75,000 computers, 99 countries, 28 languages, 1 massive attack

Print Friendly, PDF & Email

It's been a hectic day in the world.  99 countries were hammered with a ransomware attack against industries of all kinds.  Over 75,000 machines were infected as of this afternoon

What's going on?

A relatively young piece of ransomware called WanaCrypt0r has been spreading rapidly since this morning.  A variant of WanaCrypt0r, named WeCry, was originally discovered in February of this year .

What makes this piece of ransomware so prolific today is that it is packaged as part of an exploit tool called ETERNALBLUE that leverages a known vulnerability in Windows that was patched in March as part of Windows Updates.  This was an SMB vulnerability (MS17-010), which allowed malicious code to travel from system to system.  Older Windows systems that are no longer supported would not have received a patch, and many supported systems were simply not updated.  Delays caused by compatibility testing and limited resources often leave systems unpatched and at risk.

The exploit is delivered via email attachment.  Once the exploit is detonated, the worm will spread the ransomware through RDP sessions and the SMB vulnerability referenced above.  The worm does the work of spreading the ransomware to as many systems as possible, as fast as possible.  The ransomware encrypts the target files and presents the ransom note to the victim.  This MalwareBytes thread has a detailed analysis of the code and the executable.

The attackers are charging up to $600 in bitcoin for the decryptor.

The exploit tool ETERNALBLUE was made public in the April 2017 Shadow Brokers leak.  This leak included hacking tools and exploits that the Shadow Brokers claim to have to have stolen from NSA.   As of this writing, the attacker[s] responsible for the attack remain unknown, and a ‘kill switch' has been triggered which prevents new infections from this variant.  

What's next?

Multiple layers of Barracuda Advanced Threat Protection were detecting these executables early on, and Barracuda customers with an active Energize Updates subscription are protected from this exploit. 

Jonathan Tanner, Barracuda Software Engineer and security blogger, offers this advice on defending ourselves from these attacks:

What did we learn?

A multi-layer security solution and a data protection strategy are critical components of cybersecurity, but it's never been more important to help your colleagues and company leadership understand the risk of cyberattack.  This understanding, combined with ongoing training and awareness initiatives, will help your users protect themselves. 

 

For information on how we can help protect your organization from this type of attack, visit the Barracuda ransomware solutions site at www.barracuda.com/ransomware

Click here for our on-demand webinar on how to keep healthcare networks safe from ransomware.

Scroll to top
Tweet
Share
Share