Seeking Advice After Cyberattack News

[lennygoran]

Any thoughts or advice for the average consumer like me would be appreciated on this cyberattack. Regards, Len

Ransomware’s Aftershocks Feared as U.S. Warns of Complexity


By DAVID E. SANGER, SEWELL CHAN and MARK SCOTT MAY 14, 2017


The components of the global cyberattack that seized hundreds of thousands of computer systems last week may be more complex than originally believed, a Trump administration official said Sunday, and experts warned that the effects of the malicious software could linger for some time.

As a new workweek started Monday in Asia, there were concerns the malicious software could spread further and in different forms, with new types of ransomware afflicting computers around the globe.

There were initial reports of new cases found over the weekend in Japan, South Korea and Taiwan.

President Trump has ordered his homeland security adviser, Thomas P. Bossert, who has a background in cyberissues, to coordinate the government’s response to the spread of the malware and help organize the search for who was responsible, an administration official said Sunday.

The attack is more complicated because “the experts tell us that this code was cobbled together from many places and sources,” according to an administration official who insisted on anonymity to discuss the government’s cybersecurity plans. The more potential sources of the malicious code, the harder it is for investigators to run down the trail of possible perpetrators.


The source of the attack is a delicate issue for the United States because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cybertools developed by the National Security Agency.

Government investigators, while not publicly acknowledging that the computer code was developed by American intelligence agencies as part of the country’s growing arsenal of cyberweapons, say they are still investigating how the code got out. There are many theories, but increasingly it looks as though the initial breach came from an insider, perhaps a government contractor.

Copycat variants of the malicious software behind the attacks have begun to proliferate, according to experts who were on guard for new attacks. “We are in the second wave,” said Matthieu Suiche of Comae Technologies, a cybersecurity company based in the United Arab Emirates. “As expected, the attackers have released new variants of the malware. We can surely expect more.”

The National Police Agency in Japan found two computers with the malicious software over the weekend, according to reports by NHK, the national broadcaster. One instance was found on a personal computer in a hospital and the other on a private citizen’s home computer. A hospital in Taiwan also reported that one of its computers was compromised, Taiwan’s Central News Agency said Sunday.

Five businesses in South Korea reported ransomware attacks over the weekend, according to the government’s internet security agency, and a Korean theater chain said late-night moviegoers on Sunday alerted them when computer ransom notes appeared on screens instead of programmed advertisements.

The spread of the malicious software, or malware, has focused attention on several questions, including why a software patch, issued by Microsoft in March, was not installed by more users. But for many systems, especially older systems, such patches are not installed automatically — a fact the hackers took advantage of. Microsoft has not said how it became aware of the vulnerability, but it seems likely it was tipped off by the National Security Agency.

Brad Smith, the president and chief legal officer of Microsoft, said in a blog post Sunday that the attack should be a “wake-up call” for the tech industry, consumers and governments.

Mr. Smith said that Microsoft had the “first responsibility” for addressing vulnerabilities in its software, and that customers must be vigilant. But he said the latest attack showed the dangers of governments’ “stockpiling of vulnerabilities.”

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Mr. Smith wrote.

So far, the main targets of the attack have been outside the United States. But neither the federal government nor American corporations assume that this will continue to be the case.

Britain’s National Cyber Security Center said Sunday that it had seen “no sustained new attacks” but warned that compromised computers might not have been detected yet and that the malware could further spread within networks.

Monday could bring a wave of attacks to the United States, warned Caleb Barlow, the vice president of threat intelligence for IBM. “How the infections spread across Asia, then Europe overnight will be telling for businesses here in the United States,” he said.

The cyberattack has hit 200,000 computers in more than 150 countries, according to Rob Wainwright, the executive director of Europol, Europe’s police agency.

Among the organizations hit were FedEx in the United States, the Spanish telecom giant Telefónica, the French automaker Renault, universities in China, Germany’s federal railway system and Russia’s Interior Ministry. The most disruptive attacks infected Britain’s public health system, where surgeries had to be rescheduled and some patients were turned away from emergency rooms.

