U.S. blames North Korea for ‘WannaCry’ cyber attack

U.S. blames North Korea for 'WannaCry' cyber attack

(In 13th paragraph of Dec. 18 item, corrects to indicate that a separate attack was launched in June that affected FedEx computers)

By Dustin Volz

WASHINGTON (Reuters) – The Trump administration has publicly blamed North Korea for unleashing the so-called WannaCry cyber attack that crippled hospitals, banks and other companies across the globe earlier this year.

“The attack was widespread and cost billions, and North Korea is directly responsible,” Tom Bossert, homeland security adviser to President Donald Trump, wrote in a piece published on Monday night in the Wall Street Journal.

“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” Bossert wrote. “WannaCry was indiscriminately reckless.”

The White House was expected to follow up on Tuesday with a more formal statement blaming Pyongyang, according to a senior administration official.

The U.S. government has assessed with a “very high level of confidence” that a hacking entity known as Lazarus Group, which works on behalf of the North Korean government, carried out the WannaCry attack, said the official, who spoke on condition of anonymity to discuss details of the government’s investigation.

Lazarus Group is widely believed by security researchers and U.S. officials to have been responsible for the 2014 hack of Sony Pictures Entertainment that destroyed files, leaked corporate communications online and led to the departure of several top studio executives.

North Korean government representatives could not be immediately reached for comment. The country has repeatedly denied responsibility for WannaCry and called other allegations about cyber attacks a smear campaign.

Washington’s public condemnation does not include any indictments or name specific individuals, the administration official said, adding the shaming was designed to hold Pyongyang accountable for its actions and “erode and undercut their ability to launch attacks.”

The accusation comes as worries mount about North Korea’s hacking capabilities and its nuclear weapons program.

‘PATTERN OF MISBEHAVING’

Many security researchers, including the cyber firm Symantec , as well as the British government, have already concluded that North Korea was likely behind the WannaCry attack, which quickly unfurled across the globe in May to infect more than 300,000 computers in 150 countries.

Considered unprecedented in scale at the time, WannaCry knocked British hospitals offline, forcing thousands of patients to reschedule appointments and disrupted infrastructure and businesses around the world.

The attack originally looked like a ransomware campaign, where hackers encrypt a targeted computer and demand payment to recover files. Some experts later concluded the ransom threat may have been a distraction intended to disguise a more destructive intent.

A separate but similar attack in June, known as NotPetya, hit Ukraine and other nations and caused an estimated $300 million in damages to international shipper FedEx.

Some researchers have said they believed WannaCry was deployed accidentally by North Korea as hackers were developing the code. The senior administration official declined to comment about whether U.S. intelligence was able to discern if the attack was deliberate.

“What we see is a continued pattern of North Korea misbehaving, whether destructive cyber attacks, hacking for financial gain, or targeting infrastructure around the globe,” the official said.

WannaCry was made possible by a flaw in Microsoft’s Windows software, which was discovered by the U.S. National Security Agency and then used by the NSA to build a hacking tool for its own use.

In a devastating NSA security breach, that hacking tool and others were published online by the Shadow Brokers, a mysterious group that regularly posts cryptic taunts toward the U.S. government.

The fact that WannaCry was made possible by the NSA led to sharp criticism from Microsoft President Brad Smith and others who believe the NSA should disclose vulnerabilities it finds so that they can be fixed, rather then hoarding that knowledge to carry out attacks.

Smith said WannaCry provided “yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”

U.S. officials have pushed back on those assertions, saying the administration discloses most computer flaws that government agencies detect.

Last month, the White House published its rules for deciding whether to disclose cyber security flaws or keep them secret as part of an effort to be more transparent about the inter-agency process involved in weighing disclosure.

(Reporting by Dustin Volz; Editing by Jonathan Weber and Peter Cooney)

Greater China cyber insurance demand set to soar after WannaCry attack: AIG

FILE PHOTO: A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. REUTERS/Edgar Su/File Photo

By Julie Zhu

HONG KONG (Reuters) – Demand for cyber insurance from firms in Greater China and elsewhere in Asia is poised to soar, based on enquiries received after the “WannaCry ransomware” attack earlier this year, executives at American International Group Inc said.

