For now, the malware, also sometimes referred to as WannaCrypt, appears to have been stopped but computer users are not yet out of the woods, according to one security expert.
The attacks appeared to have started in the United Kingdom and Spain. From there the WannaCry software rapidly spread globally. It prevented users from accessing their own data, and they were told to pay a ransom in Bitcoin to get it back.
“This event should serve as a global wake-up call – the means of delivery and the delivered effect is unprecedented,” said Rich Barger, director of cyber research for San Francisco-based software company Splunk. “While Spain and Russia look to be hit the hardest, other countries including Italy, Portugal, Ukraine and Pakistan look to be affected as well… Initial reports that this malware is propagating on its own – for those who remember the early 2000s, this is a worm – malware that infects a machine and then looks for other vulnerable hosts on the same network or randomly scans and looks for other vulnerable hosts to infect.”
For instance, he said, numerous IT systems in businesses across England were shut down last Friday, and hospitals were turning away ambulances because staff were not confident they could take care of patients. The ransomware worm also disrupted operations in factories, schools, and stores.
In Canada, officials of Lakeridge Health in Oshawa, one of the largest community hospitals in Ontario, said they believe their computer system was attacked by WannaCry. However, the hospital’s IT team was able to thwart the attack and reset the system without any damage to patient and hospital records.
How ‘accidental heroes’ blocked WannaCry
The spread of WannaCry was brought to a halt on Sunday when security researchers from Proofpoint and the MalwareTech blog “inadvertently activated a kill switch” in the malware, according to the California-based security company.
One of the accidental heroes was Darien Huss from Proofpoint’s U.S. operations. The other was a researcher who identifies himself as MalwareTech in the UK.
The kill switch was built into the malware in case the creator wanted to stop it spreading. The termination signal involved a very long nonsensical domain name that the malware makes a request to just as if it was looking up any Web site. If the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.
“The recent WannaCry ransomware attack, that has hit 99+ countries, would have been much larger had it not been for the early actions of both a UK cybersecurity researcher who blogs for Malwaretech and two Proofpoint researchers,” wrote Ryan Kalember, senior vice-president of cybersecurity strategy, Proofpoint, in his blog.
By sinkholing the domain, the researchers stopped WannaCry from spreading further.
But Kalember warns this is not the end of WannaCry.
“We believe it was just a matter of time for an attack like this to occur because this Microsoft exploit was tailor made for malware that spread within an organization’s network—and ransomware is so profitable for cybercriminals,” he said.
Proofpoint’s research indicates new ransomware variants have appeared every 2-3 days for the last 18 months. In Q1 2017, over four times as many new ransomware variants hit the market versus Q1 2016.
How you can protect your organization
Splunk said initial reports describe WannaCry as a self-propagating variant of malicious ransomware.
“At this time, it appears as if the malware is leveraging Server Message Block (SMB) exploits of which Microsoft issued a critical patch (MS17-010) for on March 14,” Barger said. “Once infected the malware encrypts the local contents of the host (using AES and RSA), denying the user access to their data until a ransom is paid.”
Barger recommends the following steps to mitigate the attack:
- Organizations should consider compartmentalizing and self-containing until they can report 100 per cent patching compliance.
- Consider disabling or blocking the SMB v1 service.
- Consider monitoring for and/or mitigating scan behavior on TCP/445, externally and internally.
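The third recommendation, watching for scan behaviour on TCP/445, is the one that catches a worm like this before patching is complete: an infected host reaches out to many distinct peers on port 445 in a short time, which normal file-share use does not. The following script is an added example (not Splunk's, Proofpoint's, or the article's code) that applies a sliding-window fan-out check over connection log lines; the log format (`timestamp src_ip dst_ip dst_port`), the hosts, and the threshold of ten distinct peers in sixty seconds are assumptions chosen for illustration, and the log itself is constructed inline.

```python
"""Flag hosts whose TCP/445 connection fan-out looks like SMB worm scanning.

Added example; the log format, addresses and thresholds are assumptions
made for illustration, and the sample log is constructed below.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Construct a small connection log: one worm-like host, two benign ones."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Worm-like behaviour: 15 distinct peers on 445 within 15 seconds.
    for i in range(1, 16):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.1.20 10.0.1.{i} 445")
    # Normal workstation: the same file server on 445, five times over 5 minutes.
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 10.0.1.30 10.0.1.5 445")
    # Unrelated web traffic, not on 445, should be ignored entirely.
    lines.append(f"{base.isoformat()} 10.0.1.40 10.0.1.6 80")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()  # constructed sample data


def parse_line(line):
    """Parse one 'timestamp src dst port' record (assumed log format)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(log_text, port=445, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: peak_distinct_peers} for every source that contacted at
    least `threshold` distinct destinations on `port` inside any `window`."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # time order is required for the sliding window
        peak = 0
        left = 0
        for right in range(len(evs)):
            # Advance the left edge until the window spans at most `window`.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            # Distinct peers matter, not raw connection count: repeated
            # connections to one file server are normal, fan-out is not.
            distinct = len({d for _, d in evs[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, peers in find_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanning from {host}: {peers} distinct peers on 445")
```

Counting distinct destinations rather than connection attempts is the point of the design: a workstation that opens a file share ten times generates ten connections to one peer, while a worm generates connections to ten different peers, so the distinct-peer count separates the two where a plain rate limit would not. In production the same logic belongs in the SIEM (Splunk, in Barger's case) over firewall or NetFlow data, with the threshold tuned against a baseline of the organization's own east-west SMB traffic.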
NSA links and stockpiling of vulnerabilities
“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States,” Brad Smith, president and chief legal officer of Microsoft, wrote in a blog on Sunday. “That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers.”
Smith said WannaCrypt should be seen as a “wake-up call” for governments to alter their current approach to cyber weapons.
“…this attack provides yet another example of why stockpiling of vulnerabilities by the government is such a problem,” he said. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
He said exploits held by governments are bound to leak into the public domain and create widespread damage. Smith equated such a threat to the potential scenario of the “U.S. military having some of its Tomahawk missiles stolen.”
Microsoft, on Friday, issued a call for the creation of what it called a new “Digital Geneva Convention” that would govern the issue of hoarding vulnerabilities and require governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.