The day started out as normally as any Friday in May around the world could.
But, then, all technological Hell broke loose.
First, at around 8:00 AM CET, there were reports of ransomware hitting endpoints in Spain, at Telefonica, a telco and ISP giant. Then, Gas Natural, a natural gas utility. Then, Iberdrola, an electric utility.
Then the reports of ransomware infections started rolling in from the UK. At first, a couple of National Health Service (NHS) facilities were hit with ransomware, forcing them to cancel appointments and some elective surgeries. Then, a few more NHS facilities reported being infected, their computers locked and unable to access patient data. Finally, up to 39 NHS hospitals and several GPs were reportedly affected, according to the BBC. Some had to divert ambulances to other facilities because they were unable to access their ransomed computer systems. And, while there was no evidence that patient data had been compromised, the attack affected the NHS severely enough that the British PM, Theresa May, made a statement on its effects, and the UK’s National Cyber Security Centre (NCSC) has been working with the NHS to ensure patient data safety and to try to rectify the issue.
But, the ransomware continued its spread worldwide. The Russian Interior Ministry and Russian telecom provider Megafon were attacked. Portugal Telecom was also hit, as were a number of universities in China. But, the ransomware didn’t – and hasn’t – stopped there.
At last count, according to CNNMoney, over 75,000 ransomware attacks had been reported, with the majority of the attacks occurring in Russia, Ukraine, and Taiwan, according to a blog post by anti-virus vendor Avast. But Turkey, Kazakhstan, Indonesia, Vietnam, Japan, Spain, Germany, the Philippines, Hungary and 87 other countries had also been attacked by the ransomware, 99 countries in total and counting.
Is this ransomware’s equivalent of the great California earthquake known as “The Big One”? We don’t know yet and likely won’t know for a while.
What is known, though, is that the ransomware is the second edition of a ransomware named WCry; it’s also known as WannaCry, WannaCryptor, WannaCrypt or Wana Decryptor. Not very active until Friday morning, Wana Decryptor – as most articles are now referring to the ransomware – was first discovered by French security researcher Kafeine, according to BleepingComputer. Then it started its virulent rampage through networks worldwide.
No one knows yet how the ransomware attack started. It could’ve been a phishing email, or a targeted spear-phishing attack, or even a drive-by download. Forensics experts and analysts will investigate its roots and determine how the WCry/Wana Decryptor ransomware attack was initiated, what the catalyst was, and who was Patient Zero. (But, it’s likely if the enterprise that was first attacked by WCry/Wana Decryptor had Menlo Security’s Isolation Platform, the ransomware delivery could have been stopped before it even started.)
But, what is known is that the WCry/Wana Decryptor ransomware tripped alerts for a Microsoft Windows exploit known as ETERNALBLUE, an alleged US National Security Agency (NSA) exploit that was made public last month (April 2017) by the infamous hacker group The Shadow Brokers (TSB). Microsoft released a patch for the vulnerability that ETERNALBLUE exploits in March 2017; however, as is now apparent, many enterprise, government and educational institution systems did not download and install that security update. This left the ETERNALBLUE exploit – which can compromise any Microsoft Windows device running Windows XP through Windows Server 2012 – free to gain a foothold on unpatched systems and deliver the follow-up ransomware, WCry/Wana Decryptor.
If a user or enterprise has not deployed the critical Windows security update, MS17-010, they should do so immediately. If a system has already been infected with the WCry/Wana Decryptor ransomware, it is out of luck; the security update won’t undo the damage now, unfortunately. (Also, if you’re still on Windows XP, the April security update will not work, either; sorry.)
The initial ransom request is for US$300 in Bitcoin; some victims have seen a US$600 ransom. The ransomware also has a timer set for 6 hours and counting. In some cases, the longer the ransom is unpaid, the higher the price for the decryption key gets.
Experts expect the WCry/Wana Decryptor ransomware attack to last for days, and to get worse before it gets better. That’s why it’s 75,000 attacks in 99 countries and counting. Plus, the WCry/Wana Decryptor ransomware has been translated into 28 different languages, which shows that this is not a targeted or one-and-done type of attack, unfortunately.
Also, the ransomware has worm-like tendencies: it scans networks for additional unpatched Windows computers vulnerable to the ETERNALBLUE exploit, so it can infect them with the WCry/Wana Decryptor ransomware as well. The ransomware can even spread from an infected computer to other computers on the same Wi-Fi network, so be careful using free wireless connections for the next several days.
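The scanning behaviour described above leaves a distinctive trace in firewall or flow logs: one host reaching many different internal hosts on TCP/445, the SMB port that ETERNALBLUE targets, within seconds. The following is an added example (not Menlo Security’s code) that flags such sources over a constructed log; the log format, the 60-second window and the five-host threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/flow log (not from any real network or incident).
# 10.0.1.17 fans out to six hosts on 445 in three seconds (worm-like scanning);
# 10.0.1.5 talks to one file server; 10.0.1.8 is HTTP; 10.0.1.9 is below threshold.
SAMPLE_LOG = """\
2017-05-12T08:01:00 src=10.0.1.17 dst=10.0.1.20 dport=445 action=allow
2017-05-12T08:01:01 src=10.0.1.17 dst=10.0.1.21 dport=445 action=allow
2017-05-12T08:01:01 src=10.0.1.17 dst=10.0.1.22 dport=445 action=allow
2017-05-12T08:01:02 src=10.0.1.17 dst=10.0.1.23 dport=445 action=allow
2017-05-12T08:01:03 src=10.0.1.17 dst=10.0.1.24 dport=445 action=allow
2017-05-12T08:01:03 src=10.0.1.17 dst=10.0.1.25 dport=445 action=allow
2017-05-12T08:01:05 src=10.0.1.5 dst=10.0.1.100 dport=445 action=allow
2017-05-12T08:01:09 src=10.0.1.5 dst=10.0.1.100 dport=445 action=allow
2017-05-12T08:01:10 src=10.0.1.8 dst=10.0.1.30 dport=80 action=allow
2017-05-12T08:01:11 src=10.0.1.9 dst=10.0.1.40 dport=445 action=allow
2017-05-12T08:01:12 src=10.0.1.9 dst=10.0.1.41 dport=445 action=allow
"""

def parse_line(line):
    """Return (timestamp, src, dst, dport) from one 'key=value' log line (assumed format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["dst"], int(kv["dport"])

def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Map each source that reached >= threshold distinct hosts on TCP/445 inside
    any `window` to the largest distinct-destination count observed for it."""
    per_src = defaultdict(list)                     # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:                            # SMB only; other ports ignored
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()                               # sliding window needs time order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                          # drop events older than the window
            fanout = len({dst for _, dst in events[start:end + 1]})
            if fanout >= threshold:
                alerts[src] = max(alerts.get(src, 0), fanout)
    return alerts

if __name__ == "__main__":
    for src, fanout in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanner {src}: {fanout} distinct hosts on 445")
```

Tune the window and threshold to the normal SMB fan-out of your own hosts (backup servers and vulnerability scanners will legitimately exceed them and belong on an allow list).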
Rumors of additional attacks and affected countries are spreading like wildfire across social media and the web.
Menlo Security will keep you posted on any additional details concerning the worldwide WCry/Wana Decryptor ransomware attack, and will be providing additional technical details as they become available. For more information on phishing attacks, read our "Anatomy of a Spear Phishing Attack."