On Friday news outlets began reporting that hospitals across the UK were forced to shut down and turn away patients after being hit by a Ransomware attack and that Spanish telco Telefónica, natural gas company Gas Natural, and the electrical company Iberdrola and a number of other business and government organizations were also affected.
The initial infections took place around 07:24 UTC. It spread via worm functionality using MS17-010.
The Ransomware is known as WannaCry or WCry. It has been in the wild previously but Friday’s outbreak was Version 2.0 of the malware. It behaves similar to other Ransomware families – encrypting users files and demanding a ransom in Bitcoin (BTC). The ransom amount is currently $300-$600 worth of BTC.
In the hours that followed, there were widespread reports that other high profile organizations were hit including the Russian Interior Ministry, FedEx, the Russian Police, one of the largest cellphone operators in Russia (MegaFon), and the Frankfurt S-Bahn.
After obtaining and investigating some samples of the malware and corroborating what other researchers have reported, we have determined that this version of the WannaCry Ransomware is using the recently patched and rated ‘Critical’ MS17-010 vulnerability in order to spread by sending “specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
A worm is a type of malware that auto-propagates over a network. This can include internal networks as well as over the Internet. When a machine is infected, it begins scanning local and external networks looking for additional machines to infect. One situation that was reported was remote users bringing an infected machine into an office or similar internal network which in turn infected much or all of the internal network.
By using the MS17-010 vulnerability for auto-propagation, this places WannCry 2.0 as the first Ransomware worm. This vulnerability was made public in the recent Shadow Brokers leak of supposed NSA hacking tools on April 14, 2017, and is code named “EternalBlue.” The vulnerability was patched by Microsoft on March 14th of this year.
Since the attack primarily propagates as a worm, machines running Windows that haven’t been patched with updates from Microsoft are vulnerable, even without an end user clicking on a link in an email. Therefore the best protection against this attack is to ensure that all Windows systems are patched with the latest updates, or to turn the machines off.
Whilst a kill switch was discovered by researchers (the worm would stop propagating once the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered), it is paramount that users ensure all unpatched Windows systems are patched and that port 445 is blocked by a firewall, as the original attackers or new attackers will very likely update the code and start again.
Here are some useful links to what others are saying about the attack:
Point form summary of the attack:
Infection map of the attack:
NOTE: An earlier version of this post contained the suggestion that WannaCry may have been initially spread by spam email. This was based on the best information we had at the time, but further research has failed to confirm this.