Ransomware 2.0 Much Worse than 1.0 — No Kill Switch
New Variant Of ‘Ransomware’ Begins To Spread: “We’ve Never Seen Anything Like This”
Governments and companies around the world began to gain the upper hand against the first wave of the unrivaled global cyberattack this morning.
More than 200,000 computers in at least 150 countries have so far been infected, according to Europol, the European Union’s law enforcement agency. The U.K.’s National Cyber Security Centre said new cases of so-called ransomware are possible “at a significant scale.”
“For now, it does not look like the number of infected computers is increasing,” said a Europol spokesman. “We will get a decryption tool eventually, but for the moment, it’s still a live threat and we’re still in disaster recovery mode.”
The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts warned the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn’t or didn’t download a security patch released in March that Microsoft had labeled “critical.”
“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” wrote the researcher, who uses the Twitter name @MalwareTechBlog.
“So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”
But the world is still digging out…
Europol executive director Rob Wainwright told Britain’s ITV television on Sunday that the attack had been “unprecedented”. “We’ve never seen anything like this,” he said.
In China, “hundreds of thousands” of computers were affected, including petrol stations, cash machines and universities, according to Qihoo 360, one of China’s largest providers of antivirus software. The malware affected computers at “several” unspecified Chinese government departments, the country’s Cyberspace Administration said on its WeChat blog Monday. Since that initial attack, agencies and companies from the police to banks and communications firms have put preventive measures in place, while Qihoo 360 Technology Co., Tencent Holdings Ltd. and other cybersecurity firms have begun making protection tools available, the internet overseer said.
French carmaker Renault said its Douai plant, one of its biggest sites in France employing 5,500 people, would be shut on Monday as systems were upgraded.
At Germany’s national Deutsche Bahn railroad, workers were laboring under “high pressure” Monday to repair remaining glitches with train stations’ electronic departure boards, a spokesman said.
In Japan, Hitachi Ltd. said that some of its computers had been affected.
In South Korea, CJ CGV Co., the country’s largest cinema chain, said advertising servers and displays at film theaters were hit by ransomware. Movie servers weren’t affected and are running as normal, it said in a text message Monday.
Indonesia’s government reported two hospitals in Jakarta were affected.
About 97 percent of U.K. facilities and doctors disabled by the attack were back to normal operation, Home Secretary Amber Rudd said Saturday after a government meeting. At the height of the attack Friday and early Saturday, 48 organizations in the NHS were affected, and hospitals in London, North West England and Central England urged people with non-emergency conditions to stay away as technicians tried to stop the spread of the malicious software.
As Microsoft’s president and chief legal officer, Brad Smith, said in a blog post Sunday:
“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen,” Smith wrote.
“The governments of the world should treat this attack as a wake up call.”
And waking up they seem to be… (as Axios notes)
President Trump’s homeland security adviser, Tom Bossert, said that Friday’s global cyberattack is something that “for right now, we’ve got under control” in the U.S., reports AP:
“Bossert tells ABC’s ‘Good Morning America’ that the malware is an ‘extremely serious threat’ that could inspire copycat attacks. But Microsoft’s security patch released in March should protect U.S. networks for those who install it.”
“Microsoft’s top lawyer has criticized U.S. intelligence for ‘stockpiling’ software code that can aid hackers. Cybersecurity experts say the unknown hackers behind the latest attacks used a vulnerability exposed in U.S. government documents leaked online.”
“Bossert said ‘criminals’ are responsible, not the U.S. government. Bossert says the U.S. hasn’t ruled out involvement by a foreign government, but that the recent ransom demands suggest a criminal network.”
However, new variants of the rapidly replicating malware were discovered Sunday. One did not include the so-called kill switch that allowed researchers to interrupt the malware’s spread Friday by diverting it to a dead end on the internet.
As Bloomberg reports, Matt Suiche, founder of United Arab Emirates-based cyber security firm Comae Technologies, warns that a new version of the ransomware may also have been spreading over the weekend.
About 50% of machines that would have spread the infection by the second variation of the malware have Russian I.P. addresses, according to Suiche.
Over 40,000 machines appear to have been infected by the second variation of the malware already.