A 22-year-old British researcher who uses the Twitter name MalwareTech has been credited with inadvertently helping to stanch the spread of the assault by identifying the web domain for the hackers’ “kill switch” — a way of disabling the malware. Mr. Suiche of Comae Technologies said he had done the same for one of the new variants of malware to surface since the initial wave.

On Sunday, MalwareTech was one of many security experts warning that a less-vulnerable version of the malware is likely to be released. On Twitter, he urged users to immediately install a security patch for older versions of Microsoft’s Windows, including Windows XP. (The attack did not target Windows 10.)

Robert Pritchard, a former cybersecurity expert at Britain’s defense ministry, said that security specialists might not be able to keep pace with the hackers.

“This vulnerability still exits; other people are bound to exploit it,” he said. “The current variant will make its way into antivirus software. But what about any new variants that will come in the future?”

Allan Liska, an analyst with Recorded Future, a cybersecurity company, said a new version of the ransomware he examined Sunday did not have the kill switch. “This is probably version 2.1, and it has the potential to be much more effective — assuming security defenders haven’t spent all weekend patching,” he said.

The Microsoft patch will help, but installing it across large organizations will take time.

Microsoft has complained for years that a large majority of computers running its software are using pirated versions. The spread of hacking attacks has made legal versions of software more popular, as they typically provide automatic updates of security upgrades.

Governments around the world were bracing themselves for new attacks.

“Please beware and anticipate, and take preventive steps against the WannaCry malware attack,” Indonesia’s communication and information minister, Rudiantara, who like many Indonesians uses only one name, said Sunday at a news conference.

He confirmed that one hospital — Dharmais Hospital in the capital, Jakarta, which specializes in cancer treatment — had been afflicted by the malware, but without major effects on patients.

In Britain, fallout continued Sunday. Two opposition parties, the Labour Party and the Liberal Democrats, asserted that the governing Conservative Party had not done enough to prevent the attack. With a general election June 8, officials have been racing to get ahead of the problem.

Britain’s defense minister, Michael Fallon, told the BBC on Sunday that the government was spending about 50 million pounds, about $64 million, to improve cybersecurity at the National Health Service, where many computers still run the outdated Windows XP software, which Microsoft had stopped supporting.

A government regulator warned the N.H.S. in July that updating hardware and software was “a matter of urgency,” and noted that one hospital had already had to pay £700,000, about $900,000, to repair a breach that began after an employee clicked on a web link in an unsafe email.



https://www.nytimes.com/2017/05/14/worl ... v=top-news

[John F]

According to the news story, there's a security patch for all versions of Windows, and all Windows users should make sure their version is fully updated. Exception: Windows 10 is apparently not vulnerable. I suppose there are people out there who avoid installing Microsoft's updates, just as there are people who don't have their children vaccinated for measles. The consequences can be deadly.

(No mention of the Mac operating system anywhere, which of course is different from Windows, so it may not be vulnerable to this attack.)

Not much specific information yet that I can find, but a NY Times story on Sunday says that this malware is transmitted by email. That means the villains had to have the email addresses, and the recipients did not observe the normal precautions when dealing with email in their in-boxes.

If a computer is infected with ransomware, there are quite a few sites with how-to advice, but if you have valuable files on your computer that you haven't backed up and don't want to lose, you may have to pay whatever the hacker demands.

So: keep a sharp watch on incoming email and when in the slightest doubt, delete it unread. Keep your operating system updated. Back up all the files you would hate to lose. Sensible people are doing all of these already, so they shouldn't be hit by this ransomware, and if they are, the consequences may not be so bad. According to the stories in the NY Times.

I've no doubt that the anti-malware program vendors are also trying to provide protection, scanning our incoming email and warning us if something bad is detected. But if this malware was indeed crafted by our own National Security Agency, it may be beyond them. Also, such programs can only be updated after the malware has struck and been detected, so you can't count on it alone.

[jserraglio]

A good antivirus is essential. I use VIPRE, supplied by my employer. But there are many other good ones, reasonably priced. Check out this PCMag article:

Best Ransomware Protection of 2017
http://www.pcmag.com/roundup/353231/the ... protection

As a backup (no antivirus is perfect) I downloaded Malwarebytes https://www.malwarebytes.com and run it every couple weeks. Use the free version. No need to pay for real-time protection.

