
Exclusive viewpoint: Self-propagating ransomware hits U.K. & 90+ other countries

16 May 2017

The reports came swiftly on Friday morning, May 12 – the first I saw were that dozens of hospitals in England were affected by ransomware, denying physicians access to patient medical records and causing surgery and other treatments to be delayed.

Said the BBC,

The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down "one by one".

NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.

Throughout the day other, mainly European, countries reported infections.

Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit.

The infections spread quickly, reportedly hitting as many as 100 countries, with Russian systems apparently affected more than others. What was going on? The details came out quickly: this was a relatively unknown ransomware variant, dubbed WannaCry or WCry; WCry had been ‘discovered’ by hackers who stole information from the U.S. National Security Agency (NSA); affected machines were Windows desktops, notebooks and servers that were not up to date on security patches.

Most alarming, WCry did not spread across networks in the usual way, through people clicking on email attachments; rather, once one Windows system on a network was infected, WCry propagated itself to other unpatched Windows machines without any human interaction. The industry term for this type of super-vigorous ransomware: ransomworm.

Ransomworms spread quickly

Knowing this was a ransomworm, rather than a normal ransomware, I turned to one of the experts on malware that can spread across Windows networks, Roi Abutbul. A former cybersecurity researcher with the Israeli Air Force’s famous OFEK Unit, he is founder and CEO of Javelin Networks, a security company that uses artificial intelligence to fight against malware.

Abutbul told me, “The WannaCry/WCry ransomware—the largest ransomware infection in history—is a next-gen ransomware. As opposed to the regular ransomware that encrypts just the local machine it lands on, this type spreads throughout the organization’s network from within, without having users open an email or malicious attachment. This is why they call it ransomworm.”

He continued, “This ransomworm moves laterally inside the network and encrypts every PC and server including the organisation backup.”

The good news is that Javelin’s software was able to prevent the spread of WCry on its customers’ computers, right out of the gate, explained Abutbul. “Javelin’s solution is specifically designed to automatically detect, respond, and contain such spreading in a corporate network in real time. This ransomworm specifically used Microsoft SMB vulnerability MS17-010 to spread internally (the same vulnerability the NSA utilized for a couple of years and was recently exposed via the January NSA tools leak).”

It’s important to emphasise that this is not a hack created by the NSA. Rather, it’s a Windows vulnerability that the NSA knew about, and which was disclosed in January 2017. Microsoft, like other vendors whose vulnerabilities were in the NSA data dump, moved quickly to fix the defect. The problem is that not all customers installed the patch. Microsoft Security Bulletin MS17-010, published on March 14, 2017, describes:

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

The bulletin goes on to say,

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

Affected Windows systems include Windows Vista, Windows Server 2008, Windows 7, Windows 8.x, Windows Server 2012, Windows 10 and Windows Server 2016.

Safe for now, but maybe not for long

The good news is that WCry burned quickly and burned out: within a couple of days it was no longer a serious threat, although we will hear for weeks about infected systems, because some organisations will be slow to install the patches in Microsoft’s security update.

The bad news is that other ransomworms like this are probably out there. Roi Abutbul warned me, “This time, the attackers used an unpatched rare vulnerability, but there are many other ways to move laterally and spread inside the network. Javelin specifically focuses on the malicious lateral movement in its early phases and has the ability to stop every spread attempt regardless of methodology and help the organisation recover automatically.”

The best advice: First, keep up to date on Windows patches. Too many organisations, particularly those in the public sector or with limited IT resources, like hospitals, defer the installation of patches. Second, use tools like those offered by Javelin Networks to protect the network against known and unknown malware and attacks. If you’re not patching, and if you’re not using tools like this, there is zero doubt: you are vulnerable.
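As an added example, not part of the original article or of Microsoft’s or Javelin’s tooling, the following PowerShell audit checks the two exposures the article describes on a single Windows host: whether the SMBv1 server protocol is still enabled, and whether any Windows update has been installed since MS17-010 was published on March 14, 2017. It assumes Windows 8.1 / Server 2012 R2 or later (where the SMB cmdlets exist) and an elevated session; the per-OS KB number for MS17-010 is not in the article, so the script deliberately does not hard-code one.

```powershell
# Added example: audit one host for the WannaCry/MS17-010 exposure described above.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, run as Administrator.
function Test-Ms17010Exposure {
    # Date of Microsoft Security Bulletin MS17-010 (from the article).
    $bulletinDate = Get-Date '2017-03-14'

    # Check 1: is the SMBv1 server protocol (the protocol MS17-010 fixes) still on?
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Check 2: newest installed update. This only tells you whether *any* update
    # postdates the bulletin; it cannot prove the specific MS17-010 fix is present,
    # because the KB number differs per Windows version (not listed in the article).
    $latest = Get-HotFix |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1
    $patchedSinceBulletin = ($null -ne $latest) -and ($latest.InstalledOn -ge $bulletinDate)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1ServerEnabled     = $smb1Enabled
        LatestHotFix          = if ($latest) { $latest.HotFixID } else { $null }
        LatestHotFixInstalled = if ($latest) { $latest.InstalledOn } else { $null }
        PatchedSinceMs17010   = $patchedSinceBulletin
        # Exposed if SMBv1 is listening and nothing newer than the bulletin is installed.
        LikelyExposed         = $smb1Enabled -and -not $patchedSinceBulletin
    }
}

function Disable-Smb1Server {
    # Remediation: turn the SMBv1 server protocol off. Legacy devices that only
    # speak SMBv1 (old printers, NAS) will lose access, so test before fleet-wide use.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Usage: report the result; fix only when the host is exposed and the operator agrees.
$result = Test-Ms17010Exposure
$result | Format-List
if ($result.LikelyExposed) {
    Write-Warning "$($result.ComputerName): SMBv1 enabled and no update since MS17-010. Patch, then run Disable-Smb1Server."
}
```

Run the audit across a fleet with `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Test-Ms17010Exposure}` to find the unpatched machines a ransomworm would reach first.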

Article by Alan Zeichick, principal analyst with Camden Associates.
