Thailand on alert after cyberattacks
EXTORTION ATTEMPTS HIT COUNTRIES
>> The Thai government has alerted the public to the dangers of ransomware attacks that have hit dozens of countries around the world.
Government spokesman Sansern Kaewkamnerd yesterday said that the Ministry of Digital Economy and Society has informed Prime Minister Prayut Chan-ocha about the attacks of WannaCrypt ransomware that have hit computers using Microsoft operating systems.
Britain’s health service was hit on Friday by a huge international cyberattack that froze computers at hospitals, shutting down wards, closing emergency rooms and bringing treatment to a screeching halt.
As similar attacks were reported in dozens of countries, experts warned that online extortion attempts by hackers are a growing menace. Hospitals, with their often outdated IT systems and trove of confidential patient data, are a particularly tempting target.
Lt Gen Sansern said computer users have been warned not to open suspiciouslooking attachments from untrusted or unknown sources, which may cause the malware to infect and lock computers while attackers demand a ransom.
The spokesman said the prime minister has instructed the ministry to closely monitor and prevent the spread of the malware in Thailand and issue public alerts and provide guidelines on how to prevent and deal with the attacks.
Gp Capt Somsak Khaosuwan, deputy permanent secretary for the Ministry of Digital Economy and Society, yesterday said that there had been no reports of ransomware attacks in Thailand so far.
However, the ministry has worked with the Thailand Computer Emergency Response Team (ThaiCert) under the Electronic Transactions Development Agency to monitor and stop the spread of ransomware.
Computer users are advised to be careful not to open suspicious-looking documents in email, apply the latest Microsoft security patch and update their Microsoft operating systems to the latest version.
If ransomware infects computers, users are advised to shut down computers and inform officials at ThaiCert on 02-123-1212.
Microsoft Security Response Centre said many of its customers around the world and the critical systems they depend on were victims of malicious WannaCrypt software.
“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers,” its statement said.
“This blog spells out the steps every individual and business should take to stay protected.
“Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8 and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.
“We are working with customers to provide additional assistance as this situation evolves.”
The global cyberattack used hacking tools believed to have been developed by the US National Security Agency (NSA).
Extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.
The ransomware encrypted data on the computers, demanding payments of US$300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency Bitcoin.
At least two of Indonesia’s major hospitals — Dharmais Hospital and Harapan Kita Hospital in Jakarta — were struck, a government official said.
“Efforts to localise the infected server are under way to prevent [the ransomware] from spreading,” a spokesman said.
China’s official Xinhua news agency said some secondary schools and universities had been affected.
The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.
The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm”, or self-spreading malware, by exploiting a piece of NSA code known as Eternal Blue that was released last month by a group known as the Shadow Brokers.
“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCrypt to the NSA.
>> WASHINGTON: Cyber security experts rushed to restore systems yesterday after an unprecedented global wave of cyberattacks that struck targets ranging from Russia’s banks to British hospitals and a French carmaker’s factories.
The hunt was on for the culprits behind the assault, which was being described as the biggest cyber ransom attack ever.
State agencies and major companies around the world were left reeling by the attacks which blocked access to files and demanded ransom money, forcing them to shut down their computer systems.
“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” said Europol, Europe’s policing agency.
The attacks, which experts said affected dozens of countries, used a technique known as ransomware that locks users’ files unless they pay the attackers a designated sum in the virtual Bitcoin currency.
Mikko Hypponen, chief research officer at the Helsinki-based cyber security company F-Secure, said the attack was “the biggest ransomware outbreak in history”, saying that 130,000 systems in more than 100 countries had been affected.
He said Russia and India were hit particularly hard, in large part because the older Windows XP operating software is still widely used in the countries.
The attacks apparently exploited a flaw exposed in documents leaked from the US National Security Agency (NSA).
The attacks hit a whole range of organisations and businesses worldwide.
French carmaker Renault was forced to stop production at sites in France and Slovenia, saying the measure was aimed at stopping the virus from spreading.
In the US, package delivery group FedEx acknowledged it had been hit by malware and said it was “implementing remediation steps as quickly as possible”.
Russia’s interior ministry said that some of its computers had been hit by a “virus attack” and that efforts were underway to destroy it. The country’s central bank said the banking system was hit, and the railway system also reported attempted breaches.
The central bank’s IT attack monitoring centre “detected mass distribution of harmful software” but no “instances of compromise”, it said. Russia’s largest bank Sberbank said its systems “detected in time attempts to penetrate bank infrastructure”.
Germany’s Deutsche Bahn computers were also impacted, with the rail operator reporting that station display panels were affected.
In a statement, computer security group Kaspersky Labs said it was “trying to determine whether it is possible to decrypt data locked in the attack — with the aim of developing a decryption tool as soon as possible”.
Yesterday, a cyber security researcher said he had accidentally discovered a “kill switch” that could prevent the spread of the ransomware.
The researcher, tweeting as @MalwareTechBlog, said that the discovery was accidental, but that registering a domain name used by the malware stops it from spreading. Computers already affected will not be helped by the solution.
But @MalwareTechBlog warned that the “crisis isn’t over” as those behind it “can always change the code and try again”. The malware’s name is WCry, but analysts were also using variants such as WannaCry.
“It’s unequivocally scary,” said John Dickson of the Denim Group, a US security consultancy. Mr Dickson said the malware itself, which exploits a flaw in Windows, was not new but that adding the ransomware “payload” made it especially dangerous.
Britain’s National Cyber Security Centre and its National Crime Agency were looking into the UK incidents, which disrupted care at National Health Service facilities, forcing ambulances to divert and hospitals to postpone operations.
Pictures on social media showed screens of NHS computers with images demanding payment of $300 (10,400 baht) in Bitcoin, saying: “Ooops, your files have been encrypted!” It demands payment in three days or the price is doubled, and if none is received in seven days the files will be deleted, according to the screen message.
A spokesman for Barts Health NHS Trust in London said it was experiencing “major IT disruption” and delays at all four of its hospitals. “Ambulances are being diverted to neighbouring hospitals,” the spokesman said.
At least two of Indonesia’s major hospitals — Dharmais Hospital and Harapan Kita Hospital in Jakarta — were also struck, said Semuel Pangerapan, a director general at Indonesia’s communication and information ministry.
“Ransomware becomes particularly nasty when it infects institutions like hospitals, where it can put people’s lives in danger,” said Jakub Kroustek, an analyst at Avast.
A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, Kaspersky said. Although Microsoft released a security patch for the flaw earlier this year, many systems have yet to be updated, researchers said.
“Unlike most other attacks, this malware is spreading primarily by direct infection from machine to machine on local networks, rather than purely by email,” said Lance Cottrell, chief scientist at the US technology group Ntrepid.
Some said the attacks highlighted the need for agencies like the NSA to disclose security flaws so they can be patched.
G7 finance ministers meeting in Italy discussed the attacks and were expected to commit to stepping up international cooperation against a growing threat to their economies.