RansomWare Attack!

Author Topic: RansomWare Attack!  (Read 1141 times)


Offline TahoeBlue

RansomWare Attack!
« on: May 13, 2017, 03:12:31 PM »
Attack of the killer robins!


https://techcrunch.com/2017/05/13/that-global-ransomware-attack-was-halted-apparently-by-accident/
That global ransomware attack was halted apparently by accident
Posted 4 hours ago by Devin Coldewey

Yesterday’s global ransomware attack was scary for several reasons, but quick action by a security researcher at MalwareTech at least put an end to its spreading — although the researcher didn’t realize it at the time.

The whole story is here, but the gist is this. The ransomware, as you may have heard, was spreading using an exploit disclosed from NSA records by the Shadow Brokers last month. It had the potential to spread quickly and far, as it in fact did, and in doing so attract the attention of IT people who would want to contain and study it.

UK health service hit by ransomware, amid possible global attack on systems

As a safety against this, the payload contained some code that queried a certain domain known to the authors to be unregistered. This is because some network environments, such as contained VMs in which to study malicious code, will capture all outgoing data, like an attempt to connect to a domain, and return traffic of its own choosing.

The ransomware wanted to avoid activating itself in an environment like this, so it was designed to ping a certain unregistered domain — say, afn38sj729.com — and if it returns anything but a DNS error, chances are that its traffic is being manipulated, so it shuts down to avoid further analysis.

| - - -

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
How to Accidentally Stop a Global Cyber Attacks
May 13, 2017 MalwareTech ms17-010, ransowmare, worm 85

So finally I’ve found enough time between emails and Skype calls to write up on the crazy events which occurred over Friday, which was supposed to be part of my week off (I made it a total of 4 days without working, so there’s that). You’ve probably read about the WannaCrypt fiasco on several news sites, but I figured I’d tell my story.

I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend; meanwhile the WannaCrypt ransomware campaign had entered full swing.

When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. Although ransomware on a public sector system isn’t even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don’t open phishing emails, which suggested that for something to be this widespread it would have to be propagated using another method). I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.

Using Cisco Umbrella, we can actually see query volume to the domain prior to my registration of it which shows the campaign started at around 8 AM UTC.

While the domain was propagating, I ran the sample again in my virtual environment to be met with the WannaCrypt ransom page; but more interesting was that after encrypting the fake files I left there as a test, it started connecting out to random IP addresses on port 445 (used by SMB). The mass connection attempts immediately made me think exploit scanner, and the fact it was scanning on the SMB port caused me to look back to the recent ShadowBroker leak of NSA exploits containing….an SMB exploit. Obviously I had no evidence yet that it was definitely scanning SMB hosts or using the leaked NSA exploit, so I tweeted out my finding and went to tend to the now propagated domain.

Now one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand such domains in the past year.

Our standard model goes something like this.
1. Look for unregistered or expired C2 domains belonging to active botnets and point them to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
2. Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.
3. Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take over the malware/botnet and prevent the spread or malicious use, via the domain we registered.

In the case of WannaCrypt, steps 1, 2 and 3 were all one and the same, I just didn’t know it yet.

A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB hosts, which I provided. Humorously, at this point we had unknowingly killed the malware, so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all. As curious as this was, I was pressed for time and wasn’t able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.

...

After about 5 minutes the employee came back with the news that the registration of the domain had triggered the ransomware, meaning we’d encrypted everyone’s files (don’t worry, this was later proven to not be the case), but it still caused quite a bit of panic. I contacted Kafeine about this and he linked me to the following freshly posted tweet made by ProofPoint researcher Darien Huss, who stated the opposite (that our registration of the domain had actually stopped the ransomware and prevented the spread).

...


Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me. The failure of the ransomware to run the first time and then the subsequent success on the second meant that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain (I initially kept quiet about this while I reverse engineered the code myself to triple check this was the case, but by now Darien’s tweet had gotten a lot of traction).

So why did our sinkhole cause an international ransomware epidemic to stop?

Talos wrote a great writeup explaining the code side here, which I’ll elaborate on using Darien’s screenshot.
...

The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis technique.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments; then, once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.

...

As well as the names & companies mentioned in this blog I’d like to give a shout out to:

NCSC UK – Their threat intelligence sharing program provided us with valuable information needed to first identify the malware family behind the attack. They also helped ensure our sinkholes were not mistaken for criminal controlled infrastructure so that we could feed them the information required to notify UK victims.

FBI & ShadowServer – They were a great help in getting non-UK victims notified of the infections in a very short span of time, even if it did mean me staying up all night to link in with them.

2sec4u – For reducing my workload today and providing free panic attacks.

Microsoft – By releasing an out of bounds patch for unsupported operating systems such as Windows XP and Server 2003, people now are able to patch rather than having to attempt upgrades to newer systems in order to be secured against this worm.

If you have anything to patch, patch it. If you need a guide, this one is being regularly updated: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

Now I should probably sleep
Behold, happy is the man whom God correcteth: therefore despise not thou the chastening of the Almighty: For he maketh sore, and bindeth up: he woundeth, and his hands make whole ; He shall deliver thee in six troubles: yea, in seven there shall no evil touch thee. - Job 5
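The MalwareTech write-up above describes two network behaviours of the worm: a DNS query for a single hardcoded domain (the "kill switch"), and mass connection attempts to random IP addresses on TCP 445. The following detection logic, an added example that is not part of the blog post or this thread, runs both checks over constructed firewall and DNS log lines; the kill-switch domain, log format, thresholds and all addresses are placeholders assumed for the example.

```python
"""Flag hosts that query the kill-switch domain or fan out SMB (445)
connection attempts to many distinct addresses in a short window.

All log lines are constructed for this example. KILL_SWITCH_DOMAIN is a
placeholder, not the domain from the real sample."""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch-placeholder.test"  # placeholder value
SMB_PORT = 445
FANOUT_THRESHOLD = 20           # distinct 445 destinations before alerting
WINDOW = timedelta(seconds=60)  # sliding window for the fan-out count

# Constructed resolver log: "<iso-time> <client> <qname> <rcode>".
# Both NXDOMAIN (would have encrypted) and a sinkholed NOERROR answer
# (exited) mean the client ran the sample, so the rcode is not filtered on.
DNS_LOG = [
    "2017-05-12T14:31:02 10.0.5.23 killswitch-placeholder.test. NXDOMAIN",
    "2017-05-12T14:31:05 10.0.7.8 www.example.com. NOERROR",
    "2017-05-12T14:40:11 10.0.9.4 killswitch-placeholder.test. NOERROR",
]


def build_sample_conn_log():
    """Constructed firewall records: "<iso-time> <src> <dst> <dport>"."""
    base = datetime(2017, 5, 12, 14, 31, 10)
    lines = []
    # Scanning workstation: 25 distinct public addresses on 445 in 25 s.
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.5.23 203.0.113.{i + 1} 445")
    # Normal client: 30 connections over 10 min, but only to 2 file servers.
    for i in range(30):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.7.8 10.0.1.{10 + i % 2} 445")
    # Unrelated HTTPS traffic that must not count towards SMB fan-out.
    lines.append(f"{base.isoformat()} 10.0.7.8 198.51.100.7 443")
    return lines


def parse_conn(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_smb_fanout(conn_lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: max distinct 445 destinations seen inside any window}
    for every source that reached the threshold. Repeated connections to
    the same few servers never trigger it, only breadth does."""
    by_src = defaultdict(list)
    for line in conn_lines:
        ts, src, dst, dport = parse_conn(line)
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def detect_killswitch_queries(dns_lines, domain=KILL_SWITCH_DOMAIN):
    """Return the sorted list of clients that looked up the kill-switch
    domain, regardless of what answer they received."""
    clients = set()
    for line in dns_lines:
        _ts, client, qname, _rcode = line.split()
        if qname.rstrip(".").lower() == domain.lower():
            clients.add(client)
    return sorted(clients)


if __name__ == "__main__":
    for src, n in detect_smb_fanout(build_sample_conn_log()).items():
        print(f"SMB fan-out: {src} reached {n} distinct hosts on 445")
    for client in detect_killswitch_queries(DNS_LOG):
        print(f"kill-switch lookup: {client}")
```

A host that appears in both lists matches the sequence the post describes (query, then scanning); the DNS check alone still finds infections that the sinkhole silenced before they scanned.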

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #1 on: May 13, 2017, 04:56:16 PM »


http://www.telegraph.co.uk/news/2017/05/13/british-22-year-old-jumped-around-excitement-finding-way-stop/
British 22-year-old jumped around in excitement after finding way to stop global cyber attack
By Telegraph Reporters
13 May 2017 • 2:56pm

A British cyber expert has told how he jumped around in excitement after discovering a kill switch which halts the global spread of the malicious software currently infecting the NHS and organisations in more than 100 countries.

The 22-year-old researcher has been hailed as an 'accidental hero' online.

The anonymous blogger discovered that upon infecting a new computer, the virus contacts a remote web address and only starts taking files hostage if it finds that address unreachable.
 

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #2 on: May 13, 2017, 05:53:50 PM »
Drudge: IT'S NOT OVER...

https://apnews.com/770946e7df454d2e9acda3bdbd3ed425/Unprecedented-global-'ransomware'-attack-seeks-cash-for-data
Global ‘WannaCry’ ransomware cyberattack seeks cash for data
By SYLVIA HUI, ALLEN G. BREED and JIM HEINTZ
1 hour ago

LONDON (AP) — A global “ransomware” cyberattack, unprecedented in scale, had technicians scrambling to restore Britain’s crippled hospital network Saturday and secure the computers that run factories, banks, government agencies and transport systems in many other nations.

The worldwide effort to extort cash from computer users is so unprecedented that Microsoft quickly changed its policy, making security fixes available for free for the older Windows systems still used by millions of individuals and smaller businesses.
...

A malware tracking map showed “WannaCry” infections popping up around the world. Britain canceled or delayed treatments for thousands of patients, even people with cancer. Train systems were hit in Germany and Russia, and phone companies in Madrid and Moscow. Renault’s futuristic assembly line in Slovenia, where rows of robots weld car bodies together, was stopped cold.

In Brazil, the social security system had to disconnect its computers and cancel public access. The state-owned oil company Petrobras and Brazil’s Foreign Ministry also disconnected computers as a precautionary measure, and court systems went down, too.
...


The security holes it exploits were disclosed weeks ago by TheShadowBrokers, a mysterious group that published what it said are hacking tools used by the NSA. Microsoft swiftly announced that it had already issued software “patches” to fix those holes, but many users haven’t yet installed updates or still use older versions of Windows.

Microsoft had made fixes for older systems, such as 2001′s Windows XP, available only to mostly larger organizations, including Britain’s National Health Service, that paid extra for extended technical support.

In light of Friday’s attacks, Microsoft announced that it’s making the fixes free to all.


Offline jofortruth

Don't believe me. Look it up yourself!

The Great Deception - Forum/Library - My Research
http://z4.invisionfree.com/The_Great_Deception/index.php?showforum=110

Offline jofortruth

Re: RansomWare Attack!
« Reply #4 on: May 15, 2017, 11:24:37 AM »
PUTIN: MALWARE CREATED BY INTELLIGENCE SERVICES CAN BACKFIRE ON ITS CREATORS
The ransomware was apparently developed in the US, Putin said

https://www.infowars.com/putin-malware-created-by-intelligence-services-can-backfire-on-its-creators/

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #5 on: May 15, 2017, 11:32:33 AM »
http://www.drudgereport.com


https://www.wsj.com/articles/microsoft-complains-state-hacking-tools-fuel-cyberattack-risks-1494803026
Microsoft Claims Stolen U.S. Government Computer Code Fuels Cyberattack

Says software used in the global cyber assault Friday was stolen [ "stolen" RIIGGGHHHTTT ] from National Security Agency

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #6 on: May 15, 2017, 11:39:45 AM »
https://cointelegraph.com/news/bitcoin-becomes-media-scapegoat-as-nsa-derived-ransomware-hits-99-countries
By Joseph Young
MAY 14, 2017
Bitcoin Becomes Media Scapegoat as NSA-Derived Ransomware Hits 99 Countries

A global ransomware attack derived from a leaked NSA tool successfully breached 100,000 computer systems and servers across 99 countries. During the first day of the attack, the focus was set on Bitcoin instead, which had minimal involvement in the ransomware attack, rather than the use of an NSA tool developed using taxpayers’ capital.

What actually happened

On May 12, the WannaCry ransomware began to spread across the world, attacking 75,000 computers in a matter of hours. According to MalwareTech, WannaCry targeted and encrypted 100,000 computers in a period of 24 hours, quickly becoming the largest ransomware attack in history.

The WannaCry ransomware, which is also known as WanaCrypt0r 2.0, infected some of the world’s largest corporations and organizations including the National Health Service (NHS) hospitals in the UK, FedEx and Telefonica. The malware targeted a wide range of industries including the education industry.

As a result, companies weren’t able to carry out operations and hospitals across the UK struggled to serve patients as their databases and servers became encrypted.

On May 13, Russia Today (RT) further revealed that computers at Russia’s Interior Ministry and the country’s largest telecommunications company Megafon also fell victim to the WannaCry ransomware. In an interview with RT, Megafon spokesperson Pyotr Lidov stated:


"The very virus that is spreading worldwide and demanding $300 to be dealt with has been found on a large number of our computers in the second half of the day today.”


...
Why Bitcoin got blamed, again

Bitcoin was at the helm of global media attention because the WannaCry ransomware demanded that victims pay the ransom in Bitcoin in order to receive decryption keys to regain access to their encrypted files. Some major media outlets including the New York Times blamed Bitcoin for the WannaCry ransomware attack, emphasizing the “anonymity” of Bitcoin.

Obviously and evidently, Bitcoin is not anonymous in nature. In fact, in its coverage, the New York Times contradicted itself by stating that Bitcoin is anonymous but a startup called Elliptic was able to trace payments back to the accounts of the WannaCry ransomware distributors. Hence, if Elliptic was able to trace transactions or ransom payments to the accounts of the cyber criminals, Bitcoin is not anonymous and is transparent.

Moreover, as Bitcoin and security expert Andreas Antonopoulos noted, Bitcoin had minimal involvement in the ransomware attack solely because Bitcoin was the currency of choice for the ransom payments. If it wasn’t for Bitcoin, the criminals would have used other methods that are much harder to track and trace.
...

According to analysis, the WannaCry ransomware attack spreads exponentially due to its SMB exploit and remote hijacking on vulnerable computers. Every online IP address exploited by the WannaCry ransomware can get encrypted.

It is likely that more victims will emerge in the next few days as the ransomware attack spreads ever further across the globe.


| - - - -

http://news.morningstar.com/all/printNews.aspx?article=/BW/BWIPREM20170513005028_univ.xml

Elliptic’s Rapid Response to Ransomware: a 4-Step Plan for Readiness, Resolution, and Identifying the Attacker
5-13-17 11:59 AM EDT

Friday's cyberattack on tens of thousands of computers around the world revealed businesses' and other organizations' vulnerability to ransomware and extortion. Elliptic (www.elliptic.co) is a Bitcoin intelligence firm that can guide banks and corporations through the ransomware process and work with law enforcement to identify the attackers.

“Through our extensive Bitcoin ransomware work in the United States, United Kingdom, and Europe, we have put together a comprehensive plan for ransomware readiness”, says Dr. James Smith, Elliptic’s co-founder and CEO.

“Most ransomware attacks follow the same general pattern,” explains Elliptic co-founder and lead investigator Dr. Tom Robinson. “The victim is given a Bitcoin (or other cryptocurrency) payment address, and a deadline to make payment. Most people incorrectly assume there is nothing that can be done to identify the perpetrator after payment is made.”

Elliptic works with clients to deploy a four-step plan for ransomware readiness and response, including measures to identify the attacker.

1. Assess the risk

Not all ransomware is worth paying. Elliptic's team of experts may be able to decrypt the ransomware; or there may be indications that the attacker will not decrypt your machine even after payment. In the case of last week’s WannaCry attack, there is no evidence at the time of writing that the attacker will ever decrypt the compromised machines.

Based on its deep experience and extensive network in ransomware investigations, Elliptic provides clients with an expert recommendation on whether to proceed with the ransomware payment.

2. Obtain the Bitcoins

Ransomware operations usually demand payment quickly, sometimes in as little as 24 hours. It can be difficult for a company to secure large quantities of bitcoins at short notice. “Most Bitcoin exchanges have Know Your Customer (KYC) policies that prohibit them from selling new clients a significant amount of bitcoins," explains Dr. Robinson. "Often a company will have the cash ready to purchase bitcoins, but the exchange cannot legally open an account and complete the transaction before the ransom is due.”

Elliptic helps its clients draw up a plan to rapidly access large volumes of bitcoins and other cryptocurrencies in case of a ransomware attack. Elliptic can help clients obtain bitcoins through its network of exchanges and liquidity providers.

3. Make the payment

Large Bitcoin payments can be confusing for companies that are not used to dealing in cryptocurrencies. “Constructing a large Bitcoin transaction is a technical process. You need to define the right transaction fee, verify the destination, and sign the transaction appropriately,” explains Dr. Robinson. “Too low a fee and your transaction might never clear; send it to the wrong address and your bitcoins are gone forever. It’s also important that the ransomer knows which of their victims is making the payment.”

Elliptic will prepare and execute your transaction, or we can also dispatch one of our experts to your location to perform the transaction on the premises.

4. Identify the attacker

Bitcoin transactions are difficult but not impossible to trace. Elliptic has developed advanced Bitcoin investigation software and employs a team of investigators with advanced degrees in computer science and decades of experience in the world’s top law enforcement agencies. Elliptic’s software and investigators have delivered actionable intelligence to identify ransomware and cyber-extortion attackers in the US, UK, and EU. “We are able to connect the dots between Bitcoin activity and real world actors,” says Dr. Smith. “We only provide our forensic investigation services in collaboration with law enforcement, and we have a very high success rate in delivering actionable intelligence on complex Bitcoin investigations.”

Dr. Robinson adds: “We actively trace proceeds of ransomware and cyber extortion, and we alert our Bitcoin exchange customers if they receive illegal funds. Our goal is to defeat ransomware by making it extremely difficult to launder the proceeds of these crimes.”

If you are interested in learning more about Elliptic’s products and services, please complete the contact form at www.elliptic.co

About Elliptic

We reveal the truth behind Bitcoin activity. Elliptic’s team of computer scientists and former law-enforcement agents has developed software to make Bitcoin activity more transparent and accountable. Today the world’s largest banks and Bitcoin exchanges use Elliptic software to monitor billions of dollars in Bitcoin transactions every month, and the top law enforcement agencies use Elliptic software to investigate Bitcoin’s role in cases of terrorist financing, arms trafficking, child pornography, and blackmail. Elliptic’s software is recognized in the Bitcoin industry as the standard for regulatory compliance and forensic investigations.

Elliptic is based in London and Washington DC.


View source version on businesswire.com:  http://www.businesswire.com/news/home/20170513005028/en/

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #7 on: May 15, 2017, 01:42:54 PM »
I don't know but I know my internet is under attack ,,,

Offline jofortruth

Re: RansomWare Attack!
« Reply #8 on: May 15, 2017, 06:30:50 PM »
Microsoft Blames Global Cyberattack on Leaked NSA Code, Warns U.S. Government over Cyberweapons

http://www.breitbart.com/tech/2017/05/15/microsoft-blames-global-cyberattack-on-leaked-nsa-code-warns-u-s-government-over-cyberweapons/

Online chris jones

Re: RansomWare Attack!
« Reply #9 on: May 15, 2017, 10:08:50 PM »
I don't know but I know my internet is under attack ,,,
Hi t.. Reluctantly I have to admit I know a guy who has had several computers wiped, blocking of posts, hacking to beat the band, among many other methods of interference in his personal life, financing, etc.
This poor slob won't stop, though he has been advised through channels that interfere in several aspects of his life. If my buddy were not so hard headed he would shut down any and all high tech and avoid this ongoing sh**storm of interference. I attempted to reason with him; the problem is he is a mutt determined to say what is on his mind. We are all well aware the NSA, DARPA, among others have been color coding for decades; today's tech has made it a piece of cake to enter anyone's life they so choose. One piece of advice: please don't answer with any truthful, logical statement to the MSM nor cable nets that would draw attention. We on this site are definitely flagged, most likely low grade, nevertheless flagged.

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #10 on: May 16, 2017, 05:25:43 PM »
http://www.zerohedge.com/news/2017-05-15/second-wave-ransomware-cyberattack-begins-spread-wever-never-seen-anything
New Variant Of "WannaCry" Virus Emerges Infecting 3,600 Computers Per Hour
by Tyler Durden
May 15, 2017 7:24 PM

Update: according to the latest data from Check Point Software, cited by Reuters, a new variant of the WannaCry ransomware is now infecting on average 3,600 computers per hour.

Governments and companies around the world began to gain the upper hand against the first wave of the unrivaled global cyberattack this morning.

    More than 200,000 computers in at least 150 countries have so far been infected, according to Europol, the European Union’s law enforcement agency. The U.K.’s National Cyber Security Centre said new cases of so-called ransomware are possible “at a significant scale.”

    "For now, it does not look like the number of infected computers is increasing," said a Europol spokesman. "We will get a decryption tool eventually, but for the moment, it’s still a live threat and we’re still in disaster recovery mode."

The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts warned the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn’t or didn’t download a security patch released in March that Microsoft had labeled “critical.”
...

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #11 on: May 25, 2017, 01:50:48 PM »
http://www.telegraph.co.uk/technology/2017/05/25/hackers-hiding-computer-viruses-film-subtitles-experts-warn/
Hackers are hiding computer viruses in film subtitles, security experts warn

The attacks are embedded within the subtitle files that accompany many illegally downloaded films, and easily bypass security software and antivirus programs designed to keep computers safe.

Check Point, the security group that discovered the flaw, said millions of people who use video software including to stream or play films and TV shows on computers could be at risk.
 
They warned that the attack lets hackers take "complete control" over any type of device using the software, including smart TVs. It identified four programs - VLC, Kodi, Popcorn Time and Stremio - but said there could be more.

...

[ Here is the kicker : ]

Many videos do not come with their own subtitles, but computer media players often automatically download special files from a central online repository.  Because they are perceived as harmless text files and use a variety of different formats, the software does not check them for viruses.
...

VLC, Kodi, Popcorn Time and Stremio said they had developed patches to protect against the attack, although many users will not have updated to the latest software. The latest versions of the software are available to download on their websites.

Offline TahoeBlue

Re: RansomWare Attack!
« Reply #12 on: June 28, 2017, 11:44:18 AM »
http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD?il=0
New computer virus spreads from Ukraine to disrupt world business
Cyber Risk | Wed Jun 28, 2017 | 10:56am EDT

By Eric Auchard, Jack Stubbs and Alessandra Prentice | FRANKFURT/MOSCOW/KIEV

A cyber attack wreaked havoc around the globe on Wednesday, crippling thousands of computers, disrupting operations at ports from Mumbai to Los Angeles and halting production at a chocolate factory in Australia.

The virus is believed to have first taken hold on Tuesday in Ukraine where it silently infected computers after users downloaded a popular tax accounting package or visited a local news site, national police and international cyber experts said.

The malicious code locked machines and demanded victims post a ransom worth $300 in bitcoins or lose their data entirely, similar to the extortion tactic used in the global WannaCry ransomware attack in May.


More than 30 victims paid up but security experts are questioning whether extortion was the goal, given the relatively small sum demanded, or whether the hackers were driven by destructive motives rather than financial gain.

Hackers asked victims to notify them by email when ransoms had been paid but German email provider Posteo quickly shut down the address, a German government cyber security official said.

Ukraine, the epicenter of the cyber strike, has repeatedly accused Russia of orchestrating attacks on its computer systems and critical power infrastructure since its powerful neighbor annexed the Black Sea peninsula of Crimea in 2014.
....