Leaked NSA tools used in global cyber attack, analysts say

Randall Craig
May 15, 2017

Earlier this weekend, hospitals in the United Kingdom as well as Telefonica, FedEx and other businesses were hit by a significant ransomware attack that compromised more than 75,000 computers in over 99 countries across the globe.

Microsoft, the software giant, is taking a "highly unusual" step to fight back against the WannaCrypt ransomware cyber attacks that have so far hit almost 100 countries around the world.

The attack has locked computers and blocked access to patient files.

Speaking to CRN, David Lannin, director of technology at security VAR Sapphire, said initial indications are that hackers exploited a vulnerability that Microsoft released a patch for in March.

Tens of thousands of users from London to St. Petersburg logged on Friday to find ominous threats to delete their suddenly encrypted computer files, unless they cough up $300 or more in Bitcoin payments to the unknown perpetrators, security experts and intelligence officials told ABC News on Saturday.

The WannaCry ransomware is spread through hidden viruses linked in Word documents and PDF files sent over email.

Huss is also anxious about copycats, who could "take the exploit code that was used in this attack and implement it into their own virus".

The effects were felt across the globe, with Russia's Interior Ministry and companies including Spain's Telefonica, FedEx Corp. in the USA and French carmaker Renault all reporting disruptions.


Britain's National Cyber Security Center says teams are working "round the clock" to restore hospital computer systems after a global cyberattack that hit dozens of countries forced British hospitals to cancel and delay treatment for patients. "But there's clearly some culpability on the part of the USA intelligence services". Intelligence officials wouldn't comment on the authenticity of the claims. "The U.S. government is better suited to react and respond to something like this than some other countries because of years of work between the private sector and the government".

The ransomware appears to be one of several tools belonging to the National Security Agency (NSA) that a hacking group known as The Shadow Brokers has been leaking to the web over the past several months. "Or we could potentially see copycats mimic the delivery or exploit method they used".

The ransomware exploited a vulnerability that has been patched in updates of recent versions of Windows since March, but Microsoft didn't make freely available the patch for Windows XP and other older systems. "It's one that Microsoft delivered a solution for, but a lot of people haven't used it".

How does the ransomware attack happen?

"I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental", wrote the researcher, who uses the Twitter name @MalwareTechBlog. That low-priced move redirected the attacks to the server of Kryptos Logic, the security company he works for. "We verified it and turned the information over to the Federal Bureau of Investigation". "We are implementing remediation steps as quickly as possible".

While this attack has slowed, experts warn that networks remain vulnerable. Regarding that unusual move, Microsoft's blog post states, "This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind".

More than 45,000 WannaCrypt attacks have been recorded around the world, including in the UK, US, Russia, Ukraine, India, China, Italy, Spain, and Egypt.
