Microsoft this weekend unleashed its wrath on the National Security Agency, alleging it was responsible for the ransomware attack that began last week and has spread to thousands of corporate, government and individual computer systems around the world.
Microsoft Chief Legal Officer Brad Smith launched a blistering attack on the NSA and governments worldwide, equating the ransomware attack with the U.S. military allowing the theft of a Tomahawk missile cache.
“This is an emerging pattern in 2017,” Smith wrote Sunday in an online post. “We have seen vulnerabilities stored by the CIA show up on Wikileaks and now this vulnerability stolen from the NSA has affected customers around the world.”
The attack illustrated a “disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation state action and organized criminal action,” Smith said.
Governments should treat the attack — which has impacted more than 300,000 computers in 150 countries, according to Trump administration officials — as a wake-up call, Smith added, reiterating Microsoft’s call for a Digital Geneva Convention to govern the worldwide use of cybertools.
New Variants Popping Up
The WannaCry exploit is part of a trove of hacking tools the Shadow Brokers allegedly stole from the NSA and then leaked to the Internet. The attack mechanism is a phishing operation that encrypts files using the AES-128 cipher, and demands a ransom ranging from US$300 to $600 in bitcoins in order for the data to be released.
WannaCry has targeted computers using Windows systems, particularly legacy systems. Microsoft earlier this year issued a patch to protect computers from the malware, but in many parts of the world, users of Windows XP or Windows Vista failed to upgrade their systems or download the patch.
Microsoft issued a new patch last week, as well as a patch that would cover the legacy systems, as it stopped providing routine upgrades for them last month.
Two additional variants of the WannaCry malware were patched versions — rather than recompiled versions from the original authors — according to Ryan Kalember, senior vice president of cybersecurity at Proofpoint, which helped stop the original strain of the virus last week.
The first variant, WannaCry 2.0(a) pointed its kill switch to a different Internet domain, which promptly was registered and sinkholed, he told the E-Commerce Times. The second variant, WannaCry 2.0(b) had its kill switch functionally removed, which allows it to propagate, but prevents it from properly deploying the ransomware payload.
Proofpoint has found new variants of ransomware emerging every two to three days for the last 14 months, said Kalember, so organizations need to make sure they have the latest patches.
The WannaCry worm will not infect computers that have been in sleep mode, even with Transmission Control Protocol port 445 open on an unpatched system, noted Trend Micro in a Monday online post.
Still, administrators should patch such machines, the company warned.
Return to Normalcy
Tom Bossert, the assistant to the president for homeland security and counterterrorism, addressed the issue at the White House daily press briefing.
Bossert spoke to his counterpart in the UK, he said, noting that no government systems were affected and less than $70,000 in ransom has been paid to release computers seized in the ransomware attack, worldwide.
The government was not aware of any payments resulting in data recovery, he added.
The Department of Homeland Security was aware of a small number of potential victims in the U.S. and was working with them to confirm and mitigate the threat, a DHS official who requested anonymity told the E-Commerce Times.
Federal Express “has resumed normal operations and systems are performing as designed,” said spokesperson Rae Lyn. The Ransomware attack disrupted the company’s sorting operation in Memphis, Tennessee, and it waived the guarantee on deliveries due last Saturday.
The National Health Service in the UK was working to recover from the ransomware attack, which led to widespread computer disruptions, ambulance diversions, and cancellations of surgeries and office appointments.
“There are encouraging signs that the situation is improving, with fewer hospitals having to divert patients from their A&E units,” said Anne Rainsberry, national incident director.
Two hospitals still were diverting patients, however. The Lister Hospital — East and North Hertfordshire NHS Trust was diverting patients for trauma, stroke and urgent heart attack treatment that would require diagnostic services. Also, Broomfield Hospital — Mid Essex Hospital Services was diverting trauma patients patients to Southend University Hospital.
The German Deutsche Bahn rail system largely has recovered from an attack of the initial strain of Wannacry, which caused electronic departure boards to display the hacker’s ransom demands, according to Lutz Miller, spokesperson for the rail service.
Train operations were not impacted, he told the E-Commerce Times, but some ticketing machines malfunctioned, and extra staff were positioned in affected rail stations.
Passengers were urged to use the DB Navigator or the DB Streckenagent apps.
The apps, the website, and customer service lines were not affected by the attack, Miller said, noting that it would take a few more days for departure boards to return to normal operation.
The city of Newark was hit by a ransomware attack last fall, but Frank Baraff, spokesperson for the city, told the E-Commerce Times that at the request of federal and state law enforcement, it would not comment further.
An FBI spokesperson would neither confirm nor deny the existence of an investigation.
The NSA did not respond to our requests to comment for this story.