And Malwarebytes has released a beta version of a dedicated anti-ransomware product:
Malwarebytes Anti-Ransomware https://www.bleepingcomputer.com/downlo ... ansomware/


-----------------------------------------------------------------------------------------

An additional course of action is optional, but almost foolproof. Image or clone your drive. It won't cost a bundle: the software will cost you something unless you use freeware and you'll definitely have to buy an external drive. But with an image or clone in place, you can politely invite any intruder from Timbuktu to furgle his/her own orifices.

http://www.pcmag.com/article2/0,2817,2421302,00.asp?

[lennygoran]

According to the news story, there's a security patch for all versions of Windows, and all Windows users should make sure their version is fully updated. Exception: Windows 10 is apparently not vulnerable. I suppose there are people out there who avoid installing Microsoft's updates, just as there are people who don't have their children vaccinated for measles. The consequences can be deadly.

(No mention of the Mac operating system anywhere, which of course is different from Windows, so it may not be vulnerable to this attack.)

Not much specific information yet that I can find, but a NY Times story on Sunday says that this malware is transmitted by email. That means the villains had to have the email addresses, and the recipients did not observe the normal precautions when dealing with email in their in-boxes.

If a computer is infected with ransomware, there are quite a few sites with how-to advice, but if you have valuable files on your computer that you haven't backed up and don't want to lose, you may have to pay whatever the hacker demands.

So: keep a sharp watch on incoming email and when in the slightest doubt, delete it unread. Keep your operating system updated. Back up all the files you would hate to lose. Sensible people are doing all of these already, so they shouldn't be hit by this ransomware, and if they are, the consequences may not be so bad. According to the stories in the NY Times.

I've no doubt that the anti-malware program vendors are also trying to provide protection, scanning our incoming email and warning us if something bad is detected. But if this malware was indeed crafted by our own National Security Agency, it may be beyond them. Also, such programs can only be updated after the malware has struck and been detected, so you can't count on it alone.

John thanks-I'll be doing more backup! Len

[lennygoran]

A good antivirus is essential. I use VIPRE, supplied by my employer. But there are many other good ones, reasonably priced. Check out this PCMag article:

Best Ransomware Protection of 2017
http://www.pcmag.com/roundup/353231/the ... protection

As a backup (no antivirus is perfect) I downloaded Malwarebytes https://www.malwarebytes.com and run it every couple weeks. Use the free version. No need to pay for real-time protection.

And Malwarebytes has released a beta version of a dedicated anti-ransomware product:
Malwarebytes Anti-Ransomware https://www.bleepingcomputer.com/downlo ... ansomware/


-----------------------------------------------------------------------------------------

An additional course of action is optional, but almost foolproof. Image or clone your drive. It won't cost a bundle: the software will cost you something unless you use freeware and you'll definitely have to buy an external drive. But with an image or clone in place, you can politely invite any intruder from Timbuktu to furgle his/her own orifices.

http://www.pcmag.com/article2/0,2817,2421302,00.asp?

Thanks, I have 2 external hard drives. Len

[Chalkperson]

don't use microsoft or google, buy an apple phone.

[lennygoran]

don't use microsoft or google, buy an apple phone.

Chalkie thanks but just last week I updated to a new Samsung android smartphone--Verizon gave us 2 tablets that were nearly free. I just don't see apple in my future. Regards, Len

[John F]

These elaborate suggestions, though certainly well informed, appear to be needless. Just guard against dangerous email, keep your Windows and anti-malware software updated, and back up your files. And of course keep an eye on the news for further developments.

Looks like it's definitive that this malware was created and previously used by the National Security Agency. They call it EternalBlue.

https://www.washingtonpost.com/business ... story.html

It's past time for the NSA to go public with its defenses against its own cyberweapon. Not that they will...

[jserraglio]

It did not work for me. I routinely did all that you suggest, and these are very important things to do, but still had my machine infected.