The American insurer saw an 87 percent jump in enquiries for cyber insurance policies in May compared to April for Greater China including Hong Kong as a direct result of the WannaCry attack, while the global increase was 38 percent, they said.

“The big increase means the organizations are aware they really need protection,” Cynthia Sze, head of an AIG business in Greater China that provides solutions to companies dealing with cyber breaches, told reporters. AIG executives declined to give details on numbers or say how many of the enquiries actually resulted in policy sales.

The self-replicating WannaCry malware in May infected over 200,000 computers in 150 countries.

A typical cyber insurance policy can protect companies against extortion like ransomware attacks. It could also cover the investigation costs and pay the ransom.

In Hong Kong, which is dominated by small and medium sized enterprises, the impact of a cyber attack could be severe as cyber threats are not a priority given the limited resources of SMEs, said Sze.

Citing Hong Kong police statistics, Sze said computer security incident reports have grown to about 6,000 last year from 1,500 in 2009. Financial losses resulting from such incidents jumped from HK$45 million ($5.76 million) to HK$2.3 billion over the same period, she said.

Hong Kong police did not immediately respond to a request for comment to confirm the numbers.

“WannaCry has really changed the dynamics. We used to tap large multinational companies that understood where the exposure was. Now we are really talking about mid-market and SMEs,” said Jason Kelly, AIG’s head of liabilities and financial lines for Greater China, Australasia and South Korea.

The global market for cyber insurance is worth $2 billion, with 30 percent of middle to large firms purchasing cyber insurance protection, according to AIG. The insurer has also seen an average annual growth rate of 20 to 25 percent in cyber insurance policies over the past three years worldwide, said Kelly.

Insurance companies have been cautiously entering the cyber insurance market as they look for growth amid stiff competition and potential exposure to cyber breaches.

According to Kelly, the annual damage from hackers to the global economy reached about $400 billion in 2015.

(Reporting by Julie Zhu; Editing by Muralikumar Anantharaman)

Family firm in Ukraine says it was not responsible for cyber attack

Sergei Linnik, general director of Ukrainian software development firm Intellect Service, and his daughter Olesya pose for a picture at the company’s offices in Kiev, Ukraine July 3, 2017. REUTERS/Pavel Polityuk

By Jack Stubbs and Pavel Polityuk

KIEV (Reuters) – Ukrainian company Intellect Service was not responsible for last week’s international cyber attack that brought down the computer systems of several major companies, the father and daughter team told Reuters on Monday.

Cyber security investigators are still trying to establish who was behind the attack.

But Ukrainian officials and security firms including Microsoft <MSFT.O>, Cisco’s <CSCO.O> Talos and Symantec <SYMC.O> say they have confirmed that some of the initial infections occurred when malware was transmitted to users of a Ukrainian tax software program called M.E.Doc.

They say the virus, dubbed NotPetya by some experts, was primarily spread via an update issued by M.E.Doc, the accounting software developed by Olesya Linnik and her father Sergei at his company, Intellect Service.

In their first interview with foreign media since the attack, the Linniks said there was no evidence M.E.Doc, which is Ukraine’s most-popular accounting software, was used to spread the virus and they did not understand the charges against them.

“What has been established in these days, when no one slept and only worked? We studied and analysed our product for signs of hacking – it is not infected with a virus and everything is fine, it is safe,” said Olesya, managing partner at Intellect Service.

“The update package, which was sent out long before the virus was spread, we checked it 100 times and everything is fine.”

Little known outside Ukrainian accounting circles, M.E.Doc is an everyday part of life at around 80 percent of companies in Ukraine. The software allows its 400,000 clients to send and discuss financial documents between internal departments, as well as file them with the Ukrainian state tax service.

POLICE INVESTIGATING

Investigators have said M.E.Doc’s expansive reach is what made it a prime target for the unknown hackers, who were looking for a way to infect as many victims as possible.

