Ransomware is infecting businesses across the globe, from healthcare to telecommunications. And the malware is spreading via a known exploit that was leaked and patched months ago.
Updated 5/15/17: Just as we guessed it, Monday is here and companies are beginning to realize that they too are infected with WannaCrypt 2.0 ransomware. News sites are even calling it "WannaCry" now. Whether that was intentional or not, who knows. But it might be a fitting name due to the heartache it will be causing companies this week.
Some other companies that are being infected now include FedEx and Telfonica from Spain.
There is some good news coming out of this, however. Our white hat pals, or security researchers, have been working around the clock to thwart the ransomware.
I'll share this excerpt from Bleeping Computer since they explain it well:
"The kill switch works because the WannaCry ransomware pings a hard coded domain (the kill switch) before the encryption process starts. If the domain is not registered, the encryption goes on as planned, but if the domain is registered, the encryption process stops."
Also important to note is that if your files are encrypted by this ransomware, the price to release your files has gone up. There are also companies claiming to have services to decrypt WannaCrypt 2.0's encryption. These are scams, so you should tread lightly. Security experts have yet come up with a way to decrypt files.
It started early Friday. Ransomware that was making its mark on 16 healthcare companies in the UK, is not only an issue of data security, but is proving to cause life or death situations for patients that need to be moved to other facilities due to systems being down. But it doesn't end with the UK hospitals and clinics.
Details are scarce on how the malware is infecting businesses across the globe, but we definitely haven't seen a ransomware attack of this scale and magnitude. What's astonishing is how this ransomware is spreading like wildfire. This isn't a run of the mill DDoS that causes havoc from time to time, this is a mass scale ransomware attack.
Something like this is incredibly significant, we've not seen P2P spreading on PC via exploits at this scale in nearly a decade.
— MalwareTech (@MalwareTechBlog) May 12, 2017
The first healthcare facilities to cry for help were part of the UK's National Health Service (NHS), but other hospitals and clinics are affected as well. It's safe to say that this isn't a direct attack on NHS and healthcare anymore. News is trickling out that businesses in Europe, Russia, and Asia are being infected as well.
This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said. “At this stage we do not have any evidence that patient data has been accessed.”
Other countries being affected by the malware that comes from the NSA's hacking toolkit called WanaCrypt0r 2.0.
Fresh IDR based heatmap for WanaCrypt0r 2.0 ransomware (WCry/WannaCry).
— MalwareHunterTeam (@malwrhunterteam) May 12, 2017
Also follow @MalwareTechBlog's tracker: https://t.co/mjFwsT3JzH pic.twitter.com/SPeZfBpckm
Patch Your Systems Now!
The problem with this type of attack isn't that it was leaked by ShadowBrokers and said to be part of the NSA's arsenal of cyber weapons. It's the fact that this was leaked over 2 months ago and there have been updates available for some time to patch the security holes this malware exploits.
I spoke with Stephen Rogacki who is an IT Manager at Universal Health Services (UHS) and he wasn't surprised.
"The reality of the world we live in today, Windows Server patching isn't just about keeping your systems up to date, it's about keeping them and the data that lives on them secure," explains Steve.
"We're good, we patch bi-monthly. We actually have a patch event coming up next weekend."
As Steve suggests, the issue stems from not patching systems on a regular basis or using old verions of operating systems, like XP. Honestly, there is no reason that any business should be using Windows XP in 2017. If you are then it may be too late.
It still makes sense that you spend some time patching this vulnerability, called MS17-010, and Microsoft has released emergency updates for XP as well.
Leave a Reply
Your email address will not be published. Required fields are marked *