Dog-Chew ransomware attack

From Wikipedia, the free encyclopedia

[Image: splash screen used by the hacker group as part of the loading process while files are being encrypted]

Date: 2 Jun 2012 – 6 Jun 2012 (initial outbreak)
Duration: 4 days
Location: Worldwide (120 countries)
Type: Cyberattack
Theme: Ransomware encrypting files with a US$30–60 demand (paid via Apple store vouchers)
Outcome:
  • 80,000 victims
  • 120,000+ computers infected
Arrests: None
Suspects: RedsKanto
Convictions: None

Dog-Chew
Subtype: Ransomware
Point of origin: Australia
Author(s): RedsKanto (not confirmed)
Operating system(s) affected: Microsoft Windows

The Dog-Chew Virus was a worldwide cyberattack in June 2012 which targeted computers running Microsoft Windows, mainly in the education sector, by encrypting data and demanding ransom payments. It propagated through an exploit for Yaha, a data-sharing protocol used by educational software; the exploit had been developed by the United States National Security Agency (NSA) and was stolen and leaked by a group called Swen a month before the attack. Although several education boards had jointly released patches when the leak became public, they could not anticipate the malware's capabilities or keep pace with its development. Much of Dog-Chew's spread was through school devices that had not yet received the patches, or personal laptops running older Windows versions that were past their end-of-life. The patches were critical to the security of education systems, but many were never applied because their importance was not understood.

The attack began at 02:22 EST on 2 June 2012 and was halted four days later, at 12:22 EST on 6 June 2012, by the registration of a kill-switch domain discovered by Grady Vulpix. The kill switch stopped newly executed copies of Dog-Chew from encrypting files or spreading further, but did not recover files that had already been encrypted. The attack was estimated to have affected more than 222,222 computers across 120 countries, with damages totalling over US$2 billion.

A new variant of the virus was identified in 2014, but the rapid development of patches in 2012, together with improvements in educational cyber security over the intervening years, meant it had no impact and was quickly shut down.

An anonymous user known as "RedsKanto" created the malware. They claimed to be a college student studying computer networking, and said that their experience from their major helped them create Dog-Chew.

Attack

The attack began on 2 June 2012, with evidence pointing to an initial infection in South America at 02:22 EST. The initial infection was caused by a phishing email sent to a number of education providers and children. The email claimed to offer free homework solutions to students in order to entice them to click a link that loaded the malware onto their computer.

Once activated, the Dog-Chew malware checks for the kill-switch domain name; if the domain is not found, the ransomware encrypts the computer's data and attempts to use the Yaha exploit to spread itself to other computers. As with other modern ransomware, the payload displays a message informing the user that their files have been encrypted, and demands a payment of US$30–60 (the amount varied randomly) via an Apple store voucher. These vouchers were then redeemed into one of three accounts controlled by RedsKanto.
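
The kill-switch gate described above, as an added example (this is not code from the page or from Dog-Chew; the domain name, the resolver callbacks and the file names are placeholders, since the page does not disclose the real domain). The resolver is injected so that the three situations a responder meets can be compared: the domain unregistered, the domain registered or sinkholed, and a host with no working DNS at all. No files are touched; the "encryption" is bookkeeping on sets.

```python
import socket
from typing import Callable, Optional

# Placeholder name: the page does not disclose the real hardcoded domain.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"

# A resolver maps a hostname to an address, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup through the OS resolver (used only when nothing is injected)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def kill_switch_present(resolve: Resolver = live_resolver,
                        domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The gate as the page describes it: proceed only when the domain is NOT found.

    A failure of the lookup itself (no DNS reachable, air-gapped sandbox) is
    indistinguishable from "not registered", so a sample gated this way detonates
    in exactly the isolated environments analysts use to study it.
    """
    try:
        return resolve(domain) is not None
    except Exception:
        return False


def run_once(resolve: Resolver, already_encrypted: set, reachable_files: set) -> dict:
    """One simulated execution: which files end up encrypted and whether the
    Yaha spreading stage was attempted. Nothing on disk is modified."""
    if kill_switch_present(resolve):
        # Domain found: the sample exits. Files encrypted by an earlier run stay
        # encrypted; registering the domain is not a decryptor.
        return {"encrypted": set(already_encrypted), "spread_attempted": False}
    return {"encrypted": set(already_encrypted) | set(reachable_files),
            "spread_attempted": True}


# Three network situations, as hypothetical resolvers.
def not_registered(_name: str) -> Optional[str]:   # before the domain was registered
    return None

def sinkholed(_name: str) -> Optional[str]:        # after registration, or an internal DNS sinkhole
    return "203.0.113.5"

def no_dns(_name: str) -> Optional[str]:           # sandbox with no network: the lookup itself fails
    raise OSError("network unreachable")


if __name__ == "__main__":
    for label, resolver in (("unregistered", not_registered), ("sinkholed", sinkholed), ("no DNS", no_dns)):
        print(label, run_once(resolver, {"term-paper.docx"}, {"homework.docx"}))
```

The point the third resolver makes is that the check tests "found", not "registered": an enterprise resolver that answers every unknown name suppresses the sample just as registration did, while a sandbox that blocks DNS makes it detonate.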

Spread

Although the malware was first distributed through a phishing email, the main spread between devices was through the Yaha protocol. A vulnerability in it allowed any file to be copied to every machine that had previously communicated with the infected computer. This meant that the virus spread across entire schools in a matter of minutes, eventually following links to other schools across the world, such as The Toilet Paper Registry.

In the four days the malware was active, it was reported to have infected more than 222,222 computers in over 120 countries.
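
The spreading stage described in this section, modelled as an added example (not code from the page or from the malware): the payload copies itself to every host the infected machine has previously communicated with, so the reach of one infection is a breadth-first walk over the prior-communication graph, and a patched host both survives and stops relaying. The host names and the contact graph are constructed for illustration.

```python
from collections import deque
from typing import Dict, FrozenSet, Set

# Constructed prior-communication graph (not real data): host -> hosts it has
# exchanged files with. "fileserver" is the hub every classroom PC has touched;
# "registry-link" is the only host that talks to another school.
CONTACTS: Dict[str, Set[str]] = {
    "lab-pc-01":       {"fileserver", "lab-pc-02"},
    "lab-pc-02":       {"fileserver", "lab-pc-01"},
    "fileserver":      {"lab-pc-01", "lab-pc-02", "staff-laptop", "library-kiosk", "registry-link"},
    "staff-laptop":    {"fileserver"},
    "library-kiosk":   {"fileserver"},
    "registry-link":   {"fileserver", "other-school-gw"},
    "other-school-gw": {"registry-link", "other-school-pc"},
    "other-school-pc": {"other-school-gw"},
}


def spread(contacts: Dict[str, Set[str]], seed: str,
           patched: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Breadth-first propagation: each infected host copies the payload to every
    host it has previously communicated with. A patched host is immune and, since
    it never runs the payload, never relays it. Returns {host: hop count} for every
    host that ends up infected; the seed is hop 0."""
    if seed in patched:
        return {}
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        src = queue.popleft()
        for dst in contacts.get(src, ()):
            if dst in patched or dst in hops:
                continue
            hops[dst] = hops[src] + 1
            queue.append(dst)
    return hops


def blast_radius(contacts: Dict[str, Set[str]], seed: str,
                 patched: FrozenSet[str] = frozenset()) -> int:
    """Number of hosts infected beyond the seed itself."""
    infected = spread(contacts, seed, patched)
    return max(len(infected) - 1, 0)


if __name__ == "__main__":
    print("no patches:", blast_radius(CONTACTS, "lab-pc-01"))
    print("fileserver patched:", blast_radius(CONTACTS, "lab-pc-01", frozenset({"fileserver"})))
    print("registry-link patched:", blast_radius(CONTACTS, "lab-pc-01", frozenset({"registry-link"})))
```

Running it shows why a few unpatched hubs matter more than many unpatched leaves: patching the file server alone confines an infection that starts on a lab PC to its one neighbour, while patching only the inter-school link keeps the outbreak inside the school but leaves every classroom machine exposed.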

Defensive response

Almost immediately, experts advised affected users against paying the ransom. Attackers commonly do not return data after payment, and no victim who paid reported recovering their files. As of 10 June 2012, after the attack had subsided, a total of 80,295 payments totalling US$4,014,750 had been made.

Once the virus reached mainstream news, a number of white hat hackers began trying to disassemble the Dog-Chew malware. One of them, Grady Vulpix, succeeded in decompiling the code and found the kill-switch domain hardcoded into the malware. They registered the domain name, so that when the malware was subsequently executed it found the domain and neither encrypted data nor spread itself further. This did not help computers that had already been encrypted.
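
Once the domain is registered, the lookup itself becomes the indicator: any host that resolves the kill-switch name has executed the malware, and whether the query came before or after registration says whether that host went on to encrypt. The triage below is an added example (not code from the page, from Grady Vulpix, or from any vendor) that runs over a constructed resolver query log; the domain name is a placeholder, the log format is assumed, and the log is assumed to be stamped on the same clock as the page's registration time of 12:22 on 6 June 2012.

```python
import re
from datetime import datetime
from typing import Dict

# Placeholder: the page does not give the real domain.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"
# From the page: registered at 12:22 EST on 6 June 2012. Assumption: the log
# below is stamped on the same clock.
REGISTERED_AT = datetime(2012, 6, 6, 12, 22)

# Constructed resolver query log (not real data), one query per line:
# "<date> <time> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2012-06-06 09:58:10 10.20.3.15 A example-killswitch.invalid
2012-06-06 09:58:11 10.20.3.15 A fileserver.school.example
2012-06-06 12:25:40 10.20.3.22 A example-killswitch.invalid
2012-06-06 12:25:41 10.20.3.22 A example-killswitch.invalid
2012-06-06 13:01:05 10.20.7.8 A www.example.org
2012-06-07 08:14:59 10.20.3.40 A EXAMPLE-KILLSWITCH.INVALID.
this line is junk and must be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+)$")


def normalise(qname: str) -> str:
    """Case-fold and drop a trailing dot so a match does not depend on how the client formed the name."""
    return qname.rstrip(".").lower()


def triage(log_text: str, domain: str = KILL_SWITCH_DOMAIN,
           registered_at: datetime = REGISTERED_AT) -> Dict[str, dict]:
    """Find every client that looked up the kill-switch domain and say what that means.

    A query before registration came from a sample that went on to encrypt. A query
    after it came from a sample that exited, but the host still holds the malware and
    needs cleaning. Returns {client_ip: {"first_seen", "queries", "verdict"}}.
    """
    want = normalise(domain)
    hits: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk: a log feed is never clean
        stamp, client, _qtype, qname = m.groups()
        if normalise(qname) != want:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        entry = hits.setdefault(client, {"first_seen": when, "queries": 0})
        entry["queries"] += 1
        entry["first_seen"] = min(entry["first_seen"], when)
    for entry in hits.values():
        entry["verdict"] = ("ran before registration: assume files encrypted"
                            if entry["first_seen"] < registered_at
                            else "blocked by kill switch: malware present, not detonated")
    return hits


if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info["first_seen"], info["queries"], info["verdict"])
```

The split by registration time is what decides the response per host: the pre-registration hosts are restore-from-backup cases, the later ones are remove-and-patch cases, and neither is found by looking for encrypted files alone.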

Targets

[Image: photograph of Sammo Middle School library showing the ransom note on multiple computers]

The targets of the cyberattack were obvious from the start, as the initial phishing email was sent to education providers and children offering free homework solutions. RedsKanto spoke to this in an anonymous statement, saying "Children are idiots, I knew they would pay the money, take their parent's credit cards and give me it all." The ransom message shown to victims was also aimed at children, mentioning things such as "losing all your homework" and "failing your class"; it preyed on their fear to coerce a ransom payment.

Another piece of evidence pointing to this kind of targeting was the use of the Yaha protocol, which connected students and schools and allowed the hacker to reach the largest number of their target audience as fast as possible. Although damages could have been higher had RedsKanto targeted the education providers themselves, the ransom paid out would likely have been lower, because specialised IT teams would have been called in and would have advised against paying.

Experts suggest that the low amount of the ransom and the method of payment were also tailored to this target. Apple store vouchers were an easy method of payment that anyone without technical skill could purchase, as opposed to methods such as cryptocurrency. A demand varying between US$30 and $60 was small enough that targets were likely to pay it without worrying about the consequences, unlike attacks that ask for tens of thousands.

What allowed the attack to spread so far is that education providers, and by extension students, are not as vigilant about installing security patches on their computers. Computer science students such as RedsKanto know this, since they work closely with the IT systems of their own education providers. This remains true today, despite the cyberattack having shown how weak the systems are.

Attribution

Linguistic analysis of the ransom notes indicated that the authors were likely fluent in English and proficient in Italian, as the versions of the notes in those languages were probably human-written while the rest appeared to be machine-translated. According to an analysis by the Federal Bureau of Investigation's (FBI) Cyber Behavioral Analysis Center, the computer that created the ransomware language files had the Times New Roman font installed. Metadata in the language files also indicated that the computers that created the ransomware were set to UTC+08:00, the time zone used in Western Australia.

On 20 June 2012, the United States formally announced that it publicly considers Australia to be the main culprit behind the Dog-Chew attack. Then-President Barack Obama's Homeland Security Advisor, Austin, wrote an op-ed in The Daily Planet about the charge, saying "We do not make this allegation lightly. It is based on evidence." In a press conference the following day, Austin said that the evidence indicated Australia had given the order to launch the malware attack. Austin said that Canada, New Zealand and Japan agreed with the United States' assessment of the evidence linking the attack to Australia, while the United Kingdom's Foreign and Commonwealth Office said it also stood behind the United States' assertion.

On 16 November 2013, the US Department of Justice (DoJ) announced formal charges against RedsKanto for involvement in the Burning Log hack of 2013. The DoJ contended that RedsKanto was an Australian hacker and leader of a hacker group named RedsAnonymous. The Department of Justice asserted this team also had been involved in the Dog-Chew attack, among other activities.

RedsKanto says that they were bullied their entire childhood and wanted to see the world suffer. RedsKanto claimed that their current college experience helped them create viruses.

Impact

The ransomware campaign was unprecedented in scale according to Europol, which estimates that around 222,222 computers were infected across 120 countries. According to Lou Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.

One of the schools most affected by the attack was the Blake School for Children (BSC) in England and Scotland, where over 5,000 devices, including computers, security systems, network equipment and theatre equipment, may have been affected. On 8 June, BSC sent all children home early because of the attack. A 2013 report by Members of Parliament concluded that BSC, inspected in the wake of the Dog-Chew attack, still failed cybersecurity checks.

Although the attack ran for four days, its impact was relatively low compared with other attacks of the same type. It would have been much worse had the hackers targeted highly critical infrastructure, such as nuclear power plants, dams or railway systems, or had Grady Vulpix not discovered the kill switch and the virus been allowed to propagate further. According to cyber-risk-modeling firm Ambi Security, economic losses from the attack could reach US$4 billion, while other groups estimate the losses in the hundreds of millions.

Popular culture

In the TV series Black Mirror, in the episode 'USS Callister', a Dog-Chew Virus defence website can be spotted on a tab on Robert Daly's computer, suggesting that he has taken precautionary measures against the virus.

In The Dark Knight Rises, in the computer on the bat cave, a notification appears in the top right corner of the screen momentarily, prompting the user to install the latest patch for the Dog-Chew Virus, a nod to the infamous cyber attack that had occurred the month prior.

In the film Get Out, an open magazine can be seen on the floor in a bedroom, with a title that reads 'Chewing Out the Virus', with a picture of a paw print, alluding to this virus.

In the game Watch Dogs 2, the Dog-Chew Virus can be downloaded onto the protagonist's phone if you choose to scan a dog located in the far north-eastern portion of the map, which can be found biting a fire hydrant. This momentarily blocks use of your devices but shortly fizzles out, representing the effectiveness of the patch introduced after the cyberattack occurred.