“These malware families were spread using Ukrainian accounting software called M.E.Doc,” researchers at Slovakian security software firm ESET said in a blog post on Friday.

“M.E.Doc has an internal messaging and document exchange system so attackers could send spearphishing messages to victims.”

Ukrainian police said on Monday the Linniks could now face criminal charges if it is confirmed they knew about the infection but took no action.

“We have issues with the company’s leadership, because they knew there was a virus in their software but didn’t do anything … if this is confirmed, we will bring charges,” Serhiy Demedyuk, the head of Ukraine’s cyber police, told Reuters in a text message.

Speaking before Demedyuk’s comments at the company’s modest offices on an industrial estate in Kiev, Sergei, Intellect Service’s general director, raised his voice in frustration.

“We built this business over 20 years. What is the point of us killing our own business?”

Olesya said the company was cooperating with investigators and the police were yet to reach any conclusions.

“The cyber police are currently bogged down in the investigation, we gave them the logs of all our servers and there are no traces that our servers spread this virus,” she said.

“M.E.Doc is a transportation product, it delivers documents. But is an email program guilty in the distribution of a virus? Hardly.”

(Writing by Jack Stubbs; Editing by Anna Willard)

Symantec says ‘highly likely’ North Korea group behind ransomware attacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Joseph Menn

SAN FRANCISCO (Reuters) – Cyber security firm Symantec Corp <SYMC.O> said on Monday it was “highly likely” a hacking group affiliated with North Korea was behind the WannaCry cyber attack this month that infected more than 300,000 computers worldwide and disrupted hospitals, banks and schools across the globe.

Symantec researchers said they had found multiple instances of code that had been used both in the North Korea-linked group’s previous activity and in early versions of WannaCry.

In addition, the same Internet connection was used to install an early version of WannaCry on two computers and to communicate with a tool that destroyed files at Sony Pictures Entertainment. The U.S. government and private companies have accused North Korea in the 2014 Sony attack.

North Korea has routinely denied any such role. On Monday, it called earlier reports that it might have been behind the WannaCry attack “a dirty and despicable smear campaign.”

Lazarus is the name many security companies have given to the hacking group behind the Sony attack and others. By custom, Symantec does not attribute cyber campaigns directly to governments, but its researchers did not dispute the common belief that Lazarus works for North Korea.

In a blog post, Symantec listed numerous links between Lazarus and software the group had left behind after launching an earlier, less virulent, version of the malware in February. One was a variant of software used to wipe disks during the Sony Pictures attack, while another tool used the same internet addresses as two other pieces of malware linked to Lazarus.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

The most effective version of WannaCry spread by using a flaw in Microsoft’s Windows and a program that took advantage of it that had been used by the U.S. National Security Agency, officials said privately.

That program was among a batch leaked or stolen and then dumped online by a group calling itself The Shadow Brokers, who some in U.S. intelligence believe to be affiliated with Russia.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

Cybersecurity company Kaspersky has said it had found several similarities between the WannaCry malware from the earlier attack and those used by Lazarus. But in an interview last week, its Asia research director, Vitaly Kamluk, said it was not conclusive evidence. “It’s unusual,” he said.

Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, said that the Korean language used in some versions of the WannaCry ransom note was not that of a native speaker, making a Lazarus connection unlikely.

But Thakur said that some hackers deliberately obfuscate their language to make tracing them harder. It is also possible that the writer in question was a contractor in another country, he said.

Thakur said a less likely scenario is that Lazarus’ main aim was to create chaos by distributing WannaCry.

If the hackers’ main objective was to earn money on the side, that would suggest an undisciplined hacking operation run by North Korea, one that could be exploited and weakened by the country’s many foes.

“The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help,” Thakur said.

Lazarus has also been linked to attacks on banks using their SWIFT messaging network. Last year, hackers stole $81 million from Bangladesh’s central bank. Symantec said malware used in that attack was linked to Lazarus.

