Massive Ransomware Attack Hits Several Computers in 99 Countries

By | May 13, 2017

Security researchers found that a ransomware called “WannaCry” or “Wanna Decryptor” spreads from machine to machine silently and remains invisible to users until it reveals itself. It then warns users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay an anonymous party using the cryptocurrency Bitcoin.

A massive cyber-attack using tools believed to have been developed by the US National Security Agency has struck organisations around the world. Computers in 99 countries at thousands of locations have been locked by a programme that demands $300 (£230) in Bitcoin.

In April hackers known as The Shadow Brokers claimed to have stolen the tools and released them online. Microsoft released a patch for the vulnerability in March, but many systems may not have been updated.

Microsoft said on Friday its engineers had added detection and protection against WannaCrypt. The company was providing assistance to customers.

Spreading Channel

Like all ransomware, WannaCry also spreads through Word documents, PDFs and other files normally sent via email.

The malware is delivered as a Trojan through a loaded hyperlink that can be accidentally opened by a victim through an email, an advert on a webpage or a Dropbox link. Once it has been activated, the program spreads through the computer and locks all the files with the same encryption used for instant messages.

Once the files have been encrypted, it deletes the originals and delivers a ransom note in the form of a readme file. The malware also modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect. Both of these actions require administrative privileges.

How big is the attack?

There have been reports of infections in 99 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan.

Cyber-security firm Avast said it had seen 75,000 cases of the ransomware – known as WannaCry and variants of that name – around the world.

“This is huge,” said Jakub Kroustek at Avast.

Many researchers say the incidents appear to be linked, but say it may not be a coordinated attack on specific targets.

Meanwhile wallets for the digital cryptocurrency Bitcoin that were seemingly associated with the ransomware were reported to have started filling up with cash.

Some experts say the attack may have been built to exploit a weakness in Microsoft systems that was identified by the NSA and given the name EternalBlue.

The NSA tools were then stolen by a group of hackers known as The Shadow Brokers, who then attempted to sell the encrypted cache in an online auction.

Who has been affected?

The UK’s National Health Service (NHS) has been hit and screenshots of the WannaCry program were shared by NHS staff.

Hospitals and doctors’ surgeries were forced to turn away patients and cancel appointments. One NHS worker told the BBC that patients would “almost certainly suffer” as a result.

Some reports said Russia had seen more infections than any other single country. Russia’s interior ministry said it had “localised the virus” following an “attack on personal computers using Windows operating system”.

Mitigation

Researchers found that the WannaCry attack is based on an attack developed by the NSA, codenamed ETERNALBLUE. Once a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – and threatens to destroy the information if it doesn’t get paid.

The following mitigations help avoid this kind of attack:
1. Back up your data.
2. Use updated antivirus software.
3. Install the latest Windows patches. (MS17-010 is the patch for the ETERNALBLUE vulnerability.)
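As an added example (not part of the original article), the PowerShell below checks a Windows host for step 3: whether the MS17-010 update is present and whether the SMBv1 server protocol that ETERNALBLUE targets is still enabled. The KB numbers are assumptions for Windows 7 / Server 2008 R2 and the out-of-band update for older systems; confirm the list for your builds against the MS17-010 bulletin.

```powershell
# Added example, not from the article. Run elevated on the host being checked.
# KB IDs below are an assumption (Windows 7 / Server 2008 R2 and the legacy
# out-of-band update); extend the list from the MS17-010 bulletin as needed.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Patch {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists installed updates by HotFixID (e.g. KB4012212).
    # Caveat: on Windows 10 a later cumulative update supersedes MS17-010, so
    # "not found" on those builds does not by itself prove the host is exposed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched    = ($found.Count -gt 0)
        MatchedKBs = ($found -join ',')
    }
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Older hosts: SMB1 DWORD under LanmanServer\Parameters; absent means
    # the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

$patch = Test-Ms17010Patch
$smb1  = Test-Smb1Enabled

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    MS17010Patched = $patch.Patched
    MatchedKBs     = $patch.MatchedKBs
    SMB1Enabled    = $smb1
    AtRisk         = (-not $patch.Patched) -and $smb1
} | Format-List
```

A host reported with AtRisk = True should get the MS17-010 update applied first; on Windows 8 / Server 2012 and later, SMBv1 can then be turned off with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force if nothing on the network still depends on it.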
