WannaCry Update: More Details about the Ransomware Attack

It has been ten days since the WannaCry ransomware attack was unleashed. It has infected nearly 300,000 devices in 150 countries. During that time, many large organizations—including hospitals, banks, and telecom companies—were brought to a halt when their data was encrypted. The yet-to-be identified attackers had received just under $110,000 in ransom at the time this article was published. Despite the initial chaos, details have emerged about how the attack happened, who may be behind it, and other malicious attacks using comparable techniques.

WannaCry: What We Know So Far

It is now believed that Windows 7 users were the hardest hit by WannaCry, which counters initial reports that stated Windows XP users were the most widely affected. In fact, the version of Windows 7 that suffered the brunt of the attack is the x64 Edition, an operating system widely deployed by large organizations. It is unclear whether enterprises are less likely to stay up-to-date with their security patches, or if there are other explanations for the nature of this vulnerability.

Another rumor states that most systems became infected following the distribution of spam emails. However, it has been proven more recently that the malware began by scanning the internet for devices with open Server Message Block (SMB) ports. It then used a modified version of the security exploit “EternalBlue”, an exploit initially developed by the National Security Agency, to install WannaCry on vulnerable machines. Once installed, WannaCry propagated across networks, infecting connected devices, and encrypting more and more user data as it grew.

Who is Behind the WannaCry Attack?

EternalBlue was initially developed by the NSA, only to be leaked by the hacker group known as The Shadow Brokers, along with a number of other weaponized software exploits on April 14, 2017. The connection between The Shadow Brokers and the group that created WannaCry remains unclear.

Cybersecurity company Kaspersky Lab has pointed out similarities between the code used for WannaCry, and code that was used for attacks carried out by hackers known as the Lazarus Group. The Lazarus Group, which has ties to North Korea, is believed to have carried out the cyberattack against Sony Pictures in 2014, as well as a bank heist in Bangladesh in 2016. North Korea is denying involvement in those attacks, as well as WannaCry.

Shared code between an early, Feb 2017 Wannacry cryptor and a Lazarus group backdoor from 2015 found by @neelmehta from Google. pic.twitter.com/hmRhCSusbR

— Costin Raiu (@craiu) May 15, 2017

New Malware on the Prowl

All of the recent attention on WannaCry has brought to light new threats that are doing damage via the same security exploits that were originally developed by the NSA. One in particular, “EternalRocks”, is malware that makes use of seven of the weaponized exploits The Shadow Brokers have leaked, which is five more than WannaCry used.

Another malware, “Adylkuzz”, has also been spreading using similar security exploits as WannaCry. Although it hasn’t received the same amount of attention that WannaCry generated, it is thought to have been at work longer, and to have done even more damage in the time since its release. Similar to WannaCry’s reliance on the cryptocurrency Bitcoin, Adylkuzz profits from its use of a digital currency called Monero.

Trust the Experts

In March 2017, Microsoft announced the security patch that prevents the SMB vulnerability enabling the latest wave of attacks. At that time, NetWize made sure its customers were protected by implementing the requisite security update. We are also available for consultation regarding user best practices for optimal security. We always make sure our customers are protected with up-to-date anti-virus protection, and a reliable data backup and disaster recovery process. Ask us about Sophos Intercept-X, and its capabilities for protecting against any type of ransomeware attack.

If you have any questions or concerns regarding recent malware attacks, or cybersecurity in general, please call NetWize at (801) 747-3200, option 1.

WannaCry Ransomware: Learn More About the Attack

A new ransomware attack is infecting hundreds of thousands of devices all over the globe. Starting May 12, the ongoing attack uses malicious software called “WannaCry” (also “WannaCrypt” or “Wanna Decryptor”), which locks users out of their computers, and then demands a ransom for restoring the encrypted files. Ransom demands range from $300 to $600, and are to be paid via bitcoin to one of three designated wallets. It is currently unclear whether the unidentified attackers have unlocked files for the users that have made a ransom payment. As of the morning of May 16, ransom payments had reached over $70,000. In 2013, a comparable ransomeware called CryptoWalker was posted to the internet. The attack pulled in an estimated $30 million in its first 100 days.

The the likelihood that the particular vulnerability enabling the spread of WannaCry will affect customers of NetWize is very low. Thanks to the commitment of our engineers to ensuring our customers’ safety, we made the security patch needed to protect against WannaCry shortly after Microsoft’s recommendation. We also offer advice for best practices that reduce a user’s vulnerability. In addition, we always make sure our customers’ antivirus is up-to-date, and that a reliable data backup and disaster recovery process is in place.

[vimeo 217574866 w=640 h=360]

To learn more about the outbreak as it unfolds, check out Wikipedia, and technical support website Bleeping Computer.

As always, if you have any concerns regarding this recent ransomware attack, please call NetWize at (801) 747-3200, option 1.