Search the Community

More than two years on from the global outbreak, WannaCry ransomware is still spreading - and sometimes still successful at infecting users. In May 2017, WannaCry ransomware spread quickly around the world, encrypting networks and taking down services. High-profile targets included the UK's National Health Service (NHS). The initial campaign was disrupted when security researchers managed to activate WannaCry's killswitch, meaning that while it still attempted to spread via the use of EternalBlue – a worm-like NSA cyber weapon that cyber criminals took advantage of after it was leaked by hackers – the ransomware itself stopped doing damage for the most part. But over two years on from the attack – which has been attributed to North Korea – there are still some people out there who are seemingly becoming infected with WannaCry and paying the ransom demand. Even when WannaCry first hit, paying the ransom didn't solve anything, but researchers at Sophos have detailed how, despite this, the ransomware still appears active, is still occasionally infecting victims – and sometimes, they're paying the ransom demand. It's possible to see that ransoms are still being paid because the bitcoin accounts associated with the attack are still active and while the payments are anonymous, the transactions are open to the public, so every payment can be seen. While there's only a handful of people paying up, the payments show that WannaCry is still able to cause problems for users – and that these users are seemingly unaware that the global ransomware attack showed that even those who do pay don't get their files back. It also demonstrates that despite the WannaCry attack, there are many users out there who still haven't patched their systems against the EternalBlue vulnerability. Not only does this put them at risk of falling victim to WannaCry, but they're at risk of other attacks including cryptojacking or trojan malware campaigns, which have since adopted EternalBlue to help spread. "When you consider that most home users automatically apply windows updates by default, it is a good guess that it is businesses with slow patching policies who are driving this," Peter Mackenzie, security specialist at Sophos and lead author of the research told ZDNet. "And if you haven't installed updates that were released more than two years ago – how many other patches have you missed?," he continued, adding standard practice should be a policy of installing patches whenever they are issued, and a robust security solution should be in place that covers all endpoints, networks and systems. Researchers explicitly state that if anyone finds themselves falling victim to WannaCry that they shouldn't pay the ransom because the attackers don't monitor the wallet and won't provide a key in return. Law enforcement and cybersecurity companies also recommend that users don't pay ransoms in general, because it funds cyber-criminal activity. The United States Department of Justice has charged a North Korean national of being behind the Wannacry attack – but Pyongyang claims the accused doesn't exist. Source: ZDNet

Elasticsearch server leaks personal data on Ecuador's citizens, their family trees, and children, but also some users' financial records and car registration information. The personal records of most of Ecuador's popu.lation, including children, has been left exposed online due to a misconfigured database. The database, an Elasticsearch server, was discovered two weeks ago by vpnMentor security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet. Together, they worked to analyze the leaking data, verify its authenticity, and contact the server owner. The leaky server is one of the, if not the biggest, data breaches in Ecuador's history, a small South American country with a popu.lation of 16.6 million citizens. 20.8 million user records The Elasticsearch server contained a total of approximately 20.8 million user records, a number larger than the country's total popu.lation count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons. The data was spread across different Elasticsearch indexes. These indexes contained different information, supposedly obtained from different sources. They stored details such as names, information on family members/trees, civil registration data, financial and work information, but also data on car ownership. Image: ZDNet Based on the names of these indexes, the entire database could be split in two main categories, based on the data's supposed origin. There's data that appears to have been gathered from a government sources, and data that appears to have been gathered from private databases. The data from government sources The most extensive data was the one that appears to have been gathered from the Ecuadorian government's civil registry. This data contained entries holding citizens' full names, dates of birth, places of birth, home addresses, marital status, cedulas (national ID numbers), work/job information, phone numbers, and education levels. ZDNet verified the authenticity of this data by contacting some users listed in the database. The database was up to date, containing information as recent as 2019. They were able to find records for the country's president, and even Julian Assange, who once received political asylum from the small South Americam country, and was issued a national ID number (cedula). Image: ZDNet Image: ZDNet Family and kids data But they only truly understood the extent of this data when they looked at an index named "familia" (family in Spanish), which contained information about every citizen's family members, such as children and parents, allowing anyone to reconstruct family trees for the entire country's popu.lation. Image: ZDNet However, things didn't stop here. When looking at this index they also realized that there were entries for children, some of whom were born as recent as this spring. For example, we found 6.77 million entries for children under the age of 18. These entries contained names, cedulas, places of birth, home addresses, and gender. Image: ZDNet The leak of childrens' data is without a doubt the biggest privacy concern about this incident. This leak not only exposes children to potential identity theft, but also puts them in physical danger because their home addresses have been left exposed online for anyone to find. The data from private sources But this wasn't all what the database contained. While initially they thought vpnMentor security researchers stumbled upon a database belonging to the Ecuadorian government, this didn't turn out to be true. At a closer look, the database also contained indexes labeled with the acronyms of private entities, suggesting they were either imported or scraped from those particular sources. Of note, two indexes were named BIESS and AEADE. The first, BIESS, stands for Banco del Instituto Ecuatoriano de Seguridad Social, and contained financial information for some Ecuadorian citizens, such as account status, account balance, credit type, and information about the account owner, including job details. The second, AEADE, stands for Asociación de Empresas Automotrices del Ecuador, and contained information on car owners, and their resective cars, including car models and car license plates. Image: ZDNet In total, they found 7 million financial records, and 2.5 million records containing car and car owner details. Just like the Elasticsearch index holding the data of children, these two indexes are also extremely sensitive. The information in both indexes would be as valuable as gold in the hands of criminal gangs. Crooks would be able to target the country's most wealthy citizens (based on ther financial records) and steal expensive cars (having access to car owners' home addresses and license plate numbers). Connect the about children and the data about financial records, and criminals would have a list of the most wealthy Ecuadorians, their home addresses, and if they had any children -- making it trivially easy to target and kidnap children from rich families. The source of the data When it came time to tracking down the source of this leak, both ZDNet and vpnMentor independently reached the same source, namely a local company named Novaestrat. According to its website, the company provides analytics services for the Ecuadorian market. Its website boldy displays the statement "Make financial decisions with updated information of the entire Ecuadorian Financial System" [translated]. However, getting in contact with the company was not as easy as it sounded. The company did not display an email address or phone number where it could be reached. ZDNet reached out to the company via Facebook, and tried contacting employees via LinkedIn, to no success. The company's support forum yielded a PHP error when we tried registering an account. The database was eventually secured later last week, but only after vpnMentor reached out to the Ecuador CERT (Computer Emergency Response Team) team, which served as an intermediary. This is the second major leak of user data originating from a South American country in as many months. In August, ZDNet reported about a similar Elasticsearch server that exposed the voter records of 14.3 million Chileans, around 80% of the country's entire popu.lation. Additional coverage of this leak can be found on vpnMentor's blog.