The fallout from WannaCry continues, with the latest victims being major organisations in Australia and Japan.
WannaCry isn't over. Fifty-five speed and red light cameras across Victoria have been infected with the ransomware, according to iTnews. As a result, Victoria Police has decided to cancel almost 600 speeding and red light fines issued over the past two and a half weeks.
In this case, the spread of WannaCry appeared to be human error, after it was revealed a contractor working for the government connected an infected device to the camera network. A patch is being rolled out to stop the infection.
Victoria Police isn't the only organisation to still be reeling from WannaCry. Honda was forced to shut a car manufacturing plant in Japan after being struck by the ransomware.
Honda shut its Sayama plant last week after being hit by the ransomware over the weekend, which then spread across the car maker's networks. The factory was back online the next day. It produces about 1,000 cars a day.
The car maker didn't say how it was infected, or why its systems were still at risk several weeks after the initial attack, which was halted when a security engineer triggered a kill switch. Microsoft has since released patches to prevent infection.
WannaCry, also known as WanaCryptor or WCry, infected over 300,000 computers in 150 countries, including at least 12 Australian small businesses. The FBI, Europol and the UK's National Crime Agency are investigating who was responsible for the attack. WannaCry blocked users from accessing files which were only recoverable through a US$300 to US$600 Bitcoin payment.
If you think your business has been infected, the Australian Cyber Security Centre recommends that you contact ACORN (the Australian Cyber Crime Online Reporting Network). See our ransomware survival guide for further guidance. For prevention tips, see our ransomware defence guide.
Wannacry spread via Windows 7, not XP
Earlier, multiple security experts reported that the majority of computers infected by WannaCry were running Windows 7 – contrary to assumptions that unpatched XP machines were to blame for the ransomware's quick spread.
When the ransomware spread around the world on 12 May, Microsoft had already issued a patch for the vulnerability being abused to spread the infection, but Windows XP users only got that patch if they were paying for custom support, as the two-decade-old OS is out of standard support. That left many assuming XP was the main attack vector.
However, it instead appears to be down to organisations and individuals failing to keep Windows up to date.
Kaspersky Labs released data showing Windows 7 dominated infections at 97%, with negligible numbers of Windows XP infections. Windows 10 was unaffected, as the exploit used to spread the ransomware did not work against the latest OS. Those figures are for PCs running Kaspersky software.
That data was backed up by a Reuters-commissioned report by BitSight, which suggested two-thirds of PCs infected by WannaCry were running Windows 7 without the latest security patches. The report suggested XP could be infected, but didn't help spread the ransomware, as the OS tended to crash before WannaCry could propagate.
Hackers have been trying to restart the WannaCry attack by targeting the domain that acted as a kill-switch and was set up by a 22-year-old British security researcher, who goes by MalwareTech online. They've been using Mirai botnets to run a DDoS attack to target the servers, he noted.
Why WannaCry's creator could be Chinese
Previously, it was revealed the creator of WannaCry may be Chinese, according to analysis of the notices sent to victims of the ransomware.
Research by security firm Flashpoint concluded that the native language of the author, or authors, may have been Chinese, and that while they were familiar with the English language, were not native speakers.
The firm's analysis found that nearly all of the ransom notes for WannaCry were translated using Google Translate and that only three of them – the English note and the two Chinese versions (simplified and traditional) – were likely to have been written by a human rather than translated by a machine.
The researchers deduced that the English note appeared to be written by someone with a strong command of English, although it apparently contained a glaring grammatical error (which Flashpoint did not detail) suggesting the speaker is non-native or poorly educated.
They also found that while the English note was the source text for machine translation into the other languages, the Chinese ransom note served as the original source for the English version, because it “contains content not in any of the others, though no other notes contain content not in the Chinese”.
This means it's possible that Chinese is the writer or writers' native tongue, but other languages cannot be ruled out. Flashpoint added: “It is also possible that the malware author(s) intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.”
Flashpoint’s research contradicted previous claims that the creator could be North Korean.
Multiple security researchers discovered similarities between the code used in early versions of WannaCry and attacks on targets including Bangladeshi and Polish banks and Sony Pictures – attacks that were later attributed to North Korean hackers known as Lazarus.
“The scale of the Lazarus operations is shocking,” Kaspersky Lab researchers said in a blog post.
The links were pointed out by a Google researcher on Twitter, and Symantec agreed: “From all that we see, the technical evidence points to the fact that this is Lazarus,” Symantec investigator Eric Chien told the New York Times.
The publication referred to "digital crumbs" that the cyber security firm had traced to previous attacks widely attributed to North Korea, like the Sony Pictures hack in late 2014.
However, Kaspersky researchers noted that this could be a ‘false flag operation’, designed to trick experts into thinking the attacks were carried out by someone else.
Researchers noted that the code linking WannaCry to the Lazarus attacks was not present in the latest sample of the malware, meaning that the perpetrators could be trying to cover their tracks. Kaspersky Labs called for further scrutiny.
“For now, more research is required into older versions of Wannacry,” the post said. “We believe this might hold the key to solve some of the mysteries around this attack.”
Indeed, others noted that such code overlap doesn't prove anything other than the fact hackers borrow and steal from each other.
“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller told Newsweek.
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), noted: “To be abundantly clear, the recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing.”
“Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat.”
ICIT claimed the Lazarus Group was a “cyber-mercenary” outfit, and Scott said of the similarity between the malware tools used in WannaCry and previous attacks: "These claims should not be seen as overly definitive despite their presentation because Lazarus was known for borrowing code from other malware and because it remains possible that outdated Lazarus malware was captured by the WannaCry threat actors and occasionally used as a template for their less sophisticated malware development.
“At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT.”
Whoever the culprits are, they haven’t made much cash from the disruption their hack has caused. A White House spokesperson said that while 300,000 computers around the world were infected, only about US$70,000 in ransom had been paid, according to a Reuters report.
Microsoft points to NSA leaks
Earlier, Microsoft confirmed the exploits used by the perpetrators behind WannaCry were stolen from the US National Security Agency.
In a blog post, Microsoft’s legal counsel Brad Smith said companies like his own were “increasingly among the first responders” in such attacks, and that online security is a “shared responsibility between tech companies and customers”.
Customers – be they individuals or corporations – need to keep their machines updated, but Smith admitted that’s not always easy, adding “we are dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments”.
Such work is made harder when governments are stockpiling – and then losing – vulnerabilities, he added, confirming that the exploits abused to infect the NHS and the other organisations on Friday were indeed those stolen by the NSA earlier this year.
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” he said. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”
Smith said the attack should be a “wake-up call” to governments on cybersecurity. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” he said. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”