Global Voices: Why is China Home to Half of the Computers Infected With WannaCry Ransomware?

[Hamartia Antidote]

https://globalvoices.org/2017/05/16...-computers-infected-with-wannacry-ransomware/

China's public security network inflected by Wanna Cry ransomware.

China is one of the countries that has been hit hardest by the ransomware program known as “WannaCry” launched on 12 May, which infected over 230,000 computers in 99 countries in just one day.

China's National Computer Network Emergency Response Center has confirmed that by 14 May, half of the infected IPs were located in China. The attacks have affected about 30,000 institutions, including universities, immigration checkpoints and oil stations.

The ransomware, which is believed to exploit the “Eternal Blue” loophole developed by the US National Security Agency (NSA), attacks computers running Microsoft Windows operating systems and locks users out of their own computers by encrypting their files. It demands that they pay USD $300 in Bitcoin in exchange for de-encryption. Once connected to the Internet through port 445 (a port for document sharing protocols), all computers running a Windows operating system would be subjected to attack if they had not downloaded the security update patches issued in March 2017.

The ransomware was briefly contained with the discovery of a “kill switch” by a British researcher, but on May 14 a new version was released.

Chinese computer users may be more vulnerable to the attack as many commonly use unlicensed (i.e. pirated) or outdated versions of Windows OS and thus do not receive security updates.

To make matters worse, many computer users were unaware of the coming of the attack as very few local media outlets reported about the security threats.

Though a majority of Internet service providers in China have blocked port 445, which is mainly used for Windows operating system file-sharing, to avoid potential massive attack targeting Microsoft Windows, many public service institutions, including universities, public security offices and oil stations have not blocked the port.

University campuses have been among the worst affected. Universities all over the country, including Qinghua, Beida, Shanghai Jiaotong and Shandong university have been infected. A large number of student theses and research projects have been (and remain) encrypted by the ransomware. Domestic media outlets reported that:

By 20:00 on 13 of May, hundreds of thousands computers from 29,372 institutions have been attacked by the ransomware. 4341 education related institutions have infected cases…

State media outlet Xinhua report quoted the National Computer Network Emergency Response Center saying that:

By 10:30 on 14 of May, the National Computer Network Emergency Response Center had detected 2,423,000 IPs under the attack as a result of Eternal Blue Exploit; the number of IPs inflected by the ransomware is more than 35,000 [worldwide] and within China, about 18,000 IPs have been infected.

In addition to the education sector, a number of immigration checkpoints were paralyzed because the public security network was infected.

On social media, public security officials in Xiangshui City, Jiangsu Province reported that its immigration system was under attack and they had to close the immigration checkpoint service. Netizens reported that Shanghai city and Beijing’s Chaoyang immigration offices were also paralyzed because of the ransomware attack.

At midnight on 13 May, a large number of PetroChina’s auto oil-fill machines were paralyzed and the system not restored until 12pm on 14 of May.

In the face of the new version of the ransomware “WannaCry2.0”, which cannot be stopped by the so-called “kill switch”, Chinese authorities have issued a warning via major web portals, media outlets and university networks in an effort to contain the spread of the ransomware.

Thus far, there has been little evaluation of why China has been one of the most vulnerable countries in this ransomware attack. Official media outlets suggested that the spread of the ransomware was caused by university students using the school network to play online games. But this does not explain why public security and oil service networks have also been infected.

**********************

The real answer it was a complete setup by the Chinese Government to have everybody switch from Windows to a homegrown OS.

 

[powastick]

Good no more Microsoft monopoly.

 

[qwerrty]

pirated copies of windows are easily able to update. many institutions in europe are also infected too with their so-called genuine copy of windows. this article is full of sh1ts lol

 

[21stCentury]

any idea on where the origin of this malicious malware was from?

Gosh, looks like China will need to switch over to a more reliable OS on a national scale, possibly to home-grown one.

 

[Hamartia Antidote]

http://www.computerworld.com/articl...or-windows-xp-addiction-as-wannacry-hits.html

China pays for Windows XP addiction as 'WannaCry' hits
1 in 5 PCs still run the ancient, obsolete OS, so infections come as no surprise

Credit: Michael Kan

The WannaCry ransomware has wormed its way into tens of thousands of Windows PCs in China, where Windows XP runs one in five systems, local reports said Monday.

More than 23,000 IP addresses in the People's Republic of China (PRC) show signs of infection, the country's National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) told Xinhua, the state-run news agency, on Monday.

"Intranets in many industries and enterprises involving banking, education, electricity, energy, healthcare and transportation have been affected in different extents," CNCERT said.

