A sophisticated worm is attacking Windows machines globally, possibly the largest in history and is locking up computers in Hospitals, Airports and Governments. The true scope of this attack is currently unknown, but the attacks are widespread and leaving experts scrambling to slow down and stop the spread.
What we know so far
- Worm infects unpatched Windows machines
- Windows XP, 7 & 10 are the main targets
- Ransomeware encrypts your files, payment required to unlock
- Paying ransom only way to unlock/decrypt
- No payment in 7 days will lead to file deletion
- The worm is spreading on local networks without user involvement
- Hospitals, AirPorts and other major institutions are affected
- Ransomware based on leaked NSA cyber-weapons (ETERNALBLUE and maybe DOUBLEPULSAR)
- Multiple varients of the worm exist, including Wcry / WannaCry / WannaCryptor
- At least 99 countries affected
Worm infects unpatched Windows machines
If you have the recent patch MS17-010, which was part of the March Windows Update package, your machine can’t get infected (unless you click on a link/attachment in an email).
Users who regularly update or have the Windows automatic updates turned on should already have the patch to protect their machines.
Summary of the MS17-01 patch
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.
Read more about the patch information at Microsoft
Security updates and support for Windows XP ended April 8, 2014, meaning all XP machines are vulnerable.
Users of Windows 7 & 10 are recommended to update their machines ASAP to add this patch.
Check your machine has the latest updates
Select the Start button, then select Settings > Update & security > Windows Update . If you want to check for updates manually, select Check for updates.
Windows XP, 7 & 10 are the main targets
All unpatched Windows versions up through to Windows 10 are affected. The is an exploit targeted to the Windows operating system, so iOS and Linux users cannot be infected.
This seems to be a both a standard phishing/ransomware attack but it’s also spreading like a worm once it gets into a target network. Malware can spread in many ways, once this exploits ms17-010 it then moves throughout the network encrypting file.
The virus appears to have originally spread via email as a compressed file attachment, users who have opened this file and don’t have the ms17-010 patch are then infected, along with other users on the network. Users on the network that do have the ms17-010 patch appear to be unaffected. The worm then continues to spread from an infected machine via email.
As a reminder, never open an attachment or click a link from an unknown source.
The Shadow Brokers, a hacker group, had published leaked hacking tools from the National Security Agency (NSA), which had discovered exploits in Windows systems. The NSA used an exploit codenamed Eternalblue for years to remotely commandeer computers running Microsoft Windows. The Eternalblue exploit has been used in the development and targeting of the wannacry worm.
Ransomeware encrypts your files, payment required to unlock
You don’t have to click a link or open an attachment to be infected, you just have to be on a network with unpatched machines where another user has clicked a link or opened an infected attachment. This is why the spread is happening with such speed globally.
As reported by Kaspersky
The file extensions that the malware is targeting contain certain clusters of formats including:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
When your machine is infected, it will blue screen, then reboot. At this point, your files are encrypted. Users are reporting it only takes 5 minutes for the worm to reach the entire drive, and encrypt everything.
The wallpaper of infected computers is changed to the following
When you open the “@WanaDecryptor@.exe” program, the following message with information on how you can pay to get the unlock code will display
Paying ransom only way to unlock/decrypt
There are two options, pay or don’t pay.
If you don’t pay in 7 days your files will be unrecoverable. A judgement needs to be made on the importance of your files. There are no recovery options other than already having backups. With backups, you can run a clean install of your machine and restore to a previous day – although professional assistance should be sought to ensure your machine does not retain the ransomware.
There is no other way to unlock your files, so payment will be required.
The ransom request starts $300 worth of bitcoin. If payment has not been received in 3 days from infection, the price doubles.
It is unclear yet if all payments then receive the encryption key to unlock their devices.
No payment in 7 days will lead to file deletion
No backups? Don’t pay? Watch the timer countdown – once complete, the encryption key will be deleted. This means your files will remain on your machine, encrypted, with no way to unlock.
At this stage, a complete wiping of your system will be required.
It is advised you seek professional help to ensure the ransomware is removed from your system.
It’s also recommended a backup process is created and followed.
The worm is spreading on local networks without user involvement
Something like this is incredibly significant, we've not seen P2P spreading on PC via exploits at this scale in nearly a decade.
— MalwareTech (@MalwareTechBlog) May 12, 2017
Computers that are mapped to a common network drive, a system allowing connections to a central server or to other machines on the network, are vulnerable to the spread.
If a machine on the network becomes infected, the worm will spread through the mapped drive/s to all other computers on the network – so you don’t even need to click on a link or download a file to be infected. Once it’s in the system, it continues to spread through drives it can see.
The encryption key is unique to each machine, so a large network, without backups, will face a high cost to unlock.
This is causing widespread attack on large network, including airports, train stations, hospitals and many other institutions.
Hospitals, AirPorts and other major institutions are affected
This attack is locking important machines used in hospitals, which is endangering lives.
The UK NHS has identified 16 NHS organisations are affected by this issue.
banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government’s National Health Service, and Spanish telecom Telefonica have all been hit.
— Marco Aguilar (@Avas_Marco) May 12, 2017
Germany's main train operator Deutsche Bahn was attacked by ransomware based on leaked NSA tools. pic.twitter.com/hP66QZT1cQ
— Pamela Moore (@Pamela_Moore13) May 12, 2017
Russia’s Interior Ministry has also been hit with this cyberattack.
Ransomware based on leaked NSA cyber-weapons (ETERNALBLUE and maybe DOUBLEPULSAR)
NSA may have cost the lives of hundreds of hospital patients through its incompetence and hiding bugs from industry https://t.co/13f7ZGghYo
— WikiLeaks (@wikileaks) May 12, 2017
The National Security Agency (NSA) developed a number of tools to gain access to computers to gather information.
In August of 2016, a hacking group known as Shadow Brokers began publishing tools used by the NSA, which included a number of zero-day exploits.
On April 14th 2017, Shadow Brokers published a tweet, which linked to a post providing access to exploits and tools created and used by the NSA.
— theshadowbrokers (@shadowbrokerss) April 14, 2017
Included in the dump were tools and exploits codenamed: DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY
Microsoft, a month earlier, had already provided a patch to prevent the ETERNALBLUE exploit, however systems that did not update were and still are vulnerable to the exploit.
The methods behind the ETERNALBLUE exploit were used in the development of the WannaCry ransomeware worm, which is quickly spreading to unpatched Windows machines.
Multiple varients of the worm exist, including Wcry / WannaCry / WannaCryptor
Kaspersky Lab has detected multiple versions, including;
At least 99 countries affected
Major internet security companies are closely monitoring the spread of #Wanacry Ransomware, according to Avast, at least 99 countries have been affected.
At this stage it appears Europe is most affected
image via Kaspersky Lab
image via Avast
WannaCry ransomware used in widespread attacks all over the world
What you need to know about the WannaCry Ransomware
An NSA-derived ransomware worm is shutting down computers worldwide
Ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far, today
Antivirus vendors malware detection – check your provider
Some advice on updated your machines before infection
It’s early days, as this continues to spread we’ll keep an eye on infections and will report more on an upcoming podcast.
Make sure your Windows devices are up-to-date and also follow Antivirus providers for useful tips and advice.
If you’re infected and without backups, your only option may be to pay – whilst it’s in the best interest of the hackers to then unlock your computer, it’s certainly not guaranteed.
The attackers are now undoubtedly on top of the most wanted list, though finding them will do little to slow down or stop the spread.