Last Friday the world witnessed one of the largest cyber attacks ever recorded. Europol said that the attack was of an “unprecedented level and requires international investigation.”
The attack started on Friday and combined an exploit leaked from the NSA with a self-propagating ransomware payload: a hybrid ransomware-worm that spreads on its own, ultimately affecting more than 200,000 hosts in 150 countries. The flaw it abuses was not a zero-day at the time of the attack; Microsoft had patched it two months earlier, as noted below. The ransomware, called WannaCry, encrypts the files on an infected computer and demands that the victim pay in order to get them back.
What is interesting about this ransomware is that the WannaCry attackers are leveraging a Windows exploit stolen from the NSA, called EternalBlue, which was published by the Shadow Brokers hacking group about a month earlier. Microsoft released a patch for the vulnerability in March (security bulletin MS17-010), but many users and organizations remain unpatched and vulnerable to the attack.
The exploit can compromise unpatched Windows machines, including Windows XP through Windows Server 2008 R2, by exploiting flaws in Microsoft's SMBv1 server (a remote code execution vulnerability, CVE-2017-0144). SMB (Server Message Block) is the protocol Windows uses for file sharing and for accessing file servers within a network, and it is in use in most organizations in the world. No user interaction is needed: once a single computer in an organization is infected with WannaCry, the worm component scans for other reachable hosts with TCP port 445 open, exploits them in turn, and repeats the process from each new victim. This is why the WannaCry campaign spread at such an astonishing pace.
“Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.” One of the first reported and most notable victims was the UK's NHS (National Health Service), with computers, phones and emergency bleepers in hospitals and GP surgeries going out of order. Some hospitals said they were forced to divert emergencies to other facilities. The reason the NHS was so heavily affected is, reportedly, that most of its computers were still running Windows XP because a maintenance contract with Microsoft had recently not been renewed. Other notable victims include Deutsche Bahn (the German railways), car manufacturer Renault, FedEx, Spanish telecom provider Telefonica, Russian ministries, and more.
The most-affected country appears to have been Russia, according to Kaspersky Lab, which recorded more than 45,000 attacks there.
Microsoft released a patch for Windows that closes the hole the worm uses to spread (and, unusually, issued emergency patches for the unsupported Windows XP, Windows 8 and Windows Server 2003 as well), but patching does not help hosts whose files are already encrypted. An interesting fact is that a researcher managed to stall the spread of the malware by simply registering a non-existent domain that the malware checked before executing: if the domain resolved, the malware exited. This was a kill switch built into the ransomware, whether intentionally or not. It is not a cure, though: a host that cannot reach the domain (for example because it only has web access through a proxy the malware does not use) is still infected, and variants without the check followed shortly after. WannaCry gives a preview of the next generation of malware and cyber attacks: ransomware with worm-grade exploitation capabilities that can infect an entire intranet from a single victim. That is the most shocking thing about it. Internal networks that are not prepared and properly configured for this kind of attack (unpatched hosts, SMBv1 left enabled, port 445 open between workstations) face a total compromise at an undefined cost.
Babis Kalevrosoglou, Information Security Manager at ASPIDA's Cyber Security Division, noted: “We are all witnessing the greatest cyber attack in recent history, proving once more that hackers rely on lack of proper cyber security awareness, which would have prevented this attack. Everyone needs to update their systems now, to secure themselves from this attack, plus keep updating in the future to reduce the risk of future attacks.” No one has claimed responsibility for this attack yet, but whoever they are, they may be tens of thousands of dollars richer by now.
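The practical follow-up to the two points above (the worm's reliance on an unpatched SMBv1 server reachable on TCP/445, and the MS17-010 patch) is a per-host check. The script below is an added example written for this article, not code from the original page or from Microsoft; it reports whether an MS17-010 hotfix is installed, whether the SMBv1 server is still enabled, and whether inbound TCP/445 is blocked, and with `-Remediate` it disables SMBv1 and adds the firewall rule. The KB list is an assumption to be cross-checked against the MS17-010 bulletin for the exact Windows build (later cumulative updates supersede these KBs, so a missing match does not by itself prove the host is unpatched), and the rule name `Block inbound SMB 445` is an arbitrary label chosen here.

```powershell
# Added example (not from the original article): check a Windows host for the
# conditions WannaCry's worm needs and optionally remove them.
# Run from an elevated Windows PowerShell prompt (3.0 or later).
param(
    [switch]$Remediate   # without this switch the script only reports
)

# ASSUMPTION: KB numbers taken from the MS17-010 bulletin; verify for your build.
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012598','KB4012213','KB4012214',
                'KB4012216','KB4012217','KB4012606','KB4013198','KB4013429')
$RuleName = 'Block inbound SMB 445'   # arbitrary name chosen for this example
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

Write-Host "Host: $env:COMPUTERNAME  OS: $([System.Environment]::OSVersion.VersionString)"

# 1. MS17-010: is one of the listed hotfixes installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: installed ($(($installed | ForEach-Object HotFixID) -join ', '))"
} else {
    Write-Warning "MS17-010: no matching hotfix found - verify the patch level manually"
}

# 2. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; on Windows 7 / 2008 R2 read the LanmanServer
#    registry value Microsoft documents for disabling SMBv1 (absent = enabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}
if ($smb1Enabled) { Write-Warning "SMBv1 server: ENABLED" } else { Write-Host "SMBv1 server: disabled" }

# 3. Firewall: an inbound block on TCP/445 stops the worm's lateral movement
#    even on a host that is still unpatched. The NetSecurity cmdlets exist on
#    Windows 8 / Server 2012 and later only.
$haveNetSec = [bool](Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue)
$blockRule  = $null
if ($haveNetSec) {
    $blockRule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}
if ($blockRule) { Write-Host "Firewall: inbound 445 block rule present" }
elseif ($haveNetSec) { Write-Warning "Firewall: no inbound 445 block rule" }
else { Write-Warning "Firewall: NetSecurity cmdlets unavailable; check 445 with netsh advfirewall" }

if ($Remediate) {
    if ($smb1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $RegPath -Name SMB1 -Type DWord -Value 0 -Force
        }
        Write-Host "SMBv1 server disabled (reboot required on Windows 7 / 2008 R2)"
    }
    if ($haveNetSec -and -not $blockRule) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Host "Inbound TCP/445 blocked by firewall rule '$RuleName'"
    }
}
```

Two caveats before running it with `-Remediate` across a fleet: disabling SMBv1 breaks clients that still depend on it (old printers, scanners, legacy NAS), and blocking inbound 445 on a host also blocks legitimate file sharing it serves. On workstations both are usually the right trade-off; on file servers, patch first and keep 445 open only to the subnets that need it.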