Romania is among the 10 most affected countries after the “WannaCry” cyber-attack, produced on Friday, which caused problems for several institutions and international organizations in 74 countries, Kaspersky Lab specialists said in a press release sent to AGERPRES.
“On May 12, a massive ransomware attack hit organizations around the world. Kaspersky Lab researchers have analyzed the data and are able to confirm that the company’s protection subsystems have detected at least 45,000 infection attempts in 74 countries, most of them in Russia. Romania is among the 10 most affected countries. The ransomware program infects victims by taking advantage of a Microsoft Windows vulnerability described and resolved in Microsoft Security Bulletin MS17-010. The exploited exploitation, “Eternal Blue,” was revealed in Shadowbrokers case on April 14. Once they get into the system, attackers install a rootkit, which allows them to download the program to encrypt the data. The malware encrypts files. Subsequently, there is a message asking for 600 USD in Bitcoin, and the wallet, and the ransom increases over time,” the quoted release said.
According to Kaspersky Lab experts, they are currently trying to determine if it is possible to decrypt encrypted data during the attack to develop a decryption tool as soon as possible.
In this context, the cyber security solution developer recommends a series of steps to reduce the risk of device malware such as: installing the official patch from Microsoft that solves the vulnerability used in this attack, activating security solutions at each network node, terminal scanning, system reboot procedure, if MEM is detected: Trojan.Win64.EquationDrug.gen and, last but not least, the use of threat reporting services available to clients.
The Romanian National Computer Security Incident Response Team (CERT-RO) announced on Saturday that a total of 10 Windows operating systems and servers are vulnerable to the new version of the “WannaCry” ransomware threat, which has led to numerous technical problems over the last 24 hours in several organizations and institutions around the world.
AFP: Cyber-attack hit 130,000 victims in over 100 countries. “It’s the most significant attack of this type in history”
An unprecedented wave of cyber-attacks targeted 100 countries on Saturday, affecting numerous companies and organisations, including the UK’s National Healthcare System, France’s Renault auto manufacturer and the Russian banking system – 130,000 users in over 100 countries, according to an expert, AFP informs.
From Russia to Spain and from Mexico to Vietnam, tens of thousands of computers – particularly in Europe – were infected on Friday with a ransomware virus that exploits a breach in Windows systems, breach divulged in leaked NSA documents.
A cyber-security researcher, owner of the @Malwaretechblog account, told the AFP that he found a way to slow down the spread of the virus. However, on Saturday experts were cautious in what concerns the spread of the virus.
“We don’t know yet whether we are on a downward or upward trend. We continue to be in the analysis stage,” McAfee security expert Laurent Marechal told AFP.
UK’s National Health Service (1.7 million employees) seems to have been one of the main victims and potentially the most worrisome, putting patients at risk. However, it was far from being the only one.
France’s auto manufacturer Renault told AFP on Saturday that it was hit and manufacturing units were shut down in France but also at its Revoz branch in Slovenia.
Romania’s Dacia Renault plant was also hit, as was the Sunderland plant in the UK, owned by Japan’s Nissan, Renault’s partner.
The Russian Central Bank announced that the country’s banking system was targeted by the cyber-attack, as were several ministries, and the hackers tried to breach the IT systems of its rail network.
America’s delivery giant FedEx and Spain’s telecommunications company Telefonica – whose employees were told via bullhorns to shut down their computers – were also affected.
The attack is “of an unprecedented level” and “will require a complex international probe to identify the culprits,” Europol announced in a communique.
“It’s the most significant attack of this type in history,” Mikko Hypponen, a representative of the Finland-based F-Secure IT security company told AFP, evoking the “130,000 systems affected in over 100 countries.”
Former Spanish hacker Chema Alonso, who became responsible for cyber-security at Telefonica, concluded on Saturday on his blog that “despite the media chatter it has caused, this ransomware did not have much of a real impact” because “we can see in the bitcoin wallet used that the number of transactions is low.”
He announced that, according to the latest tally on Saturday, only “6,000 dollars were paid” to those asking for ransom.
This modest sum prompted Amar Zendik, leader of Mind Technologies security company, to lean toward an attack committed by “hackers” who rather wanted to “deliver a blow” instead of making money.
