‘Accidental hero’ halts ransomware attack and warns: this is not over

Expert who stopped spread of attack by activating software’s kill switch says criminals will change the code and start again

The accidental hero who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a kill switch in the malicious software.

The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic, an LA-based threat intelligence company.

“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to, just as if it was looking up any website, and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.

MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an emotional rollercoaster.

“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it,” he said.

MalwareTech said he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”

He also said he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.
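The kill-switch lookup and the sinkhole-based victim notification described above give defenders a simple triage signal in their own DNS logs. The following is an added example, not code from the article or from the researcher: the domain is a placeholder (the article does not print the real one), and the resolver log format and the `triage` function are assumptions made for illustration.

```python
"""Added example: find internal hosts that looked up a kill-switch domain."""
from dataclasses import dataclass

# Placeholder only: the article does not print the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample log. Assumed format per line:
#   <UTC timestamp> <client ip> <query name> <DNS response code>
SAMPLE_LOG = """\
2017-05-12T14:02:11Z 10.1.4.23 killswitch-placeholder.example. NXDOMAIN
2017-05-12T14:02:12Z 10.1.4.23 www.example.org. NOERROR
2017-05-12T15:31:40Z 10.1.7.80 KILLSWITCH-PLACEHOLDER.example. NOERROR
2017-05-12T15:32:05Z 10.1.4.23 killswitch-placeholder.example. NOERROR
2017-05-12T15:40:09Z 10.1.9.12 killswitch-placeholder.example. SERVFAIL
malformed line without enough fields
2017-05-12T15:41:00Z 10.1.9.12 notkillswitch-placeholder.example. NOERROR
"""


@dataclass
class HostFinding:
    client: str
    first_seen: str
    last_seen: str
    lookups: int = 0
    failed_lookups: int = 0

    @property
    def priority(self) -> str:
        # The kill switch only takes effect when the request succeeds, so a
        # host whose lookup failed at least once may have kept spreading.
        return "high" if self.failed_lookups else "review"


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def triage(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> list:
    """Return one HostFinding per client that queried the domain.

    Every client listed ran something that performs the kill-switch lookup
    and needs investigation; 'high' entries come first because their lookup
    did not resolve every time.
    """
    target = normalise(domain)
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, client, qname, rcode = parts
        if normalise(qname) != target:
            continue  # exact match only, so look-alike names are ignored
        finding = findings.get(client)
        if finding is None:
            finding = findings[client] = HostFinding(client, ts, ts)
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        finding.first_seen = min(finding.first_seen, ts)
        finding.last_seen = max(finding.last_seen, ts)
        finding.lookups += 1
        if rcode.upper() != "NOERROR":
            finding.failed_lookups += 1
    return sorted(
        findings.values(),
        key=lambda f: (f.priority != "high", f.first_seen),
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.priority:6} {f.client:12} lookups={f.lookups} "
              f"failed={f.failed_lookups} first={f.first_seen} last={f.last_seen}")
```

A successful lookup does not clear a host: as the article notes further down, the kill switch does nothing for machines that are already infected, so every client in the output still needs patching and inspection.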

He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.

“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”

But the dark knight of the dark web still lives at home with his parents, which he joked was “so stereotypical”. His mum, he said, was aware of what had happened and was excited, but his dad hadn’t been home yet. “I’m sure my mother will inform him,” he said.

“It’s not going to be a lifestyle change, it’s just a five-minutes of fame sort of thing. It is quite crazy, I’ve not been able to check into my Twitter feed all day because it’s just been going too fast to read. Every time I refresh it it’s another 99 notifications.”

Proofpoint’s Ryan Kalember said the British researcher gets “the accidental hero award of the day”. “They didn’t realise how much it probably slowed down the spread of this ransomware.”

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.


The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of cyber weapons from the National Security Agency (NSA).

Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called WanaCrypt0r 2.0 or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

MalwareTech (@MalwareTechBlog)

I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.

May 13, 2017

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the payment will be raised after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

“This was eminently predictable in lots of ways,” said Kalember. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

Read more: www.theguardian.com

WannaCry ransomware has links to North Korea, cybersecurity experts say

Similarities spotted between details of last week’s massive cyber-attack and code used by a prolific cybergang with links to North Korean government

Two top security firms have found evidence linking the WannaCry ransomware to the prolific North Korean cybergang known as Lazarus Group.

Kaspersky and Symantec both said on Monday that technical details within an early version of the WannaCry code are similar to code used in a 2015 backdoor created by the government-linked North Korean hackers, who were implicated in the 2014 attack on Sony Pictures and an $81m heist on a Bangladeshi bank in 2016. Lazarus Group has also been known to use and target Bitcoin in its hacking operations. The similarities were first spotted by Google security researcher Neel Mehta and echoed by other researchers including Matthieu Suiche from UAE-based Comae Technologies.

Matthieu Suiche (@msuiche)

Similitude between #WannaCry and Contopee from Lazarus Group ! thx @neelmehta – Is DPRK behind #WannaCry ? pic.twitter.com/uJ7TVeATC5

May 15, 2017

Shared code doesn’t always mean the same hacking group is responsible: an entirely different group may have simply re-used Lazarus Group’s backdoor code from 2015 as a “false flag” to confuse anyone trying to identify the perpetrator. However, the re-used code appears to have been removed from later versions of WannaCry, which according to Kaspersky gives less weight to the false flag theory.

“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” said Kaspersky Lab in a blogpost, pointing out that in the early days of the Bangladesh bank attack, there were scant clues linking it to the Lazarus group. However, over time researchers found more clues to build the case against the North Korea-linked cybergang.

Kaspersky is among the research teams to have been studying Lazarus Group for years, and in April it published a detailed “under the hood” report exposing the group’s modus operandi.

“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another advanced persistent threat actor,” said Kaspersky, which also found attacks originating from IP addresses in North Korea.

The WannaCry ransomware attack has now hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses.

The links to North Korea come at a time when security researchers and technology companies are criticizing the US government for stockpiling cyberweapons including the malicious software used in WannaCry.

The WannaCry exploits used in the attack were drawn from a cache of exploits stolen from the NSA by the Shadow Brokers in August 2016. The NSA and other government agencies around the world create and collect vulnerabilities in popular pieces of software (such as Windows) and cyberweapons to use for intelligence gathering and cyberwarfare.

Once these vulnerabilities were leaked by the Shadow Brokers, they became available for cybercriminals to adapt for financial gain by creating ransomware. This ransomware spread rapidly on Friday by exploiting a vulnerability contained in the NSA leak, targeting computers running Microsoft’s Windows operating system, taking over users’ files and demanding $300 to restore them.

Employees monitor possible ransomware cyber-attacks at the Korea Internet and Security Agency (Kisa) in Seoul, South Korea, on 15 May. Photograph: YONHAP/EPA

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” said Brad Smith, president and chief legal officer of Microsoft, in a blogpost.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”

The blogpost mentions that vulnerabilities stockpiled by the CIA also ended up in the public domain via Wikileaks.

“This is an emerging pattern in 2017,” Smith said, adding that the latest attack represents a completely unintended but disconcerting link between nation-state action (the NSA) and organized criminal action (the ransomware creator).

“The governments of the world should treat this attack as a wake-up call,” said Smith, urging nations to treat cyber weapons in the same way that physical weapons are treated.

“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

Jeremy Wittkop, chief technology officer of security company Intelisecure, argues that if governments are to stockpile weapons they need to secure them better.

“The government has a responsibility, like with nuclear weapons, to make sure they don’t fall into the hands of the wrong people,” he said. “If you are going to create something that can cause this much damage you have to protect it.”

Microsoft has called for a Digital Geneva Convention requiring governments to report vulnerabilities to the creators of the software instead of stockpiling, selling or exploiting them.


Massive ransomware cyber-attack hits nearly 100 countries around the world

More than 45,000 attacks recorded in countries including the UK, Russia, India and China may have originated with theft of cyber weapons from the NSA

A ransomware cyber-attack that may have originated from the theft of cyber weapons linked to the US government has hobbled hospitals in England and spread to countries across the world.

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 99 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

Markus Jakobsson, chief scientist with security firm Agari, said that the attack was scattershot rather than targeted.

“It’s a very broad spread,” Jakobsson said, noting that the ransom demand is relatively small.

“This is not an attack that was meant for large institutions. It was meant for anyone who got it.”

MalwareHunterTeam (@malwrhunterteam)

Fresh IDR based heatmap for WanaCrypt0r 2.0 ransomware (WCry/WannaCry).
Also follow @MalwareTechBlog’s tracker: https://t.co/mjFwsT3JzH pic.twitter.com/SPeZfBpckm

May 12, 2017

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of cyber weapons from the National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack.

On Twitter, whistleblower Edward Snowden blamed the NSA.

“If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” he said.

“It’s very easy for someone to say that, but the reality is the US government isn’t the only one that has a stockpile of exploits they are leveraging to protect the nation,” said Jay Kaplan, CEO of Synack, who formerly worked at the NSA.

“It’s this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?”

The NSA is among many government agencies around the world to collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare. The agency did not immediately respond to a request for comment.

Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used malicious software called WanaCrypt0r 2.0 or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

“This was eminently predictable in lots of ways,” said Ryan Kalember from cybersecurity firm Proofpoint. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the payment will be raised after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

“Attacks with language support show a progressive increase of the threat level,” Jakobsson said.

The attack hit England’s National Health Service (NHS) on Friday, locking staff out of their computers and forcing some hospitals to divert patients.

“The attack against the NHS demonstrates that cyber-attacks can quite literally have life and death consequences,” said Mike Viscuso, chief technology officer of security firm Carbon Black. “When patients’ lives are at stake, there is no time for finger pointing, but this attack serves as an additional clarion call that healthcare organizations must make cybersecurity a priority, lest they encounter a scenario where lives are risked.”

Ransomware attacks are on the rise. Security company SonicWall, which studies cyberthreats, saw ransomware attacks rise 167 times in 2016 compared to 2015.

“Ransomware attacks everyone, but industry verticals that rely on legacy systems are especially vulnerable,” said Dmitriy Ayrapetov, executive director at SonicWall.

A Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers last year, after a cyber-attack locked doctors and nurses out of their computer system for days.

Jakub Kroustek (@JakubKroustek)

36,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry) #ransomware so far. Russia, Ukraine, and Taiwan leading. This is huge. pic.twitter.com/EaZcaxPta4

May 12, 2017

Jakobsson said that the concentration of the attack in Russia suggested that the attack originated in Russia. Since the malware spreads by email, the level of penetration in Russia could be a sign that the criminals had access to a large database of Russian email addresses.

However, Jakobsson warned that the origin of the attack remains unconfirmed.


NHS seeks to recover from global cyber-attack as security concerns resurface

Cybersecurity centre says teams working round the clock to fix systems rendered inaccessible by international ransomware attack

The NHS is working to bring its systems back online after it became the highest-profile victim of a global ransomware attack and faced renewed concern about the strength of its infrastructure.

The National Cyber Security Centre (NCSC) said teams were working round the clock in response to the attack, which resulted in operations being cancelled, ambulances being diverted and documents such as patient records made unavailable in England and Scotland.

Computers at hospitals and GPs’ surgeries in the UK were among tens of thousands hit in almost 100 countries by malware that appeared to be using technology stolen from the National Security Agency in the US. It blocks access to any files on a PC until a ransom is paid.

The British prime minister, Theresa May, and NHS Digital said they were not aware of any evidence patient records had been compromised in Friday’s attack, which is thought to have affected computers in nearly 100 countries.

May said: “This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected.”

Amber Rudd, the home secretary, refused to confirm on Saturday morning whether patient data had been backed up, and said the NHS would upgrade its software in the wake of the attack. She said data should be backed up, but would not say whether it actually had been.

The shadow health secretary, Jonathan Ashworth, urged the government to be clear about what’s happened, describing the attack as terrible news and a real worry for patients.

The unprecedented attacks, using software called WanaCrypt0r 2.0 or WannaCry, exploit a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that had not installed the security update were vulnerable.

In December it was reported that nearly all NHS trusts were using an obsolete version of Windows for which Microsoft had stopped providing security updates in April 2014. Data acquired by software firm Citrix under freedom of information laws suggested 90% of trusts were using Windows XP, then a 15-year-old system.

It is not known how many computers across the NHS today are still using Windows XP or recent variants Windows 8 and Windows 10.

About 40 NHS organisations are thought to have been affected by Friday’s bug, which was released the day after a doctor warned that NHS hospitals needed to be prepared for an incident precisely of the kind seen.

In an article published in the British Medical Journal, Dr Krishna Chinthapalli, a neurology registrar at the National Hospital for Neurology and Neurosurgery in London, said hospitals “will almost certainly be shut down by ransomware this year”.

Ross Anderson, of Cambridge University, said the critical software patch released earlier this year may not have been installed across NHS computers. “If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?” Anderson said.

Alan Woodward, a visiting professor of computing at the University of Surrey, said the attack’s success was likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems.

NHS Digital said on Friday night it was unable to comment on the suggestion.

Marco Cover, a systems security researcher, said critics should take into account the complexity of keeping systems up to date. “It’s easy to blame people who don’t upgrade,” he said. “But in practice things are often more complicated: operations teams may not touch legacy systems for a number of reasons. In some cases they may even be unaware that such legacy systems are running in their infrastructure.”

The same malicious software that hit NHS networks attacked some of the largest companies in Spain and Portugal, including phone company Telefónica, and has also been detected on computers in Russia, Ukraine and Taiwan among other countries. The international shipping company FedEx was also affected.

Kaspersky Lab, a cybersecurity company based in Moscow, estimated that 45,000 attacks had been carried out in 99 countries, mostly in Russia. In a blogpost, it added that the totals could be “much, much higher”.

In the UK, computers in hospitals and GP surgeries simultaneously received a pop-up message demanding a ransom in exchange for access to the PCs.

A warning was circulated on Friday within at least one NHS trust of “a serious ransomware threat currently in circulation throughout the NHS”, but the attack proved impossible to stop. Patient records, appointment schedules, internal phone lines and emails were rendered inaccessible and connections between computers and medical equipment were brought down. Staff were forced to turn to pen and paper and to use their own mobile phones.

Last year the government established the NCSC to spearhead the country’s defences. In the three months after the centre was launched, there were 188 high-level attacks as well as countless lower-level incidents. The chancellor, Philip Hammond, disclosed in February that the NCSC had blocked 34,550 potential attacks targeting UK government departments and members of the public in six months.


The Patients Association condemned the criminals behind Friday’s attack, and said lessons from earlier incidents had not been learned. “It has long been known that the NHS struggles with IT in multiple respects and that this includes serious security problems,” it said.

Infected computers show a message demanding a $300 (£233) ransom per machine to be paid to a Bitcoin wallet address. It says: “Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

“You only have three days to submit the payment. After that the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

NHS Digital confirmed that a number of NHS organisations had been affected and refused to confirm or deny reports that put the total as high as 40. “The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” it said. “At this stage, we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.”

NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.

British law enforcement agencies said they believed the attack was criminal in nature, as opposed to a cyber-attack by a foreign power, and was being treated as serious but without national security implications.

One NHS worker, who asked to remain anonymous, said the attack began at about 12.30pm and appeared to have been the result of phishing. “The computers were affected after someone opened an email attachment. We get a lot of spam and it looks like something was sent to all the trusts in the country. Other hospitals have now been warned not to open these emails: all trusts communicate with each other.”

Another NHS worker, who works at an Essex hospital and also asked to remain anonymous, said her team’s computers went down at about 2pm. “We were told to shut down, take out network cables and unplug the phones,” she said. “A message came up for just one of our team about the fact that all the files would be wiped in two hours unless we gave $300 in bitcoins.”

Dr Chris Mimnagh, a GP in Liverpool, said his surgery had severed links to the wider NHS network as a precaution. He said: “Unable to access our clinical system; as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results. We are dealing with urgent problems only. Our patients are being very understanding so far.”

Lorina Nash, 46, from Hertfordshire, was bringing her mother for an appointment at Lister hospital in Stevenage when systems went down. “We have been here since 12.30pm and the computers were affected at about 12pm; patients are still waiting around but most of the A&E patients have been sent to other hospitals. I have never seen accident and emergency so empty.

“They gave my mum a blood test but have had to send her blood to Cambridge by courier for testing. They said it could take two or three hours before it comes back with a result.”

Dr Asif Munaf, a gastroenterologist at Chesterfield hospital, said there was a backlog of patients in its A&E, which he said had been badly affected because it was unable to book new patients on the system.

“From my ward’s point of view, we’re not able to make referrals to, for example, psychiatry because they use a different system to us,” he said. “Everything’s getting delayed. Patients who were supposed to go home this afternoon won’t go home until Monday because they now won’t be seen and get a follow-up plan. It’s quite unfortunate for the patients.”

Dr Christopher Richardson, the head of the cybersecurity unit at Bournemouth University, said the process of recovering the NHS’s IT systems would involve a painful and longwinded deep strip of affected computers.

“You go down to the basic machine, you take everything off it, you reconfigure it and then you build it back up again,” he said. “If you’re talking national health, you’re talking a lot of machines on a single site and you’ve got to get them all because these nasty pieces of malware, they float around, so they only have to remain on one machine and when you reboot it will deliver the same thing again.”

Additional reporting by Sam Jones in Madrid


‘$300m in cryptocurrency’ accidentally lost forever due to bug

User mistakenly takes control of hundreds of wallets containing cryptocurrency Ether, destroying them in a panic while trying to give them back

More than $300m of cryptocurrency has been lost after a series of bugs in a popular digital wallet service led one curious developer to accidentally take control of and then lock up the funds, according to reports.

Unlike most cryptocurrency hacks, however, the money wasn’t deliberately taken: it was effectively destroyed by accident. The lost money was in the form of Ether, the tradable currency that fuels the Ethereum distributed app platform, and was kept in digital multi-signature wallets built by a developer called Parity. These wallets require more than one user to enter their key before funds can be transferred.

On Tuesday Parity revealed that, while fixing a bug that let hackers steal $32m out of a few multi-signature wallets, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet.

Q&A

What is cryptocurrency?

A cryptocurrency is a form of digital asset, created through a canny combination of encryption and peer-to-peer networking.

Bitcoin, the first and biggest cryptocurrency, is part of a decentralised payment network. If you own a bitcoin, you control a secret digital key which you can use to prove to anyone on the network that a certain amount of bitcoin is yours.

If you spend that bitcoin, you tell the entire network that you’ve transferred ownership of it, and use the same key to prove that you’re telling the truth. Over time, the history of all those transactions becomes a lasting record of who owns what: that record is called the blockchain.

After bitcoin’s creation in 2009, a number of other cryptocurrencies sought to replicate its success by taking its free, public code and tweaking it for different purposes.

Some, such as Filecoin, have a very defined goal. It aims to produce a sort of decentralised file storage system: as well as simply telling the network that you have some Filecoins, you can tell the network to store some encrypted data and pay Filecoins to whoever stores it on their computer.

Others are more nebulous. Ethereum, using the Ether token, is now the second biggest cryptocurrency after bitcoin and essentially a cryptocurrency for making cryptocurrencies. Users can write “smart contracts”, which are effectively programs that can be run on the computer of any user of the network if they’re paid enough Ether.

Of course, to many, the purpose is secondary. The only really important thing is that the value of an Ether token increased 2,500% over 2017, meaning some are hoping to jump on the bandwagon and get rich. Bubble or boom? That’s the $28bn question.

The user, devops199, triggered the flaw apparently by accident. When they realised what they had done, they attempted to undo the damage by deleting the code which had transferred ownership of the funds. Rather than returning the money, however, that simply locked all the funds in those multisignature wallets permanently, with no way to access them.

“This means that currently no funds can be moved out of the multi-sig wallets,” Parity says in a security advisory.

Effectively, a user accidentally stole hundreds of wallets simultaneously, and then set them on fire in a panic while trying to give them back.

“We are analysing the situation and will release an update with further details shortly,” Parity told users.

Hard fork

Some are pushing for a hard fork of Ethereum, which would undo the damage by effectively asking 51% of the currency’s users to agree to pretend that it had never happened in the first place. That would require a change to the code that controls ethereum, and then that change to be adopted by the majority of the user base. The risk is that some of the community refuses to accept the change, resulting in a split into two parallel groups.

Such an act isn’t unheard of: another hack, two years ago, of an Ethereum app called the DAO resulted in $150m being stolen. The hard fork was successful then, but the money stolen represented a much larger portion of the entire Ethereum market than the $300m lost to Parity.

The lost $300m follows the discovery of a bug in July that led to the theft of $32m in ether from just three multisignature wallets. A marathon coding and hacking effort was required to secure another $208m against theft. Patching that bug led to the flaw in Parity’s system that devops199 triggered by accident.

Parity says that it is unable to confirm the actual amount lost, but that the $300m figure is “purely speculative”. The company also disputes that the currency is “lost”, arguing that “frozen” is more accurate. But if it is frozen, it appears that no-one has the ability to unfreeze the funds.

“The Parity vulnerability was the result of an incorrectly coded smart contract used by the Parity wallet to store tokens on the Ethereum network,” said Dominic Williams, founder of blockchain firm DFINITY. “The vulnerability made it possible for anyone to freeze the tokens held by that smart contract, making them immovable. At this time, the only method we are aware of to unfreeze tokens held by the vulnerable smart contract would be to create a new hard fork Ethereum client that deploys a fix. This would require every full node on the Ethereum network to upgrade by the date of the hard fork to stay in sync, including all miners, wallets, exchanges, etc.”

Ethereum has rapidly become the second most important cryptocurrency, after Bitcoin, with its price increasing more than 2,500% over the past year. One token of Ether is now worth a little over $285, up from $8 in January.

Read more: https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether