On May 12, telecommunication companies such as a Spanish telco got hit by a ransomware attack.
Now, recent reports have revealed that the scale of the ransomware attack was much larger.
And it included targets such as hospitals in the UK.
Of course, all of that is still speculation, but more and more experts are coming to agree that all these ransomware attacks may be connected after all.
As mentioned before, several organizations such as the hospitals in the UK and some Spanish telecommunication companies fell victim to ransomware attacks.
All of this happened on Friday the 12th (Friday the 13th in some countries), which is generally considered to be an unfortunate day in Western society.
Is there any proof?
Not that anyone cares about proof or Friday being an “unholy” day.
What people do care about is the ransomware attack that disrupted operations in so many organizations.
Researchers are now saying that this specific ransomware attack wasn’t carried out by a bunch of undergraduates from their dorm rooms.
This ransomware attack targeted companies all over the world in a planned campaign.
Moreover, this surge of consecutive ransomware attacks is still continuing as more and more organizations fall victim to it.
Researchers still do not know the actual scale of the ransomware attack.
In fact, nobody really knows if all of the ransomware attacks are connected or if some of them are connected to one another.
Needless to say, most of the community affected by these ransomware attacks is still unclear as to what happened, in its entirety, or who made it happen.
According to a tweet from the MalwareHunter Team Twitter account (the researchers studying recent ransomware attacks), the new WanaCrypt0r 2.0 ransomware was spreading like hell.
The new ransomware also goes by the name of WCry/WannaCry.
The tweet was made some time on Friday morning.
What Is WannaCry ransomware
As the name suggests, it is ransomware.
But of a new type.
It is basically ransomware that tries to act like your average run-of-the-mill piece of ransomware.
It locks down computers and then demands Bitcoin in return for decrypting the computer’s hard drive and files.
So what’s new about WannaCry?
According to the researchers, the WannaCry ransomware is different from typical ransomware in one key aspect:
WannaCry ransomware is fast.
It spreads at an alarming rate according to the researchers.
In fact, researchers have found out that the WannaCry malware infected victims in over 11 countries in just a few hours.
Victims of the WannaCry ransomware belonged to the following countries:
That’s according to the researcher’s team called the MalwareHunter Team.
As we have already mentioned before, one of the victim organizations was Telefonica.
Telefonica is one of the largest Spanish telecommunications companies.
Of course, we should mention here, that this is according to a report that was published in the Spanish publication that goes by the name of El Mundo.
If you click on the link above and actually read the report, you’ll find that Telefonica actually informed their employees about the attack.
The company informed its employees to shut down their computers.
According to the report, it was all too late.
Because over 85 percent of the employee computers fell victim to the ransomware according to the report.
As mentioned before, the computers were infected with a brand new version of the WannaCry malware.
El Mundo also uploaded a photo of the message that the victims received on their monitors.
The photo basically informed the user (starting with the word “oops”) that their files had been encrypted.
Allegedly this is what the Telefonica machine read when the ransomware attack infected their machines.
What about the warning then?
Interestingly enough, the ransomware warning was very similar to the one that came on the screens of employees who were working in a hospital in the UK on Friday.
Motherboard received a message from one of the infected victims, and it read very similarly to the message on the Telefonica machines.
The message said that the user had only three days to submit the payment and after that, the price would be doubled.
Moreover, the message conveyed that if the user didn’t pay within seven days, the user would not be able to recover his/her files for all time to come.
A second National Health Service Trust, allegedly a victim of the ransomware attack, contacted Motherboard and confirmed the attack.
The trust said in a statement that it too had become a victim of a ransomware attack.
Moreover, it described what happened to it as a form of cyber attack.
The statement from East and North Hertfordshire NHS Trust read that immediately on the discovery of the problem, the Trust acted to protect its IT system.
It did that by shutting them down.
Moreover, the statement said, the cyber attack meant that the Trust’s telephone system was not able to accept incoming calls.
However, the trust did not confirm whether the incident was a generic cyber attack or specifically a ransomware attack.
And because of that, it is still uncertain if the cyber attack on UK hospitals is connected to the larger ransomware attack campaign.
In other words, the situation regarding the scale and connectedness of the WannaCry ransomware attack is murky.
Just to recap, several NHS Trusts in the UK, allegedly, fell victim to a targeted ransomware attack.
Here is the problem:
When reporters at Motherboard contacted these NHS Trusts for a comment, none of them furnished Motherboard with a response.
Not cool, right?
The Spanish Targets
After the initial attacks on Friday, the Spanish computer emergency response team, CCN-CERT, made public an advisory which was linked to the latest ransomware attacks.
The official announcement was a rather long one.
And not in English.
The translated version of the official statement said that the ransomware, a version of WannaCry, infected machines by encrypting all their files.
Moreover, the ransomware achieved this by using a remote command execution vulnerability through SMB.
The ransomware attack then moved ahead and distributed itself to other Windows machines present on the same network.
Additionally, the post also pointed to MS17-010, which is basically a security update for Windows SMB Server.
Microsoft published a security update for Windows SMB Server on March 14.
The vulnerabilities still exist on unpatched machines, though.
Most of them are related to exploits that have been published online.
A hacker group by the name of The Shadow Brokers released these exploits, which target Windows computers.
In fact, The Shadow Brokers has regularly dumped perfectly working hacking tools as well.
The group stole those dumped hacking tools from the NSA.
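The advisory above describes the one trait a defender can actually watch for: a freshly infected Windows machine reaching out over SMB (TCP 445) to every other machine on its network. The following script is an added example, not code from the article or from CCN-CERT. It runs simple detection logic over a handful of constructed firewall log lines (format, IP addresses and timestamps are all invented for this example) and flags any source that talks to an unusually large number of distinct hosts on port 445 inside a short sliding window, while ignoring a workstation that hammers one file server and a host that touches many peers only very slowly.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(minutes=5)   # how long a burst may last
THRESHOLD = 8                   # distinct hosts on 445 inside one window

# Constructed sample log lines for this example (not real traffic).
# Format: "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
# worm-like host: 10 distinct peers on 445 in about 90 seconds
2017-05-12T10:00:01 10.0.1.25 10.0.1.30 445 ALLOW
2017-05-12T10:00:02 10.0.1.25 10.0.1.31 445 ALLOW
2017-05-12T10:00:02 10.0.1.25 10.0.1.32 445 ALLOW
2017-05-12T10:00:03 10.0.1.25 10.0.1.33 445 ALLOW
2017-05-12T10:00:05 10.0.1.25 10.0.1.34 445 ALLOW
2017-05-12T10:00:09 10.0.1.25 10.0.1.35 445 ALLOW
2017-05-12T10:00:15 10.0.1.25 10.0.1.36 445 ALLOW
2017-05-12T10:00:31 10.0.1.25 10.0.1.37 445 ALLOW
2017-05-12T10:01:02 10.0.1.25 10.0.1.38 445 ALLOW
2017-05-12T10:01:30 10.0.1.25 10.0.1.39 445 ALLOW
# benign workstation: many hits, but always the same file server
2017-05-12T10:00:10 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:00:40 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:01:10 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:02:10 10.0.1.40 10.0.1.5 445 ALLOW
# slow host: 8 distinct peers, but one every 15 minutes (never 8 in 5 minutes)
2017-05-12T10:00:00 10.0.1.50 10.0.1.60 445 ALLOW
2017-05-12T10:15:00 10.0.1.50 10.0.1.61 445 ALLOW
2017-05-12T10:30:00 10.0.1.50 10.0.1.62 445 ALLOW
2017-05-12T10:45:00 10.0.1.50 10.0.1.63 445 ALLOW
2017-05-12T11:00:00 10.0.1.50 10.0.1.64 445 ALLOW
2017-05-12T11:15:00 10.0.1.50 10.0.1.65 445 ALLOW
2017-05-12T11:30:00 10.0.1.50 10.0.1.66 445 ALLOW
2017-05-12T11:45:00 10.0.1.50 10.0.1.67 445 ALLOW
# non-SMB traffic from the worm-like host is ignored by the detector
2017-05-12T10:00:01 10.0.1.25 10.0.1.99 443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_spreaders(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: {first_seen, last_seen, distinct_hosts}} for every source
    that reached >= threshold distinct hosts on TCP 445 within one window."""
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, dport, _action = parse_line(raw)
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                 # log lines may arrive out of order
        in_window = Counter()         # dst -> hits inside the current window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until the window is <= `window` wide
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = {
                    "first_seen": events[start][0],
                    "last_seen": ts,
                    "distinct_hosts": len(in_window),
                }
                break                 # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_spreaders(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['distinct_hosts']} distinct SMB peers "
              f"between {info['first_seen']} and {info['last_seen']}")
```

The threshold and window are the two knobs to tune: a domain controller or backup server legitimately opens SMB sessions to many hosts, so such sources belong on an allow-list before this logic is wired into an alert pipeline. Counting distinct destinations rather than raw connection volume is what keeps the chatty-but-harmless workstation out of the results.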
Microsoft Did Do Its Job. To Some Extent
It has to be said that Microsoft did indeed put out a patch, MS17-010, for the vulnerability these cyber attacks rely on.
So why did the users get infected?
Apparently, the end-users did not bother to install the fixes.
Motherboard investigated the problem and found that the NHS (National Health Service) in the UK ran hundreds of computers that had Windows XP installed on them as their primary operating system.
As we all know, Windows XP came out back in the year 2001.
In fact, Microsoft ended its support for the platform ages ago.
Nevertheless, and to Microsoft’s credit, the company has started to roll out a one-off patch for Windows XP which is expected to protect users against ransomware attacks like the ones that happened a couple of days ago.
Secure Messaging Applications Aren’t That Secure It Turns Out
You don’t need to be a victim of a ransomware attack to have your details stolen, it seems.
And you know the best part?
The best part is the “secure” messaging apps don’t even tell you that they collect them.
They also hide behind modern terms to calm down the users as far as their privacy is concerned.
And perhaps they are forced to do so as well.
After all, the messaging marketplace is pretty much flooded at the moment.
There are so many messaging apps that claim to be “secure” and while some are true to their word, many are not.
You have the Signal messaging app which does put user privacy as its first priority.
Then you have the industry giants such as WhatsApp.
WhatsApp has stolen a march on its rivals by adding a great end-to-end encryption feature.
The feature comes installed by default on its established products.
Basically, all secure messaging apps shoot for the same objective.
Which is to allow users to communicate in a secure manner.
To be honest, most of the messaging apps do.
But there is still a great amount of variety when it comes to these secure messaging apps.
The one we want to talk about is Wire.
It is also a messaging app that is available for Android, desktop, and iOS.
The only difference is that the company keeps a list for each of its customers.
What does this list contain?
Well, basically all the people you have ever contacted via the messaging app.
The company keeps that information until you delete your account.
Wire Isn’t Necessarily Bad For Everyone
But for some, it might be.
In other words, whether Wire is an appropriate messaging app for you or not depends on your use.
And your own threat level.
Wire does not require its users to register via a phone number.
You can just sign up.
But, as we mentioned before, Wire has made the conscious decision to store this user data in plaintext.
And that might be a problem for users who are extra privacy conscious.
Wire is also open source.
And that’s how researcher Thomas H. Ptacek found out that Wire stored its users’ contact lists in plaintext.
The previous Wednesday, he even tweeted about it and asked why Wire’s database schema included plaintext storage of threads between users.
He also put out a link to a little bit of Wire’s code.
Wire responded to the tweet with a tweet of its own.
The messaging service said that it was done solely to help the company sync user conversations across multiple devices.
And since we’re talking about competitors, perhaps this is a good time to mention that Signal is quite bad at syncing user messages.
Motherboard confirmed with Alan Duric, co-founder and CEO of Wire, in an email that this was indeed the case.
The CEO also mentioned that the list of contacts Wire users communicated with was kept till the user decided to delete his/her Wire account.
He also wrote that all connections along with emails, phone numbers and usernames were removed from the company’s servers when a user deleted his/her account.
With that said, the CEO hinted that the company might alter its approach.
Wire Might Change
Duric added that the company was specifically exploring alternative methods to manage connections between end-users in the context of multi-device messaging.
Of course, some users will not buy that argument.
While others will.
For some, sacrificing a little amount of convenience (multi-device sync) is nothing if it means their metadata is secure.
While for others, the knowledge that their conversation-related metadata is stored in plaintext is not enough to leave a messaging service.
Matthew Green, an assistant professor at Johns Hopkins University, pointed out in a conversation with Motherboard that keeping all conversation metadata in a database forever does not seem like a great plan.
And perhaps it isn’t.
Will Wire change its policy?
And will the NHS upgrade its thousands of computers to at least Windows 8, if not Windows 10?
Will law enforcement agencies be able to catch the criminals behind such a large-scale ransomware attack?
And while we’re talking about security, when will security companies be able to come up with a foolproof system to protect our most critical of infrastructures?
For more stories like this one, don’t forget to subscribe to Security Gladiators.