There has been a massive spike in worldwide WannaCry ransomware attacks, with a new campaign launched on Friday. In contrast to past WannaCry ransomware attacks, this campaign leverages a vulnerability in Server Message Block 1.0 (SMBv1).
Zero-day exploits are commonly used by cybercriminals, but this one was allegedly developed by the National Security Agency (NSA), then stolen and given to the hacking group Shadow Brokers. Shadow Brokers published the exploit last month; the gang behind this attack has combined it with a worm that spreads rapidly to every vulnerable networked machine it can reach.
The vulnerability used by the ETERNALBLUE exploit was addressed when Microsoft released a patch on March 13 (MS17-010); however, judging by the number of WannaCry ransomware attacks already reported, many organizations have yet to apply it.
Those organizations include the Spanish telecommunications firm Telefónica, the German rail operator Deutsche Bahn, the logistics firm FedEx and the UK’s National Health Service. Dozens of NHS Trusts in the UK succumbed to the WannaCry ransomware attacks on Friday. While patient data is not believed to have been obtained by the attackers, the NHS has been forced to shut down systems and cancel operations while the attack is mitigated.
This morning, WannaCry ransomware attacks have been reported by organizations in around 100 countries. While it is unclear at this stage how many computers have been encrypted by the ransomware, the number is certainly in excess of 57,000, the number of attacks tracked by antivirus firm Avast. That figure will certainly grow.
Once installed, the ransomware scans for other vulnerable machines and rapidly infects all of them. The ransom demand may only be $300, but that figure is multiplied by the number of infected devices. The ransom demand also doubles after 3 days, and the attackers delete the decryption keys after 7 days if the ransom is not paid. After that time, recovery will not be possible unless a viable backup exists. There is no known decryptor for WannaCry ransomware.
Protecting against this ransomware campaign requires organizations to apply the MS17-010 patch to Windows and close the SMBv1 vulnerability the worm relies on.
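As an added example (not from the original article), the following PowerShell script reports whether a Windows host still has the SMBv1 server enabled and whether one of the MS17-010 updates is installed. The article names only the bulletin, MS17-010; the per-OS KB numbers listed in the script are the editor's recollection of that bulletin's updates and should be verified against it before the list is relied on.

```powershell
# Added example, not from the original article: report whether this host still has
# the SMBv1 server enabled and whether an MS17-010 update is installed.
# The KB numbers are the editor's recollection of the per-OS MS17-010 updates;
# verify them against the Microsoft bulletin before relying on this list.
$Ms17010Kbs = @(
    'KB4012598',                            # out-of-band update for XP / 2003 / Vista / 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Exposure {
    # Installed updates whose ID matches the MS17-010 list (Get-HotFix reads CIM data).
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    # SMBv1 server state; Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    # and later, so an unavailable cmdlet is reported as 'unknown', not as disabled.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Ms17010Installed = [bool]$installed
        MatchedUpdates   = ($installed | ForEach-Object HotFixID) -join ','
        Smb1ServerOn     = if ($null -eq $smb1) { 'unknown' } else { $smb1 }
    }
}

$result = Test-Ms17010Exposure
$result | Format-List

# A host remains exposed to the worm's propagation method when the patch is missing
# and the SMBv1 server is enabled (or its state cannot be determined).
if (-not $result.Ms17010Installed -and $result.Smb1ServerOn -ne $false) {
    Write-Warning "$($result.ComputerName): MS17-010 not found, SMBv1 server state is '$($result.Smb1ServerOn)'"
}
```

On Windows 10 the listed KBs are superseded by later cumulative updates, so a host with a newer cumulative update installed is patched even though none of these IDs appears in Get-HotFix; treat a missing match there as a prompt to check the installed cumulative update, not as proof of exposure.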
These ransomware attacks should serve as a warning to all organizations of the need to apply patches promptly, especially patches that address critical vulnerabilities for which exploits have been developed and released online.