Organizations around the world have been hit with the Wana Decrypt0r (aka WannaCry) ransomware, in what seems to be the most massive ransomware delivery campaign to date.
— MalwareTech (@MalwareTechBlog) May 12, 2017
So far, we have recorded more than 45,000 attacks of the #WannaCry ransomware in 74 countries around the world. Number still growing fast.
— Costin Raiu (@craiu) May 12, 2017
By many accounts, the success of the campaign is due to the attackers leveraging EternalBlue, an exploit capable of penetrating machines running unpatched Windows XP through 2008 R2, by exploiting vulnerabilities in Microsoft Windows SMB Server.
WannaCry/WanaCrypt0r 2.0 is indeed triggering ET rule : 2024218 "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response" pic.twitter.com/ynahjWxTIA
— Kafeine (@kafeine) May 12, 2017
Confirmed – wcry ransomware spreading across Europe uses EternalBlue/MS17-010/SMB. PATCH NOW EVERYWHERE.
— Kevin Beaumont (@GossiTheDog) May 12, 2017
The aforementioned vulnerabilities have been patched by Microsoft in March, but as we all know it takes a while for organizations to implement patches to all their systems.
The EternalBlue exploit has been leaked by the Shadow Brokers in April, along with other Windows exploits supposedly stolen from the Equation Group (i.e. the NSA), and it didn’t take long for criminals to start using it.
Among the victim organizations are:
- A number of hospitals in England run by the National Health Service (NHS), and the attack resulted in considerable disruptions to their services.
- Spanish telecom Telefonica, and companies like Gas Natural (natural gas provider) and Iberdrola (electric utility). Use of EternalBlue confirmed by the Spanish CERT. “A single infected computer can end up compromising the entire corporate network,” they warned.
- Computers in some regional offices of the Russian Ministry of Internal Affairs.
- A university in Italy.
The number keeps rising, showing just how many organizations are not keeping up with the patching.
Judging by some of the Bitcoin adresses associated with the attack, some victims are starting to pay up the requested ransom.
Comments from the security industry
“The ransomware infection that is spreading throughout the United Kingdom, and the world, is version 2.0 of WanaCypt0r (aka WCry, WannaCry, and WannaCryptor). Recorded Future saw the first appearance of this ransomware on March 31st, but the version that is rapidly spreading has made some significant changes,”noted Allan Liska, Senior Solutions Architect at Recorded Future.
“Specifically, the new version takes advantage of the SMB vulnerability outlined in Microsoft Security Bulletin (MS17-010), also known as the EternalBlue exploit. The worm-like capabilities are the new feature added to this ransomware.”
“The attacks that have taken place do not appear to be targeted attacks, instead they appear to be part of a phishing campaign, though that has not been fully confirmed. Infections of the new version of WanaCypt0r started in Spain earlier today, but have since spread to the United Kingdom, Russia, Japan, Taiwan, the United States and many more,” he noted.
“Given the relative ineffectiveness of the first version of WanaCypt0r, it is likely the author did not expect this type of success from the new campaign, which could cause problems for any organisation that attempts to pay the ransom. For now, the best advice is to ensure that all Windows systems are fully patched, to ensure that firewalls are blocking access to SMB and RDP ports, and to educate users to watch out for suspicious emails.”
“This is one of the largest global ransomware attacks the cyber community has ever seen,” Rich Barger, Director of Cyber Research, Splunk, has noted.
“Initial reports that this malware is propagating on its own – for those who remember the early 2000s, this is a worm – malware that infects a machine and then looks for other vulnerable hosts on the same network or randomly scans and looks for other vulnerable hosts to infect.”
“Ransomware is arguably the No. 1 method of cyber attack in 2017, and this attack demonstrates the paramount need for critical enterprises to have a ransomware playbook in place for when they are attacked. Protecting critical infrastructure from cyber attack is a responsibility that cannot be taken lightly. One thing is for sure – somebody is going to get very rich, or spend a very long amount of time in jail,” he added.