(Reporting by Joseph Menn, Dustin Volz, Jeremy Wagstaff and Ju-Min Park; Editing by Chris Reese, Mary Milliken and Raju Gopalakrishnan)

Newly discovered vulnerability raises fears of another WannaCry

FILE PHOTO: A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

SINGAPORE (Reuters) – A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday.

The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch.

Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced.

But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. “This one seems to be very, very easy to exploit,” she said.

Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers. There are likely to be many more, it said in response to emailed questions.

Most of the computers found are running older versions of the software and cannot be patched, said Brown.

Some of the computers appear to belong to organizations and companies, she said, but most were home users.

The vulnerability could potentially be used to create a worm like the one which allowed WannaCry to spread so quickly, Brown said, but that would require an extra step for the attacker.

Cybersecurity researchers have said they believe North Korean hackers were behind the WannaCry malware, which encrypted data on victims’ computers and demanded bitcoin in return for a decryption key.

(Reporting and writing By Jeremy Wagstaff; Editing by Michael Perry)

Security experts find clues to ransomware worm’s lingering risks

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

(Corrects spelling of first name in paragraph 22 of this May 18 story to Salim from Samil)

By Eric Auchard

FRANKFURT (Reuters) – Two-thirds of those caught up in the past week’s global ransomware attack were running Microsoft’s Windows 7 operating system without the latest security updates, a survey for Reuters by security ratings firm BitSight found.

Researchers are struggling to try to find early traces of WannaCry, which remains an active threat in hardest-hit China and Russia, believing that identifying “patient zero” could help catch its criminal authors.

They are having more luck dissecting flaws that limited its spread.

Security experts warn that while computers at more than 300,000 internet addresses were hit by the ransomware strain, further attacks that fix weaknesses in WannaCry will follow that hit larger numbers of users, with more devastating consequences.

“Some organizations just aren’t aware of the risks; some don’t want to risk interrupting important business processes; sometimes they are short-staffed,” said Ziv Mador, vice president of security research at Trustwave’s Israeli SpiderLabs unit.

“There are plenty of reasons people wait to patch and none of them are good,” said Mador, a former long-time security researcher for Microsoft.

WannaCry’s worm-like capacity to infect other computers on the same network with no human intervention appear tailored to Windows 7, said Paul Pratley, head of investigations & incident response at UK consulting firm MWR InfoSecurity.

Data from BitSight covering 160,000 internet-connected computers hit by WannaCry, shows that Windows 7 accounts for 67 percent of infections, although it represents less than half of the global distribution of Windows PC users.

Computers running older versions, such as Windows XP used in Britain’s NHS health system, while individually vulnerable to attack, appear incapable of spreading infections and played a far smaller role in the global attack than initially reported.

In laboratory testing, researchers at MWR and Kyptos say they have found Windows XP crashes before the virus can spread.

Windows 10, the latest version of Microsoft’s flagship operating system franchise, accounts for another 15 percent, while older versions of Windows including 8.1, 8, XP and Vista, account for the remainder, BitSight estimated.

COMPUTER BASICS

Any organization which heeded strongly worded warnings from Microsoft to urgently install a security patch it labeled “critical” when it was released on March 14 on all computers on their networks are immune, experts agree.

Those hit by WannaCry also failed to heed warnings last year from Microsoft to disable a file sharing feature in Windows known as SMB, which a covert hacker group calling itself Shadow Brokers had claimed was used by NSA intelligence operatives to sneak into Windows PCs.

“Clearly people who run supported versions of Windows and patched quickly were not affected”, Trustwave’s Mador said.

Microsoft has faced criticism since 2014 for withdrawing support for older versions of Windows software such as 16-year-old Windows XP and requiring users to pay hefty annual fees instead. The British government canceled a nationwide NHS support contract with Microsoft after a year, leaving upgrades to local trusts.

Seeking to head off further criticism in the wake of the WannaCry outbreak, the U.S. software giant last weekend released a free patch for Windows XP and other older Windows versions that it previously only offered to paying customers.(http://reut.rs/2qvSPUR)

Microsoft declined to comment for this story.

