  1. Global Ransomware Cyberattack - Any Detroit Victims?

    A massive, likely the largest ever, criminal cyberattack that launched yesterday has locked down countless computers shutting down business, university, hospital and governmental operations world-wide. Has anyone heard of any Detroit-based institutions being affected?

    Searching for Detroit-affected news, I find none but this isn't something that the affected parties might want known. It could embarrass many with customers and likely they are quietly paying the ransom.

    For those new to this, computers are hacked, or more often their users are tricked, and malicious software is loaded. During an attack, like yesterday's, ransomware is simultaneously activated, and encrypts [locks] all the files on the hacked computer. When the user attempts to use the files they are informed that they can only be unlocked by paying a ransom of $300 in bitcoin, a virtual currency that is difficult to track.

    According to the NY Times a British researcher inadvertently shut down the attack preventing its widespread proliferation in the US although this graphic clearly shows many hits.

    [Attached image: cyber.jpg]

    The hacking tools used were part of the suite stolen from the NSA, which goes to show, as throughout history, if you create a weapon sooner or later your enemy or the gangsters will get it.

    The cyberattack was able to spread so quickly in part because of its high level of sophistication. The malware, experts said, was based on a method that the N.S.A. is believed to have developed as part of its arsenal of cyberweapons. Last summer, a group calling itself the “Shadow Brokers” posted online digital tools that it had stolen from the United States government’s stockpile of hacking weapons.
    It also underlines the need for a global cyber-security arms treaty.

    Do you have all your systems and software updated?

  2. #2

    This is one reason proper backups are important. To recover, you would wipe your disk clean, restore the original system files then selectively restore any critical locked files from backup, being careful not to restore the sleeping malware at the same time. It's a pain but it's one remedy that the bad guys can't defeat.

    I was wondering how many DetroitYES! users were affected but I'm guessing they wouldn't be able to tell us if they were. LOL!

    I heard Microsoft was working on this problem even for their XP versions they no longer support.

  3. #3

    Here is an email from Malwarebytes which gives some background info (including Microsoft's actions) as well as to how Malwarebytes are handling it.

    The emphasis below is mine.

    Dear ,
    A massive ransomware attack spread across the globe today, locking up thousands of hospital, telecommunications, and utilities systems in nearly 100 countries. The attack used data stolen from the NSA to exploit vulnerabilities in Microsoft Windows and deliver the WanaCrypt0r ransomware. The demand was for $300 per PC.
    While the ransomware was first detected wreaking havoc in emergency rooms and doctors' offices in the UK, the infection quickly spread worldwide, including to the US.
    We're alerting you to reassure you that if you're currently using the premium version (or the premium trial) of Malwarebytes with real-time protection turned on, you are protected from this threat. Our premium technology blocks the WanaCrypt0r ransomware before it can encrypt your files. (The free version of Malwarebytes, however, does not protect you against WanaCrypt0r. To see which version you have, open up your Malwarebytes software and look for the version name at the top of the window.) Learn more about Malwarebytes
    If you're not currently using the premium version of Malwarebytes, we recommend that you update your Microsoft Windows software immediately. Microsoft released a patch for this vulnerability in March, but many users haven't updated, leaving their computers open to this attack.
    Here at Malwarebytes, we pledge to keep you protected and informed about the latest issues. Your peace of mind is our number one priority.
    Sincerely,
    The Malwarebytes team
    P.S. Learn more about this threat here.
    Last edited by emu steve; May-13-17 at 02:13 PM.

  4. #4

    Quote Originally Posted by emu steve View Post
    Here is an email from Malwarebytes which gives some background info (including Microsoft's actions) as well as to how Malwarebytes are handling it.

    The emphasis below is mine.

