On May 12, an extremely powerful ransomware strain called WCry 2.0 (nicknamed “WannaCry”) struck over 90 countries and infected at least 100,000 machines worldwide. The attack primarily focused on Russia, Ukraine and Taiwan, but also affected many targets globally, including UK hospitals, Spanish telecommunications companies, German railroad station terminal computers and FedEx. It spread much more quickly than normal ransomware by using a Windows networking flaw, exploited by the NSA tool called ETERNALBLUE that the Shadow Brokers leaked.
Our CTO Corey Nachreiner predicted that in 2017 we would see the first “ransomworm,” a variant of ransomware that spreads on its own using network worm techniques. This attack certainly seems to fit that profile. Corey spoke with Seattle technology news site GeekWire about the attack and a public patch that Microsoft issued on May 13 for older versions of Windows to fix the vulnerability that WCry 2.0 exploits. You can reach that article here: https://www.geekwire.com/2017/microsoft-issues-highly-unusual-ransomware-patch-xp-old-windows-versions/.
Corey went into more detail about the ransomware attack and how you can defend against it in a guest post on GeekWire. An excerpt and some main points from that article are below, and you can read the full article on GeekWire.
While it’s still unknown who the original attackers are at this point, the techniques used suggest that this was actually a normal criminal ransomware campaign. I don’t believe these attackers are specifically targeting the NHS or telcos. Rather, it’s a criminal malware campaign that seems to be especially effective, likely due to its use of the leaked NSA flaw.
Corey’s advice for defending against WCry 2.0 and similar ransomware:
- Patch systems quickly – Microsoft fixed the vulnerability that ETERNALBLUE exploits in March, so anyone who patched their systems between that date and WCry’s release is safe.
- Avoid using outdated software if possible – Some of the hospitals infected with WCry 2.0 still used Windows XP, which Microsoft does not patch or support. If businesses can’t get rid of outdated software, they should be aware that they will need to do more to protect it.
- Plan for a disaster, ransomware included – Back up your data!
- Invest in advanced malware protection and layered defenses – Signature-based antivirus does not protect against new threats like WCry, and malware authors often repackage malware so it will evade these detection methods.
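The first two points above (patch quickly, know where unsupported systems remain) are the ones an administrator can actually check for on a host. The script below is an added example, not code from the Secplicity post or from WatchGuard: a read-only audit that reports whether the OS is still supported, whether SMBv1 (the networking service ETERNALBLUE abuses) is still switched on, and whether a required hotfix is installed. It assumes PowerShell 5.1 on Windows 8.1/Server 2012 R2 or later run from an elevated prompt (Get-SmbServerConfiguration does not exist on XP or Server 2003, which is part of why those hosts need separate handling), and the KB number is a placeholder that the admin replaces with the article number Microsoft lists for the March fix on that OS build.

```powershell
# Added example (not from the original post). Read-only host audit for the
# three defensive points above: supported OS, SMBv1 state, patch presence.
# ASSUMPTIONS: PowerShell 5.1, Windows 8.1 / Server 2012 R2 or newer, elevated.
param(
    # PLACEHOLDER: replace with the KB number(s) of the March 2017 fix for this OS.
    [string[]] $RequiredHotfixes = @('KB0000000')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Operating system support check. Version 5.x is XP / Server 2003, which
#    Microsoft no longer supported when WCry 2.0 spread.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$majorVersion = [int]($os.Version.Split('.')[0])
if ($majorVersion -lt 6) {
    $findings.Add("OS '$($os.Caption)' is out of support; isolate it and plan replacement.")
}

# 2. SMBv1 server-side state. Disabling it removes the protocol the worm
#    component uses to reach other hosts, independent of patch status.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add("SMBv1 is enabled; disable with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force")
}

# 3. Hotfix presence. Get-HotFix lists installed updates by KB id.
$installedIds = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredHotfixes) {
    if ($installedIds -notcontains $kb) {
        $findings.Add("Required update $kb is not installed.")
    }
}

# 4. Exposure: is the SMB port actually listening on this host?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $findings.Add("TCP/445 is listening; confirm the host firewall limits it to trusted subnets.")
}

# Report. A non-zero exit code lets the script feed a scheduled compliance job.
if ($findings.Count -eq 0) {
    Write-Output "No findings on $($env:COMPUTERNAME)."
    exit 0
}
Write-Output "Findings on $($env:COMPUTERNAME):"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it per host (or push it through your management tooling) and collect the exit codes; a host that fails check 1 cannot be fixed by patching at all and belongs on the "do more to protect it" list from the second bullet, while checks 2 and 3 are the layered controls that cover each other if one slips.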
Watch more of WatchGuard’s coverage of WCry 2.0 here, dig into the technical details of the malware on Talos and read Corey’s full 2017 security predictions, including ones about ransomworms and the consequences of nation-states hoarding vulnerabilities, here on Secplicity.
Leif Carlsson says
It seems Microsoft DID patch XP because of this threat but maybe too late (and XP machines probably weren’t looking for an update either since M$ supposedly stopped providing updates for XP long ago).