There’s new evidence tying WCry ransomware worm to prolific hacking group


My_Jacket

Wise, Aged Ars Veteran
123
I dunno, if we're speculating that WCry was nation state sponsored, wouldn't it make sense to use those resources to obfuscate the origin? I know that in an alternate reality where I created malware, I'd be doing my best to avoid a trail of breadcrumbs...

Again, as the article points out, attributing malware to specific groups is frequently fraught with errors. Unless we find a smoking gun, articles like this are interesting theatre but complete speculation.
 
Upvote
-6 (20 / -26)
Please correct me if I'm wrong on this, but aren't these sorts of things almost always successful on individuals/corporations that for whatever reason haven't updated their OS?

I totally get why some corporations haven't been kept up to date. I don't agree with it -- it's usually a profit margin -- but it can also be some shitty software choices that tie mission critical software to a specific OS. (I don't get why individuals don't keep themselves updated. If you're on mission critical stuff, use a VM.)

With that said, the corporations in play, and I understand that there are a lot of large, high profile targets, are the culprit here. I don't want to victim blame; it sucks when shit like this happens. But having worked primarily in larger companies for the past 15+ years as a senior software developer in various technologies, it never fails to amaze me how these companies make their technology decisions.

It's almost always the cheapest way possible, with minimal thought put into how it may affect things a few years down the road, much less 5-10 years down the road (or more). It makes no sense. More and more, people and corporations depend on technology for their everyday operations, but they fail to see the benefit of hiring the right people and using the right technology to secure it. They shortchange entire IT departments for cost reasons, but then overspend on image instead of quality. The connection between the two isn't made for whatever reason. (A good product will advertise itself.)

It may be slowly changing, but as things like this prove, the backward thinking (let's spend the least to secure our most important assets) is still going strong.
 
Upvote
37 (42 / -5)

pbarrette

Ars Praetorian
430
Subscriptor++
So here's where international politics gets interesting.

WannaCrypt hit predominantly in Russia / Eastern Europe according to Kaspersky, and MalwareTech's tracking map shows a heavy infection base in China.

Most security researchers (not all, mind you) believe that the Sony hack was done by, or on the orders of, the North Korean government.

China and Russia have traditionally been supportive of North Korea.

If the Sony hack and W/anna/Cry/Crypt are actually from the same group, and that group is North Korean in origin, it will be interesting to see if there is any reaction politically from China and Russia.

EDIT: where, yeah.
 
Upvote
38 (41 / -3)

Frosty Grin

Ars Legatus Legionis
18,809
If the Sony hack and W/anna/Cry/Crypt are actually from the same group, and that group is North Korean in origin, it will be interesting to see if there is any reaction politically from China and Russia.
On one hand, this malware isn't targeted, so there was no intent to target Russia/China specifically. On the other hand, it's not like North Korea was Russia's and China's best buddy before. Russia and China just don't want instability in the region.
 
Upvote
25 (27 / -2)
So here's where international politics gets interesting.

WannaCrypt hit predominantly in Russia / Eastern Europe according to Kaspersky, and MalwareTech's tracking map shows a heavy infection base in China.

Most security researchers (not all, mind you) believe that the Sony hack was done by, or on the orders of, the North Korean government.

China and Russia have traditionally been supportive of North Korea.

If the Sony hack and W/anna/Cry/Crypt are actually from the same group, and that group is North Korean in origin, it will be interesting to see if there is any reaction politically from China and Russia.

EDIT: where, yeah.


Perhaps that's where the exploit first got a foothold. As it was not targeted, it makes sense that if the first PC hit was in Russia it would spread there first and eventually jump borders.
 
Upvote
7 (8 / -1)
Seems like a pretty tightly run organization.

Otherwise, how would they evenly distribute the bitcoin ransom? A band of anonymous hackers would be susceptible to one of them pilfering all the wallets' contents.

This leads me to think that the group has a form of "In Real Life" knowledge of each other, so if one did steal all the "earnings", the others would know who to blame, instead of just a pseudonymous IRC handle or something.
 
Upvote
16 (17 / -1)
WannaCrypt hit predominantly in Russia / Eastern Europe according to Kaspersky, and MalwareTech's tracking map shows a heavy infection base in China.