On Sunday, the U.S. software giant called on intelligence services to strike a better balance between their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – and sharing those flaws with technology companies to better secure the internet (http://reut.rs/2qAOdLm).

Half of all internet addresses corrupted globally by WannaCry are located in China and Russia, with 30 and 20 percent respectively. Infection levels spiked again in both countries this week and remained high through Thursday, according to data supplied to Reuters by threat intelligence firm Kryptos Logic.

By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.(http://tmsnrt.rs/2qIUckv)

DUMB AND SOPHISTICATED

The ransomware mixes copycat software loaded with amateur coding mistakes and recently leaked spy tools widely believed to have been stolen from the U.S. National Security Agency, creating a vastly potent class of crimeware.

“What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption”, said Samil Neino, 32, chief executive of Los Angeles-based Kryptos Logic.

Last Friday, the company’s British-based 22-year-old data breach research chief, Marcus Hutchins, created a “kill-switch”, which security experts have widely hailed as the decisive step in halting the ransomware’s rapid spread around the globe.

WannaCry appears to target mainly enterprises rather than consumers: Once it infects one machine, it silently proliferates across internal networks which can connect hundreds or thousands of machines in large firms, unlike individual consumers at home.

An unknown number of computers sit behind the 300,000 infected internet connections identified by Kryptos.

Because of the way WannaCry spreads sneakily inside organization networks, a far larger total of ransomed computers sitting behind company firewalls may be hit, possibly numbering upward of a million machines. The company is crunching data to arrive at a firmer estimate it aims to release later Thursday.

Liran Eshel, chief executive of cloud storage provider CTERA Networks, said: “The attack shows how sophisticated ransomware has become, forcing even unaffected organizations to rethink strategies.”

ESCAPE ROUTE

Researchers from a variety of security firms say they have so far failed to find a way to decrypt files locked up by WannaCry and say chances are low anyone will succeed.

However, a bug in WannaCry code means the attackers cannot use unique bitcoin addresses to track payments, security researchers at Symantec found this week. The result: “Users unlikely to get files restored”, the company’s Security Response team tweeted.

The rapid recovery by many organizations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.

While encrypting individual computers it infects, WannaCry code does not attack network data-backup systems, as more sophisticated ransomware packages typically do, security experts who have studied WannaCry code agree.

These factors help explain the mystery of why such a tiny number of victims appear to have paid ransoms into the three bitcoin accounts to which WannaCry directs victims.

Less than 300 payments worth around $83,000 had been paid into WannaCry blackmail accounts by Thursday (1800 GMT), six days after the attack began and one day before the ransomware threatens to start locking up victim computers forever. (Reuters graphic: [http://tmsnrt.rs/2rqaLyz)

The Verizon 2017 Data Breach Investigations Report, the most comprehensive annual survey of security breakdowns, found that it takes three months before at least half of organizations install major new software security patches.

WannaCry landed nine weeks after Microsoft’s patch arrived.

“The same things are causing the same problems. That’s what the data shows,” MWR research head Pratley said.

“We haven’t seen many organizations fall over and that’s because they did some of the security basics,” he said.

For a graphic on WannaCry worm, click http://fingfx.thomsonreuters.com/gfx/rngs/CYBER-ATTACK/010041552FY/index.html

(Editing by Philippa Fletcher)

Symantec says ‘highly likely’ North Korea group behind ransomware attacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Joseph Menn

SAN FRANCISCO (Reuters) – Cyber security firm Symantec Corp <SYMC.O> said on Monday it was “highly likely” a hacking group affiliated with North Korea was behind the WannaCry cyber attack this month that infected more than 300,000 computers worldwide and disrupted hospitals, banks and schools across the globe.

Symantec researchers said they had found multiple instances of code that had been used both in the North Korea-linked group’s previous activity and in early versions of WannaCry.