A malware blocks the users’ files and forces them to pay a sum of money in bitcoin virtual currency in order to regain access. This type of programme is called ransomware.
Screenshots of infected computers belonging to the NHS show that the hackers were demanding 300 dollars in bitcoins. The payment must be made in three days otherwise the price doubles and if the money is not paid in seven days the pirated files will be deleted.
“Do not pay”
American, British and French authorities have advised the individuals, companies and organisations affected not to pay. The Finance Ministers of the G7 states, meeting on Saturday in Bari, south-east Italy, raised the fight against cyber-attacks to the rank of priority. The latest attack “doesn’t seem to have created problems for the financial system for the moment,” Italian Bank Governor Ignazio Visco argued. The NHS was trying to reassure its patients on Saturday, against the backdrop in which, subjected to austerity, the system is at breaking point. “Approximately 45 institutions” were affected, UK Home Affairs Minister Amber Rudd told the BBC on Saturday. Several of them were forced to postpone medical interventions.
Before chairing an inter-ministerial crisis meeting, Rudd added that the authorities were continuing to try to identify the perpetrators of the attack.
According to Kaspersky, the malware was published in April by the ‘Shadow Brokers’ group of hackers who claim they discovered the IT breach via the NSA.
“If NSA had privately disclosed the flaw used to attack hospitals when they <<found>> it, not when they lost it, this may not have happened,” Edward Snowden, the former consultant of the US National Security Agency who revealed the extent of NSA surveillance in 2013, tweeted.
Communication Minister Augustin Jianu’s recommendation for companies and individuals: Operating system must be updated now, urgently
Communication Minister Augustin Jianu stated on Saturday, for Mediafax, that there is no data on the impact that the cyber-attacks had in Romania, because companies and institutions have no obligation to report them. He recommended the updating of the operating systems.
“We don’t have data on the cyber-attacks’ impact on Romania. Users have no obligation to report and we only have partial figures. The same goes for state institutions too. There are cases in which they are not even aware of such attacks. In the case of certain attacks, you are aware because the files are encrypted and you are asked for a sum of money to have them decrypted. But very many attacks are not visible and people are not aware of them. They can sit for hundreds of days in the systems and the owner of the system wouldn’t have the slightest idea that an attack is ongoing,” Communications and Informational Society Minister Augustin Jianu stated exclusively for Mediafax.
Nevertheless, he had a recommendation for the general population, for companies and state institutions: “The operating systems must be updated now, urgently! The software applications that the operating system is using must be updated, an antivirus programme used and a data backup performed, whether we are talking about companies or individual persons. If there is important or sensitive information, they should place it on an external storage device – memory stick, hard disk, CD etc. These things must be done now!” Jianu emphasised.
SRI informs: We lack sufficient visibility to estimate national-level impact
Romanian Intelligence Service (SRI) Spokesperson Ovidiu Marincea pointed out, for Mediafax, that SRI lacks the necessary visibility to be able to estimate the national-level impact of the ransomware attack and added that it can affect any Windows system that does not have the MS17-010 security update, such a threat or attack with this type of ransomware not targeting certain entities alone.
At the same time, organisations should make sure their Windows operating systems are up to date, Ovidiu Marincea added.
Dacia plant’s IT system affected, Renault Romania convenes crisis cell
According to a communique remitted by Group Renault Romania’s Public Relations Directorate, a part of the activity of the Dacia plant in Mioveni was affected by dysfunctionalities of the IT systems and several employees were sent back home.
“”Part of the production activity of Dacia plants of Mioveni has been affected by malfunctions of the information systems and several employees have been sent home, on Saturday morning, May 13.The measure was taken to prevent the spreading of the dysfunctionalities that, at first glance, are a consequence of the cyber-attack that took place at global level. A crisis cell has been convened at the Mioveni platform, monitoring the developments. We will have more details as we obtain new information,” the communique points out.
The plant’s IT system crashed on the night of Friday to Saturday, completely shutting down the activity of several sections manned by robots. Thus, thousands of employees who were set to start the morning shift were sent back home.
According to the same source, a task force group was setup at the Mioveni platform to monitor the development of the situation.