Friday, June 16, 2017

WannaCry Ransomware Attack infected more systems internationally than previously reported

The number of computer systems compromised by the international WannaCry ransomware attack last month was grossly underestimated, a cybersecurity expert told members of Congress on Thursday.

The malware, which hit computer systems worldwide, including those of the National Health Service in the United Kingdom (UK), is now believed to have infected five to ten times as many systems as previously suggested.

“Based on the velocity of the attack, estimated by sampling data we collected from our infrastructure that is presently blocking the attack, we believe that anywhere between 1 million and 2 million systems may have been affected in the hours prior to activating the kill switch, contrary to the widely reported, and more conservative, estimate of 200,000 systems,” testified Salim Neino, CEO of vendor Kryptos Logic, at a joint hearing of the House Oversight and Research and Technology subcommittees.

The WannaCry ransomware attack began appearing in Europe and Asia on May 12 and quickly spread to the rest of the globe. Neino credits an employee of Kryptos Logic in the U.K. with stopping the fast-propagating worm attack by registering a domain linked to the malware.

“While examining the code of the WannaCry ransomware, we recognized what looked like an anti-detection mechanism, which tested for the existence of a certain random-looking domain name,” Neino informed lawmakers. “Our team proceeded to register the domain associated with this mechanism and directed it to one of the ‘sinkholes’ controlled by and hosted on the Kryptos Logic network infrastructure. We then noticed and confirmed that the propagation of the WannaCry attack had come to a standstill due to what we refer to as its ‘kill switch’ having been activated by our domain registration.”

Now, more than a month after registering that domain, Kryptos Logic has recorded more than 60 million WannaCry infection attempts worldwide, with about seven million of those from the U.S. The vendor estimates that those infections could have affected 10 million to 15 million unique systems had they not been stopped, Neino contended.
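The kill-switch mechanism described above gives defenders a simple detection signal: an infected host tries to resolve the kill-switch domain before spreading, so DNS or sinkhole logs that show lookups of that name reveal which hosts on a network attempted to infect others, and how "infection attempts" differ from "unique systems" as in the figures Neino cites. The following is an added example, not code from the article or from Kryptos Logic; the kill-switch domain is a placeholder (the article does not name it) and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple

# Placeholder: the article does not give the real kill-switch domain,
# so a constructed name stands in for it here.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"


class Lookup(NamedTuple):
    when: datetime
    client: str
    name: str
    qtype: str


# Constructed sample of resolver/sinkhole log lines in the form
# "<ISO time> <client IP> <queried name> <query type>", including a
# malformed line, a mixed-case name with a trailing dot, and an AAAA query.
SAMPLE_LOG = """\
2017-05-12T07:44:01Z 10.0.5.17 killswitch-placeholder.example A
2017-05-12T07:44:01Z 10.0.5.17 killswitch-placeholder.example A
2017-05-12T07:45:10Z 10.0.9.3 www.example.org A
2017-05-12T07:46:22Z 10.0.5.17 KillSwitch-Placeholder.example. A
2017-05-12T07:47:00Z 192.168.2.40 killswitch-placeholder.example A
malformed line here
2017-06-08T02:10:55Z 172.16.8.21 killswitch-placeholder.example AAAA
2017-06-09T02:11:00Z 172.16.8.22 killswitch-placeholder.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Foo.example.' matches 'foo.example'."""
    return name.rstrip(".").lower()


def parse_log(text: str) -> List[Lookup]:
    """Parse log lines into Lookup records; malformed lines are skipped, not fatal."""
    records: List[Lookup] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, client, name, qtype = match.groups()
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        records.append(Lookup(when, client, normalise(name), qtype.upper()))
    return records


def kill_switch_hits(records: List[Lookup], domain: str = KILL_SWITCH_DOMAIN) -> List[Lookup]:
    """Keep only lookups of the kill-switch name, regardless of case or query type."""
    target = normalise(domain)
    return [r for r in records if r.name == target]


def summarise(hits: List[Lookup]) -> Dict[str, object]:
    """Separate raw infection attempts from the number of distinct hosts behind them."""
    by_host = Counter(r.client for r in hits)
    by_day = Counter(r.when.strftime("%Y-%m-%d") for r in hits)
    return {
        "attempts": len(hits),          # every lookup, like the 60 million figure
        "unique_hosts": len(by_host),   # distinct sources, like the unique-systems estimate
        "by_host": dict(by_host),
        "by_day": dict(by_day),
    }


def report(text: str = SAMPLE_LOG) -> Dict[str, object]:
    return summarise(kill_switch_hits(parse_log(text)))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Pointing the same logic at an organisation's own resolver logs turns the public kill-switch into a local inventory of hosts that attempted to spread: any client that looked up the name is one that ran the worm and should be isolated and patched, even though the kill-switch stopped it from encrypting or propagating.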

“The greatest attack we thwarted and measured to date from WannaCry was not on May 12 or 13, when the attack started, but began suddenly on June 8 and 9 on a well-funded hospital on the east coast of the United States (US),” Neino added. “Another hospital was also hit on May 30 in another part of the country.”

Neino didn’t identify either system in his remarks. His testimony matches information contained in a Department of Health and Human Services alert released in early June notifying the healthcare industry that the agency was aware of two large multi-state hospital systems that were “continuing to face significant challenges to operations due to the WannaCry malware.”

Although the WannaCry ransomware attack disrupted hospitals, telecommunications companies and other organizations globally, the U.S. infection rate was lower than that experienced in several parts of the world, and no federal agencies were affected.

“While WannaCry failed to compromise federal government systems, it is nearly certain that outcome was due in part to a measure of chance,” claimed Lamar Smith (R-Texas), chairman of the House Science, Space and Technology Committee, during Thursday’s hearing.

“Instead of seeing this outcome as a sign of bulletproof cybersecurity defenses, we must instead increase our vigilance to better recognize constantly evolving cybersecurity threats. This is especially true since many cyber experts predict that we will experience an attack similar to WannaCry that is more sophisticated in nature, carrying with it an even greater possibility of widespread disruption and destruction,” Smith said.

Since the initial WannaCry ransomware attack last month, cybercriminals have targeted Kryptos Logic in an effort to disrupt its operations, according to Neino. He said the company has “been under constant attack by unidentified attackers attempting to knock our systems offline, hence disabling the kill switch and further propagating the attack.” So far, they have been unsuccessful.

WannaCry has been linked to the so-called Lazarus group, which is affiliated with North Korea and is responsible for, among other cyber attacks, the 2014 Sony Pictures hack and the 2016 theft of $81 million from the Bangladesh Central Bank, according to Symantec CTO Hugh Thompson.

“WannaCry was distinctive and dangerous because of how quickly it spread,” testified Thompson. “It was the first ransomware-as-a-worm that had such a rapid global impact. Once on a system, it propagated autonomously by exploiting a vulnerability in Microsoft Windows.”

Gregory Touhill, former U.S. Chief Information Security Officer, described WannaCry as a “slow-pitch softball,” but warned that the next attack is likely to be a “high and tight fastball.” Touhill said the creators of WannaCry “overtly placed a kill-switch instruction set in the program’s code,” which a Kryptos Logic security researcher discovered and executed quickly to interrupt the attack.

“Next time, I don’t believe we’ll be so lucky,” he concluded. “We need to step up our game and take immediate action across both the public and private sectors to better handle our cyber risk before the really fast pitches come flying into our networks.”

Thompson agreed that WannaCry was stopped before it could cause major damage, particularly in the U.S., and that this was as much the result of “good fortune” as of anything else in minimizing the impact of the malware. “But we’ll not always have luck on our side.”
