Copycat Hackers Planning to Join Global Ransomware Heist

Attack may have originated in UK, and cybercriminals created at least 6 variants
By Joshua Philipp, The Epoch Times
May 17, 2017 1:10 pm Last Updated: May 21, 2017 8:16 pm

Additional hacker groups are planning to join the recent wave of global cyberattacks that have so far hit thousands of organizations—including factories, banks, and government agencies—in more than 150 countries, affecting more than 300,000 computers. Meanwhile, cybersecurity experts have been scrambling to determine who was responsible for the first wave of attacks.

“There are people copycatting the malware as of right now to try to get on the gravy train,” said Michael Gafford, CEO of Equation Security, a darknet intelligence and software company.

Some of the chatter, according to Gafford, is taking place on cybercrime forums on the darknet, and Equation Security also has intercepted communications of a known “specific faction” that is discussing joining in as well. The darknet is an alternate internet, only accessible with specialized software, that has marketplaces and forums used by criminal groups to buy, sell, and conspire.

Hackers are also already altering the virus code to create new attacks. Darknet data collected by William Welna, co-founder of Equation Security, shows that efforts to add additional functions to the WannaCry malware used in the attacks are already well underway. Gafford said they’ve already seen around six different variants.

WannaCry spreads between computers by exploiting a known Windows vulnerability and does not require the user to make a mistake—unlike most forms of malware—in order to infect the machine.

After the computers are infected, the cybercriminals behind the attacks then lock the systems down and charge the owners a fee to regain access, using what’s referred to as ransomware.

Users affected by WannaCry attacks receive an alert on their computers stating, “Ooops, your files have been encrypted!” A window beneath tells users how to pay the ransom to unlock their machines and recover their files. It also shows a timer counting down the seven days they’ve been given to make the payment. It threatens users that a “free event” in six months awaits anyone who doesn’t pay.

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in  Mountain View, Calif.,  (Courtesy of Symantec/Handout via REUTERS)
A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, Calif., (Courtesy of Symantec/Handout via REUTERS)

To add insult to injury, Microsoft had already released a patch in March to guard against such attacks—close to two months before the WannaCry attacks hit.

In other words, many of the infections were avoidable—administrators may have simply failed to install the patch. This may help explain why most of the successful breaches took place outside the United States, especially in China and Russia, where outdated and pirated software would be more common.

President Donald Trump signed a cybersecurity executive order on May 11 that holds agencies accountable for breaches, stating, “The president will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”

‘Smart’ Devices at Risk

*
*

Gary Miliefsky, CEO of counterintelligence technology company SnoopWall, said that even if vulnerable machines get patched, “this is a preview of the type of malware that’s to come.”

He said this holds especially true for internet-of-things devices—including “smart” toys, digital televisions, and household electronics with internet connections—which are rarely released with security in mind. “I would guarantee anything with ‘smart’ in its title will start getting hit with this malware.”

Many medical devices are vulnerable to the virus, since they run older operating systems. Xu Zou, CEO of ZingBox, a provider of internet-of-things security to health care organizations, stated in a press release that close to 11 percent of medical devices are Windows-based and “almost all of them (99.8%) are based on legacy [operating systems] susceptible to WannaCry.”

Microsoft only recently, on May 13, issued a patch for older operating systems, including Windows 8 and Windows XP.

Tracking the Criminals

Tracing internet crime requires entering a maze in which things may not truly be as they appear.

The current hunt for the perpetrators of the WannaCry attacks has been influenced by a May 15 tweet by Google researcher Neel Mehta, in which he demonstrated similarities between the WannaCry code and the code used in attacks by the Lazarus APT hacker group.

However, attribution based on similarities in code doesn’t always say much. Hacker groups tend to buy, sell, and share code.

Some cybersecurity experts followed up on the tweet. Cybersecurity company Kaspersky reported on its Securelist blog that it “refers to a similarity between two samples that have shared the code.” Kaspersky speculated the similarities could tie the attack to Lazarus APT.

This has gained headlines because Lazarus APT is often reported to be tied to North Korea. According to Epoch Times sources, however, it is not tied to the communist state but instead operates as an international cybercrime syndicate with prominent actors in the United Kingdom.

Lazarus APT does have a series of big-time crimes attributed to it. The group was allegedly responsible for the 2014 Sony attack that brought the media giant to its knees using wiper malware (an attack that has also falsely been blamed on North Korea, according to The Epoch Times sources). It has been blamed for the 2016 bank heist in which $81 million was electronically lifted out of the accounts of the Bangladesh Central Bank—vulnerabilities for which first appeared on a Chinese hacker black market, as The Epoch Times reported in June 2016.

Gafford said that based on darknet chatter and other data his firm has seen, “the U.K. looks like it could be ground zero” for the WannaCry attacks.

Who Released the Code?

Patients and family wait for their turn to register at Dharmais Hospital, Indonesia's biggest cancer hospital, after the institution suffered the Ransomware cyber attack affecting scores of computers in Jakarta, Indonesia, on May 15, 2017. (REUTERS/Darren Whiteside)
Patients and family wait for their turn to register at Dharmais Hospital, Indonesia’s biggest cancer hospital, after the institution suffered the ransomware cyber attack affecting scores of computers in Jakarta, Indonesia, on May 15, 2017. (REUTERS/Darren Whiteside)

According to Gafford of Equation Security, a cybercrime group called The Shadow Brokers is responsible for the WannaCry virus falling into the hands of criminals. This is corroborated by another source who is in a position to know.

Miliefsky of SnoopWall can confirm that The Shadow Brokers held the virus.

“They got ahold of weaponized NSA software that allowed you to worm your way around the internet, in all versions of Windows,” said Miliefsky.

Sources say The Shadow Brokers tried selling a batch of cyberweapons, including WannaCry, but after failing to find a buyer, the group began releasing the weapons to the public in March.

Weston Wheelehan (R) and Jeremiah Steptoe, CEO of CyberCentric, give a demonstration of their cybersecurity platform during the TechCrunch Disrupt event in New York on May 15. (REUTERS/EDUARDO MUNOZ)
Weston Wheelehan (R) and Jeremiah Steptoe, CEO of CyberCentric, give a demonstration of their cybersecurity platform during the TechCrunch Disrupt event in New York on May 15. (REUTERS/EDUARDO MUNOZ)

The Epoch Times published an exclusive story in December 2016 that showed the Shadow Brokers Twitter account is tied to a man in Kurgan, Russia, whose first name is Kirill and who runs a video game marketplace. Some analysts believe—although it’s still not certain—that the group’s hacking tools were provided by former NSA contractor Harold T. Martin III, who is facing 20 criminal counts for stealing highly classified information from the U.S. government.

The Shadow Brokers released a batch of files in April, allegedly as an act of vengeance after the Trump administration launched strikes on a Syrian airfield—done in retaliation after Syrian government forces used chemical weapons on civilians, killing 72 people, including 20 children.

On April 8, The Shadow Brokers published a statement on the blogging platform Medium, filled with the odd grammar and twists of logic that have characterized its previous statements—a factor that in the past led many to question whether it was legitimate.

At the end, however, it released a password to unlock a previously encrypted file containing the NSA cyberweapons, stating it “wishes we could be doing more, but revolutions/civil wars taking money, time, and people” and that the file release was “our form of protest.” Thus, The Shadow Brokers made available, not for profit but out of malice, more tools to wreak destruction on the internet.