Not because those countries were specifically targeted, though; the relatively high population of PCs running old/pirated/unpatched copies of the Windows OS just resulted in a higher than average infection rate.
 
Upvote
22 (22 / 0)

SilverSee

Ars Scholae Palatinae
1,085
I dunno, if we're speculating that WCry was nation state sponsored, wouldn't it make sense to use those resources to obfuscate the origin? I know that in an alternate reality where I created malware, I'd be doing my best to avoid a trail of breadcrumbs...

Again, as the article points out, attributing malware to specific groups is frequently fraught with errors. Unless we find a smoking gun, articles like this are interesting theatre but complete speculation.
There are benefits to code sharing, even for hackers.

Off topic, but I am finding it interesting that many seem to be defending North Korea (based on comments in the previous article) or are at least resistant to the idea that this could be nation-state sponsored or that the provenance could point to Lazarus. We should follow the facts wherever they lead. In the absence of direct evidence that these code similarities and other linkages are intentionally designed to obfuscate, then Occam's razor should apply to how we interpret the facts (allowing of course for uncertainty).
 
Upvote
13 (15 / -2)

AxMi-24

Ars Legatus Legionis
10,347
So here's where international politics gets interesting.

WannaCrypt hit predominantly in Russia / Eastern Europe according to Kaspersky, and MalwareTech's tracking map shows a heavy infection base in China.

Most security researchers (not all, mind you) believe that the Sony hack was done by, or on the orders of, the North Korean government.

China and Russia have traditionally been supportive of North Korea.

If the Sony hack and W/anna/Cry/Crypt are actually from the same group, and that group is North Korean in origin, it will be interesting to see if there is any reaction politically from China and Russia.

EDIT: where, yeah.

I would expect nation state hackers to display a bit more competence than the people who did wannacry. There is no part of that code that is even remotely well done (except the NSA part I guess). Looks more like some script kiddies with copy paste than some serious organisation.

Also the Sony hack attribution to NK was always iffy at best but since it did leak how US government and media were colluding it was important to blame some "evil" country to draw away the attention from the actual information released in the hack. Even Dan just talks about deleted data and not the content of the leaks.
 
Upvote
-4 (6 / -10)

AxMi-24

Ars Legatus Legionis
10,347
I dunno, if we're speculating that WCry was nation state sponsored, wouldn't it make sense to use those resources to obfuscate the origin? I know that in an alternate reality where I created malware, I'd be doing my best to avoid a trail of breadcrumbs...

Again, as the article points out, attributing malware to specific groups is frequently fraught with errors. Unless we find a smoking gun, articles like this are interesting theatre but complete speculation.
There are benefits to code sharing, even for hackers.

Off topic, but I am finding it interesting that many seem to be defending North Korea (based on comments in the previous article) or are at least resistant to the idea that this could be nation-state sponsored or that the provenance could point to Lazarus. We should follow the facts wherever they lead. In the absence of direct evidence that these code similarities and other linkages are intentionally designed to obfuscate, then Occam's razor should apply to how we interpret the facts (allowing of course for uncertainty).

Problem is that the connection between the Lazarus group and NK was always more wishful thinking than anything else. There was never any evidence presented for the connection except a need to blame the hack and subsequent leaks on someone to mask the content of the leaks.
 
Upvote
-3 (8 / -11)
GOD said:
Why aren't we hearing of the arrest, trial & conviction for the murders/manslaughter these "people" have committed?

Is it that hard to dragnet all known locations, can they not be tracked down?

Even if you get a few other black hats that weren't involved in the recent attacks, charge them with something else & throw away the key anyway (be fun if one had to arrest staff of the NSA, FBI though).


... You don't quite get how this works, do you?

And I'm not sure why you have quotation emphasis on people, unless robots with a taste for bitcoins have been able to write some malicious software and distribute it.. They are still people..
 
Upvote
27 (28 / -1)

mademperor

Wise, Aged Ars Veteran
185
Subscriptor++
Why aren't we hearing of the arrest, trial & conviction for the murders/manslaughter these "people" have committed?

Have people died because of this? If not, why would anyone be tried for murder or manslaughter?

Whatever you think of them, the ones who created WCry are still people just like anyone else.

