Saturday, May 13, 2017

Worldwide Disruptions from WannaCry Ransomware

On Friday 12-May-2017 major organizations worldwide fell victim to a rapidly spreading ransomware attack known as WannaCry, WCry, WanaCrypt and WanaCrypt0r.  The ransomeware ecrypts files on the victim's Windows PC and displays a note demanding $300 or $600 in Bitcoin to unlock the machine. Here's a roundup:

The ransomware exploits a vulnerability (MS17-010) in the Windows Operating that was once part of the NSA's toolkit and was leaked earlier this year by a group calling itself Shadow Brokers. The exploit provides the attacker with system priviledges on the target Windows machine.

  • Avast reported that the ransomware is mainly being targeted to Russia, Ukraine and Taiwan, but has impacted an estimated 130,000 unpatched Windows systems worldwide. 
  • McAfee identified this MS17-010) exploit as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. 
  • The infection vector appears to be phishing emails.
  • Microsoft released a security update for the MS17-010 (link is external) vulnerability on March 14, 2017. Windows users are urged to update their systems ASAP.
  • A British blogger under the handle @MalwareTechBlog appears to have come across a method that has slowed or stopped the spread of the infection. The ransomeware relied on an unregistered domain. By registering the domain, a kill switch for the virus was created.
  • The remediation step recommended by the United States Computer Emergency Readiness Team (US-CERT) is to restore infected systems from a known clean back-up.
  • The UK's National Health Service (NHS) reported widespread ransomware incidents leading to an inability to access patient records, postponement of non-emergency treatement and cancellation of many other services on Friday. Technical teams worked overnight to restore systems.
  • Deutsche Bahn suffered delays and cancellations when terminals in many stations were infected.
  • Telef√≥nica Spain confirmed that some PCs on its internal network were affected.
  • The Russian Interior Ministry reported that its operations were disrupted.
  • McAfee reported on a new kind of RaaS (ransomware-as-a-service) portal named Fatboy Ransomware that is capable of adjusting the ransom based on the victim's location. McAfee says that while Fatboy is not as technically sophisticated, it is an example of the evolving business model for cybercriminals.

See also