide ongoing support for Windows XP on the basis that most government computers were no longer using it.

If true, that could be a big election story. It hits Tory security credibility in the area Labour are strongest on - the NHS.
posted by knapah at 3:28 PM on May 12, 2017 [6 favorites]


In fact, a webserver was created to block propagation. Very strange. From Malwarebytes labs: "...this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique. Whichever it is, it has backfired on the authors of the worm, as the domain has been sinkholed and the host in question now resolves to an IP address that hosts a website."

Excellent news
posted by CHoldredge at 3:31 PM on May 12, 2017 [11 favorites]
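
Added example, not part of the thread: a defender-side triage of the two network signals described in the comments above, namely worm-like SMB spread inside the firewall and lookups of the hard-coded domain. The log formats, the 4-peer threshold and every sample line are constructed for illustration.

```python
"""Added example: rank internal hosts by two WannaCrypt-related network signals."""
import re
from collections import defaultdict

# Domain quoted in the thread from the Malwarebytes write-up.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORT = 445        # TCP port for SMB (Windows file sharing)
FANOUT_THRESHOLD = 4  # assumption: distinct SMB peers that count as worm-like

# Constructed DNS query log (hypothetical format: time client qtype name).
DNS_LOG = """\
2017-05-12T15:01:02Z 10.1.4.23 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T15:01:03Z 10.1.7.8 A intranet.example.test
2017-05-12T15:02:10Z 10.1.9.40 A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T15:03:44Z 10.1.4.23 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
malformed line that the parser must skip
"""

# Constructed flow log (hypothetical format: time src dst dport proto).
FLOW_LOG = """\
2017-05-12T15:01:05Z 10.1.4.23 10.1.4.1 445 tcp
2017-05-12T15:01:05Z 10.1.4.23 10.1.4.2 445 tcp
2017-05-12T15:01:06Z 10.1.4.23 10.1.4.3 445 tcp
2017-05-12T15:01:06Z 10.1.4.23 10.1.4.4 445 tcp
2017-05-12T15:01:07Z 10.1.4.23 10.1.4.5 445 tcp
2017-05-12T15:01:09Z 10.1.4.23 10.1.4.1 445 tcp
2017-05-12T15:02:00Z 10.1.5.5 10.1.5.1 445 tcp
2017-05-12T15:02:01Z 10.1.5.5 10.1.5.2 445 tcp
2017-05-12T15:02:02Z 10.1.5.5 10.1.5.3 445 tcp
2017-05-12T15:02:03Z 10.1.5.5 10.1.5.4 445 tcp
2017-05-12T15:02:30Z 10.1.7.8 10.1.0.10 445 tcp
2017-05-12T15:02:31Z 10.1.7.8 10.1.0.11 445 tcp
2017-05-12T15:02:40Z 10.1.9.40 10.1.0.10 443 tcp
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
DNS_RE = re.compile(rf"^(\S+)\s+{IPV4}\s+(\S+)\s+(\S+)$")
FLOW_RE = re.compile(rf"^(\S+)\s+{IPV4}\s+{IPV4}\s+(\d+)\s+(\S+)$")


def kill_switch_clients(dns_log):
    """Return {client_ip: count} for clients that looked up the kill-switch name."""
    hits = defaultdict(int)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        _, client, _, name = m.groups()
        # DNS names are case-insensitive and may carry a trailing root dot.
        if name.lower().rstrip(".") == KILL_SWITCH:
            hits[client] += 1
    return dict(hits)


def smb_fanout(flow_log):
    """Return {src_ip: number of distinct peers contacted on TCP 445}."""
    peers = defaultdict(set)
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        _, src, dst, dport, proto = m.groups()
        if proto.lower() == "tcp" and int(dport) == SMB_PORT:
            peers[src].add(dst)  # a set, so repeat connections count once
    return {src: len(dsts) for src, dsts in peers.items()}


def triage(dns_log, flow_log, threshold=FANOUT_THRESHOLD):
    """Return [(host, reasons)], hosts showing both signals first."""
    lookups = kill_switch_clients(dns_log)
    fanout = smb_fanout(flow_log)
    findings = []
    for host in set(lookups) | set(fanout):
        reasons = []
        if host in lookups:
            reasons.append(f"kill-switch lookups={lookups[host]}")
        if fanout.get(host, 0) >= threshold:
            reasons.append(f"smb peers={fanout[host]}")
        if reasons:
            findings.append((len(reasons), host, reasons))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return [(host, reasons) for _, host, reasons in findings]


if __name__ == "__main__":
    for host, reasons in triage(DNS_LOG, FLOW_LOG):
        print(f"{host}: {', '.join(reasons)}")
```

Since the binary is reported to exit when its connection to that domain succeeds, the lookups are worth logging rather than blocking.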


Here's an article about XP related vulnerabilities in the NHS from December.

> The UK government was one such organisation, paying Microsoft the princely sum of £5.5 million to continue providing security support for Windows XP. This deal came to an end in May 2015 and was not renewed, with the government citing “good progress in moving away from Windows XP across departments and government organisations”.
posted by knapah at 3:33 PM on May 12, 2017 [8 favorites]


CHoldredge: "...this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

Dunno if someone Hijacked the domain or if this is the actual legit Botnet Whois info:

Domain name: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Registry Domain ID: 2123519849_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2017-05-12T15:08:10.00Z
Creation Date: 2017-05-12T15:08:04.00Z
Registrar Registration Expiration Date: 2018-05-12T15:08:04.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: Botnet Sinkhole
Registrant Organization:
Registrant Street: Botnet Sinkhole
Registrant City: Los Angeles
Registrant State/Province: CA
Registrant Postal Code: 00000
Registrant Country: US
Registrant Phone: +0.00000000000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: BotnetSinkhole@gmail.com
Registry Admin ID:
Admin Name: Botnet Sinkhole
Admin Organization:
Admin Street: Botnet Sinkhole
Admin City: Los Angeles
Admin State/Province: CA
Admin Postal Code: 00000
Admin Country: US
Admin Phone: +0.00000000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: BotnetSinkhole@gmail.com
Registry Tech ID:
Tech Name: Botnet Sinkhole
Tech Organization:
Tech Street: Botnet Sinkhole
Tech City: Los Angeles
Tech State/Province: CA
Tech Postal Code: 00000
Tech Country: US
Tech Phone: +0.00000000000
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: BotnetSinkhole@gmail.com
Name Server: ns1.sinkhole.tech
Name Server: ns2.sinkhole.tech
Name Server: ns3.sinkhole.tech
Name Server: ns4.sinkhole.tech
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2017-05-12T08:34:30.38Z <<<

posted by wcfields at 3:35 PM on May 12, 2017


> Dunno if someone Hijacked the domain

Quite probably the original ransomware author hadn't bought the domain, just chosen one long and random enough to be sure of getting it if required.

This meant that it could be bought by the people trying to prevent its spread.
posted by Buntix at 3:42 PM on May 12, 2017


Buntix: "This meant that it could be bought by the people trying to prevent its spread."

Yeah, looks like BotnetSinkhole@gmail.com is owned by a lot of random Namecheap domains. so possibly confiscated domains by their abuse team and "SINKHOLE.TECH" name servers.
posted by wcfields at 3:51 PM on May 12, 2017 [1 favorite]


> It's believed to originate in Russia but Russian companies and individuals are also being hit hard by it.

The Russian government tolerates and protects its local cybercrime sector as long as (a) they only target foreigners (“Amers”, in the parlance), and (b) will patriotically contribute labour and expertise when called upon to do so, by launching attacks on designated targets or keeping the GRU's hackers on the ball. A lot of malware, for example, will not fire if the machine's locale is set to Russia. Ransomware also brings in a lot of foreign revenue (“special transfers” are 12% of Russia's GDP, and this includes Bitcoin ransoms and such).

Some call Russia's cybercrime gangs “Putin's privateers” for this reason; their relationship to their leader is a bit like Sir Walter Raleigh's to Elizabeth I.
posted by acb at 3:57 PM on May 12, 2017 [15 favorites]


so, what you're saying is, if you are a nation-wide health organization, have a well-funded and staffed IT department using fairly common and well-known IA practices?

This shit isn't a mystery to anyone, nor a surprise...didn't i see a meme recently that said something like, at the beginning of every disaster film, there's a scientist (or engineer) being ignored?

I'll just say now what I told my boss (right before he sacked me): you can pay for IA now, or you can pay later. but pay you will.
posted by j_curiouser at 6:21 PM on May 12, 2017 [4 favorites]




> you don't even want antivirus software kicking off at random and slowing shit up

I'm not a Microsoft hater, I'm pretty OS agnostic in my daily computing. But why the fuck would you use Windows to drive something like this? There are operating systems specifically designed for tasks like this, such as QNX. This is gross incompetence on display by the manufacturers and so-called engineers.
posted by Jimbob at 8:07 PM on May 12, 2017 [12 favorites]


> They need to start paying their fucking ransoms right now.

What are the odds of actually getting a decryption key even if you did pay up? Does anyone ever actually get their files back by paying a ransom?
posted by straight at 8:33 PM on May 12, 2017


I'd expect the really life-and-limb critical systems, e.g. controller of gamma-ray surgery, run inside an air gap. The medical devices are connected with controllers, but no part of the critical network ever interfaces with the Internet.

But if you cripple a large number of public-facing systems, the end result is worse, because business can't get through, and in this case the business is life-and-limb.

Speaking of prevention, I think there are some things you can do for your security, in addition to cjorgensen's list.

- Never let anyone else plug anything into your computer's sockets. Never trust an unknown device.
- Block malware domains in your browser (some do this by default, but the blocklist may not be enough). For example, I use uBlock Origin with the "Badware risks," "Malvertising," and "Malware domains" blacklists.
- Don't run Adobe Acrobat unless absolutely necessary. Especially don't run it as a browser plugin. Don't enable any unnecessary browser plugin at all (e.g. office documents). In Adobe Acrobat, disable JavaScript (AAAAAAGH). In your office software, disable scripting (AAAAAGH).
- I don't know about you people, but I absolutely forbid my email client from interpreting emails as HTML. Everything must be in plaintext. And absolutely no rendering of remote content.
posted by runcifex at 8:36 PM on May 12, 2017 [7 favorites]


> Never let anyone else plug anything into your computer's sockets. Never trust an unknown device.

Great advice. Utterly unrealistic for most people doing work and collaborating with large files.

> Don't run Adobe Acrobat unless absolutely necessary.

Great advice. Unfortunately, again, for a whole bunch of people it remains absolutely necessary.
posted by Jimbob at 9:22 PM on May 12, 2017 [7 favorites]


'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack:
> However, a UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and activated a “kill switch” in the malicious software.
>
> The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.
>
> “I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying. The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second.
>
> “They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”
posted by TheophileEscargot at 9:32 PM on May 12, 2017 [14 favorites]




It's hard to say who to pay the ransom to: the Russian mobsters behind this, or the software company that makes money building forced obsolescence into its products. Someone's going to make a lot of money off this, either way.
posted by a lungful of dragon at 1:23 AM on May 13, 2017


Good tech analysis here: http://blog.talosintelligence.com/2017/05/wannacry.html
posted by Caractacus at 2:07 AM on May 13, 2017 [1 favorite]


runcifex: All those are good principles, but none of them would necessarily protect you from WannaCrypt, which is spreading through a wormable bug in Microsoft’s SMB stack that affects every version of their OS (except Windows 10 I believe). One infected PC can infect all the others on your internal network - it only takes one misconfigured firewall or someone plugging a previously infected device in to compromise everything else.
posted by pharm at 3:07 AM on May 13, 2017 [2 favorites]


the Russian mobsters behind this

I'd have thought by now they have gone as far off the grid as is possible (although this may well just be a Yacht moored off Sochi if they actually made money before the high reproduction number of the virus made it blow up).

The potential exploits in XP were really just a factor of the codebase size and time, it would have been nice if MS had offered patches at cost for medical organisations given that there can be tight coupling between the OS and medical systems that makes upgrading expensive (in downtime, debugging, re-skilling and £).

From http://www.silicon.co.uk/security/nhs-hospitals-data-risk-outdated-windows-xp-201761 it seems like the Gov't really fscked up here,
This deal came to an end in May 2015 and was not renewed, with the government citing “good progress in moving away from Windows XP across departments and government organisations”.
The use of the weasel word 'progress' rather than substantive figures suggests that they knew there were still a lot of XP systems out there (presumably they had access to the data that Motherboard got via FOI requests). Guessing that in a climate where austerity is king it looked like an easy place to cut some costs. So, incompetent or evil.
posted by Buntix at 3:15 AM on May 13, 2017 [2 favorites]


GCHQ proving that timing is everything: ooops.
posted by Buntix at 3:32 AM on May 13, 2017 [4 favorites]




I wonder if the NHS has opinions on vaccinations and herd immunity.
posted by vbfg at 4:07 AM on May 13, 2017 [4 favorites]


I wonder if the NHS Secretary of State for Health Jeremy Hunt has opinions on vaccinations and herd immunity.
posted by Mister Bijou at 4:20 AM on May 13, 2017 [3 favorites]


The Register:
Here are some quick links to much more technical details we've gathered:
Scroll down
posted by Mister Bijou at 5:01 AM on May 13, 2017 [1 favorite]


Microsoft patches XP... Not that this is operating the equine egress limitation device after the quadruped has destinated elsewhere, or anything.

MS' own role in this isn't stellar. Is it ethical to abandon your customers - or to hold them to ransom by demanding millions to keep them safe? That's a complicated question about the extent of and limits to responsibility, not helped by the software industry's lax attitude to liability in general. You can look at the history of IT over the past twenty years and completely understand how events like this occur, but not have a clear understanding of how they can practically be avoided.

I don't think the answer is technical; it's regulatory. You can't run an office with 1950s electrical wiring, because it's against the law, it will invalidate your insurance, etc. Likewise, you have to adhere to current accounting rules, which change; employee legislation ditto.

So, the running of software or devices connected to the public internet should also follow rules. They don't have to specify what or how, just mandate that it should be covered by an effective security update policy that can be demonstrated to conform to best practice. Your OS supplier could manage that for you, or if it wants to rid itself of the burden of support (and encourage upgrades) it can cease providing that and force its customers to change, or it could hand over legacy software to a third party. It all depends how it wants to treat its customers, and its customers can decide for themselves whether that's the way they want to go.

Embedded systems should absolutely not be exempt. If you are producing one of those, you have the responsibility to make sure it doesn't malfunction. Non-compliance is not an option. Why should it be? It is not impossible to design a system that can be upgraded without killing you, it's that the old model of pre-Internet design is no longer applicable.

This would also be a good thing with respect to the IoT clusterfuck that's congealing from the primordial stew. Not a magic fix, but a limiting factor.
posted by Devonian at 5:31 AM on May 13, 2017 [7 favorites]


spreading through a wormable bug in Microsoft’s SMB stack that affects every version of their OS (except Windows 10 I believe)

Just for clarity, this exploit has been patched in all supported versions of Windows. So on the desktop side Windows 7, 8.1 and 10 are all fine if you have updates turned on. If you aren't running one of those with automatic updates turned on, do that as soon as you can, however they released updates for systems outside support earlier today.
posted by markr at 5:32 AM on May 13, 2017 [1 favorite]


Am I too pessimistic for thinking that the Tories and their sympathetic press will Chewbacca-defence this into being a case for their proposed encryption ban and real-time mass-surveillance capabilities, which will now be rushed into law with no effective opposition, and the press will blame this on The Traitor Snowden having given the bad guys our secret weapons, to the effect that they'll be burning Snowden effigies every Guy Fawkes Day from now on?
posted by acb at 8:36 AM on May 13, 2017 [1 favorite]


I hope not. None of that would have helped in the slightest in this case, and if anything it's highlighted the ineptitude of the government in understanding and managing practical cybersecurity. It's given a lot more ammunition to the sane.

Not that sanity is at any sort of premium at the moment, but every little helps.
posted by Devonian at 8:46 AM on May 13, 2017




I don't think the answer is technical; it's regulatory.

I expect all the affected NHS computers have been PAT tested...
posted by Helga-woo at 11:17 AM on May 13, 2017 [1 favorite]


What are the odds of actually getting a decryption key even if you did pay up? Does anyone ever actually get their files back by paying a ransom?

Nearly 100% chance of getting your files back if you pay. I was as surprised as anyone but ransomware is big business. The usual problem is that they want you to pay in bitcoin and often they don't speak good English.
posted by RustyBrooks at 12:10 PM on May 13, 2017


Hah, though, although tens or hundreds of thousands of machines are infected, they have netted only $18k ($300 per payment or about 60 payers)
posted by RustyBrooks at 12:52 PM on May 13, 2017


It appears this malware was a kinda rush job since some dude managed to shut it down accidentally:

"I can only add "accidentally stopped an international cyber attack" to my Résumé."

More: How to Accidentally Stop a Global Cyber Attacks
posted by jeffburdges at 1:51 PM on May 13, 2017 [3 favorites]


I wouldn't say he shut it down accidentally. More like, he discovered how it could be shut down accidentally. I don't know if that's a mark of it being a "rush job" or not. As a kill switch mechanism it's a little sloppy but it's kind of an interesting method, because unless the kill switch has to be thrown, it makes it harder to track down the origin of the malware. Compare that to, for example, if it checks an existing domain/website/email address/whatever. When someone finds THAT killswitch in the code they can look and see who owns or operates or has access to that.
posted by RustyBrooks at 1:55 PM on May 13, 2017 [1 favorite]


Waiting for the next edition of the malware where registering the domain activates the "delete all data" function, and instead of being an accidental hero, someone becomes "the dude who destroyed the world".....fun times....
posted by inflatablekiwi at 2:01 PM on May 13, 2017


so it looks like the "connection to a random hardcoded domain" thing was a tactic to avoid detection by antivirus. an antivirus runs executables in a sandbox environment in which presumably any attempt at making an outbound connection automatically succeeds. if you write your code to try connecting to a domain that you know doesn't exist, and it succeeds, then you exit immediately without getting to the malicious part and you evade detection. of course, the whole thing falls apart if someone actually goes and registers that domain, which is why this isn't particularly sophisticated.

this made a lot more sense to me after reading it than the "kill switch" theory some people were writing about earlier.
posted by indubitable at 4:27 PM on May 13, 2017 [10 favorites]


Hot Pastrami!: "PSA: If you are on a Mac, the free software RansomWhere is a handy tool to detect ransomware-like behavior. If it detects lots of files being locked rapidly (which is behavior used by all known ransomware, but occasionally used by legitimate software), it'll pause the process until you give it permission to continue. If the locking process name looks fishy, you can terminate it, and only a few files are successfully locked. If you were doing something where locking files is expected, such as installing a new program, and the process name looks right, you can resume the process to continue normally.

There may be an equivalent for Windows, but I cannot attest to the quality of any of those."

I've been using Cybereason's Ransomfree, which seeds your top-level folders with decoy files that it monitors for attempted encryption -- it was effective against WannaCry, fwiw.
posted by Rhaomi at 10:58 PM on May 13, 2017 [6 favorites]
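
The decoy-file monitoring described in the comment above, together with the "lots of files being locked" signal from the quoted RansomWhere description, sketched as an added example. This is not RansomFree's or RansomWhere's code; the decoy names, the 7.0 bits/byte entropy threshold and the `.locked` suffix in the demo are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Hypothetical decoy names, chosen to sort first and last in a directory listing.
DECOY_NAMES = ("!000_accounts.docx", "~zzz_backup.xlsx")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def seed_decoys(folder):
    """Write decoy files into folder; return a {path: sha256} baseline."""
    baseline = {}
    content = b"Quarterly figures - do not edit\n" * 64
    for name in DECOY_NAMES:
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(content)
        baseline[path] = hashlib.sha256(content).hexdigest()
    return baseline

def check_decoys(baseline, entropy_threshold=7.0):
    """Return (path, reason) alerts for decoys that vanished or changed."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing (deleted or renamed)"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            high = shannon_entropy(data) >= entropy_threshold
            alerts.append((path, "rewritten with high-entropy data" if high else "modified"))
    return alerts

if __name__ == "__main__":
    folder = tempfile.mkdtemp()
    baseline = seed_decoys(folder)
    first, last = sorted(baseline)
    # Constructed stand-in for an encryptor: random bytes in place, then a rename.
    with open(first, "wb") as f:
        f.write(os.urandom(4096))
    os.rename(last, last + ".locked")
    for path, reason in check_decoys(baseline):
        print(f"ALERT {os.path.basename(path)}: {reason}")
```

A real monitor would run the check on file-system change events rather than on demand, and would suspend the writing process on the first alert, since only the files touched before the decoy are lost.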


WannaCry Ransomware Made Amateur Mistakes (WIRED, May 15, 2017), or "how to build a better ransomware virus"

The attack built off of one of the leaked NSA "tools" without much thought about how it would unfold, and
At last count, the group behind WannaCry has earned just over $55,000 from its internet-shaking attack, a small fraction of the multimillion-dollar profits of more professional stealthy ransomware schemes. “From a ransom perspective, it’s a catastrophic failure,” says Craig Williams, a cybersecurity researcher with Cisco’s Talos team. “High damage, very high publicity, very high law-enforcement visibility, and it has probably the lowest profit margin we’ve seen from any moderate or even small ransomware campaign.”
Seems that low ransom price wasn't particularly well thought-out, and worse (for the victims), the ransomware doesn't generate a victim-specific unique bitcoin address, but uses one of four hardcoded addresses, which means 1) "the criminals themselves have had to figure out which computer to decrypt as ransoms come in," and 2) it's a whole lot easier for investigators to tie this back to the culprits.
posted by filthy light thief at 2:05 PM on May 15, 2017 [1 favorite]






Dr Pound from Nottingham University installs WannaCry deliberately on a VM then talks about it.
posted by rongorongo at 4:24 AM on May 16, 2017


Anyone keeping tabs, was it DPRK? I've suggested elsewhere that it was something of a failure as it got out of hand too fast and if you're a pro-ransom-artist you keep out of the international press.
posted by sammyo at 4:32 PM on May 17, 2017




The Grugq believes that a North Korean based APT was probably responsible.
posted by pharm at 11:54 PM on May 20, 2017


Michael Pound's second video on WannaCry explains how the designers of the malware may have gone about the task of actually encrypting everybody's files. Being able to encrypt all files on a computer sufficiently rapidly for them not to notice, sufficiently well for them not to be able to undo the operation, with a key which is transmitted to the designers but not knowable by anybody else and in a manner which (theoretically) allows for the correct individual decryption key to be issued upon ransom payment - is pretty challenging.
posted by rongorongo at 3:53 AM on May 22, 2017


I think you linked your own history there, but there is no reason for the malware to transmit the key anywhere. Instead, your malware knows only a public key consisting of an elliptic curve point A = a G for which the malware author knows the private key consisting of the scalar a.

On infection, your malware creates a private scalar b, computes the key exchange s[0] = b A as well as the public curve point B = b G, and immediately erases the private scalar b. You now make s[0] as the root of a hash iteration "ratchet" given by s[i+1] = Hs(s[i]) and k[i] = HK(s[i]). You now have an unlimited supply of k[i] to use as keys to encrypt individual files. Anytime you need a new k[i], you compute both k[i] and s[i+1] and permanently erase s[i]. You must record which i corresponds to which file somewhere too.

Now the malware author can compute s[0] = a B if the victim supplies B. If the victim pays up, then they get s[0] from which the malware decrypts everything. If the victim wants proof that the malware author can decrypt, then they must supply some i too, and the malware author supplies them with only k[i] to decrypt that one file. Individual files should be MACed with their k[i] anyways, so maybe the malware author would ask for it. s[0] should be MACed too, just so the malware can give proper error messages.

If you want to encrypt the drive faster than the drive can write, then perhaps you could encrypt the drive's directory structure first, but this sounds beyond the scope of most malware.

Increasingly, there are secure enclaves in devices like TPM and UEFI's Secure Boot on Intel platforms and TrustZone on ARM. These technologies might help protect the system from some attacks, but they enable malicious like DRM as well. Matt Green predicts that future malware will utilize these technologies exactly like DRM does. So..

CryptoLocker 2020 will encrypt your files without the key exchange above, instead storing s[0] itself in your TPM. If it observes you making the required Zcash/BTC/etc payment then it'll unlock your files, but now even the arrest of the malware authors will not be able to stop their creation from extorting money.
posted by jeffburdges at 2:53 PM on May 22, 2017 [2 favorites]


I've always assumed Zcash, BitCoin, etc. simply cannot function once the miner rewards dry up, simply because the transaction fees must then pay for the power consumption and hardware of the whole network, which makes Visa's 3% look measly by comparison.

Imagine however if Zcash, BitCoin, etc. all had shrinking money supplies due to (a) zombie ransomware sending money into possible voids belonging to arrested, killed, etc. malware authors, and (b) companies stockpiling them to pay ransoms. We could have ever increasing coin prices with no appreciable supply, ever decreasing transactions, and no real limit on transaction fees. In the end, China could release the malware themselves just to pump up transactions and exchange rates, as all miners operate in China.

If malware is the killer app for BitCoin then BitCoin never needs to become a usable transaction system.
posted by jeffburdges at 4:26 PM on May 22, 2017




This thread has been archived and is closed to new comments