    Dear ,
    A massive ransomware attack spread across the globe today, locking up thousands of hospital, telecommunications, and utilities systems in nearly 100 countries. The attack used data stolen from the NSA to exploit vulnerabilities in Microsoft Windows and deliver the WanaCrypt0r ransomware. The demand was for $300 per PC.
    While the ransomware was first detected wreaking havoc in emergency rooms and doctors' offices in the UK, the infection quickly spread worldwide, including to the US.
    We're alerting you to reassure you that if you're currently using the premium version (or the premium trial) of Malwarebytes with real-time protection turned on, you are protected from this threat. Our premium technology blocks the WanaCrypt0r ransomware before it can encrypt your files. (The free version of Malwarebytes, however, does not protect you against WanaCrypt0r. To see which version you have, open up your Malwarebytes software and look for the version name at the top of the window.) Learn more about Malwarebytes
    If you're not currently using the premium version of Malwarebytes, we recommend that you update your Microsoft Windows software immediately. Microsoft released a patch for this vulnerability in March, but many users haven't updated, leaving their computers open to this attack.
    Here at Malwarebytes, we pledge to keep you protected and informed about the latest issues. Your peace of mind is our number one priority.
    Sincerely,
    The Malwarebytes team
    P.S. Learn more about this threat here.
    If you have installed Win10 Creators Update and the security updates you are quite safe from WCry malware. If you're running Win7, Win8 you need to install the Microsoft patch. For those foolish enough to be running XP, how stupid can you be?

    BTW, WCry uses an exploit developed by the NSA - a favorite of Trumpy.

    https://www.eff.org/deeplinks/nsa-spying

  5. #5

    Yes.

    I believe now some cybersecurity folks have 'stumbled' on the solution to this outbreak.

    http://money.cnn.com/2017/05/13/tech...ack/index.html

  6. #6

    Quote Originally Posted by emu steve View Post
    Here is an email from Malwarebytes which gives some background info (including Microsoft's actions) as well as to how Malwarebytes are handling it.

    ...We're alerting you to reassure you that if you're currently using the premium version (or the premium trial) of Malwarebytes with real-time protection turned on, you are protected from this threat. Our premium technology blocks the WanaCrypt0r ransomware before it can encrypt your files. (The free version of Malwarebytes, however, does not protect you against WanaCrypt0r....
    Ha. I saw that too. Malwarebytes is 'handling it' by doing their variation of ransomware by saying [in so many words] "If you are using our freeware version and don't have our PAID premium version you're screwed". Nothing like turning a disaster into a marketing opportunity.

    I happen to have the premium version and like their software but I found that kind of shady and disappointing.

  7. #7

    Edward Snowden (verified account) @Snowden May 12

    Edward Snowden Retweeted Edward Snowden:
    If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened

  8. #8

    Quote Originally Posted by Lowell View Post
    Ha. I saw that too. Malwarebytes is 'handling it' by doing their variation of ransomware by saying [in so many words] "If you are using our freeware version and don't have our PAID premium version you're screwed". Nothing like turning a disaster into a marketing opportunity.

    I happen to have the premium version and like their software but I found that kind of shady and disappointing.
    Lowell, what you say is true.

    The bigger questions, partially unanswered are:

    1). If I (or where I work) faithfully does their Microsoft patches, am I safe? (The answer seems to be 'yes'.)

    2). Does my anti-virus (e.g., Malwarebytes, McAfee, etc.) provide protection if I failed to properly patch my system (#1 above)?

    As I understand it, there are multiple layers of defense, especially in enterprise computing. The thought is that all layers need to fail before someone is exposed. Malwarebytes has publicly spoken. Not sure about McAfee, PCMatic, etc. etc.

    As was indicated earlier, some in Europe, etc. were using Windows XP which is no longer supported by Microsoft which means Microsoft was not providing the basic protection at the operating system level. That means the protection would fall to the anti-virus product.

    Pushing patches in enterprise computing is hardly 100%.
    Last edited by emu steve; May-14-17 at 05:19 AM.

  9. #9

    Quote Originally Posted by clubboss View Post
    Edward Snowden (verified account) @Snowden May 12

    Edward Snowden Retweeted Edward Snowden:
    If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened
    No one besides the FBI gives a rat's-ass about Edward Snowden anymore, he has nothing left to offer. Now he's an opinionated cyber-security expert. Hope he's enjoying his borscht for breakfast.
    Last edited by Honky Tonk; May-14-17 at 07:19 AM.