Even if you get a few other black hats that weren't involved in the recent attacks, charge them with something else & throw away the key anyway (be fun if one had to arrest staff of the NSA, FBI though).

What purpose would it serve to lock people away for a crime they didn't commit, other than to make you feel better? I would prefer a democracy to require proof in order to convict someone.
 
Upvote
25 (26 / -1)
GOD said:
Don't forget all of those affected by the NHS & hospital failures as a result. Are you telling me that no-one died because of this?

Nobody has died because of this; you have gotten very carried away about how much this affected the NHS (guessing you're an avid reader of the Daily Mail). Machines were taken offline in a precautionary manner, to prevent spreading.

I don't condone the cretins who distributed it, but your ignorant attitude doesn't help at all.
 
Upvote
29 (30 / -1)
Sarkazein said:
Please correct me if I'm wrong on this, but aren't these sorts of things almost always successful on individuals/corporations that for whatever reason haven't updated their OS?

I totally get why some corporations haven't been kept up to date. I don't agree with it -- it's usually a profit margin -- but it can also be some shitty software choices that tie mission critical software to a specific OS. (I don't get why individuals don't keep themselves updated. If you're on mission critical stuff, use a VM.)

Not always profit related. We run business-critical software that will only work up to a certain patch date until the vendor updates their software. In medical situations, lots of equipment has to be validated for use, and any change to the system means re-validation. Again, you can be "held to ransom" until the supplier/manufacturer agrees that the latest patches etc. are compliant with their equipment (or vice-versa).

It's not like IT people in large corporations want to be behind on patching (it's quite the opposite for 99.999% of them), but most of the time, the IT department is (for want of a better phrase) held to ransom by the business. It's a constant push-pull cycle, that most of the time upper management and business directors win.
 
Upvote
11 (11 / 0)
Holy crap at everyone calling for heads to be rolling already!

More definitely could have been done to prevent this - AFAIK some really simple firewall rules that would have been in place for no reason other than due diligence - they certainly are on my home router - for one.

But if you think the IPs you see in your logs are where this crap actually originated from, no way; it takes a little more investigation.

Edit: home router is not your typical home router/firewall; I used Cisco stuff bought cheap off eBay, but it routes 1GB internally no problem. We're not talking Netgear or Dlink junk. But still - turn off UPnP and inbound access, and filter outbound access to the web, and you should be good unless you click on stupid emails.
 
Upvote
0 (3 / -3)

same.dan

Wise, Aged Ars Veteran
124
So here's where international politics gets interesting.

WannaCrypt hit predominantly in Russia / Eastern Europe according to Kaspersky, and MalwareTech's tracking map shows a heavy infection base in China.

Most security researchers (not all, mind you) believe that the Sony hack was done by, or on the orders of, the North Korean government.

China and Russia have traditionally been supportive of North Korea.

If the Sony hack and W/anna/Cry/Crypt are actually from the same group, and that group is North Korean in origin, it will be interesting to see if there is any reaction politically from China and Russia.

EDIT: where, yeah.

Let me enlighten you on that (being an East European):
The majority of Windows installations in this region are using stolen activation keys. For this to work, Windows Update must be turned off, otherwise you might wake up with a beautiful message: "You might be a victim of software counterfeiting" and a black screen.
For a few years now, Windows 7 has been extremely good at keeping your PC safe even without security updates, so people started to believe that the dangers of Windows past are behind them.
Even worse, I know a lot of IT professionals who deal with legitimate copies of Windows that turned Windows Update off so as not to be bothered with problems that may arise with new software, because it's already "safe enough".

Windows 10, however, is known to send user data back to Microsoft, and people believe it is prone to be "blocked" by Microsoft if you do not buy your copy. So, no love for Win10 in Eastern Europe.
 
Upvote
17 (19 / -2)
So here's where international politics gets interesting.

WannaCrypt hit predominantly in Russia / Eastern Europe according to Kaspersky, and MalwareTech's tracking map shows a heavy infection base in China.

Most security researchers (not all, mind you) believe that the Sony hack was done by, or on the orders of, the North Korean government.

China and Russia have traditionally been supportive of North Korea.

If the Sony hack and W/anna/Cry/Crypt are actually from the same group, and that group is North Korean in origin, it will be interesting to see if there is any reaction politically from China and Russia.

