Global Ransomware Attack Strikes 70K Systems (& Counting)

A massive global ransomware attack is underway and, according to researchers at Kaspersky, more than 45,000 systems worldwide have been hit with the malware. The malware, dubbed "WannaCry," hits systems running Microsoft Windows on which a patch released on March 14, 2017 has not been applied.

Figure 1:

The researchers note that, while immediately applying the March 14 patch release is considered critical, the ransomware itself doesn't depend on the vulnerability to work. It's the ransomware transmission and remote installation, rather, that appears to rest on the EternalBlue exploit patched by Microsoft.

According to the National Health Service, by mid-afternoon UK time,16 NHS organizations had been hit with the attack, in some cases requiring emergency patients to be directed to other hospitals after infected computers were shut down.

Spain's Telefonica was also hit, with several sources indicating that the telecom firm had instructed employees facing a ransomware screen to simply shut down their computers and await further instructions.

An article on Forbes.com pointed out that the EternalBlue exploit was first described publicly in the Shadow Brokers release of NSA hacking tools. In general, the initial infection vector is a .ZIP attachment to a spam email, which, when opened, immediately infects the target computer. According to CN-CERT, the Spanish cyber emergency response team, vulnerable versions of Windows include:

Initial ransom demands were for US $300 in BitCoins, payable through a link on the announcement screen, though more recent infections seem to have increased the ransom demand to US $600 with the promise that the amount will continue to increase. Several security research teams report that they are working on decryption tools, but none are currently available.

As of this writing, most of the infected systems have been in Russia, with systems in Europe, Asia and Africa also infected. While North America is not free from infection, the numbers have so far been low. For all system administrators, it's highly recommended that the advice of Microsoft Security Bulletin MS17-010-Critical be followed immediately.

Figure 2:

For up-to-the minute information on systems that are infected and the response by researchers and government officials, Twitter's WannaCry Ransomware filter feed is hard to beat.

— Curtis Franklin, Security Editor, Light Reading. Follow him on Twitter @kg4gwa.