  10. #10

    Since the relevant security patch was released by Microsoft two months ago for Windows 10, 8.1, 7, and even Vista, this is an unfortunate exercise in seeing who willfully disregards their own security by either deliberately not patching or running badly out-of-date operating systems like Windows XP.

    Keep your systems up to date!

  11. #11

    Quote Originally Posted by Honky Tonk View Post
    No one besides the FBI gives a rat's-ass about Edward Snowden anymore, he has nothing left to offer. Now he's an opinionated cyber-security expert. Hope he's enjoying his borscht for breakfast.
    Isn't that the featured White House specialty these days?

  12. #12

    Quote Originally Posted by Junjie View Post
    Since the relevant security patch was released by Microsoft two months ago for Windows 10, 8.1, 7, and even Vista, this is an unfortunate exercise in seeing who willfully disregards their own security by either deliberately not patching or running badly out-of-date operating systems like Windows XP.

    Keep your systems up to date!
    Indeed.

    Sounds like companies in certain industries, e.g., health care, are slacking on IT spending.

    Before I retired, our domain admins would use SMS to push patches and McAfee updates.

    We took it seriously and had weekly domain admin meetings where we reviewed data on compliance.

    When we imaged PCs we had an image which was up to date on Microsoft patches, McAfee, etc. so whenever a new device was connected to the network it was 100% compliant with all software, patches, etc.

    Being 95% up to date (compliant) when an enterprise has thousands of devices is a lot of vulnerable devices.
    Last edited by emu steve; May-14-17 at 11:00 AM.

  13. #13

    Quote Originally Posted by Jimaz View Post
    This is one reason proper backups are important. To recover, you would wipe your disk clean, restore the original system files then selectively restore any critical locked files from backup, being careful not to restore the sleeping malware at the same time. It's a pain but it's one remedy that the bad guys can't defeat.

    I was wondering how many DetroitYES! users were affected but I'm guessing they wouldn't be able to tell us if they were. LOL!

    I heard Microsoft was working on this problem even for their XP versions they no longer support.
    The backup must be from the cloud or on a device that is only connected while doing the backup, or the ransomware will encrypt the backup also.

  14. #14

    Not being all that Tech-savvy, I have gathered the following: it was a pervasive virus that grabbed folks' attention with the "noise" it made. What damage it could do (or info it could actually steal besides just locking down a system) is as vague as someone with something jabbing within their pocket saying "this is a stick-up" (thank my brother for that analogy).

    I respect the British guy who did some disarming by buying the domain it was rooted in for $11. This and the guy in Grand Rapids who "saved" us with a kill switch, who said it was kind of an amateur set-up - like overthinking the matter would've overlooked it. What isn't amateur is the use of stolen NSA codes that made it so powerfully invasive.

    What agency or world power would have access to that? Also, was it just a "testing of the waters" as a prelude to something far worse to come?

    Personally, I (and my family) have been receiving emails (in their spam) - again - using names (referring to owners of used bookstores that used to be in Dearborn or those I knew from my activities with F-N-B. - both topics I've discussed openly on this forum) to entice to click (but the domains were phishing operations with names like "rhymeswithnog.com/fantastic.php").

  15. #15

    So if you use, for example a portable hard drive to backup your files the virus may pass onto that drive as well? (Apple Mac User)... Not sure what you meant. Thanks.

    Quote Originally Posted by ddaydetroit View Post
    The backup must be from the cloud or on a device that is only connected while doing the backup, or the ransomware will encrypt the backup also.

  16. #16

    Quote Originally Posted by Zacha341 View Post
    So if you use, for example a portable hard drive to backup your files the virus may pass onto that drive as well? (Apple Mac User)... Not sure what you meant. Thanks.
    Sorry, late night half asleep post. When you are done backing up an external hard drive, it must be unplugged from your computer or the virus will encrypt the files on the backup drive also. The best bet is to back up to a cloud server.
    Last edited by ddaydetroit; May-15-17 at 07:52 AM.

