Malware on the march!

[Isgrimnur]

WannaCry?

Hospitals, schools, companies and governments around the world were assessing the damage Saturday after a massive cyberattack hit almost 100 countries, infecting computers with malware that demanded ransom payments.

No one has yet claimed responsibility for the worldwide attack, which some experts believe was inspired by a National Security Agency tool kit that was leaked last year.

Antivirus provider Avast reported that some 100,000 computers had been infected by the crippling malware and that the "WanaCrypt0r 2.0," as it is called, ransomware had been detected in 99 countries with Russia, Ukraine and Taiwan the top targets.

More than 20 British hospitals and major companies, including FedEx and Spain's largest telecom, were affected in Friday's hack. British Home Secretary Amber Rudd said 45 public health organizations had been hit and admitted that her officials had no idea who was behind the attack.

Auto makers Renault and Nissan were the latest multinationals to announce their computer systems had been compromised.

In Germany, customer information screens at railway stations were hit but there was no impact on services.

Russia's Interior Ministry also confirmed it had been hit, while Russia's central bank said it had thwarted the attack.

The malicious software — known as the Wanna Decryptor, or WannaCry — locks a system and its files from use unless money is paid to hackers.

The malware typically spreads through email phishing programs and had exploited a known bug in Microsoft Windows' operating system.

[Isgrimnur]

More coming

And there's worse news: At least two new variations of the malware have already been detected.
...
All it takes is for one computer on a network to be infected for all of the computers on that network to be compromised.

While Microsoft had stopped supporting older versions of Windows, it said it is pushing out special automatic updates to those systems to block the worm.

Unfortunately, those so-called legacy systems are disproportionately used by smaller companies with small technology staffs, which are unlikely to have blocked the infection before Microsoft's patch began rolling out, the cybersecurity firm Proofpoint Inc. said.

Even then, Microsoft's updates can be loaded only if a computer is powered back on — something that won't happen for the first time at potentially thousands of companies until Monday.
...
Chinese state media reported Monday that more than 29,000 institutions across the country — including universities, railway stations, hospitals and gas stations — had been infected. It cited the Threat Intelligence Center of Qihoo 360, a Chinese internet security services company.

Japanese broadcaster NTV reported 600 companies in that country had been hit, and automaker Nissan and the Hitachi conglomerate said they were addressing the problem at their units that were affected.
...
Analysts said you should not click the "check payment" or "decrypt" buttons in the popup message. Instead — if you're able to — download and install Microsoft patch MS17-010, available here, which should work on Windows systems going all the way back to Vista.

[xwraith]

Spent the weekend patching all systems, fortunately no issues.

[Daehawk]

Using Win 7 64 thats not been updated in 2 years. Shall see what happens.

[killbot737]

Using Win 7 64 thats not been updated in 2 years. Shall see what happens.

Get ze patch! And ONLY that patch.

[Daehawk]

I dont trust MS enough to do that. Most likely it will start nagging me to upgrade or will mess something up forcing me to upgrade. Im not leaving Win 7.

[Blackhawk]

You trust the hackers more?

[Daehawk]

Perhaps. I just dont think it will bother me. I have been smart enough not to open bad files for 23 years.

[Moliere]

WannaCry and Lazarus Group – the missing link?

The cryptic message in fact refers to a similarity between two samples that have shared code. The two samples Neel refers to in the post are:

A WannaCry cryptor sample from February 2017 which looks like a very early variant
A Lazarus APT group sample from February 2015p

[gilraen]

Linux ransomware worm, anyone?

A 7-year-old critical remote code execution vulnerability has been discovered in Samba networking software that could allow a remote attacker to take control of an affected Linux and Unix machines.
[...]
While Linux distribution vendors, including Red Hat and Ubuntu, have already released patched versions for its users, the larger risk is that from NAS device consumers that might not be updated as quickly.
Craig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability "has potential to be the first large-scale Linux ransomware worm."