[German]A massive ransomware campaign started May 12, 2017, infected worldwide thousands of Windows systems. Hospitals, banks, companies are out of order, because their systems are affected and critical data are encrypted. Here a short overview, what is known so far.
I received an e-mail a few days ago containing a zip attachment claiming it contains a scanned bill. Well, the name given as sender was known to me – but I didn't expect a bill from this person. Inspecting the source code of the e-mail showed clearly, that it was a phishing attempt, so I deleted this mail. I don't know, whether it's related to the current ransomware campaign – currently I'm fighting with cold viruses causing a kind of 'shutdown' yesterday and probably also today.
WannaCry, WanaCrypt0r, Wanna Cryptor ….
The name of this ransomware isn't clear, I've seen several names given in the title above in articles. Malwarebytes has told me some first details about the ransomware campaign.
Two campaigns
The new ransomware has spread worldwide into Windows based networks and is causing critical infrastructures to shut down. According to Bleeping Computer, there has been two version of this ransomware.
- Version 1.0: This variant has been detected by Malwarebytes on February 10, 2017 – and Karsten Hahn, GData found a short campaign on March 25, 2017.
- Version 2.0: This variant has been detected at May 12, 2017 from MalwareHunter. This version is responsible for the massive infection during the last hours.
The reason, why this ransomware is spreading like a wild fire, seems to be clear. Security analysts from Malwarebytes told me:
There are strong circumstantial, that the ransomware is using known vulnerabilities [in Windows], to intrude networks and may be spread as a worm. The vulnerability has been part of the NSA hacking tools (code name „ETERNALBLUE") leaked by „The Shadow Brokers". The NSA tool enables the attackers remote access via an exploit to SMB & NBT protocols used in Windows systems. Malwarebytes users are protected against this exploit.
Within this blog post security analysts from MalwareBytes are discussing, how the worm will spread. The ransomware uses a vulnerability already patched by Microsoft at March 14, 2017 (MS17-010 Security Update for Microsoft Windows SMB Server (4013389)). It seems, that a lot of unpatched systems are out there (probable also some Windows XP and Windows Server 2003 systems).
It isn't clear yet, how the initial attack has been instrumented – maybe a spear phishing attack or a vulnerability in Microsoft's Windows systems has been used. Malwarebytes recommends to shut down old Windows XP systems and patches the other supported Windows computers. A good documentation of the history of this attack and more details may be found at talosintelligence.com.
Thousands of systems infected
Since a few hours thousands of Windows systems are infected with this ransomware. Victims sees the following message, after the files has been encrypted.
(Source: MalwareBytes)
Currently hospitals (NHS in Great Britain), telecommunication company Telefonica in Spain are heavily affected. There are other articles mentioning Spanish firms like KPMG, BBVA and Santander bank, the electricity provider Iberdrola and also Vodafone are affected. In Germany, the railway Bundesbahn is affected (see this tweet).
Just got to Frankfurt and took a picture of this… #Sbahn, you got a #Ransomware! pic.twitter.com/w0DODySL0p
— Marco Aguilar (@Avas_Marco) 12. Mai 2017
It seems that an unpatched Windows 7 is working there. Malwarebytes supposes also Russia, Ukraine and Taiwan are victims of this ransomware, as this tweet suggests.
36,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry) #ransomware so far. Russia, Ukraine, and Taiwan leading. This is huge. pic.twitter.com/EaZcaxPta4
— Jakub Kroustek (@JakubKroustek) 12. Mai 2017
The New York Times has published a map showing infections worldwide.
Check out this NYT post, they made a really cool time based map with my data https://t.co/K7lVjagq29
— MalwareTech (@MalwareTechBlog) 13. Mai 2017
Hat the campaing been stopped?
A person tweeting under @MalwareTechBlogs has found a 'kill switch' to shutdown the massive malware campaign. He registered a domain hard coded within the malware – this was the 'kill switch' the author of the malware has included.
Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?
— MalwareTech (@MalwareTechBlog) 12. Mai 2017
I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) 13. Mai 2017
British The Guadian has an article with more details. It helps, until a new variant of this ransomware will be released. And the kill switch doesn't help, if the files on an infected system encrypted.
Microsoft patches Windows XP, Windows Server 2003, Windows 8
Microsoft has released patches for Windows XP, Windows Server 2003 and Windows 8 to stop WannaCrypt (and similar) infections. Further details may be found within MSRC-Blog. (via)
Final thoughts
This ransomware campaign shows, how weak the critical infrastructure we are using, is. I just remember the show, Microsoft's management presented on BUILD 2017. Cloud, Cloud, Cloud everywhere – and we all shall be heading to big data, Internet of Things and big brother. Also the 'sirens' are trying to lure companies to total networking, called Industry 4.0. I'm not confident that the current attack is the last one – and I fear, the damaged will be stronger in future.
Just a last thought: It's time now, to claim IT manager the responsible for the decision they made. It's negligently to use Windows within critical infrastructure projects like hospitals or railway information systems.