Worldwide Ransomware Attack Using Stolen NSA Tools
A worldwide ransomware campaign using a stolen NSA hacking tool is currently underway, consisting of more than 200,000 attacks in 150 countries, including the crippling of Britain’s main healthcare system, Spain’s Telefonica and Russia’s MegaFon, according to global media reports and Kaspersky Lab.
The attackers are demanding $300 in bitcoin currency to unlock encrypted files.
Perhaps the most significant target thus far has been Britain’s National Health Service (NHS), the country’s publicly funded healthcare system.
“Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world,” Kaspersky Lab said in its Securelist blog. “In these attacks, data is encrypted with the extension ‘.WCRY’ added to the filenames.”
“Our analysis indicates the attack, dubbed ‘WannaCry,’ is initiated through an SMBv2 remote code execution in Microsoft Windows,” the piece continues. “This exploit (codenamed ‘EternalBlue’) has been made available on the Internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.”
Unfortunately, Kaspersky points out, many organizations have not yet installed the Microsoft patch, which shipped in security bulletin MS17-010 on March 14, 2017, a month before the exploit was published.
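The check an administrator wants at this point is whether a given Windows host has the MS17-010 fix and whether it still exposes SMBv1. The script below is an added example, not code from the article or from Kaspersky Lab. The KB numbers are the ones Microsoft listed in the MS17-010 bulletin and the Windows 10 build numbers are the builds that bulletin shipped; both are assumptions to verify against the bulletin for your edition, and later cumulative updates supersede the listed KBs, so on Windows 10 the build check, not the KB list, is the reliable signal.

```powershell
# Added example (not from the article): report MS17-010 patch status and SMBv1 exposure
# on the local host. Run in an elevated PowerShell session.

# KB IDs as listed in Microsoft bulletin MS17-010 (March 14, 2017) - assumption, verify per edition.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598',                # XP / Server 2003 / Vista / Server 2008 (out-of-band release)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

# Windows 10 / Server 2016 builds that include the fix (from the same bulletin - assumption).
$PatchedWin10Builds = @{ 10240 = 17319; 10586 = 839; 14393 = 953 }

function Test-Ms17010Installed {
    # 1. Direct KB check via Win32_QuickFixEngineering (Get-HotFix).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($hit) { return "patched (found $($hit -join ', '))" }

    # 2. Windows 10: the KB is superseded by later cumulative updates, so compare the
    #    build and UBR (update build revision) recorded in the registry instead.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$nt.CurrentBuild
    if ($PatchedWin10Builds.ContainsKey($build)) {
        $ubr = [int]$nt.UBR
        if ($ubr -ge $PatchedWin10Builds[$build]) {
            return "patched (build $build.$ubr meets or exceeds $build.$($PatchedWin10Builds[$build]))"
        }
        return "NOT patched (build $build.$ubr is below $build.$($PatchedWin10Builds[$build]))"
    }
    return 'NOT patched (no MS17-010 KB found and build not in the Windows 10 table)'
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMB1 is on unless LanmanServer\Parameters\SMB1 is 0.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $p) -or ($p.SMB1 -ne 0)
}

$patchStatus = Test-Ms17010Installed
$smb1On      = Test-Smb1Enabled

Write-Host "MS17-010 : $patchStatus"
Write-Host "SMBv1    : $(if ($smb1On) { 'ENABLED - exposed to EternalBlue-style exploitation' } else { 'disabled' })"

if ($smb1On) {
    Write-Host 'Remediation: install the MS17-010 update, then disable SMBv1:'
    Write-Host '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # Win8/2012+'
    Write-Host '  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 0  # Win7/2008R2, then reboot'
    Write-Host '  and block TCP 445 from untrusted networks at the perimeter.'
}
```

Disabling SMBv1 is a mitigation, not a substitute for the patch: the exploit targets the SMB server service, so a host that still accepts SMBv1 on TCP 445 from an untrusted network remains reachable until the update is installed.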
Shadowbrokers is the group that, beginning in the summer of 2016, has been leaking hacking tools attributed to the U.S. National Security Agency (NSA), including several zero-day exploits; how the group obtained them has not been established.
Cybersecurity experts differ on particular assumptions about the attack, but all agree the campaign appears massive and possibly unprecedented in scope.
“So far it’s not yet clear when exactly the infected machines were compromised, but quite probably it’s a very recent large-scale phishing attack targeting hospitals with ransomware,” Ilia Kolochenko, CEO of web security firm High-Tech Bridge, said in a statement. “But we cannot exclude a well-thought-out attack, planned and prepared for months, which continuously infected more and more NHS victims, preparing to demand ransom at once and cause panic.”
“Without further technical investigation – it’s impossible to say who is behind the attack, but it can be virtually anyone – from a small group of Black Hats seeking profit, to a state-sponsored hacking group,” the statement continued. “In any case – this incident clearly demonstrates how our everyday life depends on technology and how vulnerable we are.”
Finding the perpetrators will rely on the hope that the hackers made a technical mistake while preparing the attack, Kolochenko said.
“Otherwise, such an attack can be technically un-investigable,” the statement said. “IT companies maintaining hospital networks can also be found negligent or at least careless, as usually a properly maintained and duly updated system is immune to the vast majority of ransomware.”
It’s frustrating that attacks like this continue to victimize unprepared systems, said Ron Culler, CTO of managed security services provider Secure Designs Inc.
“Microsoft released a patch for the vulnerability in March, so those systems should have been patched,” he said. “Also, as with almost all of these types of infections, if you don’t click on it, you don’t get infected.”
“It starts with a solid and enforced policy, training, and patch management,” Culler went on. “When one or all of these are either not in place or enforced, you end up leaving the doors open to these types of attacks.”
The real story, he said, would emerge in the coming days and weeks, following thorough analysis of what happened.
“I just hope they (the victims) have a good backup of those systems,” Culler said. “My guess is probably not, considering they were not patched.”
Send tips and news to MSPmentorNews@Penton.com.