The IT Nerd

Many news sites including Motherboard are reporting that a massive ransomware attack is underway. Computers in Spain, France, Ukraine, Russia, and other countries have apparently been hit by this:

The attacks bear some resemblance to the recent WannaCry outbreak, in which thousands of computer systems were locked down with ransomware around the world.

Motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.

“We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours,” Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat.

Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.

“If you see this text, then your files are no longer accessible, because they are encrypted,” the text reads, according to one of the photos. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

I suspect that this will be a very long day for IT admins in various places around the world. And we shouldn’t be shocked that this is happening as it was only a matter of time before something like this happened. The question is, how bad can this get?

Watch this space for updates as they come.

UPDATE: The ransomware in question is called Petya. Many security experts are theorizing that it is spreading so fast because it is leveraging the same NSA supplied attack vector that the last epic cyberattack used. Thus a fully patched Windows system should be able to be resistant to this ransomware.

UPDATE #2: McAfee’s Gary Davis has written a blog with three tips for consumers to keep their systems secure from ransomware attacks such as Petya.

I’m going to go out on a limb and say that heads are about to roll over this…. If they already haven’t. I say that because according to many outlets including Bloomberg, numerous Ohio Government website have been pwned by hackers who defaced the websites with messages purported to be from the terrorist group known as the Islamic State or IS:

Ten state websites and two servers were affected, and they’ve been taken off line for an investigation with law enforcement into how the hackers were able to deface them, said Tom Hoyt, a spokesman for the Ohio Department of Administrative Services.

The Ohio governor’s website wasn’t loading on Sunday afternoon, and a cached version showed the message “hacked by Team System Dz.’’ It said, “You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries’’ and added, “I love the Islamic state.”

Lovely. But I’m really not focused on whomever did this. The real question is why in 2017 was anyone actually able to do this? Website defacement isn’t new. Neither is how to defend against this sort of thing. Take these suggestions, or these suggestions for example. I’m sure as I am typing this there is a root cause analysis going on to figure out how these hackers got in, and who they are. The public will likely never see it, but it’s a safe bet that if someone in the IT department in Ohio screwed something up or missed something, they may be mass e-mailing their CV to find a new job in short order.

Another day, another data breach. This time it’s Zomato and the hack is big. Here’s the details via HackRead:

Recently, HackRead found out a vendor going by the online handle of “nclay” is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace.

The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit. Here’s a screenshot of the sample data publicly shared by “nclay.”

The company via a blog post has acknowledged that they’ve been pwned. Passwords have apparently been reset and Zomato are looking for any breaches in their system. But they also say that any credit card info that is stored on the system is secure. Thus there’s nothing to worry about. I am not so sure. If there’s a breach, anything could have been taken. And chances are it will only be discovered and/or admitted to much later. Thus, I’ll provide my standard advice. Assume the worst and take whatever precautions that you need to so that you’re protected.

What started out about a story about the NHS getting pwned by ransomware has now evolved into the biggest cyberattack in history. The New York Times has a map that illustrates how wide spread the attack is. The Financial Times has an excellent story on the attack itself which utilizes a piece of NSA developed malware to leverage poorly secured or antiquated systems running the Windows OS. In terms of the latter, the NHS in the UK was apparently running Windows XP systems which haven’t had security patches from Microsoft in years. Thus making them great targets for this sort of thing. You can bet that heads will roll over that. Organizations such as Fed Ex, Telefonica, Renault, The Russian Interior Ministry among others have hit by this cyberattack.

All is not lost though. Microsoft has added detection and prevention routines to their antivirus products. Other antivirus vendors are doing the same. And by sheer luck, A British cybersecurity researcher accidentally stopped the attack from spreading more widely.

The only good news is that this may be the event that finally forces companies and governments to take cybersecurity seriously. Not to mention the average consumer. After this calms down, I suspect that a serious rethink about how one protects themselves in the age of the cyberattack.

UPDATE: Microsoft has advice for customers here. This page also includes emergency patches for operating systems as far back as Windows XP.

UPDATE #2: If you are a network admin who wants to protect their network from potentially getting pwned by this, here’s what you need to know. Disabling SMBv1 disables the bug that the NSA sourced ransomware uses. Guidance on how to do that can be found here. This applies to devices like network attached storage boxes that may use SMBv1 as well. You should also firewall off SMB ports 139 and 445 from the outside world and restrict access to the service where possible on internal networks.

UPDATE #3: Another way to protect yourself is to ensure that your computer(s) are fully patched. Thus this is a really good time to run software update to make sure that you are covered. This applies to companies, governments, and individuals.

UPDATE #4: A reader just asked me if this ransomware affects Macs. It does not.

UPDATE #5: Motherboard is reporting that there is a new version of this ransomware. The difference is that this one cannot be stopped accidentally or otherwise. Thus we may about to see round two this cyberattack.

Across the United Kingdom, people were seeing Tweets like these pop up in their Twitter feeds:

The reason for this is simple. National Health Service hospitals (or NHS for short) have been pwned by ransomware in a co-ordianted attack. Here’s the details from the BBC:

Staff cannot access patient data, which has been scrambled by ransomware. There is no evidence patient data has been compromised, NHS Digital has said.

The BBC understands up to 25 NHS organisations and some GP practices have been affected.

It comes amid reports of cyber-attacks affecting organisations worldwide.

A Downing Street Spokesman said Prime Minister Theresa May was being kept informed of the situation, while Health Secretary Jeremy Hunt is being briefed by the National Cyber Security Centre.

According to cybersecurity firm Foursys The ransomware is holding each computer hostage for $300 in Bitcoin. The malware demands that hospitals pay by May 15, or all the encrypted files will be deleted by May 19. Ironically, this firm manages cybersecurity for 140 NHS sites. Read into that wha you will. Also of note, according to cybersecurity expert Brian Krebs, the ransomware was spread through a recently patched flaw Microsoft Windows SMB or Server Message Block service which Windows computers rely upon to share files and printers across a local network. Which implies that they didn’t patch their systems when the patch came out in March. #fail.

This is serious and proof that organizations of all sizes need to get serious about protecting themselves against this sort of attack.