Microsoft, Kaspersky & Symnantec Weigh In On WannaCry Ransomware

Uploaded on 2017-05-16 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Two top security firms have found evidence linking the WannaCry ransomware to the prolific North Korean Cybergang known as Lazarus Group.

Kaspersky and Symantec both said that technical details within an early version of the WannaCry code are similar to code used in a 2015 backdoor created by the government-linked North Korean hackers, who were implicated in the 2014 attack on Sony Pictures and an $81m heist on a Bangladeshi bank in 2016. 

Lazarus Group has also been known to use and target Bitcoin in its hacking operations. The similarities were first spotted by Google security researcher Neal Mehtaand echoed by other researchers including Matthieu Suiche from UAE-based Comae Technologies.

WannaCry or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor is a ransomware program targeting the Microsoft Windows operating system. 

On Friday, 12 May 2017, a large cyber-attack was launched using it, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency Bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale.

Starting first in the United Kingdom and Spain, the malicious “WannaCrypt” software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. Like previous ransomware, the attack spreads by phishing emails, but also uses the EternalBlueexploit developed by the US National Security Agency (NSA) to spread through a network which has not installed recent security updates to directly infect any exposed systems. A "critical" patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, but many organizations had not yet applied it. 

Those still running exposed older, unsupported operating systems were initially at particular risk, such as Windows XP and Windows Server 2003, but Microsoft has now taken the unusual step of releasing updates for these. Shortly after the attack began, a web security researcher known by his Twitter account MalwareTech, found an effective kill switch which slowed the spread of infection, but new versions have now been detected that lack the kill switch. The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. 

Microsoft Unsupported Networks

A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.

All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. 

Microsoft takes every single cyber-attack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.

At the same time, it’s already apparent that there will be broader and important lessons from the “WannaCrypt” attack we’ll need to consider to avoid these types of attacks in the future. I see three areas where this event provides an opportunity for Microsoft and the industry to improve.

As a technology company, Microsoft has the first responsibility to address these issues. We increasingly are among the first responders to attacks on the internet. We have more than 3,500 security engineers at the company, and we’re working comprehensively to address cybersecurity threats. This includes new security functionality across our entire software platform, including constant updates to our Advanced Threat Protection service to detect and disrupt new cyberattacks. In this instance, this included the development and release of the patch in March, a prompt update on Friday to Windows Defender to detect the WannaCrypt attack, and work by our customer support personnel to help customers afflicted by the attack. But as this attack demonstrates, there is no cause for celebration. We’ll assess this attack, ask what lessons we can learn, and apply these to strengthen our capabilities.

Working through our Microsoft Threat Intelligence Center (MSTIC) and Digital Crimes Unit, we’ll also share what we learn with law enforcement agencies, governments, and other customers around the world.

This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. 

How to defend against the ransomware

  •  The vulnerability does not exist within Windows 10, the latest version of the software, but is present in all versions of Windows prior to that, dating back to Windows XP.
  •  As a result of Microsoft’s first patch, users of Windows Vista, Windows 7, and Windows 8.1 can easily protect themselves against the main route of infection by running Windows Update on their systems. In fact, fully updated systems were largely protected from WanaCrypt0r even before Friday, with many of those infected having chosen to delay installing the security updates.
  • Users of Windows XP, Windows Server 2003 and Windows 8 can defend against the ransomware by downloading the new patch from Windows.
  •  All users can further protect themselves by being wary of malicious email attachments, another major way through which the ransomware was spread.

As cyber-criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.

At the same time, we have a clear understanding of the complexity and diversity of today’s IT infrastructure, and how updates can be a formidable practical challenge for many customers. Today, we use robust testing and analytics to enable rapid updates into IT infrastructure, and we are dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. 

Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today, nation-state action and organised criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyber-space to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. 

And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyber-attacks, regardless of their nationality. Whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cyber-security attacks. 

More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognise our responsibility to help answer this call, and Microsoft is committed to doing its part.

Guardian 1:     Wikipedia:      Microsoft:   Guardian 2:

You Might Also Read:

Massive Ransom Attack Hits 99 Countries:

SWIFT Hackers Linked to ‘North Korean’ Lazarus Group:

Shadow Brokers Release Secret List Of NSA-Compromised Servers:

National Security Chief Talks About The UK’s Cyber Dangers:

 

 

 

« Systemic Cyber Attacks Most Likely In Finance & Energy Industries
What Every CISO Needs To Know »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

IT GRC Forum

IT GRC Forum

The IT GRC Forum is an online resource and networking platform for the Governance, Risk Management, and Compliance (GRC) community

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

The main objective of the Hub is to bring cybersecurity and other advanced technologies closer to companies and as a result help to increase their performance as Industry 4.0.

Eskive

Eskive

Eskive is a Brazilian cyber security awareness and education platform that empowers users and strengthens their company in the face of cyber threats.

Center for Cyber & Homeland Security (CCHS)

Center for Cyber & Homeland Security (CCHS)

The Center for Cyber and Homeland Security at Auburn University is a nonpartisan think tank that works to develop innovative strategies to address current and future threats to the United States.

Accelerator Frankfurt

Accelerator Frankfurt

Accelerator Frankfurt is an independent go-to-market program focused on Fintech, Cybersecurity and Digital B2B startups.

Grayshift

Grayshift

Grayshift is the leading provider of mobile device digital forensics, specializing in lawful access and extraction.

CyberPeace Foundation

CyberPeace Foundation

CPF is a think tank of cybersecurity and policy experts with the vision of pioneering Cyber Peace Initiatives to build collective resiliency against CyberCrimes and global threats of cyber warfare.

Advantio

Advantio

Advantio offers a unique combination of technologies and managed, advisory and testing services to increase your cyber resilience and compliance.

Spyderbat

Spyderbat

Spyderbat ATI closes the manual investigation gap between detection and response by instantly presenting causally connected threat activity to security analysts at the onset of an investigation.

Mr Backup (MRB)

Mr Backup (MRB)

MRB offers Data Protection as a Service for businesses looking to reduce the time, cost and complexity of securing your company data.

Trusted Cyber Solutions

Trusted Cyber Solutions

Trusted Cyber Solutions is an independent Cyber Security and Risk Management consultancy.

ALSCO

ALSCO

ALSCO is dedicated to bringing first class IT services, technical support, and solutions to goverment, companies and organizations worldwide.

GTT Communications

GTT Communications

GTT are a global network provider that serves thousands of multinational and national enterprise, government and carrier customers with a portfolio of advanced connectivity and security services.

Gotham Security

Gotham Security

Gotham Security delivers high-quality penetration testing, malicious adversary simulation, compliance program development, and threat intelligence services.

Aegis9

Aegis9

Aegis9 is an Australian owned and sovereign consultancy that specialises in providing tailored security solutions for both public and private sector clients based on their specific needs.

St Fox

St Fox

St. Fox is a leading consultancy helping enterprises secure their Cloud, Data, endpoints, and applications.