In addition, the same Internet connection was used to install an early version of WannaCry on two computers and to communicate with a tool that destroyed files at Sony Pictures Entertainment. The U.S. government and private companies have accused North Korea in the 2014 Sony attack.

North Korea has routinely denied any such role. On Monday, it called earlier reports that it might have been behind the WannaCry attack “a dirty and despicable smear campaign.”

Lazarus is the name many security companies have given to the hacking group behind the Sony attack and others. By custom, Symantec does not attribute cyber campaigns directly to governments, but its researchers did not dispute the common belief that Lazarus works for North Korea.

In a blog post, Symantec listed numerous links between Lazarus and software the group had left behind after launching an earlier, less virulent, version of the malware in February. One was a variant of software used to wipe disks during the Sony Pictures attack, while another tool used the same internet addresses as two other pieces of malware linked to Lazarus.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

The most effective version of WannaCry spread by using a flaw in Microsoft’s Windows and a program that took advantage of it that had been used by the U.S. National Security Agency, officials said privately.

That program was among a batch leaked or stolen and then dumped online by a group calling itself The Shadow Brokers, who some in U.S. intelligence believe to be affiliated with Russia.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

Cybersecurity company Kaspersky has said it had found several similarities between the WannaCry malware from the earlier attack and those used by Lazarus. But in an interview last week, its Asia research director, Vitaly Kamluk, said it was not conclusive evidence. “It’s unusual,” he said.

Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, said that the Korean language used in some versions of the WannaCry ransom note was not that of a native speaker, making a Lazarus connection unlikely.

But Thakur said that some hackers deliberately obfuscate their language to make tracing them harder. It is also possible that the writer in question was a contractor in another country, he said.

Thakur said a less likely scenario is that Lazarus’ main aim was to create chaos by distributing WannaCry.

If the hackers’ main objective was to earn money on the side, that would suggest an undisciplined hacking operation run by North Korea, one that could be exploited and weakened by the country’s many foes.

“The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help,” Thakur said.

Lazarus has also been linked to attacks on banks using their SWIFT messaging network. Last year, hackers stole $81 million from Bangladesh’s central bank. Symantec said malware used in that attack was linked to Lazarus.

(Reporting by Joseph Menn, Dustin Volz, Jeremy Wagstaff and Ju-Min Park; Editing by Chris Reese, Mary Milliken and Raju Gopalakrishnan)

North Korea says linking cyber attacks to Pyongyang is ‘ridiculous’

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Michelle Nichols

UNITED NATIONS (Reuters) – North Korea’s deputy United Nations envoy said on Friday “it is ridiculous” to link Pyongyang with the WannaCry “ransomware” cyber attack that started to sweep around the globe a week ago or the hacking of a U.N. expert monitoring sanctions violations.

WannaCry has infected more than 300,000 computers in 150 nations. It threatens to lock out victims who have not paid a ransom within one week of infection. French researchers said on Friday they had found a last-chance way to save encrypted files.

“Relating to the cyber attack, linking to the DPRK, it is ridiculous,” North Korea’s Deputy U.N. Ambassador Kim In Ryong told a news conference when asked if Pyongyang was involved in the global WannaCry attack or the U.N. hack.

North Korea is also known as the Democratic People’s Republic of Korea (DPRK).

“Whenever something strange happens, it is the stereotype way of the United States and the hostile forces that kick off noisy anti-DPRK campaign deliberately linking with DPRK,” Kim said.

Symantec <SYMC.O> and Kaspersky Lab said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.

A spokesman for the Italian mission to the United Nations, which chairs the U.N. Security Council North Korea sanctions committee, said on Friday that a member of the U.N. panel of experts who monitor sanctions violations had been hacked.

No further details on the extent of the hack or who might be responsible were immediately available.

The U.N. Security Council first imposed sanctions on North Korea in 2006 and has strengthened the measures in response to the country’s five nuclear tests and two long-range rocket launches. Pyongyang is threatening a sixth nuclear test.

