On Friday, May 12, a global ransomware attack affected nearly 100 different countries. The ransomware, named “Wannacry,” exploits a vulnerability using National Security Agency tools that were leaked by a group known as the Shadow Brokers. The InfoSec community is still trying to determine the initial infection vector and who is responsible for it.
The first major sightings of Wannacry infections occurred in the United Kingdom, including Scotland, where the malware targeted the National Health Service’s (NHS) digital infrastructure. Files within their systems were encrypted, and the malware demanded a ransom of $300 in Bitcoin to decrypt the records. As of this afternoon, 16 NHS partner organizations have reported infections. This resulted in health services being impaired in several hospitals and required the transfer of patients to other facilities.
While it seemed that the ransomware attack was targeted at the United Kingdom, several other countries and organizations have reported being infected by Wannacry. According to analysts at Avast, there are about 75,000 infections worldwide. Some of the organizations affected include FedEx UK, Telecom in Spain, and allegedly the Russian Interior Ministry. Analysts at Kaspersky Lab estimate that nearly 74 countries have been hit, with Russia, Ukraine, India, and Taiwan leading the pack.
As of now, it is unknown who is behind the attacks. What is known is that the malware is based on a powerful ransomware variant called “WannaCryptor 2.0,” which uses a 128-bit AES encryption key. It also exhibits worm-like properties, replicating itself without the need for the user to take any action. Wannacry takes advantage of “Eternalblue,” an NSA-developed exploit for a Windows vulnerability that was released in a batch alongside other tools in April by the Shadow Brokers. Eternalblue is capable of remotely accessing systems running Windows. The vulnerability was patched by Microsoft a month before the Shadow Brokers released the NSA tools. This raises the question of whether organizations like the ones affected by Wannacry are consistently applying their security patches.
The spread of the worm was stopped when security researcher MalwareTech registered a domain referenced by the self-replicating code. The domain address served as a kill switch that halts the proliferation of the malware. It helped slow down the spread of the worm; however, computers that had already been infected remain locked down. This might seem like a sigh of relief, yet according to security editor Dan Goodin, there is no way to know whether Eternalblue is the only way for Wannacry to distribute itself.
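The kill-switch lookup described above is itself a useful detection signal: a host that resolves that domain is almost certainly running the worm, whether or not the sinkhole answered. The following Python is an added example, not code from the original article; `KILL_SWITCH_DOMAIN` is a placeholder rather than the real domain, and the DNS log format and sample lines are constructed.

```python
"""Triage DNS query logs for hosts that looked up the kill-switch domain.

The worm queries the domain before it spreads or encrypts, so every host
that performs the lookup is a candidate for isolation and patching. The
response code is kept so a defender can see whether the sinkhole answered
(NOERROR) or the lookup failed (NXDOMAIN), in which case the kill switch
would not have stopped that host.
"""
import re
from collections import defaultdict

# Placeholder only; substitute the actual sinkholed kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed log format: "<timestamp> <client_ip> query <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    # Normalise the name: strip the trailing dot and ignore case.
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "rcode": rcode.upper()}


def find_kill_switch_queries(lines, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [(timestamp, rcode), ...]} for hosts that queried the domain."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qname"] == domain.lower():
            hits[rec["client"]].append((rec["ts"], rec["rcode"]))
    return dict(hits)


# Constructed sample log: two infected hosts, one benign lookup, one bad line.
SAMPLE_LOG = [
    "2017-05-12T10:01:02Z 10.0.0.7 query killswitch.example. NOERROR",
    "2017-05-12T10:01:05Z 10.0.0.9 query updates.example.com. NOERROR",
    "2017-05-12T10:02:11Z 10.0.0.7 query KILLSWITCH.EXAMPLE NXDOMAIN",
    "2017-05-12T10:03:00Z 10.0.0.12 query killswitch.example NOERROR",
    "this line is not a query record",
]

if __name__ == "__main__":
    for host, events in find_kill_switch_queries(SAMPLE_LOG).items():
        print(host, events)
```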