Fast-spreading ransomware attacks have been hitting computers all over the world since Friday. The attacks exploit a critical SMB vulnerability exposed in NSA documents leaked by the Shadow Brokers group.
The ransomware is called WannaCry; the SMB vulnerability it exploits was patched by Microsoft (MS17-010) for supported versions of Windows about a month ago.
Reports show that the malware, which is also known as WanaCrypt0r, WCry, Wana Decrypt0r, and WannaCrypt, has hit more than 100 countries in less than 24 hours so far. According to security experts, this is the biggest ransomware attack ever; it has hit hospitals in Britain, the Spanish telecom giant Telefonica, Russian and European car makers, banks, and FedEx.
Security experts say that Windows installations that are up to date and fully patched are not in danger. Microsoft has also taken the unusual step of providing a security update for Windows platforms that are in custom support only, including Windows Server 2003, Windows 8, and Windows XP.
“We also know that some of our customers are running versions of Windows that no longer receive mainstream support,” Microsoft said. “That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.”
According to a spokesman for Barts Health NHS Trust in London, the trust was experiencing a “major IT disruption” and delays at all four of its hospitals, and ambulances were being diverted to nearby hospitals.
“Unlike most other attacks, this malware is spreading primarily by direct infection from machine to machine on local networks, rather than purely by email,” said Lance Cottrell, chief scientist at Ntrepid.
Yesterday, a security researcher found a “kill switch” which could prevent the spread of the WannaCry ransomware.
“The ‘kill switch’ was hardcoded into the malware in case the creator wanted to stop it spreading,” MalwareTech said. “This involved a very long nonsensical domain name that the malware makes a request to just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.”
“This event should serve as a global wakeup call – the means of delivery and the delivered effect is unprecedented,” Rich Barger, Director of Cyber Research at Splunk, said. “While Spain and Russia look to be hit the hardest, other countries including Italy, Portugal, Ukraine and Pakistan look to be affected as well. This is one of the largest global ransomware attacks the cyber community has ever seen.”
Rich Barger also suggested disabling or blocking the SMBv1 service to protect against the attacks, and said firms should consider monitoring for and/or mitigating scan behavior on TCP/445, both externally and internally.
“With the WannaCry/WanaCrypt ransomware in the wild, crossing into industrial control systems would be particularly devastating,” said Owen Connolly, VP of Services at IOActive.
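The scan behavior Barger recommends watching for is a single source fanning out to many distinct hosts on TCP/445 in a short time, which is how a worm spreading "machine to machine on local networks" looks from a connection log. The following is an added example written for this article, not code from the article, Splunk or any other party quoted here. It assumes a simplified, constructed connection-log format (`<ISO timestamp> <src> -> <dst>:<port> <proto>`), constructed private IP addresses, and illustrative threshold and window values; a real deployment would tune those against its own baseline of legitimate SMB traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified connection-log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"].lower(),
    }


def detect_smb_fanout(lines, threshold=10, window_seconds=60):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 within a sliding window.

    Returns one alert per source (the first time it crosses the threshold), with the
    window in which it happened. Repeated connections to the same destination (a
    workstation talking to its file server) do not count as fan-out.
    """
    records = [
        r for r in map(parse_line, lines)
        if r is not None and r["proto"] == "tcp" and r["port"] == 445
    ]
    records.sort(key=lambda r: r["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) inside the window
    alerted = set()
    alerts = []
    for r in records:
        dq = recent[r["src"]]
        dq.append((r["ts"], r["dst"]))
        # Drop entries that have aged out of the window.
        while dq and r["ts"] - dq[0][0] > window:
            dq.popleft()
        distinct = {dst for _, dst in dq}
        if len(distinct) >= threshold and r["src"] not in alerted:
            alerted.add(r["src"])
            alerts.append({
                "src": r["src"],
                "distinct_targets": len(distinct),
                "window_start": dq[0][0],
                "window_end": r["ts"],
            })
    return alerts


# Constructed sample log: benign file-server traffic, a small amount of multi-host
# SMB use, unrelated noise, and one host sweeping twelve neighbours on TCP/445.
SAMPLE_LOG = [
    "2017-05-12T10:00:00 10.0.0.7 -> 10.0.0.50:445 tcp",
    "2017-05-12T10:00:05 10.0.0.7 -> 10.0.0.50:445 tcp",
    "2017-05-12T10:00:09 10.0.0.7 -> 10.0.0.51:443 tcp",
    "2017-05-12T10:00:02 10.0.0.8 -> 10.0.0.50:445 tcp",
    "2017-05-12T10:00:03 10.0.0.8 -> 10.0.0.52:445 tcp",
    "2017-05-12T10:00:04 10.0.0.8 -> 10.0.0.53:445 tcp",
    "2017-05-12T10:00:06 10.0.0.9 -> 10.0.0.60:445 udp",
    "garbage line that does not parse",
] + [
    f"2017-05-12T10:01:{i:02d} 10.0.0.5 -> 10.0.0.{100 + i}:445 tcp"
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_smb_fanout(SAMPLE_LOG):
        print(f"{alert['src']} reached {alert['distinct_targets']} hosts on TCP/445 "
              f"between {alert['window_start']} and {alert['window_end']}")
```

With the defaults, only 10.0.0.5 is flagged: the workstation re-using one file server and the host touching three servers stay under the threshold, and the UDP and unparseable lines are ignored. Blocking or disabling SMBv1 is a separate configuration step on the Windows hosts themselves (on supported versions, for example, `Set-SmbServerConfiguration -EnableSMB1Protocol $false`); this detector only surfaces the lateral-movement pattern so it can be investigated.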
“Systems requiring real-time interfacing and control influence over physical assets could face safety/critical shutdown, or worse. When thinking about critical services to modern society (power, water, wastewater, etc.), there is a real potential, potentially for the first time ever, where critical services could be suspended due to ransomware. It may be time to rethink critical infrastructure cybersecurity engineering, because if MS17-010 exploiting malware variants are successful, we are clearly doing something wrong,” Connolly concluded.