WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor or similar) is a ransomware program targeting Microsoft Windows. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting over 230,000 computers in 150 countries, demanding ransom payments in bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale. The attack affected Telefónica, FedEx, Deutsche Bahn, and the UK’s National Health Service (NHS), among other corporate and governmental entities.
On 12 May 2017, WannaCry began affecting computers worldwide. The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. When executed, the malware first checks the “kill switch” website. If it is not found, then the ransomware encrypts the computer’s hard disk drive, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and “laterally” to computers on the same Local Area Network (LAN). As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of $300 in bitcoin within three days.
According to IBM XForce “research shows that this is ransomware being distributed through a phishing attack (PDF File) and then infecting the victim network through an auto-propagating worm utilizing an SMB exploit
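The spreading behaviour described above (SMB connection attempts to random Internet hosts and to LAN neighbours) shows up in flow logs as one source reaching many distinct hosts on TCP port 445 in a short time. The detector below is an added example, not part of the original article; the log format, the 60-second window, the threshold of 10 hosts and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

SMB_PORT = 445        # TCP port SMB listens on
# Assumption: "same LAN" means RFC 1918 space; tune to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """Parse 'epoch_seconds src_ip dst_ip dst_port' lines (constructed format)."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((int(ts), src, dst, int(port)) for ts, src, dst, port in rows)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def smb_fanout_alerts(flows, window=60, limit=10):
    """Flag sources contacting more than `limit` distinct hosts on TCP 445
    within `window` seconds (both thresholds are assumed tuning values)."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] <= ts - window:   # expire entries older than the window
            q.popleft()
        dsts = {d for _, d in q}
        if len(dsts) > max(limit, alerts.get(src, {}).get("peak", 0)):
            internal = sum(is_internal(d) for d in dsts)
            alerts[src] = {"peak": len(dsts), "internal": internal,
                           "external": len(dsts) - internal}
    return alerts

def sample_flows():
    """Constructed flow log: one scanning host and one ordinary SMB client."""
    lines = [f"{1000 + i} 10.0.0.23 10.0.0.{100 + i} 445" for i in range(1, 9)]
    lines += [f"{1010 + i} 10.0.0.23 203.0.113.{i * 7} 445" for i in range(1, 7)]
    lines += [f"{1000 + i * 3} 10.0.0.50 10.0.0.5 445" for i in range(20)]
    lines.append("1005 10.0.0.50 198.51.100.9 443")   # non-SMB, ignored
    return "\n".join(lines)

if __name__ == "__main__":
    for src, info in smb_fanout_alerts(parse_flows(sample_flows())).items():
        print(src, info)
```

A workstation that repeatedly talks to one file server never trips the rule, while a host sweeping both internal and external addresses is reported with the split between the two.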
Wanna Cry ransomware cyber attack: 104 countries hit, India among worst affected, US NSA attracts criticism
The Wanna Cry ransomware attack – one of the largest ever cyber attacks – appeared to be slowing around 24 hours after it wreaked havoc and shut down tens of thousands of computer systems across 104 countries.
India was among the countries worst affected by the Wanna Cry attack, data shared by Kaspersky, a Russian anti-virus company, showed. According to initial calculations performed soon after the malware struck on Friday night, around five per cent of all computers affected in the attack were in India.
Mikko Hypponen, chief research officer at a Helsinki-based cyber security company called F-Secure, told news agency AFP that it was the biggest ransomware outbreak in history and estimated that 130,000 systems in more than 100 countries had been affected.
US INTELLIGENCE CRITICISED
Wanna Cry, researchers say, uses an exploit first developed by the United States National Security Agency. The exploit, called EternalBlue, was first made public last month after a group of hackers called Shadow Brokers released data and hacking tools purportedly belonging to the NSA.
The affected countries are shown on the MalwareTech interactive map.
Affected Operating Systems
The operating systems below are affected; the details are in Microsoft Security Bulletin MS17-010.
- Windows XP
- Microsoft Windows Vista SP2
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows 10
- Windows Server 2008 SP2 and R2 SP1
- Windows Server 2012 and R2
- Windows Server 2016
- Ensure clients are patched for MS17-010. (Microsoft Security Bulletin MS17-010 was released on March 14, 2017, and marked “Critical”.)
- Disable SMB on Windows (More information can be found on Microsoft Support and The Deprecation of SMB1 – You should be planning to get rid of this old SMB dialect.)