Widespread Ransomware ‘Wannacry’ Linked to NSA Exploit


According to many reports across the web, a string of ransomware attacks has infected thousands of businesses in 99 countries worldwide. Sources say over 75,000 users globally were affected because of a leaked NSA exploit published by the hacker group the Shadow Brokers.


Wana Ransomware Infects 75,000 Computers Worldwide

A massive epidemic has struck close to a hundred countries, with more than 75,000 detections of the ransomware called Wanacryptor 2.0 (Wana). According to the Avast security blog and Krebs on Security, a significant portion of the businesses hit were in Taiwan, Ukraine, and Russia. Other victims include a string of hospitals in Europe, Chinese universities, the UK’s National Health Service (NHS), and the Spanish telecommunications giant Telefonica.

Wana is ransomware: it encrypts an individual’s or company’s files and demands payment to restore them. Reports from the Financial Times and other news outlets link the tool to the exploits recently leaked by the Shadow Brokers and attributed to the NSA. Krebs on Security also details that the ransomware is spreading through a vulnerability in Windows that Microsoft has already patched.

“There are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft,” the report continues.


Windows Vulnerability

Wana appends the extension .WNCRY to each file it encrypts. Malware Hunter Team was the first to notice the Wana malware and told the public about it a few weeks ago. The malware not only encrypts files but also downloads a Tor client so that it can communicate with its operators anonymously. To unlock the files, a set amount of bitcoin must be sent to an address supplied by the software. According to CCN-CERT, the tool exploits a vulnerability in the Windows Server Message Block (SMB) protocol, which has let the ransomware spread on its own from machine to machine and reach more than 75,000 systems worldwide. A host that exposes SMB to the network and has not received Microsoft’s fix is a candidate for infection with no user interaction at all.
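The SMB vector is the one part of this story a defender can check for directly. The probe below is an added example written for this page, not code from the article or from any of the sources it cites. It sends an SMBv1 NEGOTIATE request, the first message of the dialogue the worm abuses, to TCP port 445 and reports whether the server still accepts the NT LM 0.12 dialect. A host that answers with an SMB1 header and a valid dialect index still speaks SMBv1 and, if it has not received Microsoft’s March 2017 fix (MS17-010), is exposed to exactly the spread described above; a host that answers with an SMB2 header or closes the connection has SMBv1 off. The packet layout follows the SMB1 specification, the Flags/Flags2 values are the ones common clients send and do not affect the result, and the classification rules and the sample replies used for the offline self-check are this example’s own construction. The probe establishes only whether SMBv1 is reachable, not whether the patch is installed, and it should be pointed only at hosts you are authorized to scan.

```python
"""Probe whether a host still answers SMBv1 NEGOTIATE on TCP/445.

Added example for this article (not code from the article or its sources).
The header layout follows the SMB1 spec; the classification and the sample
replies at the bottom are constructed here for the offline self-check.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"


def netbios_frame(smb_message):
    """Prefix an SMB message with the 4-byte NetBIOS session service header."""
    return b"\x00" + struct.pack(">I", len(smb_message))[1:] + smb_message


def build_smb1_negotiate(dialects=(DIALECT_NT_LM_012,)):
    """Build an SMB1 NEGOTIATE request offering the given dialect strings."""
    header = (
        SMB1_MAGIC
        + struct.pack("<B", SMB_COM_NEGOTIATE)  # Command
        + struct.pack("<I", 0)                  # Status
        + struct.pack("<B", 0x18)               # Flags: case-insensitive, canonical paths
        + struct.pack("<H", 0xC853)             # Flags2: unicode, NT status, long names
        + struct.pack("<H", 0)                  # PIDHigh
        + b"\x00" * 8                           # SecurityFeatures
        + struct.pack("<H", 0)                  # Reserved
        + struct.pack("<H", 0)                  # TID
        + struct.pack("<H", 0xFEFF)             # PIDLow
        + struct.pack("<H", 0)                  # UID
        + struct.pack("<H", 0)                  # MID
    )
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes  # WordCount, ByteCount
    return netbios_frame(header + body)


def classify_reply(data):
    """Classify a raw reply to the NEGOTIATE above.

    Returns a dict with 'protocol' ('SMB1', 'SMB2' or 'unknown'), 'smb1_accepted'
    and the 'dialect_index' the server chose (0xFFFF means it rejected them all).
    """
    result = {"protocol": "unknown", "smb1_accepted": False, "dialect_index": None}
    payload = data[4:]  # strip the NetBIOS session header
    if payload[:4] == SMB2_MAGIC:
        result["protocol"] = "SMB2"  # server negotiated up; SMB1 not on offer
        return result
    if payload[:4] != SMB1_MAGIC or len(payload) < 35:
        return result
    result["protocol"] = "SMB1"
    command = payload[4]
    status = struct.unpack_from("<I", payload, 5)[0]
    word_count = payload[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return result
    dialect_index = struct.unpack_from("<H", payload, 33)[0]
    result["dialect_index"] = dialect_index
    result["smb1_accepted"] = dialect_index != 0xFFFF
    return result


def probe_smb1(host, port=445, timeout=3.0):
    """Send the NEGOTIATE to host:port and classify whatever comes back.

    A reset or silent close (how Windows behaves with SMBv1 disabled) is
    reported as protocol 'closed' with smb1_accepted False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError:
        return {"protocol": "unreachable", "smb1_accepted": False, "dialect_index": None}
    if not data:
        return {"protocol": "closed", "smb1_accepted": False, "dialect_index": None}
    return classify_reply(data)


def constructed_smb1_reply(dialect_index):
    """Constructed (not captured) minimal SMB1 NEGOTIATE response for offline checks."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + struct.pack("<I", 0) + b"\x00" * 23
    body = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32  # WordCount 17, rest zeroed
    return netbios_frame(header + body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_smb1(sys.argv[1]))  # e.g. python probe.py 192.0.2.10
    else:
        for label, reply in (("accept", constructed_smb1_reply(0)),
                             ("reject", constructed_smb1_reply(0xFFFF))):
            print(label, classify_reply(reply))
```

Run it with a host name or address to probe a real server; with no argument it classifies the two constructed replies so the parsing logic can be exercised offline. Because only one dialect is offered, a `dialect_index` of 0 means the server picked NT LM 0.12, which is the SMBv1 dialect the worm needs.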


There are over 100 strains of ransomware in circulation, but this particular outbreak is being called the worst malware epidemic yet, and one that involves a Windows exploit allegedly crafted by the U.S. National Security Agency. So far, reports say a few businesses around the world are refusing to pay the ransom, and some security groups believe a remedy will be found soon.

However, the attackers have so far accumulated at least 6.46 BTC (about US$10,000) across three bitcoin addresses hard-coded into the malware. Investigators say they find it odd that the attackers used the same three addresses for every victim: on a public ledger this makes the take easy for anyone to count, and it gives the operators no way to tell from a payment alone which victim has paid.

What do you think about the ransomware epidemic? Let us know in the comments below.


Images via Shutterstock and Bleeping Computer.



  • Duh! Using the same address leaves a mark, a free counter just for your viewing pleasure; be careful pulling on that string… They probably replaced the NSA internal server address with a BTC address to make the ransom part of the public ledger forever; there may be a message contained in the address, like you could do with a BIP password. We really need better, more imaginative people on this investigation. Cryptography requires personality and imagination and a significant interest in the use of numbers as messages, variables, and triggers. Seriously, it is a very critical moral issue to hit healthcare. I think the big reason it was done is to shine a light on the #1 place where identity is stolen: anyplace you use insurance. The intent of not profiting from the intrusion stands out. The target stands out. I think whoever launched the attack is making a very big statement: Do Not Trust Your Personal Details To Health Care Providers, as well as encouraging Microsoft users to stop using administrator defaults and relying on third-party services. Almost all insurance forms and installed software advise you of, and have you sign off on, the lack of security. They hold 0% liability for your information being stolen, as they request and hold your personal information in lieu of services. It all should make you very cautious, speak out, and ask why anyone needs your personal details to render services. A receipt after payment should be all that is legal and required as proof of services rendered. You should all be asking yourselves why the NSA would require such tools, why they used secret funding to build them, what they did to test them, and how it came to be in a place where it could be stolen. The NSA should be dissolved; their integrity is being eroded with every leak, drip by sneaky drip. Your governments opened a huge hole in funding taxpayer initiatives like so-called free health care when they failed to protect the digital records prior to rendering services.
    You would think governments would prioritize security tools over hacking tools. I guess breaking things first is more romantic than building the unbreakable. We need to demand much better from our institutions through demand and choice, and be more frugal and aware. Pick up a good book on cryptography and learn what is right in front of you and why the hackers (black hats and white hats) used it.

  • Buddy Bell

    Patrick is right about the counter. And why a 300 dollar ransom? Sure, it’s affordable for a lot of people, but when you’re pulling in big fish like FEDX, why 300 bucks? Maybe Red Hat is behind this. The CIA and Microsoft both should be toast for this, but we all know what’s next. Why, of course it’s BITCOIN’s fault!

    • 300 could be something related to the Spartan story. Maybe covering a retreat of a larger force. Or maybe the prophecy of the Oracle of Delphi: “O ye men who dwell in the streets of broad Lacedaemon! Honor the festival of the Carneia! Otherwise, either your glorious town shall be sacked by the children of Perseus, or, in exchange, must all through the whole Laconian country mourn for the loss of a king, descendant of great Heracles.” Or maybe just the demise of a leader like Leonidas. 300 can keep you looking for some time; prime numbers, 0300 British government area code, Wiki stuff:

      Three hundred is:

      In bowling, a perfect score, achieved by rolling strikes in all ten frames (a total of twelve strikes)
      The lowest possible Fair Isaac credit score
      Three hundred ft/s is the maximum legal speed of a shot paintball
      In the Hebrew Bible, the size of the military force deployed by the Israelite judge Gideon against the Midianites (Judges 7:7-8)
      According to Islamic tradition, 300 is the number of ancient Israeli king Thalut’s soldiers victorious against Goliath’s soldiers
      According to Herodotus, 300 is the number of ancient Spartans resisting one million Persian invaders during the Battle of Thermopylae
      In Islamic history, 300 is the number of Muhammad’s followers victorious in the Battle of Badr
      Three hundred is the number of families followers of Jewish heretic Sabbatai Zevi forced to convert to Islam by the Ottoman Sultan and became the ancestors of Donmeh
      Three hundred is the number of seats in the Hellenic parliament

      Many more…

    • Buddy Bell

      Sorry I misstated it was the CIA. It was the NSA that had the code hacked off their network and held back the knowledge of the hole in Microsoft’s OS from Microsoft.