I was informed by my employer's IT pro that all he had to do to eliminate my problems was to run Malwarebytes. It's free, a snap to install, not at all an elaborate solution. He suggested I do this myself, and since then I have had no problems.

Same with my wife's computer which is used only to browse innocuous sites like Facebook. I ran Malwarebytes and was surprised to find infections that had slipped by her standard malware protection. Malwarebytes zapped them all.

Another precaution would be to install tracker blockers like Ghostery and AdGuard as browser extensions. I did this on her computer in Firefox. Since then, no problems.

[John F]

Thanks for correcting me (and the NY Times's advice, at https://www.nytimes.com/2017/05/15/tech ... tacks.html) and giving advice from your experience.

Here's a follow-up story:

Victims Call Hackers’ Bluff as Ransomware Deadline Nears
By PAUL MOZUR and MARK SCOTT
MAY 19, 2017

With the clock ticking on whether a global hacking attack would wipe out his data, Bolton Jiang had no intention of paying a 21st-century ransom. Since a week ago, when the malware first struck, Mr. Jiang has been busily fixing and replacing computers at the electronics company where he works in Shanghai. Paying is a bother, he said, and there was no guarantee he would get his data back. “Even if you do pay, you won’t necessarily be able to open the files that are hit,” he said. “There is no solution to it.”

Tens of thousands of computer users around the world faced the same dilemma on Friday, their last chance to pay the anonymous hackers behind the ransomware attack known as WannaCry. The malicious software exposed the widespread vulnerability of computers and offered a peek at how a new type of crime could be committed on a global scale. As part of the hacking, attackers demanded that individuals pay a fee to regain control of their machines, or face losing their data.

The latest strain of ransomware was particularly virulent, experts warned, because it had been based on software stolen from the National Security Agency. Law enforcement agencies in the United States and elsewhere have been hunting for the culprits, with attention focused on hackers linked to North Korea.

Despite a week of widespread disruption, the total ransom paid so far looks relatively modest. An online tracking system showed that the amount sent in the electronic currency Bitcoin to accounts listed by the attackers had begun to plateau on Wednesday, and had reached about $90,000 on Friday afternoon in Europe. Early estimates of what the virus could ultimately earn had ranged into the tens of millions or even hundreds of millions of dollars. Victims have seven days to pay from when their computers were originally infected, so the deadline will vary from case to case.

A number of people and companies have struck a defiant tone. The Japanese conglomerate Hitachi, which had been identified in the news media as a victim, declined to confirm those reports on Friday but said that it had no intention of paying a ransom and that it aimed to be fully secure against future attacks by Monday. Nissan Motor, another Japanese industrial giant, also said it would not pay a ransom. Its factory in Sunderland, England, was affected, but the company said it had not lost data.

Owners of the more than 200,000 computers across the globe that have been hit by the malware face similar decisions. Those affected, including hospitals, government offices and universities, have lost access to business information, term papers and even medical records that could involve matters of life or death.

In Britain, whose National Health Service was one of the largest organizations affected by the ransomware, some medical institutions were still struggling to get back on their feet. Barts Health, one of the country’s largest hospital groups, said that it had been forced to cancel 20 percent of outpatient appointments, as well as to cut back on nonemergency surgeries.

Yet cybersecurity experts have generally advised those affected not to pay. “It costs the perpetrators peanuts to carry out an attack like this,” said Rafael Sanchez, an international breach response manager at Beazley, an insurer in London that has handled thousands of ransomware attacks for corporate clients. “And any ransom will only likely lead to more attacks,” he added.

While some who had paid regained access to their files, according to the Finnish cybersecurity firm F-Secure, security analysts cautioned that there was no guarantee all WannaCry victims would. Because the attackers listed only three addresses as payment destinations, it would be difficult for them to determine which victims had paid, and therefore whose files to decrypt. “It looks like the attackers had no intent in decrypting anything,” said Tom Robinson, co-founder of Elliptic, a company in London that tracks online financial transactions involving virtual currencies that helps organizations respond to digital attacks.

https://www.nytimes.com/2017/05/19/busi ... dline.html