(Reporting by Michelle Nichols; Editing by Jonathan Oatis and Grant McCool)

WannaCry attack is good business for cyber security firms

FILE PHOTO: A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Joseph Menn

SAN FRANCISCO (Reuters) – For Kris Hagerman, chief executive of UK-based cyber security firm Sophos Group Plc <SOPH.L>, the past week could have been bad. The WannaCry “ransomware” attack hobbled some of its hospital customers in Britain’s National Health Service, forcing them to turn away ambulances and cancel surgeries.

The company quickly removed a boast on its website that “The NHS is totally protected with Sophos.” In many industries, that sort of stumble would likely hit a company’s reputation hard.

Yet on Monday, three days after the global malware attack was first detected, Sophos stock jumped more than 7 percent to set a record high and climbed further on Wednesday after the company raised its financial forecasts.

As for most other cyber security firms, highly publicized cyber attacks are good for business, even though experts say such attacks underscore the industry’s failings.

“We are making good progress and are doing a good job,” Hagerman said in an interview this week. “People ask ‘How come you haven’t solved the cyber crime problem?’ and it’s a little like saying ‘You human beings have been around for hundreds of thousands of years, how come you haven’t solved the crime problem?'”

Hagerman pointed out that his company only claimed to protect 60 percent of NHS affiliates and that other factors contributed to the disaster at the hospitals.

“They have their own budgets. They have their own approach to IT generally and IT security,” Hagerman said of individual hospitals, which pick their own operating systems, patching cycles and network setups. Microsoft Corp <MSFT.O> had issued a patch in March for the flaw WannaCry exploited in Windows operating systems.

Yet Hagerman acknowledged that Sophos did not update its basic antivirus software to block WannaCry until hours after it hit customers.

HIGH STAKES

Security experts say hospitals, where the stakes are especially high, represent a case study in how legacy industries need to up their cyber security game.

“We’ve tolerated a pretty poor level of effectiveness, because so far the consequences of failure have been acceptable,” said Josh Corman, a cyber security industry veteran now working on related issues at the Atlantic Council and a member of a healthcare security task force established by the U.S. Congress.

“We are going to see failure measured in loss of life and a hit to GDP, and people will be very surprised.”

Some long-lived medical devices have more than a thousand vulnerabilities, Corman said, and perhaps 85 percent of U.S. medical institutions have no staff qualified for basic cyber security tasks such as patching software, monitoring threat advisories and separating networks from one another.

Increasingly serious cyber security problems are partly an inevitable consequence of the growing complexity of digital technology.

But there are other causes too, including a lack of accountability that stems from the wide range of technology handlers: computer software vendors, antivirus suppliers, in-house professionals, consultants and various regulators.

Ultimately, Corman said, hospitals need to hire solid cyber security people instead of another nurse or two.

GOOD FOR BUSINESS

“What’s needed is punishment of the negligent,” said Ross Anderson, a University of Cambridge pioneer in studying the economics of information security, referring to the hospitals that did not stop WannaCry.

“This is not about technology. This is about people fouling up in ways people would get a pink slip for” in less-insulated environments, he said, meaning they would lose their jobs.

For now, though, there are few signs of any revamp in large institutions’ approach to cyber security – and little incentive for contractors in the cyber security industry to change.

Sophos was not the only company whose stock rose on Monday, as the global scale of WannaCry became apparent. Shares of U.S.-based FireEye Inc <FEYE.O> and Qualys Inc <QLYS.O> both rose more than 5 percent.

But Sophos stood out, aided by higher expectations for a product the company introduced last year to fend off ransomware – so called because the authors of the malware demand a ‘ransom’ to restore a user’s infected computer – which worked at the hospitals that had installed it.

“It’s good news for our business,” one Sophos employee, who asked not to be named, told Reuters this week. “We were so inundated with people calling us.”

(Reporting by Joseph Menn; Editing by Jonathan Weber and Bill Rigby)

Companies use kidnap insurance to guard against ransomware attacks

FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS/File Photo

By Suzanne Barlyn and Carolyn Cohn

NEW YORK/LONDON (Reuters) – Companies without cyber insurance are dusting off policies covering kidnap, ransom and extortion in the world’s political hotspots to recoup losses caused by ransomware viruses such as “WannaCry”, insurers say.

Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as $100,000 for $10 million in data breach insurance.

Some companies do not even consider it because they do not think they are targets.

The kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas where violence related to oil and mining operations is common, such as parts of Africa and Latin America. Companies could also tap them to cover losses following the WannaCry attack, which used malicious software, known as ransomware, to lock up more than 200,000 computers in more than 150 countries, and demand payments to free them up. Pay-outs on K&R for ransomware attacks may be lower and the policies less suitable than those offered by traditional cyber insurance, insurers say.

“There will be some creative forensic lawyers who will be looking at policies,” said Patrick Gage, chief underwriting officer at CNA Hardy, a specialist commercial insurer, in London.

He added, however, that given that K&R policies are geared towards a threat to lives, “our absolute preference is that people buy specific cover, rather than relying on insurance coverage that is not specific”.

American International Group Inc, Hiscox Ltd and the Travelers Companies Inc have been receiving ransomware claims from some customers with K&R policies as ransomware attacks become more common, the companies said.

The insurers declined to comment on total claims, citing confidentiality and client security concerns.

“We are seeing claims (over the past 18 months) but not a huge uptick,” a Hiscox spokeswoman said. “These are within expectations and entirely manageable.”

She declined to say whether the firm had seen any such claims from the WannaCry attacks though Tom Harvey, an expert in cyber risk management at catastrophe modeling firm RMS, said “insurers with kidnap and ransom books will want to look closely at their policy wordings to see whether they are exposed.”

A sharp rise in ransomware attacks in the past 18 months has driven companies to use K&R policies to cover some of their damages if they do not have direct cyber coverage or cannot meet initial cyber policy deductible costs, insurers said.

Symantec Corp,, a cyber security firm based in Mountain View in California, observed over 460,000 ransomware attempts in 2016, up 36 percent from 2015, the company said. The average payment demand ballooned from $294 to $1,077, a 266 percent increase. But as the threat mounts, K&R insurers are at risk from steeper claims than they had anticipated. They are responding by making changes to their policies, which were not designed around ransomware, insurance brokers said. MORE DAMAGING THEN KIDNAPPING Most of the computers affected by WannaCry were outside the United States, where companies have been slow to buy cyber insurance. Nearly 90 percent of the world’s annual cyber insurance premium of $2.5-3 billion comes from the U.S. market, according to insurance broker Aon Plc.

Global companies typically buy K&R policies without ransomware in mind. But instances of high-tech hacks and online ransom demands can hit a company’s business more than an executive being held hostage.

“If your CFO (chief financial officer) gets kidnapped, the company is going to continue to function,” said Bob Parisi, cyber product leader for insurance broker Marsh & McLennan Companies Inc.

“If you get a get a piece of malware in the system, you might have two factories that stop working. The actual damage is probably greater.”

The K&R policies, which typically do not have deductibles, cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities, said Kevin Kalinich, global head of Aon’s cyber risk practice.

Still, K&R policies may provide only a quick fix since they were not designed for ransomware. Companies can add coverage for business interruption, but the upper limits for pay-outs are usually lower than for a cyber policy, insurers say.

K&R insurers have been adapting to ransomware-related claims – some are modernizing coverage by setting up Bitcoin accounts for clients to speed up ransom payments, brokers said.

But insurers are mindful of their own risks.

Some have added deductibles, said Anthony Dagostino, head of global cyber risk at Willis Towers Watson PLC advisory and brokerage.

AIG has reduced business interruption coverage available for K&R policies to a $1 million maximum, from much higher and more flexible limits, said Tracie Grella, global head of cyber risk insurance at AIG.

“Insurers didn’t anticipate there would be this much ransomware activity,” Grella said.

(Reporting by Suzanne Barlyn and Carolyn Cohn; Editing by Carmel Crimmins adn Timothy Heritage)