Category Archives: ransomware

Honda shuts down factory after finding NSA-derived Wcry in its networks

Enlarge (credit: S-8500)

The WCry ransomware worm has struck again, this time prompting Honda Company to halt production in one of its Japan-based factories after finding infections in a broad swath of its computer networks, according to media reports.

The automaker shut down its Sayama plant northwest of Tokyo on Monday after finding that WCry had affected networks across Japan, North America, Europe, China, and other regions, Reuters reported Wednesday. Discovery of the infection came on Sunday, more than five weeks after the onset of the NSA-derived ransomware worm, which struck an estimated 727,000 computers in 90 countries. The mass outbreak was quickly contained through a major stroke of good luck. A security researcher largely acting out of curiosity registered a mysterious domain name contained in the WCry code that acted as a global kill switch that immediately halted the self-replicating attack.

Honda officials didn't explain why engineers found WCry in their networks 37 days after the kill switch was activated. One possibility is that engineers had mistakenly blocked access to the kill-switch domain. That would have caused the WCry exploit to proceed as normal, as it did in the 12 or so hours before the domain was registered. Another possibility is that the WCry traces in Honda's networks were old and dormant, and the shutdown of the Sayama plant was only a precautionary measure. In any event, the discovery strongly suggests that as of Monday, computers inside the Honda network had yet to install a highly critical patch that Microsoft released in March.

Read 2 remaining paragraphs | Comments

Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware

(credit: Aurich Lawson)

A Web-hosting service recently agreed to pay a $1 million to a ransomware operation that encrypted data stored on 153 Linux servers and 3,400 customer websites, the company said recently.

The South Korean Web host, Nayana, said in a blog post published last week that initial ransom demands were for five billion won worth of Bitcoin, which is roughly $4.4 million. Company negotiators later managed to get the fee lowered to 1.8 billion won and ultimately landed a further reduction to 1.2 billion won, or just over $1 million. An update posted Saturday said Nayana engineers were in the process of recovering the data. The post cautioned that that the recovery was difficult and would take time.

“It is very frustrating and difficult, but I am really doing my best, and I will do my best to make sure all servers are normalized,” a representative wrote, according to a Google translation.

Read 2 remaining paragraphs | Comments

There’s new evidence tying WCry ransomware worm to prolific hacking group

Enlarge (credit: Health Service Journal)

Researchers have found more digital fingerprints tying this month's WCry ransomware worm to the same prolific hacking group that attacked Sony Pictures in 2014 and the Bangladesh Central Bank last year.

Last week, a researcher at Google identified identical code found in a WCry sample from February and an early 2015 version of Contopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Additional fingerprints linked Lazarus Group to hacks that wiped almost a terabyte's worth of data from Sony Pictures and siphoned a reported $81 million from the Bangladesh Central Bank last year. Researchers say Lazarus Group carries out hacks on behalf of North Korea.

On Monday, researchers from security firm Symantec presented additional evidence that further builds the case that WCry, which is also known as WannaCry, is closely linked to Lazarus Group. The evidence includes:

Read 3 remaining paragraphs | Comments

Windows 7, not XP, was the reason last week’s WCry worm spread so widely

Enlarge (credit: Kaspersky Lab)

Eight days ago, the WCry ransomware worm attacked more than 200,000 computers in 150 countries. The outbreak prompted infected hospitals to turn away patients and shut down computers in banks and telecoms. Now that researchers have had time to analyze the self-replicating attack, they're learning details that shed new and sometimes surprising light on the world's biggest ransomware attack.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That's according to Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there's little question Windows 7 was overwhelmingly affected by WCry, which is also known as "WannaCry" and "WannaCrypt." Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.

Read 11 remaining paragraphs | Comments

More people infected by recent WCry worm can unlock PCs without paying ransom

Enlarge (credit: Ed Westcott / American Museum of Science and Energy)

New hope glimmered on Friday for people hit by last week's virulent ransomware worm after researchers showed that a broader range of PCs infected by WCry can be unlocked without owners making the $300 to $600 payment demand.

A new publicly available tool is able to decrypt infected PCs running Windows XP and 7, and 2003, and one of the researchers behind the decryptor said it likely works for other Windows versions, including Vista, Server 2008, and 2008 R2. The tool, known as wanakiwi, builds off a key discovery implemented in a different tool released Thursday. Dubbed Wannakey, the previous tool provided the means to extract key material from infected Windows XP PCs but required a separate app to transform those bits into the secret key required to decrypt files.

Matt Suiche, cofounder of security firm Comae Technologies, helped develop and test wanakiwi and reports that it works. Europol the European Union's law-enforcement agency, has also validated the tool. Suiche has published technical details here, and provided the following screenshot of the tool in action:

Read 6 remaining paragraphs | Comments

Windows XP PCs infected by WCry can be decrypted without paying ransom

Enlarge (credit: Adrien Guinet)

Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday.

Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns.

"This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"

Read 7 remaining paragraphs | Comments