What is “WannaCry” ransomware?
The WannaCry ransomware attack is an ongoing cyber attack by the WannaCry ransomware computer worm, which targets the Microsoft Windows operating system. The attack started on Friday, 12 May 2017, infecting more than 230,000 computers in 150 countries, with the software demanding, in 28 languages, ransom payments in the cryptocurrency bitcoin. The attack has been described by Europol as unprecedented in scale.
The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain’s National Health Service (NHS), FedEx, Deutsche Bahn, and LATAM Airlines. Other targets in at least 99 countries were also reported to have been attacked around the same time.
Most previous ransomware has arrived by phishing emails, and this is alleged to be the case with WannaCry, although it has not yet been confirmed. However, once installed, it uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA) to spread through local networks and to remote hosts that have not installed recent security updates, directly infecting any exposed systems. A “critical” patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack, but many organizations had not yet applied it.
Those still running older, unsupported operating systems, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft has now taken the unusual step of releasing updates for these operating systems for all customers.
Shortly after the attack began, a web security researcher who blogs as “MalwareTech” inadvertently established an effective kill switch by registering a website mentioned in the code of the ransomware. This slowed the spread of infection, but new versions have now been detected that lack the kill switch.
The ransomware campaign was unprecedented in scale according to Europol. The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices – including computers, MRI scanners, blood storage refrigerators and theater equipment – may have been affected. On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP. NHS hospitals in Wales and Northern Ireland were unaffected by the attack.
Nissan Motor Manufacturing UK in Tyne and Wear, England halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.
The attack’s impact could have been much worse had an anonymous security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators.
Cybersecurity expert Ori Eisen said that the attack appears to be “low-level” stuff, given the ransom demands of $300, but that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.
Date: 12 May 2017–present
Also known as: WannaCrypt, WanaCrypt0r, WCRY
Theme: Ransomware encrypting files with $300 – $1200 demand
Cause: EternalBlue exploit, DoublePulsar backdoor