May 17, 2017 Last Updated 1:05 pm

Second wave of ransomware attack targeting out-of-date Windows machines under way

‘I would say the real-world impact of this attack is going to be more substantial than WannaCry’ — senior vice president for cybersecurity at Proofpoint

The French news agency AFP is reporting that a second attack, linked to last Friday’s WannaCry outbreak, is in progress. Unfortunately, all of the reporting so far traces back to a single source, so treat what you hear about it with caution.

In any case, the attack has been identified by the cybersecurity firm Proofpoint.

Here is what they are saying to news agencies:

AFP: Another large-scale cyberattack underway: experts

Following the detection of the WannaCry attack on Friday, “researchers at Proofpoint discovered a new attack linked to WannaCry called Adylkuzz,” said Nicolas Godier, a researcher at the computer security firm.

“It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose,” he said.

ABC News: Researchers discover another ongoing cyberattack using NSA hacking tool

According to Ryan Kalember, the senior vice president for cybersecurity at Proofpoint, the attack employed the same hacking tools developed by the U.S. National Security Agency (NSA) and leaked to the public by the hacker group Shadow Brokers in April to exploit vulnerabilities in the Microsoft Windows operating system.

“I would say the real-world impact of this attack is going to be more substantial than WannaCry,” Kalember told ABC News. “Ransomware is painful, but you can restore operations relatively quickly. Here, you have a huge amount of money landing in some bad people’s hands. That has geopolitical consequences.”

The firm is still working to establish attribution for the attacks, but Kalember pointed out that North Korean-backed Lazarus Group – the same hacker group linked to the WannaCry attacks – launched a similar cryptocurrency mining attack in late 2016.

The one consistent thing here is that it is Microsoft Windows that is vulnerable, or at least out-of-date versions of the operating system. Unfortunately, there are many systems that are simply rarely updated, including (believe it or not) many military systems. Then there are those built on top of a platform of pirated software.

Microsoft has already issued a warning that users need to update their software, and is also pointing to a page with instructions for disabling Server Message Block (SMB) as a temporary mitigation.

“In March, we released a security update which addresses the vulnerability that these attacks are exploiting,” Microsoft said last week. “Those who have Windows Update enabled are protected against attacks on this vulnerability.”

“We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.”
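The two steps Microsoft describes above, checking that the March security update is present and, failing that, turning off SMB as the interim mitigation, can be scripted. The block below is an added example written for this post; it is not code from Microsoft, Proofpoint or the original article. It targets Windows 7 / Server 2008 R2 and later (XP and Server 2003 need the manual steps from Microsoft’s page, since they lack these cmdlets). The KB identifiers in `$Ms17010Kbs` are the March 2017 update numbers as this example assumes them; confirm them against Microsoft’s bulletin for your exact build before trusting the result, and note that on Windows 10 a later cumulative update supersedes them under a different KB number.

```powershell
# Added example, not from the original post or from Microsoft.
# Run in an elevated PowerShell session. Reports patch state, then (with -WhatIf
# removed) disables SMBv1 server and client as the temporary mitigation.
#Requires -RunAsAdministrator

# Assumed KB identifiers for the March 2017 SMB update, per platform.
# Verify against Microsoft's bulletin for your build before relying on them.
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Vista / Server 2003 / Windows 8
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-SmbPatchInstalled {
    # Returns the matching KB(s) found via Get-HotFix, or nothing if none are present.
    # Caveat: on Windows 10 a later cumulative update supersedes these under a new KB
    # number, so an empty result means "check the OS build", not "unpatched".
    Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

function Get-Smb1State {
    # $true if the SMBv1 server is enabled on this host.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: LanmanServer's SMB1 value; absent or 1 means enabled.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server and client')) { return }

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server side, Windows 8 / Server 2012 and later.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Server side, Windows 7 / Server 2008 R2: registry value, effective after reboot.
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Value 0 -PropertyType DWORD -Force | Out-Null
    }
    # Client side: stop the workstation service from loading the SMBv1 redirector.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Warning 'SMBv1 disabled; reboot required. Devices that only speak SMBv1 (old NAS, printers, XP/2003 hosts) will lose access to this machine.'
}

# Report first; mitigate only where no matching update is found and SMBv1 is still on.
$patch = Test-SmbPatchInstalled
if ($patch) {
    "Security update present: $($patch.HotFixID -join ', ')"
} elseif (Get-Smb1State) {
    'No matching update found and SMBv1 is enabled.'
    Disable-Smb1 -WhatIf    # drop -WhatIf to apply the change
} else {
    'No matching update found, but SMBv1 is already disabled; install the update anyway.'
}
```

Disabling SMBv1 is a stopgap, not a fix: it removes the exposed protocol version but leaves the unpatched code on disk, and it will break any legacy device that cannot negotiate SMBv2 or later, which is why the script only reports by default and requires `-WhatIf` to be removed before it changes anything.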

If I were on Windows, I’d take all this very seriously. Here is a video from Hacker News demonstrating how fast this ransomware gets distributed:
