Major RansomWare WorldWide Attack #WannaCry

A sophisticated worm is attacking Windows machines globally, in possibly the largest attack of its kind in history, and is locking up computers in hospitals, airports and governments. The true scope of this attack is currently unknown, but the infections are widespread and have left experts scrambling to slow and stop the spread.

What we know so far

Worm infects unpatched Windows machines

If you have the recent patch MS17-010, which was part of the March Windows Update package, your machine can’t be infected over the network (it can still be infected if you click on a link or open an attachment in an email).
Users who regularly update or have the Windows automatic updates turned on should already have the patch to protect their machines.

Summary of the MS17-010 patch

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.

Read more about the patch information at Microsoft

Security updates and support for Windows XP ended April 8, 2014, meaning all XP machines are vulnerable.

Users of Windows 7 & 10 are recommended to update their machines ASAP to add this patch.

Check your machine has the latest updates

Select the Start button, then select Settings > Update & security > Windows Update . If you want to check for updates manually, select Check for updates.
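The Settings steps above are the manual check; on a fleet you will want the same check scripted. The following PowerShell is an added example, not part of the original article or of any Microsoft tooling: it looks for an installed MS17-010 package by KB number and reports whether the SMBv1 server (the component the patch fixes) is still enabled. The KB numbers are the March 2017 MS17-010 packages as I know them and should be verified against Microsoft's bulletin for your exact OS build; the registry fallback for Windows 7 is Microsoft's documented SMB1 switch.

```powershell
# Added example (not from the original article): report whether this machine has an
# MS17-010 package installed and whether the SMBv1 server is still enabled.
# KB numbers are the March 2017 MS17-010 packages; verify them against the bulletin.
$Ms17010Kbs = @(
    'KB4012598',                            # Windows Vista / Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    [CmdletBinding()]
    param([string[]]$KnownKbs = $Ms17010Kbs)

    # Installed updates whose ID matches a known MS17-010 package.
    $installed = Get-HotFix | Where-Object { $KnownKbs -contains $_.HotFixID }

    # SMB1 state: Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    # On Windows 7 fall back to the LanmanServer registry value (SMB1 = 0 means disabled;
    # absent means the default, enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $smb1Enabled = -not ($reg -and $reg.PSObject.Properties['SMB1'] -and $reg.SMB1 -eq 0)
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.VersionString
        Ms17010Installed  = [bool]$installed
        MatchedHotfixes   = ($installed | ForEach-Object HotFixID) -join ','
        Smb1ServerEnabled = $smb1Enabled
    }
}

$status = Get-Ms17010Status
$status | Format-List
if (-not $status.Ms17010Installed) {
    Write-Warning 'No MS17-010 package found; run Windows Update before reconnecting this machine to shared networks.'
}
if ($status.Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server is enabled; on Windows 8 and later it can be turned off with Set-SmbServerConfiguration -EnableSMB1Protocol $false.'
}
```

One caveat: on Windows 10 a later cumulative update supersedes the March package and the IDs above will not appear in Get-HotFix, so treat a missing ID as a prompt to compare the OS build against the bulletin, not as proof of exposure. The SMBv1 result is the more durable check, since the exploit needs that protocol regardless of which update closed the hole.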

Windows XP, 7 & 10 are the main targets

All unpatched Windows versions up to and including Windows 10 are affected. This is an exploit targeted at the Windows operating system, so iOS and Linux users cannot be infected.

This appears to be both a standard phishing/ransomware attack and a worm: once it gets into a target network it spreads on its own. Malware can spread in many ways; once this one exploits MS17-010 on a machine, it moves through the network encrypting files.

The virus appears to have originally spread via email as a compressed file attachment. Users who opened this file and don’t have the MS17-010 patch are then infected, along with other users on the network. Users on the network who do have the MS17-010 patch appear to be unaffected. The worm then continues to spread from an infected machine via email.

As a reminder, never open an attachment or click a link from an unknown source.

The Shadow Brokers, a hacker group, had published leaked hacking tools from the National Security Agency (NSA), which had discovered exploits in Windows systems. The NSA used an exploit codenamed Eternalblue for years to remotely commandeer computers running Microsoft Windows. The Eternalblue exploit has been used in the development and targeting of the wannacry worm.

Ransomware encrypts your files, payment required to unlock

You don’t have to click a link or open an attachment to be infected, you just have to be on a network with unpatched machines where another user has clicked a link or opened an infected attachment. This is why the spread is happening with such speed globally.

As reported by Kaspersky, the file extensions that the malware is targeting fall into several clusters of formats, including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).
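The list above is useful for two defensive questions: what on a given machine would be lost, and therefore what the backup must cover, and whether the ransom program the article names is already present. The PowerShell below is an added example, not code from the article or from Kaspersky; it tallies a folder tree by those categories and flags any “@WanaDecryptor@.exe” it finds. The category names and the placeholder path at the bottom are my own choices.

```powershell
# Added example (not from the original article): inventory a folder tree by the
# Kaspersky extension categories quoted above, and flag the decryptor binary the
# article names. Category labels and the sample path are placeholders of mine.
$TargetedExtensions = @{
    'Office documents'      = '.ppt', '.doc', '.docx', '.xlsx', '.sxi', '.sxw', '.odt', '.hwp'
    'Archives and media'    = '.zip', '.rar', '.tar', '.bz2', '.mp4', '.mkv'
    'Email and mailboxes'   = '.eml', '.msg', '.ost', '.pst', '.edb'
    'Databases'             = '.sql', '.accdb', '.mdb', '.dbf', '.odb', '.myd'
    'Source code'           = '.php', '.java', '.cpp', '.pas', '.asm'
    'Keys and certificates' = '.key', '.pfx', '.pem', '.p12', '.csr', '.gpg', '.aes'
    'Design and photos'     = '.vsd', '.odg', '.raw', '.nef', '.svg', '.psd'
    'Virtual machines'      = '.vmx', '.vmdk', '.vdi'
}

function Get-RansomwareExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Categories = $TargetedExtensions
    )

    # Reverse map: extension -> category, so each file needs one lookup.
    $lookup = @{}
    foreach ($cat in $Categories.Keys) {
        foreach ($ext in $Categories[$cat]) { $lookup[$ext.ToLower()] = $cat }
    }

    $count = @{}
    $bytes = @{}
    $indicators = @()
    foreach ($f in Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue) {
        # The ransom program named in the article; its presence means the host is already hit.
        if ($f.Name -eq '@WanaDecryptor@.exe') { $indicators += $f.FullName }
        $cat = $lookup[$f.Extension.ToLower()]
        if ($cat) {
            $count[$cat] = 1 + [int]$count[$cat]
            $bytes[$cat] = $f.Length + [long]$bytes[$cat]
        }
    }

    $byCategory = foreach ($cat in $count.Keys) {
        [PSCustomObject]@{
            Category = $cat
            Files    = $count[$cat]
            MB       = [math]::Round($bytes[$cat] / 1MB, 1)
        }
    }
    [PSCustomObject]@{
        Path              = $Path
        ByCategory        = $byCategory | Sort-Object Files -Descending
        DecryptorBinaries = $indicators
    }
}

# Placeholder path: point this at a user profile or a mapped drive.
$result = Get-RansomwareExposure -Path 'C:\Users\example'
$result.ByCategory | Format-Table -AutoSize
if ($result.DecryptorBinaries) {
    Write-Warning "Ransom decryptor binary present: $($result.DecryptorBinaries -join '; ')"
}
```

Run it against the same paths your backup job covers; any category with a large count that the backup does not include is exactly the data the article says has no other recovery option.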

When your machine is infected, it will blue screen, then reboot. At this point, your files are encrypted. Users are reporting that it takes only 5 minutes for the worm to reach the entire drive and encrypt everything.

The wallpaper of infected computers is changed to the following

When you open the “@WanaDecryptor@.exe” program, the following message displays, with information on how you can pay to get the unlock code

Paying ransom only way to unlock/decrypt

There are two options, pay or don’t pay.

If you don’t pay within 7 days your files will be unrecoverable. A judgement needs to be made on the importance of your files. There are no recovery options other than already having backups. With backups, you can run a clean install of your machine and restore from a previous day – although professional assistance should be sought to ensure your machine does not retain the ransomware.

There is no other way to unlock your files, so payment will be required.

The ransom request starts at $300 worth of bitcoin. If payment has not been received within 3 days of infection, the price doubles.

Known Bitcoin wallets accepting money for the ransomware include this, this and this.

It is not yet clear whether everyone who pays then receives the encryption key to unlock their devices.

No payment in 7 days will lead to file deletion

No backups? Don’t pay? Watch the timer count down – once it completes, the encryption key will be deleted. This means your files will remain on your machine, encrypted, with no way to unlock them.

At this stage, a complete wiping of your system will be required.

It is advised you seek professional help to ensure the ransomware is removed from your system.
It’s also recommended a backup process is created and followed.

The worm is spreading on local networks without user involvement

Computers that are mapped to a common network drive (a system allowing connections to a central server or to other machines on the network) are vulnerable to the spread.
If a machine on the network becomes infected, the worm will spread through the mapped drive(s) to all other computers on the network – so you don’t even need to click on a link or download a file to be infected. Once it’s in the system, it continues to spread through the drives it can see.
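Because the spread runs over SMB shares and mapped drives, the first thing to know about any host is what it offers and what it reaches. The PowerShell below is an added example, not from the article or from Microsoft, that reports exactly that using the SmbShare cmdlets shipped with Windows 8 / Server 2012 and later; on older systems the same information comes from `net share` and `net use`.

```powershell
# Added example (not from the original article): list what this host exposes over SMB
# and what it is connected to, i.e. the paths the worm uses between machines.
# Requires the SmbShare module (Windows 8 / Server 2012 and later).
function Get-SmbExposure {
    [CmdletBinding()]
    param()

    # Shares this machine offers; administrative shares (C$, ADMIN$, IPC$) are marked Special.
    $shares   = Get-SmbShare | Select-Object Name, Path, ScopeName, Special
    # Drives mapped from other machines (drive letters backed by \\server\share).
    $mapped   = Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
    # Outbound SMB connections in use right now, with the negotiated dialect
    # (a 1.x dialect means the session is running over SMBv1).
    $outbound = Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Dialect
    # Inbound sessions from other hosts; needs an elevated prompt, otherwise empty.
    $inbound  = Get-SmbSession -ErrorAction SilentlyContinue |
                Select-Object ClientComputerName, ClientUserName, Dialect

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        SharesOffered   = $shares
        MappedDrives    = $mapped
        OutboundSmb     = $outbound
        InboundSessions = $inbound
    }
}

$exposure = Get-SmbExposure
'--- Shares this host offers ---'
$exposure.SharesOffered | Format-Table -AutoSize
'--- Mapped drives (reachable by the worm without any user action) ---'
$exposure.MappedDrives | Format-Table -AutoSize
'--- Live SMB connections and dialects ---'
$exposure.OutboundSmb | Format-Table -AutoSize
$exposure.InboundSessions | Format-Table -AutoSize

# Containment for a host you believe is infected (not routine hygiene): dropping its
# mappings removes the drives the article says it encrypts next.
#   Get-SmbMapping | Remove-SmbMapping -Force
```

Read the output from the worm's point of view: every non-special share with a writable path, and every mapped drive, is a place an infected peer can write encrypted files, so those are the hosts and shares to patch and back up first.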

The encryption key is unique to each machine, so a large network, without backups, will face a high cost to unlock.

This is causing widespread attacks on large networks, including airports, train stations, hospitals and many other institutions.

Hospitals, Airports and other major institutions are affected

This attack is locking important machines used in hospitals, which is endangering lives.

The UK NHS has identified 16 NHS organisations affected by this issue.

Victims include banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government’s National Health Service, and Spanish telecom Telefonica have all been hit.

Russia’s Interior Ministry has also been hit with this cyberattack.

Animated Map of How Tens of Thousands of Computers Were Infected With Ransomware

Ransomware based on leaked NSA cyber-weapons (ETERNALBLUE and maybe DOUBLEPULSAR)

The National Security Agency (NSA) developed a number of tools to gain access to computers to gather information.
In August of 2016, a hacking group known as Shadow Brokers began publishing tools used by the NSA, which included a number of zero-day exploits.

On April 14th 2017, Shadow Brokers published a tweet linking to a post that provided access to exploits and tools created and used by the NSA.

Included in the dump were tools and exploits codenamed: DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY

Microsoft, a month earlier, had already provided a patch against the ETERNALBLUE exploit; however, systems that did not update were, and still are, vulnerable to it.

The methods behind the ETERNALBLUE exploit were used in the development of the WannaCry ransomware worm, which is quickly spreading to unpatched Windows machines.

Multiple variants of the worm exist, including Wcry / WannaCry / WannaCryptor

Kaspersky Lab has detected multiple versions, including:

Trojan-Ransom.Win32.Gen.djd
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
PDM:Trojan.Win32.Generic

At least 99 countries affected

Major internet security companies are closely monitoring the spread of #WannaCry ransomware; according to Avast, at least 99 countries have been affected.

At this stage it appears Europe is the most affected

image via Kaspersky Lab

image via Avast

Keep Updated

WannaCry ransomware used in widespread attacks all over the world
What you need to know about the WannaCry Ransomware
Infection Tracker
An NSA-derived ransomware worm is shutting down computers worldwide
Ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far, today
Antivirus vendors malware detection – check your provider

What Next?

Some advice on updating your machines before infection

It’s early days, as this continues to spread we’ll keep an eye on infections and will report more on an upcoming podcast.

Make sure your Windows devices are up to date, and also follow antivirus providers for useful tips and advice.

If you’re infected and without backups, your only option may be to pay – whilst it’s in the best interest of the hackers to then unlock your computer, it’s certainly not guaranteed.

The attackers are now undoubtedly on top of the most wanted list, though finding them will do little to slow down or stop the spread.