EDIT: where, yeah.

Let me enlighten you on that (being an East European):
The majority of Windows installations in this region are using stolen activation keys. For this to work, Windows Update must be turned off, otherwise you might wake up with a beautiful message: "You might be a victim of software counterfeiting" and a black screen.
For a few years now, Windows 7 has been extremely good at keeping your PC safe even without security updates, so people started to believe that the dangers of Windows past are behind them.
Even worse, I know a lot of IT professionals who deal with legitimate copies of Windows that turned Windows Update off so as not to be bothered with problems that may arise with new software, because it's already "safe enough".

Windows 10, however, is known to send user data back to Microsoft, and people believe it is prone to be "blocked" by Microsoft if you do not buy your copy. So, no love for Win10 in Eastern Europe.

If questionable copies of Win 7 are what you're forced to use - sorry: there are still ways it could be dealt with.
 
Upvote
5 (6 / -1)

mademperor

Wise, Aged Ars Veteran
185
Subscriptor++
As for "people", put another tag there if you like such as "terrorist".

Tagging people or groups of people like this only serves to make it easier to apply different rules to them than you would like to see applied to yourself. I strive for a society where the rules are the same for everyone.

I do this for selfish reasons: I would not like someone to be able to lock me up if I were accused of something without proof.
 
Upvote
16 (16 / 0)

same.dan

Wise, Aged Ars Veteran
124
If questionable copies of Win 7 are what you're forced to use - sorry: there are still ways it could be dealt with.

The copies are all right as far as I know; problems arise, though, because the Update service is set to Disabled, so sooner or later there will be a threat that was not covered in the installation.

And nobody is 'forced' to use stolen copies of Windows OS, it's just a bad habit that comes with a culture of never paying for software if it's possible.

But this might explain just a part of the propagation of the WCry.
 
Upvote
10 (10 / 0)

AxMi-24

Ars Legatus Legionis
10,347
If questionable copies of Win 7 are what you're forced to use - sorry: there are still ways it could be dealt with.

The copies are all right as far as I know; problems arise, though, because the Update service is set to Disabled, so sooner or later there will be a threat that was not covered in the installation.

And nobody is 'forced' to use stolen copies of Windows OS, it's just a bad habit that comes with a culture of never paying for software if it's possible.

But this might explain just a part of the propagation of the WCry.

It might also be lack of funds to pay for it. 100€ might be reasonably cheap for those in the west but is less so in the rest of the world.

They could use linux but that has its own issues and limitations.
 
Upvote
3 (3 / 0)
The USA, in accusing the DPRK, didn't go far down its list of enemies and blame Iran, Syria or ISIS. Who knows, maybe it's Trump's best friends . . . the Russians.

The fact is they don't know . . . and assigning blame to innocents really serves little purpose and just weakens any claim when they find the REAL culprits.
 
Upvote
-9 (1 / -10)

AxMi-24

Ars Legatus Legionis
10,347
The USA, in accusing the DPRK, didn't go far down its list of enemies and blame Iran, Syria or ISIS. Who knows, maybe it's Trump's best friends . . . the Russians.

The fact is they don't know . . . and assigning blame to innocents really serves little purpose and just weakens any claim when they find the REAL culprits.

Real culprits are known. It's NSA. They did the only decent part of the code. Fortunately the rest was so terrible that damage was minor and with some luck a lot of people have learned something about computer security now.

Would be a very cheap price (imagine the damage an actually competent worm/virus could have done) for improved practices and, if we are being overly optimistic, discussion about hoarding of exploits by national "security" agencies.
 
Upvote
8 (9 / -1)

Stinkles

Ars Scholae Palatinae
813
that the Sony hack was done by, or on the orders of, the North Korean government.

China and Russia have traditionally been supportive of North Korea.

If the Sony hack and W/anna/Cry/Crypt are actually from the same group, and that group is North Korean in origin, it will be interesting to see if there is any reaction politically from China and Russia.
Don't remember exactly where I heard it, but in politics you don't have friends, just advantageous relationships. Pretty sure NK doesn't care who they attack since they have a buttload of plausible deniability (publicly, that is).
 
Upvote
2 (2 / 0)