If you were paying attention to Liberty Nation on May 13th and May 15th, you know that a huge ransomware worm has encrypted the hard drives of hundreds of thousands of computers, and over another million are still theoretically vulnerable. The worm’s name is WannaCry or WannaCrypt0r. It spreads itself across the Internet and private networks via email, compromised websites, or an NSA developed tool which exploits a vulnerability in Microsoft’s file and print sharing. Microsoft has released a patch to fix the vulnerability, but many systems are still unprotected. WannaCry has a built in kill switch which was discovered and triggered by a young British cyber-security researcher, which has slowed the spread of WannaCry and given the world time to fix the holes in their systems. Here is what’s new.
Heimdal Security has discovered a new ransomware variant they call Uiwix, which takes advantage of the same weaknesses as WannaCry, but it has no kill switch. Expect more of these improved knockoffs to show up very soon.
Microsoft laid partial blame for these attacks at the feet of government agencies that they claim are engaged in a “stockpiling of vulnerabilities” as weapons and called for new policies that put the security needs of consumers first. Russia, on the other hand, has blamed the United States in particular for the attack. As reported by the Independent, President Putin of Russia denied that Russia had anything to do with the ransomware and stated:
As regards the source of these threats, I believe that the leadership of Microsoft has announced this plainly, that the initial source of the virus is the intelligence services of the United States.
Once they’re let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators.
It is undisputed that the tools ETERNALBLUE and DOUBLEPULSAR exploits, which were developed by the NSA, are the tools which WannaCry uses to spread itself across networks automatically. It is also well known that a hacker group called Shadowbrokers released these stolen tools into the wild in April 2017. But who created and released WannaCry? Researchers are digging deep.
Kaspersky Labs reported that a researcher at Google suggested that there are similarities in the code of WannaCry and previous work by the Lazarus Group, a hacking collective linked to North Korea. Symantec has also identified tools that are exclusively used by Lazarus on machines that are infected by early versions of WannaCry. AFP says that South Korean internet security firm Hauri has warned that North Korea has been ramping up ransomware attacks to earn hard currency in light of economic sanctions, and will continue to do so using additional leaked NSA cyber weapons.
But WannaCry authors have made some serious mistakes. They have no means by which to tell who has paid them, and they have not included an automated way to decrypt the files on targeted machines. So there is no incentive for victims to pay the ransom. Not surprisingly, they haven’t collected much at all. Lazarus Group, on the other hand, has a reputation for being incredibly professional, pulling off such sophisticated hacks as the Sony Pictures hack, and an eighty-one million dollar theft from Bangladesh Bank, so there is significant skepticism in the hacker community regarding this attribution.
Ironically, Proofpoint reports that the Adylkuzz crypto-miner worm, which was spreading as early as April 24th, has limited the victim pool for WannaCry. This malware exploits the same weaknesses and NSA hacking tools that WannaCry used, but in a far more devious manner. When Adylkuzz breaks into a computer, it seals the hole behind it and installs cryptocurrency miner software which mines a new BitCoin alternative called Monero.
The worm runs in the background, so many victims will notice the reduction in system performance but never know why. Aylkuzz and its cousins don’t steal your money; they steal the processing power of the machines they infect, as well as internet bandwidth those machines can access. The servers spreading Adylkuzz are incredibly aggressive. Every vulnerable computer that Proofpoint put on the Internet was infected by Adylkuzz very quickly. It may very well be that Adylkuzz inoculated the majority of the WannaCry vulnerable systems. If true, this would be like a common cold infection serving as a vaccine for Ebola.
So in this digital wild west where powerful governments and criminal conspiracies run amok, it just might be that a young British guy with an obsession for malware and some other hackers with a scheme to make a little money have saved the Internet, for now.