The Hong Kong-based Southern China Morning Post upped the ante in its report Monday, claiming that tens of thousands of businesses and organizations had been hit by the ransomware, which has been dubbed "WannaCry" by most security experts, "WannaCrypt" by a few outliers.

The China National Petroleum Corporation (CNPC), for example, took some 20,000 gas stations offline early Saturday, forcing customers to pay in cash as credit card purchases could not be processed. By mid-day Sunday, some 20% of the stations were still disconnected from the Internet, but efforts were continuing to restore payment options, the company said in a statement.

It shouldn't have been a surprise that PCs in the PRC were hit hard by WannaCry: Although security experts have yet to identify the original infection vector, the ransomware spreads rapidly by exploiting Windows vulnerabilities in a baked-in file sharing protocol.

Microsoft patched the flaws in March when it issued MS17-010, one of its last-ever security bulletins. But because Microsoft only supports -- patches, in other words -- newer editions of its operating system, the 16-year-old Windows XP and the 5-year-old Windows 8 were not bolstered with the same fix.

China is at greater risk of attacks against unpatched Windows XP PCs than most countries because a larger percentage of the nation's systems run the obsolete OS than the global average.

Microsoft issued security updates for Windows 8, Windows Server 2003 and Windows XP, which had had been banished from the patch list one, two and three years ago, respectively. "This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind," Phillip Misner, a principal security group manager at the Microsoft Security Response Center (MSRM), said in a post to a company blog.

Misner's post included links customers can click to download the appropriate patch for their older PC or server. Newer versions of Windows can be inoculated against WannaCry by running Windows Update and applying all outstanding patches.

 

[grey boy 2]

any idea on where the origin of this malicious malware was from?

Gosh, looks like China will need to switch over to a more reliable OS on a national scale, possibly to home-grown one.

Finger pointed at U.S. National Security Agency after massive ransomware attack
By Curtis Stone, Chengliang Wu (People's Daily Online) 14:05, May 16, 2017

Brad Smith, Microsoft’s President and Chief Legal Officer, blasted the U.S. National Security Agency (NSA) in a recent blog post, which is said to have lost control of its hacking tools, for the WannaCrypt exploits used in the massive cyberattack that crippled hospitals, businesses, governments, and personal computers around the world. He called on governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

In his blog post, Smith wrote that governments “should treat this attack as a wake-up call.” “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”


The NSA-powered WannaCry exploit is a type of computer malware known as “ransomware,” which is software that demands a “ransom” after gaining control of the affected computer. The malware exploits a previously unknown vulnerability in the Windows operating system.

The unprecedented attack, which began infecting computers on Friday, May 12, has hit more than 200,000 computers in at least 150 countries, and the threat is escalating. Check Point Software said on Monday that a new variant is now infecting computers at rate of about one per second, or about 3,600 per hour, according to a report by Reuters.

There are a lot of theories about who is behind the attack, but no definitive evidence. Researchers at Kaspersky and Symantec both said on Monday that they found similarities between WannaCry and previous code used by a North Korean hacking group known as Lazarus. But shared code doesn’t necessarily mean that the same group is responsible. Hackers often use “false flags” to confuse security experts. In March, for example, Wikileaks revealed documents that it says show the U.S. Central Intelligence Agency (CIA) runs secret false-flag hacking operations to falsely attribute attacks to other actors, such as Russia and China.

Security experts have yet to identify who was behind the attack, but China was hit particularly hard. There has been some speculation on Chinese social media that the attack was meant to target the Belt and Road Forum for International Cooperation, which was held in Beijing on May 14 and 15, though there has not been any solid evidence to back up this claim and no Chinese officials have made such comments. But if true, that might suggest that the NSA-powered cyberattack was carried out to derail China’s efforts at creating a new type of international relations with its Belt and Road Initiative.

Regardless of who was behind the attack, the latest global incident has created urgency for enhancing cybersecurity and global cooperation. On the day of the attack, U.S. Representative Ted Lieu said it was “deeply distributing” that the NSA “likely wrote the original malware” in a written statement, adding that the attack “shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer.”

Xiakedao, a WeChat news account run by the People’s Daily, urged the NSA to draw lessons from the attack, and called the “black box” decision-making process within the U.S. government about whether to disclose a software vulnerability “worthy of criticism” and “problematic,” because the whole world is put at risk by an internal decision within the U.S. government.

China has long called for enhanced cybersecurity and the establishment of a rules-based order in cyberspace. Like the real world, China wants governments to work together to formulate universally accepted international rules and norms of state behavior.
http://en.people.cn/n3/2017/0516/c90000-9216300.html