This is the latest I have on the Ransomware attack.

May 13, 2017
| No Comments

This is the latest I have on the Ransomware attack.

You just can’t make this stuff up!

From the UK news source The Guardian:
https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

Here’s the short version of the story:

A while back a group of hackers, who call them selves “Shadow Brokers” stole a bunch of software “tools” from the NSA (National Security Agency”. These tools were engineered as cyber-weapons for use against America’s enemies.

On Thursday or Friday (depending on your geographic location) Shadow Brokers activated one of those tools. It started sending out emails to thousands of preselected email addresses. When the recipient opened that email, the software infected the user’s computer and sent out more emails to addresses it found it what was now a “host” computer. Simultaneously it denied the computer’s owner access to his machine. The message displayed on the computer (in 28 languages) offered in return for $300 to be paid in BitCoin (a form of digital money).

It seems to have started in the UK and essentially shut down many businesses including hospitals. The hospitals had to stop operating because they couldn’t send emails (say from a doctor to the hospital’s lab requesting tests for a particular patient), telephones that used VOIP (Voice Over Internet Protocol) went dead and it became impossible to access patient records stored on the hospital’s computers.

The attack seems to have been halted by a 22 year old cybersecurity researcher in England.

“I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

In other words, Shadow Brokers had created a built-in “off” switch, in case they ever wanted to pause or stop the spread of the malware.

The malware would check to see if there was a website at a fictitious website domain name. If it looked for that domain name and nothing was there, the malware would continue spreading. If it found a website to be there, the malware would shut down.

This clever lad saw the domain name in the code and found that the domain name had not been registered. Since it was available for purchase, he bought it and slapped up a holding page, a sort of internet “coming soon” announcement. That stopped the spread of the attack. WOW!

The takeaways:

1) The spread of the malware has been stopped. For now.

2) Shadow Brokers will likely tweak the code to make the “off” switch harder to find and attack again, possibly in the coming days.

3) Computers that are infected are not helped by this development. The spread of the malware has been stopped or slowed but that is all.

4) Microsoft has a patch to protect against further attacks. Turn on “Automatic Updates” run the application and then restart your computer.

5) That patch will not work for machines running Microsoft’s Windows XP operating system (don’t know about Windows 7 yet). Millions of individuals and companies (including schools and libraries) have kept the ancient XP operating system because of its ease-of-use. Microsoft hasn’t supported Windows XP since April 8, 2014. Here’s Microsoft’s official announcement:

“After 12 years, support for Windows XP ended April 8, 2014. There will be no more security updates or technical support for the Windows XP operating system. It is very important that customers and partners migrate to a modern operating system such as Windows 10”

What can I do to protect myself? On all machines NOT running Windows XP:

A) BACK UP EVERYTHING FROM YOUR COMPUTER TO AN EXTERNAL HARDDRIVE!

B) turn on Microsoft Windows Automatic update and run it.

C) if not already installed, get a good solid anti-virus program.

Norton Security
https://us.norton.com/norton-security-antivirus

Malwarebytes
https://www.malwarebytes.com/

The writers at TechWorld have other recommendations

http://www.techworld.com/security/best-ransomware-removal-tools-how-clean-up-cryptolocker-cryptowall-extortion-malware-3626974/

D) When you get new email treat every email as suspect. Malware often takes over a host computer’s email program and send new infected emails to everyone in the address book. The email may have come from a trusted source that is known to you, but that person or company may no longer have control of that computer.

Addition Resource:
Microsoft Security Essentials Definition Update May 15, 2017

Categories: Uncategorized