Date: 2017-05-23
(Corrects spelling of first name in paragraph 22 of May 18
story to Salim from Samil)
* WannaCry infections still at high levels in China,
Russia-report
* Ransomware crashes old Windows versions, limiting
spread-experts
* Global attack disproportionately targets Windows 7
users-BitSight
* Failure to heed patch warnings; turn off unneeded apps
blamed
By Eric Auchard
FRANKFURT, May 18 Two-thirds of those caught up
in the past week's global ransomware attack were running
Microsoft's Windows 7 operating system without the latest
security updates, a survey for Reuters by security ratings firm
BitSight found.
Researchers are struggling to try to find early traces of
WannaCry, which remains an active threat in hardest-hit China
and Russia, believing that identifying "patient zero" could help
catch its criminal authors.
They are having more luck dissecting flaws that limited its
spread.
Security experts warn that while computers at more than
300,000 internet addresses were hit by the ransomware strain,
further attacks that fix weaknesses in WannaCry will follow that
hit larger numbers of users, with more devastating consequences.
"Some organisations just aren't aware of the risks; some
don't want to risk interrupting important business processes;
sometimes they are short-staffed," said Ziv Mador, vice
president of security research at Trustwave’s Israeli SpiderLabs
unit.
"There are plenty of reasons people wait to patch and none
of them are good," said Mador, a former long-time security
researcher for Microsoft.
WannaCry's worm-like capacity to infect other computers on
the same network with no human intervention appears tailored to
Windows 7, said Paul Pratley, head of investigations & incident
response at UK consulting firm MWR InfoSecurity.
Data from BitSight covering 160,000 internet-connected
computers hit by WannaCry, shows that Windows 7 accounts for 67
percent of infections, although it represents less than half of
the global distribution of Windows PC users.
Computers running older versions, such as Windows XP used in
Britain's NHS health system, while individually vulnerable to
attack, appear incapable of spreading infections and played a
far smaller role in the global attack than initially reported.
In laboratory testing, researchers at MWR and Kryptos say
they have found Windows XP crashes before the virus can spread.
Windows 10, the latest version of Microsoft's flagship
operating system franchise, accounts for another 15 percent,
while older versions of Windows including 8.1, 8, XP and Vista,
account for the remainder, BitSight estimated.
COMPUTER BASICS
Any organisation which heeded strongly worded warnings from
Microsoft to urgently install a security patch it labelled
“critical” when it was released on March 14 on all computers on
its network is immune, experts agree.
Those hit by WannaCry also failed to heed warnings last year
from Microsoft to disable a file sharing feature in Windows
known as SMB, which a covert hacker group calling itself Shadow
Brokers had claimed was used by NSA intelligence operatives to
sneak into Windows PCs.
"Clearly people who run supported versions of Windows and
patched quickly were not affected", Trustwave's Mador said.
Microsoft has faced criticism since 2014 for withdrawing
support for older versions of Windows software such as
16-year-old Windows XP and requiring users to pay hefty annual
fees instead. The British government cancelled a nationwide NHS
support contract with Microsoft after a year, leaving upgrades
to local trusts.
Seeking to head off further criticism in the wake of the
WannaCry outbreak, the U.S. software giant last weekend released
a free patch for Windows XP and other older Windows versions
that it previously only offered to paying customers. (reut.rs/2qvSPUR)
Microsoft declined to comment for this story.
On Sunday, the U.S. software giant called on intelligence
services to strike a better balance between their desire to keep
software flaws secret - in order to conduct espionage and cyber
warfare - and sharing those flaws with technology companies to
better secure the internet (reut.rs/2qAOdLm).
Half of all internet addresses corrupted globally by
WannaCry are located in China and Russia, with 30 and 20 percent
respectively. Infection levels spiked again in both countries
this week and remained high through Thursday, according to data
supplied to Reuters by threat intelligence firm Kryptos Logic.
By contrast, the United States accounts for 7 percent of
WannaCry infections while Britain, France and Germany each
represent just 2 percent of worldwide attacks, Kryptos said. (tmsnrt.rs/2qIUckv)
DUMB AND SOPHISTICATED
The ransomware mixes copycat software loaded with amateur
coding mistakes and recently leaked spy tools widely believed to
have been stolen from the U.S. National Security Agency,
creating a vastly potent class of crimeware.
"What really makes the magnitude of this attack so much
greater than any other is that the intent has changed from
information stealing to business disruption", said Salim Neino,
32, chief executive of Los Angeles-based Kryptos Logic.
Last Friday, the company's British-based 22-year-old data
breach research chief, Marcus Hutchins, created a "kill-switch",
which security experts have widely hailed as the decisive step
in halting the ransomware's rapid spread around the globe.
WannaCry appears to target mainly enterprises rather than
consumers: Once it infects one machine, it silently proliferates
across internal networks which can connect hundreds or thousands
of machines in large firms, unlike individual consumers at home.
An unknown number of computers sit behind the 300,000
infected internet connections identified by Kryptos.
Because of the way WannaCry spreads sneakily inside
organisation networks, a far larger total of ransomed computers
sitting behind company firewalls may be hit, possibly numbering
upward of a million machines. The company is crunching data to
arrive at a firmer estimate it aims to release later Thursday.
Liran Eshel, chief executive of cloud storage provider CTERA
Networks, said: "The attack shows how sophisticated ransomware
has become, forcing even unaffected organisations to rethink
strategies."
ESCAPE ROUTE
Researchers from a variety of security firms say they have
so far failed to find a way to decrypt files locked up by
WannaCry and say chances are low anyone will succeed.
However, a bug in WannaCry code means the attackers cannot
use unique bitcoin addresses to track payments, security
researchers at Symantec found this week. The result: "Users
unlikely to get files restored", the company's Security Response
team tweeted.
The rapid recovery by many organisations with unpatched
computers caught out by the attack may largely be attributed to
back-up and retrieval procedures they had in place, enabling
technicians to re-image infected machines, experts said.
While encrypting individual computers it infects, WannaCry
code does not attack network data-backup systems, as more
sophisticated ransomware packages typically do, security experts
who have studied WannaCry code agree.
These factors help explain the mystery of why such a tiny
number of victims appear to have paid ransoms into the three
bitcoin accounts to which WannaCry directs victims.
Less than 300 payments worth around $83,000 had been paid
into WannaCry blackmail accounts by Thursday (1800 GMT), six
days after the attack began and one day before the ransomware
threatens to start locking up victim computers forever. (Reuters
graphic: tmsnrt.rs/2rqaLyz)
The Verizon 2017 Data Breach Investigations Report, the most
comprehensive annual survey of security breakdowns, found that
it takes three months before at least half of organisations
install major new software security patches.
WannaCry landed nine weeks after Microsoft's patch arrived.
"The same things are causing the same problems. That's what
the data shows," MWR research head Pratley said.
"We haven't seen many organisations fall over and that's
because they did some of the security basics," he said.
(Editing by Philippa Fletcher)