WannaCry: How to protect yourself, what’s happened so far​ and what could happen next

16 May

have found evidence they said could link North Korea with WannaCry. Symantec and Kaspersky Lab say that some code in an earlier version of the ransomware had also appeared in programs used by another group that several companies have identified as a North Korea-run hacking operation.
  • Canada was largely spared from the first wave of WannaCry, and Bell Canada said Monday that the ransomware was unrelated to a recent security breach of its customer records. The telecom company apologized to customers after 1.9 million of its customer e-mail addresses were accessed illegally.
  • a patch (security bulletin MS17-010) in March for the Windows SMB flaw that the EternalBlue exploit targets.

  • Windows XP and Windows Server 2003: Microsoft didn’t issue a set of patches for some of its older, unsupported operating systems until May 12.
  • Don’t open that attachment: To avoid infection from ransomware e-mails, be careful about clicking on links or attachments in e-mails, especially if the sender is someone you don’t know. Look carefully to see if the e-mail is worded suspiciously, or if it comes from an address that seems to be imitating a sender that you trust; malware senders sometimes try to fool you. And to make sure your important files are safe if you do get infected, back them up on a secure device. Here are some more pointers from Microsoft on how to avoid ransomware infection.
  • A screenshot, provided by cybersecurity firm Symantec on May 15, 2017, shows a WannaCry ransomware demand.

    A data breach at telecom giant Bell Canada was not related to the WannaCry attack, the company said Monday after 1.9 million customer e-mail addresses were illegally accessed. “There is no indication that any financial, password or other sensitive personal information was accessed,” Bell said in a statement about the breach.

    How this man stopped WannaCry, for now

    British IT expert Marcus Hutchins has been branded a hero for slowing down the WannaCry global cyber attack. He gave his first face-to-face interview with Associated Press in Ilfracombe, England, on May 15, 2017.

    The defeat of WannaCry is widely credited to a 22-year-old British computer expert, Marcus Hutchins, who works for Los Angeles-based Kryptos Logic. He’s the one who discovered a so-called kill switch that slowed the unprecedented outbreak on Friday.

    In his first face-to-face interview, Mr. Hutchins told Associated Press Monday that he stumbled across the solution when he was analyzing a sample of the malicious code and noticed it tried to contact an unregistered web domain. He promptly registered the domain, something he regularly does to discover ways to track or stop cyber threats, and found that doing so stopped the worm from spreading: once the domain answered, newly infected machines shut themselves down instead of encrypting files and attacking their neighbours.

    Salim Neino, CEO of Kryptos Logic, said Mr. Hutchins took over the kill switch on Friday afternoon European time, and that doing so protected the United States from the worst of the ransomware:

    Marcus, with the program he runs at Kryptos Logic, not only saved the United States but also prevented further damage to the rest of the world. Within a few moments, we were able to validate that there was indeed a kill switch. It was a very exciting moment. This is something that Marcus validated himself.

    Mr. Neino said the company was not able to identify “patient zero,” the first system infected, which would give researchers more information about who was behind the attack. Nevertheless, he said the worm was “poorly designed” – patched together and a “sum of different parts” with an unsophisticated payment system.
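    The mechanism Mr. Hutchins described is simple enough to model. The following is an added illustration written for this page, not code from the article, from Kryptos Logic or from the malware itself: a worm that gives up whenever an HTTP request to a hard-coded domain succeeds, and a toy network in which "registering" the domain is all the defender does. The domain name, the `Network` model and the hosts are constructed stand-ins. The third scenario shows the caveat a practitioner would raise: hosts that cannot reach the internet directly (behind a proxy or egress filter) never see the domain answer, so for them the kill switch does nothing and the worm keeps spreading.

```python
"""Model of a reachability-based kill switch (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Stand-in name; the real sample's domain is deliberately not reproduced here.
KILLSWITCH_DOMAIN = "killswitch-placeholder.invalid"


@dataclass
class Network:
    """Toy 'internet': which domains are live, and which hosts have direct egress."""
    registered: Set[str] = field(default_factory=set)
    hosts_with_egress: Set[str] = field(default_factory=set)

    def http_get_ok(self, host: str, domain: str) -> bool:
        # The request only succeeds if the host can get out AND the domain is live.
        return host in self.hosts_with_egress and domain in self.registered


def sinkhole(net: Network, domain: str) -> None:
    """The defender's whole action: register the domain so it starts answering."""
    net.registered.add(domain)


def worm_run(host: str, net: Network, neighbours: List[str]) -> List[str]:
    """One execution on `host`: returns the neighbours it would attack,
    or an empty list if the kill-switch check succeeded and it exited."""
    if net.http_get_ok(host, KILLSWITCH_DOMAIN):
        return []                 # domain answered: stop before doing anything
    return list(neighbours)       # otherwise propagate (encryption omitted)


def simulate(net: Network, seeds: List[str], topology: Dict[str, List[str]],
             max_rounds: int = 10) -> Set[str]:
    """Breadth-first spread over `topology` (host -> reachable neighbours)."""
    infected = set(seeds)
    frontier = list(seeds)
    for _ in range(max_rounds):
        nxt = []
        for h in frontier:
            for target in worm_run(h, net, topology.get(h, [])):
                if target not in infected:
                    infected.add(target)
                    nxt.append(target)
        if not nxt:
            break
        frontier = nxt
    return infected


# Constructed topology: a..d have direct internet access, p1/p2 sit behind a proxy.
TOPOLOGY = {"a": ["b", "c"], "b": ["d"], "c": ["p1"], "p1": ["p2"], "d": [], "p2": []}
EGRESS = {"a", "b", "c", "d"}


def demo_before_sinkhole() -> Set[str]:
    net = Network(hosts_with_egress=set(EGRESS))
    return simulate(net, ["a"], TOPOLOGY)          # everything gets hit


def demo_after_sinkhole() -> Set[str]:
    net = Network(hosts_with_egress=set(EGRESS))
    sinkhole(net, KILLSWITCH_DOMAIN)
    return simulate(net, ["a"], TOPOLOGY)          # stops at the first host


def demo_proxied_segment() -> Set[str]:
    net = Network(hosts_with_egress=set(EGRESS))
    sinkhole(net, KILLSWITCH_DOMAIN)
    return simulate(net, ["p1"], TOPOLOGY)         # no egress: kill switch never fires


if __name__ == "__main__":
    print("before sinkhole :", sorted(demo_before_sinkhole()))
    print("after sinkhole  :", sorted(demo_after_sinkhole()))
    print("proxied segment :", sorted(demo_proxied_segment()))
```

    The point of the third run is that a sinkholed domain is a global brake, not a patch: any machine that cannot complete the request behaves exactly as if the domain were still unregistered, which is why patching and blocking inbound SMB remained necessary even after Friday.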

    Mr. Hutchins has long tweeted under the handle MalwareTech, which features a profile photo of a pouty-faced cat wearing enormous sunglasses. But he realizes his newfound fame will mean an end to the anonymity. After all, now he’s a computer celebrity; he’s been in touch with the FBI, as well as British national cyber-security officials.

    It is likely to be a big adjustment. Mr. Hutchins lives with his family in the seaside town of Ilfracombe, where he works out of his bedroom on a sophisticated computer setup with three enormous screens. He will soon become a local hero – but if you ask him, his life of celebrity will be short lived. “I felt like I should agree to one interview,” he said. But even that made the fame-averse Mr. Hutchins so nervous that he initially misspelled his last name, leaving out the letter “n” when doing a sound-level check for the cameras.

    His mother Janet, a nurse, couldn’t be prouder – and was happy to have the veil of anonymity lifted:

    I wanted to scream, but I couldn’t.

    Mr. Hutchins told Associated Press that he doesn’t consider himself a hero but fights malware because “it’s the right thing to do”:

    I’m definitely not a hero. I’m just someone doing my bit to stop botnets.

    Staff monitor the spread of ransomware cyberattacks at the Korea Internet and Security Agency in Seoul on May 15, 2017.

    What we still don’t know

    While security experts figured out fairly quickly how to slow down WannaCry, several mysteries remain about who started it and why it spread the way it did.

    Who was behind it?

    Some researchers have found evidence they say could link North Korea with the attack. A senior researcher from South Korea’s Hauri Labs, Simon Choi, told Reuters on Tuesday that the reclusive state had only been developing and testing ransomware programs since August. In one case, the hackers demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.

    Mr. Choi, who has done extensive research into North Korea’s hacking capabilities, said his findings matched those of Symantec and Kaspersky Lab, who say some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation. The Lazarus hackers have however been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81-million from the Bangladesh central bank, according to some cybersecurity firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

    How did it spread?

    Researchers are still unsure exactly how the malware got into networks in the first place, IBM Security’s Caleb Barlow told Reuters. Most cybersecurity companies have blamed phishing e-mails – e-mails containing malicious attachments or links to files that download the ransomware. The problem in the WannaCry case is that despite digging through IBM’s database of more than one billion e-mails dating back to March 1, Mr. Barlow’s team could find none linked to the attack.

    The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online. But the puzzle is how the first person in each network was infected with the worm, Mr. Barlow said.

    Some cybersecurity companies, however, say they’ve found a few samples of the phishing e-mails. FireEye told Reuters it was aware customers had used its reports to successfully identify some e-mails associated with the attack. But the company agrees that the malware relied less on phishing e-mails than other attacks. Once a certain number of infections was established, it was able to use the Microsoft vulnerability to propagate from machine to machine without any further e-mails.

    Why didn’t the hackers make more money?

    Only paltry sums were collected by the hackers, according to available evidence, mostly in the bitcoin cryptocurrency. There were only three bitcoin wallets, and the campaign has so far earned only $50,000 or so, despite the widespread infections. IBM Security’s Mr. Barlow said that single payments in some other ransomware cases were more than that, depending on the victim.

    Jonathan Levin of Chainalysis, which monitors bitcoin payments, told Reuters there were other differences compared to most ransomware campaigns: for instance, the lack of sophisticated methods used in previous cases to convince victims to pay up. In the past, this has included hot lines in various languages. And so far, Mr. Levin said, the bitcoin that had been paid into the attackers’ wallets remained there – compared to another campaign, known as Locky, which made $15-million while regularly emptying the bitcoin wallets.

    With reports from Josh O’Kane and Shane Dingman


    source : http://www.theglobeandmail.com/technology/wannacry-ransomware-protection-explainer/article35004214/?cmpid=rss1