The world has experienced the wrath of yet another large-scale ransomware attack, known as WannaCry (also called WannaCrypt or WCry). The attack began hitting PCs on May 12th, 2017, and within days had affected roughly 200,000 systems in 150 countries.
WannaCry exploited a vulnerability in the SMBv1 file-sharing component of Microsoft Windows. It hit systems that had not been updated with the latest security patches, including many still running Windows 7, as well as older, no longer supported operating systems such as Windows XP.
UK hospitals, Spanish telecom companies, FedEx, Nissan car manufacturing plants, U.S. universities, Russian government agencies, and ATMs in China were among the victims, along with many other organizations around the globe.
While ransomware has been a growing trend in recent years, and Trojans and worms are certainly nothing new, pairing the two (a ransomware payload that spreads itself from machine to machine like a worm) is something we had not seen at this scale until now.
Malware, ransomware included, usually enters a network through phishing emails or through websites that deliver a malicious program. Once a computer is infected, the ransomware encrypts (essentially scrambles) the user's files. It then locks the machine and displays a screen demanding payment in exchange for the decryption key. Typically the price rises over time, with a countdown after which the attackers threaten to destroy the files for good.
But WannaCry does not rely solely on user error. Analysis from Symantec and Kaspersky confirmed that WannaCry also spread on its own by exploiting a flaw in Microsoft's SMB (Server Message Block) file-sharing protocol: once a single machine was infected, it scanned for other hosts listening on TCP port 445 and compromised every unpatched one it could reach, with no user involvement at all.
The exploit for this flaw, codenamed "EternalBlue", was published on the Internet in the Shadow Brokers dump of April 14th, a full month after Microsoft had released the fix (security bulletin MS17-010) on March 14th. The outbreak could therefore largely have been prevented; unfortunately, many organizations failed to install the patch between its release and the attack, leaving the door open for the attackers. Where a system cannot be patched promptly, the next best defenses are to disable SMBv1 and to block port 445 from untrusted networks, which removes the path the worm uses.
The fact that the WannaCry ransom note was localized into 28 languages suggests that the attackers had very high expectations for the success of their attack and knew it would spread fast.
Security researcher MalwareTech analyzed the attack in a testing environment and noticed that the code queried an unregistered, seemingly random Internet domain name before doing anything else. Domain names often serve as malware command-and-control addresses, so MalwareTech simply registered the domain. That turned out to trigger a kill switch: when the lookup succeeds, WannaCrypt (another name for WannaCry) exits without encrypting anything.
However, the kill switch does not stop the spread; it merely slows it down. It only works for samples that still contain the check, and only on machines that can reach the domain directly (hosts whose outbound web traffic goes through a proxy fail the lookup and are encrypted anyway). Copycats are already modifying the code to produce variants without the check, keeping the infection spreading, and are releasing fake decryption tools that claim to restore the encrypted files.
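Two of the behaviors described above leave traces in ordinary network logs: the worm-style fan-out to TCP port 445, and (for the original sample) the DNS lookup of the kill-switch domain before encryption starts. The following is an added example, written for this page rather than taken from Symantec, Kaspersky or MalwareTech, of detection logic that looks for both signals. The firewall and DNS log formats, the field names, and the sample lines are all constructed for the example; adapt the two regular expressions to whatever your own devices emit.

```python
"""Spot WannaCry-style behaviour in firewall and DNS logs (added example)."""
import re
from collections import defaultdict

# The domain the original WannaCry sample looked up before encrypting; a
# successful lookup makes that sample exit, which is the kill switch
# MalwareTech triggered by registering it.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Hypothetical log formats, assumed for this example only.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
DNS_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) query=(?P<name>\S+) type=(?P<type>\w+)$"
)

# Constructed sample data (not a real capture): 10.0.5.23 touches 30 different
# neighbours on tcp/445 inside one minute (worm fan-out); 10.0.5.50 talks
# repeatedly to a single file server, which is normal SMB use.
FIREWALL_LOG = [
    f"2017-05-12T14:01:{s:02d}Z allow src=10.0.5.23 dst=10.0.5.{d} dport=445 proto=tcp"
    for s, d in zip(range(0, 60, 2), range(2, 32))
] + [
    f"2017-05-12T14:01:{s:02d}Z allow src=10.0.5.50 dst=10.0.5.1 dport=445 proto=tcp"
    for s in range(0, 60, 10)
] + [
    "2017-05-12T14:01:07Z allow src=10.0.5.50 dst=93.184.216.34 dport=443 proto=tcp",
]
DNS_LOG = [
    "2017-05-12T14:00:58Z client=10.0.5.23 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A",
    "2017-05-12T14:01:03Z client=10.0.5.50 query=update.microsoft.com type=A",
]


def smb_fanout(fw_lines, min_targets=10):
    """Return {src: distinct_targets} for sources that connected to at least
    min_targets distinct hosts on tcp/445 within the same minute.  A workstation
    normally talks to a handful of file servers, so a wide fan-out is the
    signature of a scanner or a worm, not of legitimate SMB use."""
    targets = defaultdict(set)  # (src, minute) -> set of destination IPs
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m or m["dport"] != "445" or m["proto"] != "tcp":
            continue
        minute = m["ts"][:16]  # "2017-05-12T14:01"
        targets[(m["src"], minute)].add(m["dst"])
    alerts = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_targets:
            alerts[src] = max(alerts.get(src, 0), len(dsts))
    return alerts


def kill_switch_queries(dns_lines):
    """Return (timestamp, client) for every lookup of the kill-switch domain.
    A hit means the original, kill-switch-bearing sample ran on that host.
    No hit proves nothing: later variants dropped the check, and hosts behind
    a proxy never get to ask the resolver in the first place."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        if name == KILL_SWITCH_DOMAIN or name.endswith("." + KILL_SWITCH_DOMAIN):
            hits.append((m["ts"], m["client"]))
    return hits


if __name__ == "__main__":
    for src, n in smb_fanout(FIREWALL_LOG).items():
        print(f"possible SMB worm: {src} reached {n} hosts on tcp/445 in one minute")
    for ts, client in kill_switch_queries(DNS_LOG):
        print(f"kill-switch lookup from {client} at {ts}")
```

The fan-out check is the more durable of the two: it does not depend on any domain or sample-specific string, so it still fires for the copycat variants that removed the kill switch. Tune `min_targets` to your environment (servers that legitimately back up many hosts over SMB will need an allow-list), and treat a kill-switch hit as confirmation that the host is infected and should be isolated, not as evidence that it was saved.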
WannaCry is certainly not the last cyberattack we will see. But it should be a serious wake-up call and a reminder of the dangers of ransomware and the importance of following security best practices: keep systems patched, retire unsupported operating systems, block unneeded services at the network edge, and keep offline backups so that an encrypted machine can be rebuilt rather than ransomed.
For more information about WannaCry and ways to keep your business protected from such ransomware, click here. If you’d like to learn more about how IT Solutions keeps your data and systems safe, talk to your VCIO or contact us today.