WanaCry Ransomware Attack
May 16, 2017 | POSTED BY COREY BOLGER IN SECURITY, MALWARE, WINDOWS, MICROSOFT, PATCH MANAGEMENT
On Friday, a ransomware attack known as WanaCry or WanaCrypt made waves as it spread rapidly around the globe. The attack was first detected in the UK, where it hit vulnerable healthcare networks, but it quickly spread to many other countries. Although healthcare networks were among the first infected, the malware does not appear to target them specifically; it simply attacks and infects as many reachable machines as it can find. Numerous large and small organizations have been affected, including the Spanish telecom company Telefonica, the Russian Interior Ministry, FedEx, and the French car maker Renault, among many others.
While the attack does not seem to focus on any single industry, companies that still operate legacy operating systems such as Windows XP and Windows Server 2003 should use extreme caution in the coming weeks. As of Monday morning, Avast claimed it had detected the attack on over 200,000 machines in 112 countries, and those numbers continue to rise. The original malware, WanaCrypt0r, was released in February of this year and has since evolved into the attacks we are seeing today.
What makes WanaCry unique is its two-part payload. Typical ransomware is spread through phishing campaigns, and while WanaCry is being distributed this way, it also uses an exploit for the SMB vulnerability tracked as MS17-010 to infect any unpatched Windows device it can reach. Microsoft issued a critical security patch for MS17-010 back in March, but that patch did not apply to Windows XP, Windows Server 2003, or Windows 8. Microsoft has since released patches for each of these systems as well.
The exploit was initially leaked online by the hacking group known as the Shadow Brokers, and is thought to be one of the tools lost by the NSA. WanaCry uses the Tor network to connect back to its Command and Control server, so blocking access to the Tor network can help companies mitigate some of the risk posed by WanaCry. Additionally, companies that do not rely on SMBv1 should disable it to prevent the malware from spreading automatically across the network. The implications of this attack are far-reaching. Attacks that were previously reserved for nation-states can now be carried out by individuals with little to no hacking skills. Because of this, companies must be more diligent than ever when it comes to cybersecurity.
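The two host-level mitigations above (confirm the MS17-010 patch is installed, and disable SMBv1 where it is not needed) can be checked and applied from PowerShell. The script below is an added example written for this page, not code from the original post or from Microsoft. It assumes an elevated session on Windows 7 / Server 2008 R2 or later; the `-Ms17010Kbs` list is a placeholder that an operator fills in with the KB article IDs Microsoft lists for the host's OS version, since the post does not name them.

```powershell
# Added example (not from the original post): audit a Windows host for the MS17-010
# patch and for SMBv1 exposure, and optionally disable SMBv1 server and client.
# Run from an elevated PowerShell session. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # PLACEHOLDER: replace with the KB IDs Microsoft lists under MS17-010 for this OS.
    [string[]]$Ms17010Kbs = @('KB_PLACEHOLDER'),
    # Without -Disable the script only reports; with it, SMBv1 is turned off.
    [switch]$Disable
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patch {
    param([string[]]$Kbs)
    # Get-HotFix reads the same data as "Installed Updates". If none of the listed
    # KBs is present, the host is still exposed to the SMB flaw the post describes.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $found = @($Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); MatchedKb = ($found -join ',') }
}

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare
    # module. Older hosts only have the registry value, which is absent (and
    # therefore SMBv1 is enabled) by default.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value -or $value -ne 0)
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMBv1 server protocol')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Registry method for Windows 7 / Server 2008 R2 (no SmbShare module).
            New-ItemProperty -Path $regPath -Name SMB1 -Value 0 -PropertyType DWORD -Force |
                Out-Null
        }
    }
}

function Disable-Smb1Client {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # The SMBv1 client driver (mrxsmb10) is disabled separately. The workstation
    # service must first be re-pointed at the SMB2 driver so it still starts.
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Disable SMBv1 client driver')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

# --- report, then optionally remediate ---
$patch = Test-Ms17010Patch -Kbs $Ms17010Kbs
$smb1  = Get-Smb1ServerEnabled
Write-Host ("MS17-010 patch present : {0} {1}" -f $patch.Patched, $patch.MatchedKb)
Write-Host ("SMBv1 server enabled   : {0}" -f $smb1)

if ($Disable -and $smb1) {
    Disable-Smb1Server
    Disable-Smb1Client
    Write-Host "SMBv1 disabled; reboot for the client-side change to take effect."
} elseif ($smb1) {
    Write-Host "Host still accepts SMBv1 sessions; re-run with -Disable to turn it off."
}
```

Run it once without `-Disable` to get an inventory line per host (for example through a management tool that fans the script out to a fleet), then with `-Disable -WhatIf` to preview the changes before applying them. Disabling SMBv1 stops the worm-style spread the post describes only for hosts that no longer need the protocol; hosts that must keep it (legacy file servers, old printers) still need the MS17-010 patch as their primary defense.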