NHS ransomware: UK government says it's North Korea's fault WannaCry happened

The Foreign Office said it will find, pursue and respond to the malicious activity

04/08/2017: WannaCry hackers 'blocked' from cashing ransomware bitcoins

WannaCry hackers who tried to launder their ransom money have been blacklisted by the exchange they used, digital asset exchange ShapeShift, according to Forbes.

ShapeShift allows customers to change Bitcoin into an alternative cryptocurrency without creating an account, but said the attackers' attempt to use the service to convert their bitcoins into Monero, an allegedly secure, private, and untraceable currency, broke its terms of service.

A spokesperson for ShapeShift told Forbes: "As of today, we have taken measures to blacklist all addresses associated with the WannaCry attackers that are known to the ShapeShift team, as is our policy for any transactions we deem breach our terms of service. We are closely watching the situation as it continues to unfold as to block any further addresses associated."


The hackers, who leveraged WannaCry against NHS hospitals and other business targets, attempted to move $36,922 of the $140,000, according to Chainalysis co-founder Jonathan Levin, speaking to Forbes.

The Shapeshift spokesperson added: "Any transactions made through ShapeShift can not be hidden or obscured and are thus 100% transparent, making laundering of any digital tokens impossible.

"Additionally, we are engaging directly with law enforcement involved with the WannaCry case and will assist them with any needs they may request to apprehend the perpetrators."

The WannaCry attack affected over 200,000 computers in 150 countries and demanded money for users to access their files.

Marcus Hutchins, the British security researcher who stopped the WannaCry attack, was charged by US authorities with creating and distributing the Kronos banking Trojan this week. Hutchins, 23, tried to leave the US after attending the Black Hat and Defcon security conferences in Las Vegas, but was arrested at the airport.


03/08/2017: WannaCry's $140,000 Bitcoin wallets are emptied

More than $140,000 in bitcoins paid by victims of the WannaCry attack have been moved from their online wallets.

Keith Collins, a technology reporter at Quartz, set up an online Twitter bot called "actual ransom" to monitor three Bitcoin wallets tied to the WannaCry attack which would post whenever money was moved from the wallets.

At 3am today, it reported the wallets held $142,361.51 which they had collected through 338 payments.

Starting at 4:10am there was a series of seven tweets reporting that different amounts of money had been taken out, ranging from $19,318.06 to $27,514.04. The balance of the wallets is now zero.
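The monitoring described above comes down to replaying a wallet ledger and raising an alert whenever funds leave an address. The following is an added example written for this page, not Collins' bot or any code from the article; it runs over a small constructed ledger (not real WannaCry transactions), uses an assumed flat BTC/USD rate, and also flags a ledger that would drive a balance negative, which would mean the observations are inconsistent.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample ledger (NOT real WannaCry transactions): each tuple is
# (timestamp, wallet label, signed BTC amount). Positive = a victim payment
# arriving, negative = funds being moved out of the wallet.
SAMPLE_TXS = [
    ("2017-08-03T01:00", "wallet-A", Decimal("0.17")),
    ("2017-08-03T01:30", "wallet-B", Decimal("0.17")),
    ("2017-08-03T02:00", "wallet-C", Decimal("0.34")),
    ("2017-08-03T04:10", "wallet-A", Decimal("-0.17")),
    ("2017-08-03T04:12", "wallet-C", Decimal("-0.34")),
    ("2017-08-03T04:15", "wallet-B", Decimal("-0.17")),
]

# Assumed flat BTC/USD rate for the example; a real bot would fetch a quote.
BTC_USD = Decimal("2800")


@dataclass
class WalletState:
    balance: Decimal = Decimal("0")
    received: Decimal = Decimal("0")
    moved_out: Decimal = Decimal("0")
    payments_in: int = 0


def track(txs):
    """Replay a ledger in timestamp order; return (per-wallet state, alerts).

    One alert is produced for every outflow, which is the event the
    'actual ransom' bot posted about. A negative running balance cannot
    happen on a real chain, so it is reported as an inconsistent ledger."""
    wallets = defaultdict(WalletState)
    alerts = []
    for ts, wallet, amount in sorted(txs, key=lambda t: t[0]):
        state = wallets[wallet]
        state.balance += amount
        if amount > 0:
            state.received += amount
            state.payments_in += 1
            continue
        out = -amount
        state.moved_out += out
        alerts.append(
            f"{ts} {wallet}: {out} BTC (${out * BTC_USD:,.2f}) moved out, "
            f"balance now {state.balance} BTC"
        )
        if state.balance < 0:
            alerts.append(f"{ts} {wallet}: balance went negative; ledger is inconsistent")
    return dict(wallets), alerts


def summarise(wallets):
    """Totals across all tracked wallets, in BTC and at the assumed rate."""
    remaining = sum((w.balance for w in wallets.values()), Decimal("0"))
    return {
        "payments_in": sum(w.payments_in for w in wallets.values()),
        "received_btc": sum((w.received for w in wallets.values()), Decimal("0")),
        "moved_out_btc": sum((w.moved_out for w in wallets.values()), Decimal("0")),
        "remaining_btc": remaining,
        "remaining_usd": remaining * BTC_USD,
    }


if __name__ == "__main__":
    state, alerts = track(SAMPLE_TXS)
    for line in alerts:
        print(line)
    print(summarise(state))
```

Amounts are kept as Decimal rather than float so that the per-wallet balances come back to exactly zero after the outflows, which is the condition the bot reported on.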


The money may now be sent through a Bitcoin mixer to obscure its trail. As Collins reported, a mixer passes the funds through a high-volume address, such as an exchange, where legitimate money frequently flows, so that it becomes hard to see where the ransomware proceeds eventually end up. The aim is to confuse anyone following the money trail, and the practice can be thought of as online laundering.

WannaCry affected more than 200,000 computers in 150 countries and blocked users from accessing their files. The files were only recoverable through a $300 to $600 Bitcoin payment. This ransomware exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key.

29/06/2017: WannaCry was "inevitable" due to NHS under-funding, says BCS

The NHS has been criticised for a lack of investment and accountability in IT security measures that allegedly led to the widespread Wannacry outbreak last month.

The Chartered Institute for IT (BCS) said that despite efforts with limited resources available, some hospital IT teams lacked access to trained, registered and accountable cyber security professionals with the power to assure hospital boards that computer systems were fit for purpose.

David Evans, director of community and policy at The Chartered Institute for IT, said that the healthcare sector has struggled to keep pace with cyber security best practice, and with a systemic lack of investment, ultimately, the Wannacry attack was an "inevitability".


"Patients should be able to trust that hospital computer systems are as solid as the first-class doctors and nurses that make our NHS the envy of the world," he said.

"Unfortunately, without the necessary IT professionals, proper investment and training the damage caused by the Wannacry ransomware virus was an inevitability, but with the roadmap we are releasing today, [that] will make it less likely that such an attack will have the same impact in the future."

BCS has joined forces with the Patient's Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take to avoid another crippling cyber attack.

Most important was ensuring there are clearly laid out standards for accrediting relevant IT professionals. NHS boards are being urged to ensure they understand their responsibilities, and how to make use of registered cyber security experts. The blueprint also states that the number of properly qualified and registered IT professionals needs to be increased.


Almost 50 NHS Trusts were hit last month by Wannacry, with the ransomware encrypting computers and leaving them unusable in many areas of the health service, with hackers threatening that valuable files would be lost forever unless a ransom was paid.

23/06/2017: WannaCry isn't over. Honda was forced to shut a car manufacturing plant in Japan after being struck by the ransomware, while reports suggest Australian traffic cameras were knocked offline by the attack.


Honda shut its Sayama plant on Monday after being hit by the ransomware over the weekend, which then spread across the car maker's networks. The factory was back online the next day. It produces about 1,000 cars a day.

The car maker didn't say how it was infected, or why its systems were still at risk several weeks after the initial attack, which was halted when a security engineer triggered a kill switch. Microsoft has since released patches to prevent infection.

Honda isn't the only organisation to still be reeling from WannaCry. An Australian traffic control system was infected by the ransomware, though the 55 cameras continued working throughout the attack.

In this case, the spread of WannaCry was human error, after a contractor working for the government connected an infected device to the camera network. A patch is being rolled out to stop the infection, and any fines that are mistakenly doled out as a result of the incident will be refunded, the department of justice in Victoria said.

30/05/2017: Why WannaCry's creator could be Chinese

The creator of WannaCry may be Chinese, according to a fresh analysis of the notices sent to victims of the ransomware, including NHS trusts, earlier this month.


Flashpoint's research concludes that the native language of the author, or authors, may have been Chinese, and that while they were familiar with the English language, were not native speakers.

The security firm's analysis found that nearly all of the ransom notes for WannaCry were produced with Google Translate, and that only three versions, the English one and the two Chinese ones (simplified and traditional), were likely to have been written by a human rather than translated by a machine.


The researchers deduced that the English note appeared to be written by someone with a strong command of English, although it apparently contained a glaring grammatical error (which Flashpoint did not detail) suggesting the speaker is non-native or poorly educated.

They also found that while the English note was the source text for machine translation into the other languages, the Chinese ransom note served as the original source for the English version, because it "contains content not in any of the others, though no other notes contain content not in the Chinese".

This means it's possible that Chinese is the writer or writers' native tongue, but other languages cannot be ruled out. Flashpoint added: "It is also possible that the malware author(s)' intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead."

Experts had previously pointed to North Korea as the creator of the ransomware that shut down NHS hospitals earlier this month, though a think tank last week aired its doubts over this attribution, questioning the alleged links between the suspected perpetrator, the Lazarus Group, and the country.


The cyber attack infected more than 200,000 computers in 150 countries. The FBI, Europol and the UK's National Crime Agency are investigating who was responsible for the attack.

Multiple security experts have said that the majority of computers infected by WannaCry were running Windows 7, in contrast to previous assumptions that it was unpatched XP machines responsible for the quick spread of the ransomware.

WannaCry blocked users from accessing files which were only recoverable through a $300 to $600 Bitcoin payment. The ransomware exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key.

24/05/2017: North Korea may not be behind WannaCry

As experts point to North Korea as the creator of WannaCry ransomware that shut down NHS hospitals earlier this month, one sceptical note still sounds.

Cyber security vendors including Symantec have linked WannaCry to the Lazarus Group, allegedly a group of North Korean hackers, but a think tank has called for caution amid the finger-pointing.


"To be abundantly clear, the recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing," wrote James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT).

He added: "Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat."

The comments follow multiple vendors blaming North Korea for initiating the ransomware, which locked files and demanded Bitcoin payments to release them at 16 NHS organisations, among other targets, though the NHS initially found no evidence of personal data being compromised.

"From all that we see, the technical evidence points to the fact that this is Lazarus," Symantec investigator Eric Chien told the New York Times on Monday.

The publication referred to "digital crumbs" that the cyber security firm had traced to previous attacks widely attributed to North Korea, like the Sony Pictures hack in late 2014.

Symantec also found similar tools and computer code in the WannaCry attack to previous hacks on South Korean targets.


But ICIT claimed the Lazarus Group was a "cyber-mercenary" outfit, and Scott said of the similarity between the malware tools used in WannaCry and previous attacks: "These claims should not be seen as overly definitive despite their presentation because Lazarus was known for borrowing code from other malware and because it remains possible that outdated Lazarus malware was captured by the WannaCry threat actors and occasionally used as a template for their less sophisticated malware development."

He added: "At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT."

22/05/2017: NHS ransomware: Wannacry spread via Windows 7, not XP

The majority of computers infected by WannaCry were running Windows 7, according to multiple security experts - and contrary to assumptions that unpatched XP machines were to blame for the ransomware's quick spread.


When the ransomware shut down NHS hospital systems on 12 May, Microsoft had already issued a patch for the vulnerability being abused to spread the infection, but Windows XP users only got that patch if they were paying for custom support, as the two-decade-old OS is out of standard support. That left many assuming XP was the main attack vector, with 90% of NHS trusts still using the OS at the end of last year.

However, the spread instead appears to be down to organisations and individuals failing to keep Windows up to date.


Kaspersky Labs released data showing Windows 7 dominated infections at 97%, with negligible numbers of Windows XP infections. Windows 10 was unaffected, as the vulnerability didn't infect the latest OS. Those figures are for PCs running Kaspersky software.

That data was backed up by a Reuters-commissioned report by BitSight, which suggested two-thirds of PCs infected by WannaCry were running Windows 7 without the latest security patches. The report suggested XP could be infected, but didn't help spread the ransomware, as the OS handily crashed before WannaCry could spread.

Hackers have been trying to restart the WannaCry attack by targeting the domain that acted as a kill-switch and was set up by a 22-year-old British security researcher, who goes by MalwareTech online. They've been using Mirai botnets to run a DDoS attack to target the servers, he noted.
