A massive ransomware worm shut down computers all over the world over the weekend, in part by appropriating a National Security Agency (NSA) exploit that the mysterious group called Shadow Brokers released to the public last month.
The virus encrypts user files and demands a ransom in Bitcoin to release them.
Ars Technica reported last Friday:
The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia being disproportionately affected, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware is notable for its multi-lingual ransom demands, which support more than two-dozen languages.
On Sunday, Europol Director Rob Wainwright said, “The global reach is unprecedented. The latest count is over 200,000 victims in at least 150 countries, and those victims, many of those will be businesses, including large corporations.”
In a blog post on Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the U.S. National Security Agency, that leaked online in April.
“This is an emerging pattern in 2017,” Smith wrote. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith wrote. He added that governments around the world should “treat this attack as a wake-up call” and “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
British security researcher MalwareTech found and pulled WannaCrypt’s kill switch. An explanation of how it was done is provided here: How I Accidentally Stopped a Global Wanna Decryptor Ransomware Attack.
Despite that fix, the problem is growing, reports Zero Hedge:
However, new variants of the rapidly replicating malware were discovered Sunday. One did not include the so-called kill switch that allowed researchers to interrupt the malware’s spread Friday by diverting it to a dead end on the internet.
Bloomberg reports that Matt Suiche, founder of United Arab Emirates-based cyber security firm Comae Technologies, warns a new version of the ransomware may have also been spreading over the weekend.
About 50% of machines that would have spread the infection by the second variation of the malware have Russian I.P. addresses, according to Suiche.
Over 40,000 machines appear to have been infected by the second variation of the malware already.
CNET provides additional information on the new version:
The new ransomware demands 0.11943 bitcoin, or about $218. It uses all the same exploits as the WannaCry ransomware, including EternalBlue, a vulnerability first discovered by the NSA and leaked by the hacker group Shadow Brokers in April.
“These appear to be ‘patched’ versions of the original malware, rather than recompiled versions developed by the original authors,” Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, said.
He predicted that new, mutated variants of the global virus will continue to pop up at an alarming rate. In the last 14 months, Kalember said, there have been new variants of ransomware every two to three days.
You can track the spread of the ransomware on a live tracking map from MalwareTech.
There are some precautions you can take to try to protect your computer from the NSA’s virus, Claire Bernish of The Free Thought Project reports. For that list, please see The NSA’s Virus Can Still Destroy Your Data, Here Are 5 Ways to Make Sure It Won’t.
This report from ABC includes more information on the ransomware and how to protect yourself:
But this is just the tip of the iceberg, as Joe Joseph explains…
Originally published at DailySheeple.