  17. #17

    I do not understand how these big companies and government offices got hit so hard; people need to get fired. I own a small company of 25 people. All my computers regularly get the latest Windows updates, have antivirus and Malwarebytes installed, and are backed up every day to a backup drive and to the cloud, and my most important file, QuickBooks, is backed up 3 times a day: once to an external hard drive, once using the cloud backup program that comes installed with QuickBooks, and once to the company cloud backup, SpiderOak. I also use an advanced firewall, pfSense, that gets updated daily for the latest threats. If I owned a big corporation and got hit with this ransomware that was totally preventable, the guy in charge of IT would be fired.
    Last edited by ddaydetroit; May-15-17 at 09:34 AM.

  18. #18

    I used to work IT in a large federal agency and we had almost no cyber issues.

    We took patching, A/V, etc. very seriously. The server team sent out patches, A/V files, forced reboots to ensure patches were installed, etc.

    It is IT ops which needs to be done well.

  19. #19

    Quote Originally Posted by ddaydetroit View Post
    I do not understand how these big companies and government offices got hit so hard; people need to get fired. I own a small company of 25 people. All my computers regularly get the latest Windows updates, have antivirus and Malwarebytes installed, and are backed up every day to a backup drive and to the cloud, and my most important file, QuickBooks, is backed up 3 times a day: once to an external hard drive, once using the cloud backup program that comes installed with QuickBooks, and once to the company cloud backup, SpiderOak. I also use an advanced firewall, pfSense, that gets updated daily for the latest threats. If I owned a big corporation and got hit with this ransomware that was totally preventable, the guy in charge of IT would be fired.
    It's good that you do all that. It gives you a fighting chance because while prevention is a must, the real game is not about prevention, it's about recovery.
    Yet you can do all that but it doesn't stop someone from bribing/extorting your IT guy who has all the keys and knows where all the bodies are buried. That's how the NSA tools got out, that is how Snowden and Bradley Manning made their dumps.

    From what I am reading as this spread across Asia today most computers getting hit are those using stolen operating system software that doesn't benefit from being able to update. Winners = Microsoft and Malwarebytes.

  20. #20

    Here's the Wikipedia article: WannaCry ransomware attack.

  21. #21

    Yes, and it appears that the most vulnerable O/S is XP as Microsoft terminated support years ago and yes, Microsoft got serious years ago about not updating bootlegged copies of their O/S.

    So unpatched or bootleg copies of other O/S are at risk.

    Interesting, I emailed a fmr. colleague at work today (headquarters of a federal agency) and asked their reactions:

    "(name) mentioned management was losing their shit over the weekend, but she told them if she wasn't worried they didn't need to be either."

    This manager is responsible for IT ops at headquarters of this agency.

    This is a case of understanding the exposure and risk. Apparently this manager was 100% sure that the headquarters computers were at zero risk.

    This agency has a robust cyber-security operation.

    I later heard on local radio this afternoon that it was a total non-issue for the federal government.

    I remember the federal government was pushing hard a half dozen years ago to get rid of XP.
    Last edited by emu steve; May-15-17 at 06:26 PM.

  22. #22

    Got it! Thanks.

    Quote Originally Posted by ddaydetroit View Post
    Sorry, late night half asleep post. When you are done backing up an external hard drive, it must be unplugged from your computer or the virus will encrypt the files on the backup drive also. The best bet is to back up to a cloud server.

  23. #23

    Please be advised the Ransomware malwarebytes have a delivery system by e-mail. I have made my own patch to lock to any bad warebytes to my e-mail account via spam. Only I have to do is deleted away.

  24. #24

  25. #25

    This has nothing to do with the attack, but the Win 10 anniversary update patch, screwed my computer up Sunday. It said don't turn off your computer, while it updates, after I rebooted it, all my startup programs on the desktop, have disappeared. Called Microsoft and they said it will take 48 hrs before a tech will get back to me. Total BS.
