Sophos has released guidance on WannaCry ransomware, explaining how the attacks occurred, why these attacks were different from other ransomware incidents and how the company has helped to protect customers from attack with its next-generation anti-ransomware solutions.
The attacks started last Friday and rapidly spread around the globe. The ransomware encrypted files, preventing victims from accessing their data. Victims were presented with a ransom note advising them that they had been attacked. They were required to pay a ransom to receive the keys to unlock the encryption and were threatened with permanent file loss if they did not pay up.
While there were many victims around the globe, in the UK the NHS was hit particularly hard with computers and its phone system affected.
Sophos reports that the attacks involved an exploit called EternalBlue, which had been stolen from the NSA and published online by the hacking group Shadow Brokers.
Sophos reports that the attacks were atypical for ransomware, which is usually installed via an infected email attachment or malicious link. These attacks instead took advantage of a remote code execution vulnerability, so infection required no user interaction. Any unpatched machine was vulnerable.
Sophos points out that the attacks included a worm component that allowed infections to spread rapidly throughout a network, resulting in file encryption on any vulnerable device.
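A worm that spreads through a network by exploiting a vulnerable SMB service leaves a distinctive footprint: one internal host opening TCP/445 connections to many distinct peers in a short time. The following detection logic, added here as an example and not taken from Sophos or its guidance, flags that fan-out pattern in a simple connection log. The log format, the sample log lines, the 60-second window and the threshold of 10 peers are constructed assumptions; real environments would tune them against their baseline of legitimate file-server traffic.

```python
"""Flag internal hosts that fan out SMB (TCP/445) connections to many peers
inside a short window, the pattern produced by a worm scanning a network for
vulnerable SMB services. Example code added for illustration; the log lines
below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log, one event per line:
#   "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
# 10.0.0.5 sweeps eleven neighbours on port 445 within a few seconds,
# 10.0.0.7 touches two file servers five minutes apart (normal use),
# 10.0.0.8 talks to port 80 only and must be ignored entirely.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.25 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.26 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.27 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.28 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.29 445
2017-05-12T10:00:06 10.0.0.5 10.0.0.30 445
2017-05-12T10:00:10 10.0.0.7 10.0.0.10 445
2017-05-12T10:05:00 10.0.0.7 10.0.0.11 445
2017-05-12T10:00:11 10.0.0.8 10.0.0.12 80
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def detect_smb_fanout(events, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: peak distinct TCP/445 peers within any `window`} for
    every source whose peak reaches `threshold`.

    A sliding window per source keeps a count of how many connections to
    each destination fall inside the window, so distinct-peer count is just
    the number of destinations with a non-zero count."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:          # only SMB traffic is of interest here
            by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()             # chronological order per source
        in_window = defaultdict(int)   # dst -> connections inside the window
        left = 0
        peak = 0
        for ts, dst in conns:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within `window`.
            while ts - conns[left][0] > window:
                old_dst = conns[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} reached {peers} distinct SMB peers within 60s")
```

On the constructed sample only 10.0.0.5 is reported; 10.0.0.7 never has more than one SMB peer inside a 60-second window, so ordinary file-share use stays below the threshold. Widening the window or lowering the threshold trades fewer missed slow scanners for more noise from legitimate servers, which is why both are parameters rather than constants.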
The attacks could have been prevented. Microsoft had issued a patch for the vulnerability in March. Companies that had applied the MS17-010 patch would have had the flaw in Windows Server Message Block (SMB) corrected, which would have stopped the exploit from working.
Sophos reports that users of its Intercept X and Sophos EXP products are protected from WannaCry ransomware; however, all organizations have been advised to apply the MS17-010 patch.