in March. Ransomware is no longer just a nuisance. Now it's quite literally a matter of life and death. A massive ransomware attack being labeled "WannaCry" has been reported around the world and is responsible for shutting down hospitals in the United Kingdom and encrypting files at Spanish telecom firm Telefonica. WannaCry does not rely on a zero-day flaw, but rather on an exploit for an SMB Server vulnerability that Microsoft patched with its MS17-010 advisory on March 14. However, the SMB flaw drew little attention until April 14, when a hacker group known as the Shadow Brokers released a set of exploits, allegedly stolen from the U.S. National Security Agency. SMB, or Server Message Block, is a critical protocol used by Windows to enable file and folder sharing. It's also the protocol that today's WannaCry attack is exploiting to spread rapidly from one host to the next around the world. The attack is what is known as a worm, "slithering" from one host to the next on connected networks; it needs no user interaction, which is why a single unpatched, reachable host is enough for it to enter a network. Among the first large organizations to be impacted by WannaCry is the National Health Service in the UK, which has publicly confirmed that it was attacked by the Wanna Decryptor. "This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors," the NHS stated. "At this stage we do not have any evidence that patient data has been accessed." Security firm Kaspersky Lab reported that by 2:30 p.m. ET on May 12 it had already seen more than 45,000 WannaCry attacks in 74 countries.
While the ransomware is using the SMB vulnerability to spread, the encryption of files is done by the Wanna Decryptor payload, which seeks out files on the victim's machine and reachable network shares. Once the ransomware has completed encrypting files, victims are presented with a screen demanding a ransom. Initially, the ransom requested was reported to be $300 worth of Bitcoin, according to Kaspersky Lab. "Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted," the ransom note states. "Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service." It's not clear who the original source of the global WannaCry attacks is at this point, or even if it's a single threat actor or multiple actors. What is clear is that despite the fact that a software patch has been available since March for the SMB flaws, WannaCry is hitting tens of thousands of organizations that didn't patch.
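The worm above enters a host through SMBv1, the dialect family that MS17-010 fixes but does not switch off. Installing the patch closes the bug; disabling SMBv1 where it is not needed removes the attack surface altogether, and the quickest way to find hosts that still speak it is to ask them. The script below is an added example, not code from the article or from any vendor: it sends a single SMB_COM_NEGOTIATE that offers only SMBv1 dialects and reports whether the server accepts one. A host that answers with a dialect index still has SMBv1 enabled; a host that has disabled it either drops the connection or answers with an error. The probe says nothing about whether MS17-010 itself is installed, so treat it as an inventory check, not a vulnerability scan, and run it only against hosts you administer. The `build_sample_reply` helper fabricates a reply so the parser can be exercised offline; it is not a capture.

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialects offered in the probe; all three are SMBv1-era. Offering no
# "SMB 2.???" dialect means the server can only answer if it speaks SMBv1.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def _smb1_header(flags, mid=1):
    """32-byte SMBv1 header: magic, command, status, flags, flags2, ..., MID."""
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE, 0, flags, 0xC001, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)


def _netbios(msg):
    """Prefix an SMB message with the 4-byte NetBIOS session-service header."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_negotiate_request(dialects=DIALECTS):
    """SMB_COM_NEGOTIATE request offering only SMBv1 dialects."""
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(blob)) + blob      # WordCount 0, ByteCount
    return _netbios(_smb1_header(0x18) + body)


def parse_negotiate_response(data, dialects=DIALECTS):
    """Return the dialect the server chose, or None if SMBv1 was refused.

    `data` is the raw reply including its 4-byte NetBIOS header. Anything
    that is not a successful SMBv1 negotiate reply counts as a refusal.
    """
    if len(data) < 4 + 32 + 3:
        return None
    smb = data[4:]
    if smb[:4] != SMB1_MAGIC:            # e.g. an SMB2 (\xfeSMB) header
        return None
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE or status != 0:
        return None
    if smb[32] == 0:                     # WordCount 0: no parameters at all
        return None
    dialect_index, = struct.unpack_from("<H", smb, 33)
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return None
    return dialects[dialect_index].decode()


def build_sample_reply(dialect_index):
    """Constructed negotiate reply (not a capture) for offline testing."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32  # 17 words in total
    body = bytes([17]) + words + struct.pack("<H", 0)         # ByteCount 0
    return _netbios(_smb1_header(0x98) + body)                # 0x80 = reply bit


def probe_smb1(host, port=445, timeout=3.0):
    """Return the SMBv1 dialect `host` accepts, or None if it refuses SMBv1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            f = s.makefile("rb")
            hdr = f.read(4)
            if len(hdr) < 4:             # server closed without answering
                return None
            data = hdr + f.read(int.from_bytes(hdr[1:4], "big"))
    except OSError:                      # refused, reset or timed out
        return None
    return parse_negotiate_response(data)


if __name__ == "__main__":
    for host in sys.argv[1:]:
        dialect = probe_smb1(host)
        print(host, "SMBv1 enabled (%s)" % dialect if dialect else "SMBv1 not offered")
```

Run it as `python probe.py host1 host2 ...` over your own address space. Hosts listed as "SMBv1 enabled" are the ones to patch first and then, where nothing legacy depends on the protocol, to have SMBv1 removed; Windows 10 and Server 2016 ship with it optional for exactly this reason.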
In wake of an attack on computers at Colorado's DOT, experts at Webroot shed light on ransomware

Last month, employees at the Colorado Department of Transportation were greeted by a message on their computer screens similar to this: "All your files are encrypted with RSA-2048 encryption. ... It's not possible to recover your files without private key. ... You must send us 0.7 BitCoin for each affected PC or 3 BitCoins to receive ALL Private Keys for ALL affected PC's." CDOT isn't paying, but others have. In fact, so-called ransomware has become one of the most lucrative criminal enterprises in the U.S. and internationally, with the FBI estimating total payments are nearing $1 billion. Hackers use ransomware to encrypt computer files, making them unreadable without a secret key, and then demand digital currency like bitcoin if victims want the files back, and many victims are falling for that promise. To better understand how ransomware works and how it has spread so effectively, The Denver Post talked with Broomfield anti-malware company Webroot, which got its start in the late 1990s cleansing computer viruses from personal computers. "The end goal is just to put ransomware on the computer because right now the most successful way for cybercriminals to make money is with ransoming your files," said Tyler Moffitt, a senior threat research analyst at Webroot. Ransomware infects more than 100,000 computers around the world every day and payments are approaching $1 billion, said U.S. Deputy Attorney General Rod J. Rosenstein during the October 2017 Cambridge Cyber Summit, citing FBI statistics. A study by researchers at Google, Chainalysis, University of California San Diego and NYU Tandon School of Engineering estimated that from 2016 to mid-2017, victims paid $25 million in ransom to get files back.
And one out of five businesses that do pay the ransom don't get their data back, according to a 2016 report by Kaspersky Lab. It's a growing business for cybercriminals. And whether to pay or not is something each user or company must decide. Last spring, the Erie County Medical Center in New York was attacked by SamSam through a misconfigured web server, according to The Buffalo News. Because it had backed up its files, the hospital decided not to pay the estimated $44,000 ransom. It took six weeks to get back to normal at a recovery cost of nearly $10 million. More recently, in January, the new SamSam variant sneaked into Indiana hospital Hancock Health, which decided to pay 4 bitcoin, or about $55,000, in ransom. Attackers gained entry by using a vendor's username and password on a Thursday night. The hospital was back online by Monday morning. Other times, malware isn't so obvious. Some propagates when a user visits an infected website. A trojan named Poweliks injected bad code into vulnerable programs, like an unpatched Internet Explorer. Poweliks persisted in the Windows registry rather than on disk and forced the computer to do all sorts of nasty things, from demanding a ransom to joining a click-fraud bot network that clicks ads without the user even realizing it. There also are booby-trapped ads, known as malvertising. They get into computers by, again, targeting flawed software and injecting malicious code. This has targeted programs like unpatched Adobe Flash Player, Java or other runtime software, or software that runs online all the time.
An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new, and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for MongoDB servers that are reachable from the Internet and accept connections without authentication. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back. According to security researcher Bob Diachenko, who discovered the new Mongo Lock campaign, the attackers will connect to an unprotected database and delete it. In its place, the attackers will leave a new database called "Warning" with a collection inside it named "Readme". The Readme collection contains a ransom note claiming that the database has been encrypted (it has in fact been deleted) and that the victims need to pay a ransom to get it back. In the Mongo Lock campaign, as shown below, the attackers do not leave a bitcoin address, but rather direct the victims to contact them via email. While the ransom note claims that the attackers export the database before deleting it, it is not known whether they do so in every case.

Victims are paying ransoms

When looking up some of the bitcoin addresses used in recent MongoDB attacks, it is clear that victims have been paying the ransoms. For example, the bitcoin address 3FAVraz3ovC1pz4frGRH6XXCuqPSWeh3UH, which has been used often, has received 3 ransom payments for a total of 1.8 bitcoins. This is equivalent to a little over $11,000 USD at the current value of bitcoin.
Businesses that failed to update Windows-based computer systems that were hit by a massive cyber attack over the weekend could be sued over their lax cyber security, but Microsoft itself enjoys strong protection from lawsuits, legal experts said. The WannaCry worm has affected more than 200,000 Windows computers around the world since Friday, disrupting car factories, global shipper FedEx Corp and Britain's National Health Service, among others. The hacking tool spreads silently between computers, shutting them down by encrypting data and then demanding a ransom of US$300 to unlock them. According to Microsoft, computers affected by the ransomware did not have security patches for various Windows versions installed or were running Windows XP, which the company no longer supports. "Using outdated versions of Windows that are no longer supported raises a lot of questions," said Christopher Dore, a lawyer specializing in digital privacy law at Edelson PC. "It would arguably be knowingly negligent to let those systems stay in place." Businesses could face legal claims if they failed to deliver services because of the attack, said Edward McAndrew, a data privacy lawyer at Ballard Spahr. "There is this stream of liability that flows from the ransomware attack," he said. "That's liability to individuals, consumers and patients." WannaCry exploits a vulnerability in older versions of Windows, including Windows 7 and Windows XP. Microsoft issued a security update in March that stops WannaCry and other malware on Windows 7. Over the weekend the company took the unusual step of releasing a similar patch for Windows XP, which the company announced in 2014 it would no longer support.
Dore said companies that faced disruptions because they did not run the Microsoft update or because they were using older versions of Windows could face lawsuits if they publicly touted their cyber security. His law firm sued LinkedIn after a 2012 data breach, alleging individuals paid for premium accounts because the company falsely stated it had top-quality cyber security measures. LinkedIn settled for US$1.25 million in 2014. But Scott Vernick, a data security lawyer at Fox Rothschild who represents companies, said he was sceptical that WannaCry would produce a flood of consumer lawsuits. He noted there was no indication the cyber attack had resulted in widespread disclosure of personal data. "It isn't clear that there has been a harm to consumers," he said. Vernick said businesses that failed to update their software could face scrutiny from the US Federal Trade Commission, which has previously sued companies for misrepresenting their data privacy measures. Microsoft itself is unlikely to face legal trouble over the flaw in Windows being exploited by WannaCry, according to legal experts. When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches, said Michael Scott, a professor at Southwestern Law School. Courts have consistently upheld those agreements, he said. Alex Abdo, a staff attorney at the Knight First Amendment Institute at Columbia University, said Microsoft and other software companies have strategically settled lawsuits that could lead to court rulings weakening their licensing agreements. "This area of law has been stunted in its growth," he said. "It is very difficult to hold software manufacturers accountable for flaws in their products."
Also enjoying strong protection from liability over the cyber attack is the US National Security Agency, whose stolen hacking tool is believed to be the basis for WannaCry. The NSA did not immediately return a request for comment. Jonathan Zittrain, a professor specializing in internet law at Harvard Law School, said courts have frequently dismissed lawsuits against the agency on the grounds they might result in the disclosure of top secret information. On top of that, the NSA would likely be able to claim that it is shielded from liability under the doctrine of sovereign immunity, which says that the government cannot be sued over carrying out its official duties. "I doubt there can be any liability that stems back to the NSA," Dore said.
The hackers could then lock these computers up and demand a ransom or else cause a blackout or poison the city's water. While that's a scary scenario, it fortunately hasn't happened yet. But a group of researchers from the Georgia Institute of Technology warn that could change very soon, and to prove it they have developed and tested in their lab a working proof-of-concept ransomware that specifically targets three types of PLCs. In their scenario, a group of cybercriminals targets PLCs that are exposed online and infects them with custom malware designed to reprogram the tiny computer with a new password, locking out the legitimate owners. The hackers then alert the owner, asking for a ransom. "Ransomware" is a specific type of malicious software that infects computers and locks or encrypts their content, demanding a ransom to return the machines to their original state. It's been extremely popular in the last couple of years, and is often successful because it's usually easier for victims to pay the ransom than to try to decrypt the files on their own. Initially, ransomware targeted regular internet users indiscriminately, but there have already been cases of attacks against hospitals, hotels and other businesses. (And there will soon be attacks on the Internet of Things too.) Thus, the researchers argue, it's inevitable that criminals will soon target critical infrastructure directly. Beyah and his colleagues David Formby and Srikar Durbha searched the internet for the two models of PLCs that they attacked in the lab and found more than 1,500 that were exposed online. With their research, Beyah said, the three hope that industrial control system administrators will start adopting common security practices such as changing the PLCs' default passwords, putting them behind a firewall, and scanning their networks for potential intruders.
If they don't, they might find their systems locked, and the consequences could spill into the physical world.
Recent attacks against insecure MongoDB, Hadoop and CouchDB installations represent a new phase in online extortion, born from ransomware's roots with the promise of becoming a nemesis for years to come. First spotted on Dec. 27 by Victor Gevers, an ethical hacker and founder of GDI Foundation, attacks in the past two months shot up from 200 to near 50,000. The first of these ransom attacks against insecure databases traces back to a hacker identified as Harak1r1, who Gevers said was responsible for compromising open MongoDB installations, deleting their contents, and leaving behind a ransom note demanding 0.2 BTC (about $220 at the time). After that, escalation of attacks against open MongoDB installations happened fast, jumping from hundreds one week, to 2,000 the next, and 10,000 the following week. At last count more than 56,000 open MongoDB databases alone are ripe for attack, according to the most recent numbers available from GDI Foundation. But that doesn't include a slew of new databases now being targeted by cybercriminals. Security researchers at Rapid7 estimate that 50 percent of the 56,000 vulnerable MongoDB servers have been ransomed. In a typical ransomware attack, an attacker compromises a computer via malware or a Trojan and encrypts local data that can only be unlocked with an encryption key obtained for a price. That spurred a maturing of ransomware used against more sophisticated healthcare, government and educational targets with similar phishing, malware and Trojan techniques. However, experts say, both have acted as the stepping stones to this type of data hijacking. With data hijacking, attackers compromise insecure database installations, copy the data, then delete the contents and leave behind a ransom note in the form of a database or directory name demanding a ransom be paid via Bitcoin. Nothing is encrypted and no malware runs on the victim's host: the only "exploit" is a database that answers administrative commands from the Internet without asking for credentials.
Rapid7 has already seen additional databases such as Redis, Kibana and other SQL databases targeted in its honeypots. Josh Gomez, senior security researcher with security firm Anomali, said moving forward attacks will be less random, more targeted and seek high-value repositories with weak protection.
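Both the Mongo Lock report above and the Threatpost piece on Harak1r1 describe the same precondition: a MongoDB listener reachable from the Internet that runs administrative commands without authentication. The script below is an added example (not code from either article, from MongoDB Inc., or from the researchers quoted) that performs the same check a scanner would, using only the standard library: it sends a legacy OP_QUERY carrying `{listDatabases: 1}` to `admin.$cmd` without credentials and classifies the reply. An `ok: 1` reply means anyone can enumerate and drop the databases; an error with code 13 (`Unauthorized`) means authorization is enforced. The set `RANSOM_NOTE_NAMES` holds the database and collection names the Mongo Lock note used and is an assumption you should extend from your own incidents. The `build_sample_reply` helper fabricates replies so the parser and classifier can be tested offline; they are not captures from a real server.

```python
import socket
import struct
import sys

OP_REPLY, OP_QUERY = 1, 2004
# Names the Mongo Lock note used for its drop-in database and collection;
# extend this set with names seen in your own incidents (assumed list).
RANSOM_NOTE_NAMES = {"warning", "readme"}


def bson_encode(doc):
    """Minimal BSON encoder: bool, int (as int32), float, str, list, dict."""
    out = b""
    for key, val in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(val, bool):
            out += b"\x08" + k + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            out += b"\x10" + k + struct.pack("<i", val)
        elif isinstance(val, float):
            out += b"\x01" + k + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            out += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(val, list):
            out += b"\x04" + k + bson_encode({str(i): v for i, v in enumerate(val)})
        elif isinstance(val, dict):
            out += b"\x03" + k + bson_encode(val)
        else:
            raise TypeError("unsupported value %r" % (val,))
    return struct.pack("<i", len(out) + 5) + out + b"\x00"


def bson_decode(buf, pos=0):
    """Decode the BSON document at buf[pos:]; return (dict, end_offset)."""
    size, = struct.unpack_from("<i", buf, pos)
    end, pos, doc = pos + size, pos + 4, {}
    while buf[pos] != 0:
        etype, key_end = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:key_end].decode(), key_end + 1
        if etype == 0x01:                                   # double
            val, = struct.unpack_from("<d", buf, pos); pos += 8
        elif etype == 0x02:                                 # UTF-8 string
            n, = struct.unpack_from("<i", buf, pos); pos += 4
            val, pos = buf[pos:pos + n - 1].decode(), pos + n
        elif etype in (0x03, 0x04):                         # document / array
            val, pos = bson_decode(buf, pos)
            if etype == 0x04:
                val = [val[i] for i in sorted(val, key=int)]
        elif etype == 0x08:                                 # bool
            val, pos = buf[pos] == 1, pos + 1
        elif etype == 0x10:                                 # int32
            val, = struct.unpack_from("<i", buf, pos); pos += 4
        elif etype == 0x12:                                 # int64 (NumberLong)
            val, = struct.unpack_from("<q", buf, pos); pos += 8
        else:
            raise ValueError("unsupported BSON type 0x%02x" % etype)
        doc[key] = val
    return doc, end


def build_op_query(collection, query, request_id=1):
    """Legacy OP_QUERY message, the wire format 2017-era servers spoke."""
    body = (struct.pack("<i", 0) + collection.encode() + b"\x00"
            + struct.pack("<ii", 0, -1) + bson_encode(query))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def parse_op_reply(data):
    """Return the first document carried by an OP_REPLY message."""
    opcode, = struct.unpack_from("<i", data, 12)
    if opcode != OP_REPLY:
        raise ValueError("unexpected opcode %d" % opcode)
    nreturned, = struct.unpack_from("<i", data, 32)  # after flags, cursorID, startingFrom
    if nreturned < 1:
        raise ValueError("reply carries no document")
    return bson_decode(data, 36)[0]


def assess(reply):
    """Classify a listDatabases reply as (status, database names)."""
    if reply.get("ok") == 1:
        names = [d["name"] for d in reply.get("databases", [])]
        hit = any(n.lower() in RANSOM_NOTE_NAMES for n in names)
        return ("EXPOSED+RANSOM-NOTE" if hit else "EXPOSED"), names
    if reply.get("code") == 13:                      # 13 = Unauthorized
        return "AUTH_REQUIRED", []
    return "ERROR: %s" % reply.get("errmsg"), []


def build_sample_reply(doc, request_id=1):
    """Constructed OP_REPLY wrapping `doc` (not a capture), for offline tests."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), 7, request_id, OP_REPLY) + body


def check_mongodb(host, port=27017, timeout=3.0):
    """Ask `host` to list its databases without credentials and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_op_query("admin.$cmd", {"listDatabases": 1}))
        f = s.makefile("rb")
        hdr = f.read(4)
        data = hdr + f.read(struct.unpack("<i", hdr)[0] - 4)
    return assess(parse_op_reply(data))


if __name__ == "__main__":
    for host in sys.argv[1:]:
        status, names = check_mongodb(host)
        print(host, status, ", ".join(names))
```

Anything reported as `EXPOSED` needs two mongod.conf changes before the next scanner finds it: `net.bindIp` restricted to localhost or the application subnet, and `security.authorization: enabled` with an admin user created first. The ransom-note check only recognises the names this campaign used; a clean listing is not proof that data has not already been copied. OP_QUERY was the command transport at the time of these attacks; MongoDB 5.1 and later no longer accept it for commands other than the connection handshake, so against current servers run the same `listDatabases` through a driver.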
It's been quiet since 2015, but TorrentLocker has suddenly returned. And this time it wants to steal your passwords too. Cybercriminals are always adding new malicious tricks to ransomware. A ransomware variant which has been relatively inactive for almost two years is back, and this time it's stealing user credentials from victims in addition to demanding a ransom to decrypt locked files. TorrentLocker, also known as Cryptolocker, started targeting Windows users in 2014 before dropping off by the summer of 2015. Like the majority of ransomware schemes, TorrentLocker spreads via spam email messages containing malicious attachments, in this case Office documents carrying macros. If the victim enables the macros by clicking through Word's 'Enable Editing' and 'Enable Content' prompts, PowerShell code is executed and the ransomware is downloaded, encrypting the victims' files until they pay a ransom. But that isn't where the malicious activity ends, because as noted by cybersecurity researchers at Heimdal Security, this incarnation of TorrentLocker has new features, including the ability to spread itself to other computers via shared files; something which could see the ransomware taking over a whole network in a very short space of time. In addition to holding networks to ransom, the new version of TorrentLocker also harvests usernames and passwords from infected computers, putting businesses at risk of cyberespionage and data breaches, while users could see their personal or financial information leaked and sold to cybercriminals on the dark web.
The researchers warn that the revived TorrentLocker campaign is "very aggressive" and that many well known antivirus software products haven't been updated to protect against it, even days after the campaign began. Heimdal Security warns users in its native Denmark that they're being highly targeted by TorrentLocker. Indeed, it appears that European internet users are the main target for those behind the campaign, as Microsoft told BleepingComputer that Italy is by far the most targeted by the perpetrators.
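Because the infection chain above starts with a macro the user is talked into enabling, the cheapest control sits at the mail gateway: refuse or quarantine Office attachments that carry a VBA project, whatever their extension says. The function below is an added example (not code from Heimdal Security, Microsoft or the article) of that check. An Office Open XML file is a zip package, so the presence of a `vbaProject.bin` part, or of the `application/vnd.ms-office.vbaProject` content type in `[Content_Types].xml`, is a reliable signal that the document contains macros, independent of whether it was named `.docm`, `.docx` or `.doc`. Binary OLE documents (the pre-2007 `.doc`/`.xls` format) keep their macros inside a compound-file storage that this script does not parse; it reports them separately so a policy can hand them to a dedicated parser or block them outright. `build_sample_document` constructs a minimal package for offline testing; it is not a real Word file.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_office_attachment(data):
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-office' for `data`.

    Decides from content, not from the file name: a macro-bearing package
    renamed to .docx is still reported as 'macro'.
    """
    if data.startswith(OLE_MAGIC):
        # Binary OLE document: macros, if any, live in an internal storage
        # this script does not parse. Route to a dedicated parser or block.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"                 # a zip, but not an OOXML package
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                return "macro"                      # part declared but stored elsewhere
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def build_sample_document(with_macro):
    """Constructed minimal OOXML package (not a real Word file) for offline tests."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = (b'<?xml version="1.0"?>'
                 b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 b'<Override PartName="/word/document.xml" ContentType="application/'
                 b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            types += (b'<Override PartName="/word/vbaProject.bin" ContentType="'
                      + VBA_CONTENT_TYPE + b'"/>')
            z.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder VBA blob
        z.writestr("[Content_Types].xml", types + b"</Types>")
        z.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()
```

A gateway policy built on this would quarantine `macro`, send `legacy-ole` to a parser such as olevba before delivery, and let `no-macro` through; the 'Enable Content' prompt the campaign depends on never reaches the user for the first two classes.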