
Global Ransomware Attack Strikes 70K Systems (& Counting)

A massive global ransomware attack is underway and, according to researchers at Kaspersky, more than 45,000 systems worldwide have been hit with the malware. The malware, dubbed "WannaCry," hits systems running Microsoft Windows on which a patch released on March 14, 2017 has not been applied.

The researchers note that, while immediately applying the March 14 patch release is considered critical, the ransomware itself doesn't depend on the vulnerability to work. Rather, it's the ransomware's transmission and remote installation that appear to rest on the EternalBlue exploit patched by Microsoft.

According to the National Health Service, by mid-afternoon UK time, 16 NHS organizations had been hit with the attack, in some cases requiring emergency patients to be directed to other hospitals after infected computers were shut down.

Spain's Telefonica was also hit, with several sources indicating that the telecom firm had instructed employees facing a ransomware screen to simply shut down their computers and await further instructions.

An article on Forbes.com pointed out that the EternalBlue exploit was first described publicly in the Shadow Brokers release of NSA hacking tools. In general, the initial infection vector is a .ZIP attachment to a spam email, which, when opened, immediately infects the target computer. According to CN-CERT, the Spanish cyber emergency response team, vulnerable versions of Windows include:

  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2 and R2 SP1
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2012 and R2
  • Windows 10
  • Windows Server 2016

Initial ransom demands were for US $300 in BitCoins, payable through a link on the announcement screen, though more recent infections seem to have increased the ransom demand to US $600 with the promise that the amount will continue to increase. Several security research teams report that they are working on decryption tools, but none are currently available.

As of this writing, most of the infected systems have been in Russia, with systems in Europe, Asia and Africa also infected. While North America is not free from infection, the numbers have so far been low. For all system administrators, it's highly recommended that the advice of Microsoft Security Bulletin MS17-010-Critical be followed immediately.

For up-to-the-minute information on systems that are infected and the response by researchers and government officials, Twitter's WannaCry Ransomware filter feed is hard to beat.

— Curtis Franklin, Security Editor, Light Reading. Follow him on Twitter @kg4gwa.

kq4ym 5/23/2017 | 2:13:18 PM
Re: Not Good I had heard that the only vulnerable systems were the older Windows versions, specifically 7, even though news reports were making like everyone was in trouble. And the network and local news didn't mention that there was an update patch months earlier that would have prevented a problem. I was surprised to see though that in this story it was noted that even Windows 10 there could be problems if not patched. I tried briefly to google Microsoft to get to their "direct" page for info but for whatever reason a search would not easily lead me to Microsoft explanation and remedy. Pretty confusing for a lot of folks I would guess.
Phil_Britt 5/18/2017 | 7:16:05 PM
Re: Not Good Backups are common sense, but still so many don't take the time or effort. And companies should not engineer their internal systems to the point that security patches "break" parts of networks.
Curtis Franklin 5/15/2017 | 12:20:11 PM
Re: Not Good @Carol, over the weekend I had a Twitter exchange with someone who argued that many enterprise customers can't automatically apply every patch because of the chance the new code could break critical enterprise applications. That's quite true, but those organizations should still immediately sandbox every critical patch and update with an eye toward applying them as soon as possible.

And in every case, if a company doesn't have strong backup/recovery protocols in place, then it can't really complain when an event comes along (either accidental or malicious) that eats its data.
Curtis Franklin 5/15/2017 | 12:17:36 PM
Re: Not Good @danielcawrey, If you haven't followed solid backup protocol and haven't kept your systems patched and updated then you're right; paying the ransom is really the only option available. The sad part of this is that, for most companies, it would have been so easy to protect systems from the attack before it started!
Carol Wilson 5/15/2017 | 7:52:50 AM
Re: Not Good By setting the initial ransom so low, the attackers certainly make that option more attractive - and if they are raising the stakes over time, it seems even more appealing to pay and get it done.

This just underscores what every security executive - from either a service provider or a vendor - says in virtually every interview. If the majority of people did the basics, i.e., implemented a security plan, tested it regularly, kept software patches up-to-date and followed their own best practices, most of these kinds of massive attacks that are getting easier to launch could be warded off. 

For some reason, human nature, I guess, that seems an impossible goal to achieve.
danielcawrey 5/13/2017 | 9:44:12 AM
Not Good This is bad. It shows how far behind most systems are. So many are obviously vulnerable to attack. Many of these sysadmins are pretty set on paying ransoms. They often don't have a choice. 