"The fact of the matter is that governments and businesses around the world should not only feel old, they should feel humiliated and disgraced." -- Adam Currie via TheDuran.com per ZeroHedge
On Friday, May 12th, 2017, over 230,000 computers and servers that were still running the long-outdated Windows XP platform were hit by a variation of the WannaCry virus. People in 150 countries were affected, notably thousands of patients seeking health services in the U.K. Apparently, during an era when City of London bankers have enjoyed unprecedented wealth, the health services in the U.K. have been too underfunded to keep up with their Microsoft patches and operating system upgrades.
Interestingly, the ransomware attack didn't make much of a splash in the U.S., which passed the day largely unaffected. On the other hand, Russia was unhappily one of the countries that saw the infection within its borders. Some news bloggers have suggested this might have something to do with the prevalence of pirated copies of Windows sitting all over Russian desktops. Naturally, those copies are always update-free.
This 2-minute news video from Al-Jazeera asks UK residents to describe what they came up against last Friday morning when they checked in at hospitals and clinics:
ZeroHedge re-posted comments by Adam Currie, as referenced at the top of this page, which in essence stated that people get the viruses they deserve. You can't ignore those annoying Windows Update demands forever. According to the UK Mirror, a whopping 140 million computers are still running Windows XP. And that means this brush fire might not yet be permanently extinguished.
MalwareTech Guy to the Rescue
The interesting part of this hacker event was how its kill switch became evident. A hacker group known as Shadow Brokers is being blamed for the incident. The website DrGregScott.com explains what happened:
"Apparently, the US National Security Agency found a Windows vulnerability at an unspecified time in the past and kept it a secret. Somebody penetrated the NSA earlier this year and stole more secrets, including this vulnerability, and a group that calls themselves Shadow Brokers published it. Somebody looked at what Shadow Brokers published and built a malicious software package around this vulnerability to scramble documents, emails, databases, and pretty much everything useful it can find. The malicious software also searches the network to which it’s connected for other vulnerable systems, copies itself to those systems, and exploits the vulnerability to launch a copy of itself on the new system. Once unleashed, it spread fast, shutting down a large telecom carrier in Spain and several hospital chains in England. Apparently, the Russian Interior Ministry and several universities in China were also victims. It’s come to be known as the WannaCry worm."
A dynamic duo of two geeks extraordinaire named "Kafeine" and "MalwareTech" inadvertently discovered WannaCry's kill switch. Once you hear how the virus killed itself, you might wonder admiringly at its simplicity. According to this summary at JSonline.com [linked here]:
"MalwareTech noted that Kafeine passed him the sample so he could begin to reverse engineer it to see how it did what it was doing.
One of the first things MalwareTech noticed was that as soon as it installed itself on a new machine, the malware tried to send a message to an unregistered Internet address, or domain name.
He promptly registered that domain, so he could see what it was up to. This was at around 3 p.m. in London, 10 a.m. ET.
The registration wasn't done on a whim, he noted. "My job is to look for ways we can track and potentially stop botnets (and other kinds of malware)," he wrote on his blog.
However, in doing so, MalwareTech had inadvertently stopped the entire global attack in its tracks, though it took him and others awhile longer to realize it.
"Humorously," he wrote, "at this point we had unknowingly killed the malware."
The malware contained computer code that pinged an unregistered Web address, and if it didn't get back a message saying the address didn't exist, it would turn itself off. Computers that were already infected with the ransomware weren't protected but the ransomware stopped spreading except in isolated systems, said Williams."
The virus was expecting one particular domain name to be "dead," i.e. unregistered. For as long as its lookups of that domain came back as undeliverable, the virus kept running and spreading. But once that domain was registered and went "live," the lookups stopped bouncing back, and the virus shut itself down. That is how the brush fire from last Friday got halted. For now.
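The kill-switch check described above gives defenders a simple detection signal: any host that looked up the kill-switch domain at all was running the worm, whether the answer was NXDOMAIN (check failed, infection carried on) or a live address (check succeeded, worm halted). The following Python scanner is an added example, not code from this page or from MalwareTech; the domain name and the DNS log lines are constructed placeholders, since the page does not quote the real domain.

```python
import re
from collections import defaultdict

# Hypothetical placeholder; the real kill-switch domain is not quoted on this page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample DNS resolver log lines (not real data), in a simple
# "timestamp client query rcode" layout.
SAMPLE_DNS_LOG = """\
2017-05-12T14:05:11Z 10.0.4.17 killswitch-domain.example NXDOMAIN
2017-05-12T14:05:12Z 10.0.4.17 www.example.org NOERROR
2017-05-12T14:40:03Z 10.0.9.8 killswitch-domain.example NXDOMAIN
2017-05-12T15:02:44Z 10.0.2.3 KILLSWITCH-DOMAIN.example. NOERROR
2017-05-12T15:10:00Z 10.0.4.17 killswitch-domain.example NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def normalize(domain):
    """Lower-case and strip a trailing dot so spelling variants compare equal."""
    return domain.rstrip(".").lower()

def classify_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client: [(timestamp, outcome), ...]} for kill-switch lookups.

    outcome is "continued" when the resolver answered NXDOMAIN (the domain
    was still unregistered, so the check failed and the worm carried on)
    and "halted" when it resolved (the domain was live, so the worm stopped).
    Either way the client is an infected host that needs triage.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines
        ts, client, qname, rcode = m.groups()
        if normalize(qname) != normalize(domain):
            continue
        outcome = "continued" if rcode == "NXDOMAIN" else "halted"
        hits[client].append((ts, outcome))
    return dict(hits)

def suspect_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Sorted list of clients that performed the kill-switch check at all."""
    return sorted(classify_lookups(log_text, domain))
```

This only catches strains that use a domain you already know; a variant with no kill switch, or a different domain, produces no such lookups.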
Not Much of a Ransom
I wondered if any of the victims actually paid the Bitcoin ransom. According to KrebsOnSecurity.com, only a handful of people paid up. Other news reports have mused that, with so much public scrutiny on this WannaCry attack, it's unlikely that the perps will risk detection by actually picking up their loot. Krebs said that only $26,000 was paid by the victims to the hackers [linked here]:
"As thousands of organizations work to contain and clean up the mess from this week’s devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done. But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what’s being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam."
That raises the question of whether this attack might have been the work of somebody who really doesn't need the money. Or perhaps it was done for the usual hacker sociopath notoriety motives: "I climbed the mountain because it was there" type of thing.
Dead or Just Sleeping?
As noted above, 100 million computers still run Windows XP and are still vulnerable to attack. Could it happen again? You bet it can. In fact, a computer virus, like the real thing, can mutate. That same website, DrGregScott.com, comments on the likelihood of a second appearance of the virus:
"This specific outbreak is contained. But it’s trivial to introduce another strain without a kill switch, or that checks for a different domain name registration. Just like biological viruses mutate, WannaCry will too."
That website has more Q&A's on the whole WannaCry affair plus a link to Microsoft's WinXP update page if you need to get the patch. And shame on you if you do.
Yes, yes, we all hate sitting like an idiot in front of our Windows screens wondering how an update can be "100% complete" and yet unfinished at the same time. So if that is exactly what you are doing right now, I'll leave you with a classic croon from Lesley Gore to pass the time:
My contact information, with a link to my Karatbars portal, is found at my billboard page at SlayTheBankster.com. Listen to my radio show, Bee In Eden, on YouTube via my show blog at SedonaDeb.wordpress.com.