On Friday 12th May, when most organizations were inactive, a fast-moving wave of the WannaCry ransomware attack swept the globe. Apparently, this cyber attack exploits a flaw exposed in documents leaked from the US National Security Agency.
What is this Massive Cyber Attack?
The attacks, which have now affected 150 countries, use ransomware: malware that locks users’ files unless they pay the attackers $300 in the virtual currency Bitcoin.
Microsoft released a patch for the vulnerability but many systems may not have been updated.
The Massive Attack: The Intensity of WannaCry Ransomware
Within 2 days, the hackers had reportedly spread the infection to 99 countries including the US, UK, Russia, China, Italy, India, Spain, and Taiwan.
The cyber security firm Avast said it had seen 75,000 cases of the ransomware, known as WannaCry (and variants of this name), across the globe.
Bitcoin wallets seemingly associated with this malware have started to fill up with payments.
The Victims of Global Cyber-Attack
First Hit: The first victim was the UK’s National Health Service (NHS), where hospitals had to cancel appointments and turn away patients. Patients would “almost certainly suffer” as a result.
The screenshots of the attack were shared by hospital staff.
Here's the malware attack which appears to have hit NHS hospitals right across England today pic.twitter.com/zIAJ6wbAG5
— Lawrence Dunhill (@LawrenceDunhill) May 12, 2017
Suffered the Most: Russia saw more infections than any other country.
The interior ministry of Russia said it had “localised the virus” following an “attack on PC using Windows operating system”.
Kaspersky, an anti-virus provider, indicated that over 70 percent of the computers infected by WannaCry were located in Russia.
India was also among the three countries worst affected by the attack.
Elsewhere, people tweeted photos of affected computers in a university computer lab in Italy and a local railway ticket machine in Germany. Large organizations such as Portugal Telecom, FedEx, Megafon, and Telefonica were also hit.
Who is the Attacker?
Apparently, the attack was built to exploit a weakness in Microsoft systems identified by the NSA and named EternalBlue.
The Shadow Brokers, a group of hackers, stole the NSA tools and later tried to auction the encrypted cache online. They subsequently made the tools freely available, releasing the encryption password on 8th April.
How Does WannaCry Work?
Some experts say the infections are deployed via a worm (a program that spreads by itself between computers).
So how is it different?
This malware doesn’t rely on humans, unlike many other malicious programs, which have to be clicked to spread further. This is probably the reason for the “global chaos” and its huge public impact.
Was This Attack Predicted?
The attack was caused by malware named WanaCryptor 2.0, or WannaCry, that exploits a vulnerability in Windows.
“This was eminently predictable in lots of ways,” said Ryan Kalember of the cybersecurity firm Proofpoint.
He further added “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”
How to Protect Yourself from WannaCry Ransomware
Microsoft released a patch for the vulnerability, but many systems may not have been updated. You can install this security patch yourself.
Direct link to security patch: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Ransomware: The Current Status
Other than the patch provided by Microsoft, Darien Huss from the security firm Proofpoint found and activated a “kill switch” in this malware.
— Darien Huss (@darienhuss) May 12, 2017
It involves a very long nonsensical domain name that the malware makes a request to; if the request comes back showing that the domain is live, the kill switch takes effect and the malware stops spreading.
However, the kill switch won’t help anyone whose computer is already infected.
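The kill-switch behaviour described above also gives defenders a detection signal: legitimate software never looks up that nonsensical domain, so any DNS query for it means the malware ran on that host, whether or not the domain was live at the time. The following Python script, an added example that is not from the original article, scans constructed DNS log lines for such lookups; the domain name, log format and addresses are placeholders, not values from the article.

```python
"""Flag hosts whose DNS logs show a lookup of the WannaCry kill-switch domain.

A hit means the host executed the malware. The response code then tells you
whether the kill switch engaged (domain live, worm stops spreading from that
host) or not (domain unresolved, worm would have kept spreading).
"""
import re

# Assumption: placeholder standing in for the real long, nonsensical domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed log lines in a simplified "<time> <client> <qname> <rcode>" format.
SAMPLE_DNS_LOG = """\
2017-05-12T07:44:01Z 10.1.4.22 killswitch-placeholder.example NXDOMAIN
2017-05-12T07:44:03Z 10.1.4.22 update.example.com NOERROR
2017-05-12T09:10:55Z 10.1.7.9 killswitch-placeholder.example. NOERROR
2017-05-12T09:11:02Z 10.1.9.14 www.example.org NOERROR
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def parse_dns_log(text):
    """Yield one dict per well-formed log line; malformed lines are ignored."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            yield match.groupdict()


def kill_switch_hits(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client: verdict} for every client that queried the kill-switch domain.

    The first lookup per client is kept, since the malware checks the domain
    once when it starts. Trailing dots and case in the query name are normalised.
    """
    hits = {}
    for rec in parse_dns_log(text):
        if rec["qname"].rstrip(".").lower() != domain.lower():
            continue
        # NOERROR: the domain resolved, so the kill switch stopped further spreading.
        # Anything else: the domain was not live and the worm would continue.
        verdict = "infected-halted" if rec["rcode"] == "NOERROR" else "infected-spreading"
        hits.setdefault(rec["client"], verdict)
    return hits


if __name__ == "__main__":
    for client, verdict in sorted(kill_switch_hits(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {verdict}")
```

Either verdict should trigger isolation and cleanup of the host, since, as noted above, the kill switch does not help a machine that is already infected.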
Who is Protected?
Norton and Symantec customers are protected against WannaCry with the help of several technologies. The following detections are in place:
Intrusion Prevention System
- 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3)
- 23737 (Attack: Shellcode Download Activity)
- 30018 (OS Attack: MSRPC Remote Management Interface Bind)
- 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2)
- 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution)
- 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144)
- 22534 (System Infected: Malicious Payload Activity 9)
- 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)
- 29064 (System Infected: Ransom.Ransom32 Activity)
Track the Malware Spread
With the live map, you can track wcrypt incidents and see how many of the botnets are online and offline in real time. The map tracks the malware across the world, and a unique-IP chart below the map reveals the number of new botnets coming online.
Not sure if your server is vulnerable? Or don’t know how to install the security patch? Don’t worry… Get in touch with us today, before it’s too late!