Cyber Attacks Spread Across Europe Using Stolen NSA Tool

Jun 27, 2017
Originally published on June 27, 2017 7:11 pm
Copyright 2018 NPR. To see more, visit http://www.npr.org/.

ROBERT SIEGEL, HOST:

A cyberattack has struck government agencies, airports, banks and other businesses in at least six countries. Victims include the drug company Merck, the Russian oil giant Rosneft and the Ukrainian system that monitors radiation at Chernobyl. The malware locks computers, holding their contents hostage until, reportedly, the user pays $300 worth of bitcoins. Dmitri Alperovitch of the cybersecurity firm CrowdStrike is in the studio with us. Welcome to the program.

DMITRI ALPEROVITCH: Thanks for having me.

SIEGEL: You come here all too often it seems. This is the second time in just a couple of months that we've had news about ransomware. Is this attack similar to the WannaCry attack that hit computers mostly in Europe back in May?

ALPEROVITCH: It is similar, but in fact it's actually even more insidious in its ability to spread through the network once it gets inside the organization. The original WannaCry malware that was released last month used the NSA weapons - they are believed to have been stolen from the NSA and weaponized by someone to have spread WannaCry. This new technique not only uses that method. It also steals passwords from your machine in order to spread within the network as well.

SIEGEL: But this, too, you would attribute to malware that was stolen from the National Security Agency.

ALPEROVITCH: That's right. It's using some of those same tools. Now, it wasn't developed by the NSA. I want to make that very clear. It was stolen from them and publicized in March. So now anyone in the world, whether it's criminals or nation-states, can weaponize it and use it for their own benefit.

SIEGEL: Some reports suggested that North Korea was behind the WannaCry attack. Are there any clues pointing to who's behind this one?

ALPEROVITCH: Not yet, not yet. And the individuals in this case are asking for $300 in ransom, as you mentioned. The interesting thing is that the email address to which you would send the information that you are paying the ransom has now been taken offline. So in fact victims that had their machines and files encrypted would no longer be able to reach the perpetrators and actually pay the ransom.

SIEGEL: Do you know if many people are actually paying the ransom?

ALPEROVITCH: The last time I checked, it was less than $10,000. So a few dozen individuals have actually submitted payments.

SIEGEL: Why does it seem that this virus is spreading like wildfire?

ALPEROVITCH: Well, one of the things that makes it more insidious is the fact that not only is it using those NSA exploits, but it's able to steal passwords from the machine and spread even if the machine is perfectly secure and patched against all the latest vulnerabilities that those previous ransomware were using. So this is a huge problem. We've seen these types of attacks in the past. This one in particular seems to be hitting organizations in the U.S. more than the WannaCry attack, which was stopped early on at the time when it was impacting organizations in Europe. So it's a big problem.

SIEGEL: And for an institution that has been hacked and that didn't pay a ransom, what sort of jeopardy are they in? What might happen to them?

ALPEROVITCH: Well, hopefully they have backups to restore their data because unfortunately the encryption in the ransomware is so good that restoring it in any other way is pretty much impossible.

SIEGEL: Pretty much impossible.

ALPEROVITCH: The security is very good.

SIEGEL: And if they don't have a good backup, like the National Health Service it seemed was inadequately backed up...

ALPEROVITCH: The data is gone.

SIEGEL: It's just gone. Dmitri Alperovitch, thanks for talking with us.

ALPEROVITCH: Thank you.

SIEGEL: Mr. Alperovitch is co-founder and chief technology officer of the cybersecurity firm CrowdStrike. Transcript provided by NPR, Copyright NPR.