CyberPeace Alert: Global Disruptions as CrowdStrike Update Triggers Windows BSOD
Overview:
Millions of Windows users around the world are facing the Blue Screen of Death (BSOD) problem, which makes systems shut down or restart. This has been attributed to a recently released CrowdStrike update and has impacted many organizations, financial institutions, and government agencies across the globe. Indian airlines have also reported disruptions on X (formerly Twitter), informing passengers about the issue.
Understanding Blue Screen of Death:
Blue Screen errors, also known as black screen errors or STOP code errors, can occur due to critical issues forcing Windows to shut down or restart. You may encounter messages like "Windows has been shut down to prevent damage to your computer." These errors can be caused by hardware or software problems.
Impact on Industries
Some of the large U.S. airlines, such as American Airlines, Delta Airlines, and United Airlines, had to issue ground stops because of communication problems. Also, several airports on Friday suffered a massive technical issue in check-in kiosks for IndiGo, Akasa Air, SpiceJet, and Air India Express.
The Widespread Issue
The issue seems widespread and is causing disruption across the board, as Windows PCs are deployed at workplaces and other public entities such as airlines, banks, and even media companies. It has been pointed out that these Windows PCs use a cybersecurity solution from a company called CrowdStrike, which seems to be the culprit for this outage, affecting most Windows PC users out there.
Microsoft's Response
Microsoft has acknowledged the issue, and mitigations are underway. Through its verified X handle, Microsoft 365 Status, the company has shared a series of updates on the latest outage and says it is looking into the matter. The issue is under investigation.
In one of the posts from Microsoft Azure, it is mentioned that they have become aware of an issue affecting Virtual Machines (VMs) running Windows Client and Windows Server with the CrowdStrike Falcon agent installed. These VMs may encounter a bug check (BSOD) and become stuck in a restarting state. Their analysis indicates that this issue started approximately at 19:00 UTC on July 18th. They have provided recommendations as follows:
Restore from Backup: If customers have backups available from before 19:00 UTC on July 18th, they should recover VM data from those backups. If the customer is using Azure Backup, they can get exact steps on how to restore VM data in the Azure portal.
Offline OS Disk Repair: Alternatively, customers can attempt offline repair of the OS disk by attaching an unmanaged disk to the affected VM. Encrypted disks may require additional steps to unlock before repair. Once attached, delete the following file:
Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys
After deletion, reattach the disk to the original VM.
Microsoft Azure is actively investigating additional mitigation options for affected customers. We will provide updates as we gather more information.
Resolving Blue Screen Errors in Windows
Windows 11 & Windows 10:
Blue Screen errors can stem from both hardware and software issues. If new hardware was added before the error, try removing it and restarting your PC. If restarting is difficult, start your PC in Safe Mode.
To Start in Safe Mode:
From Settings:
Open Settings > Update & Security > Recovery.
Under "Advanced startup," select Restart now.
After your PC restarts to the Choose an option screen, select Troubleshoot > Advanced options > Startup Settings > Restart.
After your PC restarts, you'll see a list of options. Select 4 or press F4 to start in Safe Mode. If you need to use the internet, select 5 or press F5 for Safe Mode with Networking.
From the Sign-in Screen:
Restart your PC. When you get to the sign-in screen, hold the Shift key down while you select Power > Restart.
After your PC restarts, follow the steps above.
From a Black or Blank Screen:
Press the power button to turn off your device, then turn it back on. Repeat this two more times.
After the third time, your device will start in the Windows Recovery Environment (WinRE).
From the Choose an option screen, follow the steps to enter Safe Mode.
Additional Help:
Windows Update: Ensure your system has the latest patches.
Blue Screen Troubleshooter: In Windows, open Get Help, type Troubleshoot BSOD error, and follow the guided walkthrough.
Online Troubleshooting: Visit Microsoft's support page and follow the recommendations under "Recommended Help."
If none of those steps help to resolve your Blue Screen error, please try the Blue Screen Troubleshooter in the Get Help app:
- In Windows, open Get Help.
- In the Get Help app, type Troubleshoot BSOD error.
- Follow the guided walkthrough in the Get Help app.
[Note: If you're not on a Windows device, you can run the Blue Screen Troubleshooter on your browser by going to Contact Microsoft Support and typing Troubleshoot BSOD error. Then follow the guided walkthrough under "Recommended Help."]
For detailed steps and further assistance, please refer to the Microsoft support portal or contact their support team.
CrowdStrike’s Response:
In its statement, CrowdStrike clearly says that this is not a cyberattack and that its resources are working to fix the issue on Windows. It has identified the deployment issue and fixed it. CrowdStrike describes the problematic and reverted versions as follows:
- “Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
- Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.
Note: It is normal for multiple "C-00000291*.sys" files to be present in the CrowdStrike directory - as long as one of the files in the folder has a timestamp of 0527 UTC or later, that will be the active content.”
CrowdStrike will continue to provide the latest updates and advises its customers and organizations to contact its representatives through official channels for the latest updates and accurate information. Customers are encouraged to refer to the customer support portal for further help.
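The timestamp rule in CrowdStrike's statement can be checked across a driver folder (on a live host or an attached OS disk) with a short script. This is an added example, not code from CrowdStrike, Microsoft or this alert; the function name `Get-ChannelFile291Status`, the `-UpdateDate` parameter (the statement gives only times of day, so the operator supplies the calendar date) and the sample files are assumptions constructed for illustration. It only reports and deletes nothing.

```powershell
function Get-ChannelFile291Status {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Directory,   # CrowdStrike driver folder to inspect
        [Parameter(Mandatory)] [datetime] $UpdateDate   # assumption: date supplied by the operator
    )
    $day      = [datetime]::SpecifyKind($UpdateDate.Date, 'Utc')
    $badFrom  = $day.AddHours(4).AddMinutes(9)    # 0409 UTC: problematic version
    $goodFrom = $day.AddHours(5).AddMinutes(27)   # 0527 UTC or later: reverted (good) version

    # The page writes the pattern both with and without the hyphen; match either spelling.
    $files = Get-ChildItem -LiteralPath $Directory -File |
        Where-Object { $_.Name -like 'C-00000291*.sys' -or $_.Name -like 'C00000291*.sys' }

    $rows = @(foreach ($f in $files) {
        $t = $f.LastWriteTimeUtc
        if ($t -ge $goodFrom) { $verdict = 'reverted (good)' }
        elseif ($t -ge $badFrom -and $t -lt $badFrom.AddMinutes(1)) { $verdict = 'problematic' }
        else { $verdict = 'unclassified' }   # a time the statement does not cover
        [pscustomobject]@{ Name = $f.Name; LastWriteUtc = $t.ToString('u'); Verdict = $verdict }
    })
    [pscustomobject]@{
        Files            = $rows
        HasGoodContent   = @($rows | Where-Object Verdict -eq 'reverted (good)').Count -gt 0
        ProblematicFiles = @($rows | Where-Object Verdict -eq 'problematic' | ForEach-Object Name)
    }
}

# Constructed demo: the file names, contents and date below are made up for illustration.
$demo = Join-Path ([IO.Path]::GetTempPath()) "cs-demo-$([guid]::NewGuid())"
$null = New-Item -ItemType Directory -Path $demo
$date = [datetime]'2000-01-01'
$samples = [ordered]@{ 'C-00000291-00000000-00000001.sys' = '04:09:30'   # problematic window
                       'C-00000291-00000000-00000002.sys' = '05:27:10'   # reverted (good)
                       'C-00000290-00000000-00000001.sys' = '04:09:30' } # other channel, ignored
foreach ($name in $samples.Keys) {
    $path = Join-Path $demo $name
    Set-Content -LiteralPath $path -Value 'constructed'
    (Get-Item -LiteralPath $path).LastWriteTimeUtc = [datetime]::SpecifyKind($date, 'Utc') + [timespan]$samples[$name]
}
$report = Get-ChannelFile291Status -Directory $demo -UpdateDate $date
$report.Files | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse
```

`HasGoodContent` reflects the note in the statement that one file stamped 0527 UTC or later is enough for the active content to be the reverted version, even when a file from the 0409 UTC window is still present.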
Stay safe and ensure regular backups to mitigate the impact of such issues.
References:
https://status.cloud.microsoft/
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/