Ransomware derived in part from NSA tools publicly leaked last month has shut down computers around the world in recent days.
The ransomware is known as WannaCry, WCry, or simply Wanna. According to an analysis by Kaspersky Lab’s Global Research & Analysis Team, it is based on an exploit called “EternalBlue” that was released by a group calling itself the Shadow Brokers in April 2017. Microsoft had patched the underlying vulnerability a month earlier, so any computer hit by this ransomware has most likely gone nearly two months without correctly installing and/or configuring critical security patches. Tracking services such as this one run by Intel show the current spread of infected computers.
After infecting a computer, WannaCry encrypts the contents of its hard drive. A lock screen then demands payment of $300-$600 to a Bitcoin address by May 15 in exchange for a decryption key to recover the files. If an infected computer misses that deadline, the ransom demand increases, with a new deadline of May 19. WannaCry propagates across the Internet through multiple attack vectors, primarily as a worm.
A security researcher going by the Twitter handle @MalwareTech managed to slow the spread of the worm by registering a domain that was embedded in WannaCry’s code as a kill switch. The UK’s National Cyber Security Centre estimates that this has prevented as many as 100,000 infections, but MalwareTech cautions that it is only a stopgap: vulnerable computers still need the security patches deployed if they haven’t been already. The registered domain halts the worm’s propagation, but it does nothing about other attack vectors such as e-mail.
Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You're only safe if you patch ASAP.
— MalwareTech (@MalwareTechBlog) May 14, 2017
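Because the worm looks up the kill-switch domain before deciding whether to spread, a lookup of that domain from an internal host is a strong sign the host has already executed WannaCry, even though the registered domain stopped it propagating. The script below is an added example, not code from the article or from MalwareTech: it scans constructed BIND-style DNS query-log lines for hosts that queried a placeholder kill-switch domain (the real domain is not reproduced here) and reports each host’s first lookup time and query count so a defender can isolate and patch it.

```python
import re
from datetime import datetime

# Placeholder standing in for the real kill-switch domain (assumption, not the real value).
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample DNS resolver log in BIND query-log style; the addresses are made up.
SAMPLE_LOG = """\
14-May-2017 09:12:01.115 client 10.0.3.21#51234: query: www.example.org IN A + (10.0.0.53)
14-May-2017 09:12:02.401 client 10.0.3.57#49821: query: killswitch-domain.example IN A + (10.0.0.53)
14-May-2017 09:12:02.406 client 10.0.3.57#49822: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A + (10.0.0.53)
14-May-2017 09:13:45.880 client 10.0.3.99#40111: query: killswitch-domain.example IN AAAA + (10.0.0.53)
14-May-2017 09:14:10.002 client 10.0.3.21#51240: query: mail.example.org IN MX + (10.0.0.53)
"""

# Timestamp, client address and queried name; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<src>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(name):
    """Compare names case-insensitively and ignore a trailing root dot."""
    return name.rstrip(".").lower()


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {source_ip: (first_seen, query_count)} for hosts that looked up the domain.

    Any query type counts: the signal is that the host tried to resolve the
    domain at all, not whether the resolution succeeded.
    """
    hits = {}
    target = normalize(domain)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize(m.group("qname")) != target:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        src = m.group("src")
        first, count = hits.get(src, (ts, 0))
        hits[src] = (min(first, ts), count + 1)
    return hits


if __name__ == "__main__":
    for src, (first, count) in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{src}: first lookup {first:%Y-%m-%d %H:%M:%S}, {count} queries -> isolate and patch")
```

Security scanners and researchers also query such domains, so treat a hit as a triage lead to confirm on the host rather than as proof of infection on its own.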
Among the victims of WannaCry is the United Kingdom’s National Health Service, which found itself performing triage of a different sort: isolating infected computers and trying to contain the spread of the ransomware. Although 48 NHS trusts were hit in the initial wave, only six are not yet back to normal. Hospital staff canceled elective procedures and lost access to critical patient data such as charts and medical histories, a reminder that hospitals around the world have been steadily moving patient care onto computer-based systems.
Beyond the NHS, parts of Spain’s public-sector utilities and several big businesses were compromised as well. 85% of Spanish telecom Telefónica’s computers were crippled by the ransomware. The banks BBVA and Santander, the consultancy KPMG, and the power company Iberdrola were also affected to some degree.
The exploit only affects unpatched versions of Windows 7 or older. Newer versions such as Windows 8 and Windows 10 are not affected by this particular vulnerability, although it bears stressing that individual users and network administrators alike must make sure the systems in their care have all security patches applied. For older computers, Microsoft has taken the incredibly rare step of issuing a patch for unsupported versions of Windows in a bid to stop the program from spreading further.
What do you think of government-created malware finding its way into the wild? Do you think it’s the responsibility of government agencies to securely store any malware payloads just as they would any other weapon? How well do businesses do in terms of keeping their computer systems up to date with the latest security patches? Let us know in the comments below!