Ransomware going viral?

A NEW STRAIN of ransomware has spread quickly all over the world, causing crises in National Health Service hospitals and facilities around England, and gaining particular traction in Spain, where it has hobbled the large telecom company Telefonica, the natural gas company Gas Natural, and the electrical company Iberdrola. You know how people always talk about the Big One? As far as ransomware attacks go, this looks a whole lot like it.

The ransomware strain WannaCry (also known as WanaCrypt0r and WCry) that caused Friday’s barrage appears to be a new variant of a type that first appeared in late March. This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries so far today as of publication time. Its reach extends beyond the UK and Spain, into Russia, Taiwan, France, Japan, and dozens more countries.

One reason WannaCry has proven so vicious? It seems to leverage a Windows vulnerability known as EternalBlue that allegedly originated with the NSA. The exploit was dumped into the wild last month in a trove of alleged NSA tools by the Shadow Brokers hacking group. Microsoft released a patch for the exploit, known as MS17-010, in March, but clearly many organizations haven’t caught up.

“The spread is immense,” says Adam Kujawa, the director of malware intelligence at Malwarebytes, which discovered the original version of WannaCry. “I’ve never seen anything before like this. This is nuts.”
A Bad Batch
Ransomware works by infecting a computer, locking users out of the system (usually by encrypting the data on the hard drive), and then holding the decryption or other release key ransom until the victim pays a fee, usually in bitcoin. In this case, the NHS experienced hobbled computer and phone systems, system failures, and widespread confusion after hospital computers started showing a ransom message demanding $300 worth of bitcoin.

As a result of Friday’s infection, hospitals, doctors’ offices, and other health care institutions in London and Northern England have had to cancel non-urgent services and revert to backup procedures. Multiple emergency rooms around England spread word that patients should avoid coming in if possible. The situation doesn’t appear to have resulted in any unauthorized access to patient data so far.

In England, the National Health Service said that it is rushing to investigate and mitigate the attack, and UK news outlets reported that hospital personnel have been instructed to do things like shut down computers and larger IT network services. Other victims, like Telefonica in Spain, are taking similar precautions, telling employees to shut down infected computers while they wait for instructions about mitigation.

Hospitals make for popular ransomware victims because they have an urgent need to restore service for their patients. They may therefore be more likely to pay criminals to reinstate systems. They also often make for relatively easy targets.

“In healthcare and other sectors we tend to be very slow to address these vulnerabilities,” says Lee Kim, the director of privacy and security at the Healthcare Information and Management Systems Society. “But whoever is behind this is clearly extremely serious.”

WannaCry didn’t go after NHS alone, though. “This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said in a statement. “Our focus is on supporting organizations to manage the incident swiftly and decisively.”

In some ways, that makes things worse. WannaCry’s not just coming for hospitals; it’s coming for whatever it can. Which means this’ll get worse—a lot worse—before it gets better.

Wide Range
The NHS portion of the attack has rightly been drawing the most focus, because it puts human lives at risk. But WannaCry could continue to expand its range indefinitely, because it exploits at least one vulnerability that has persisted unprotected on many systems two months after Microsoft released a patch. Adoption is likely better on consumer devices, so Malwarebytes’ Kujawa says that WannaCry is mostly a concern for business infrastructure.

The creators of WannaCry seem to have developed it with broad, long-term reach in mind. In addition to the Windows server vulnerability from Shadow Brokers, MalwareHunter, a researcher with the MalwareHunterTeam analysis group who discovered the second generation of WannaCry, says that “probably there are more” vulnerabilities the ransomware can take advantage of as well. The software can also run in 27 languages—the type of development investment an attacker wouldn’t make if he were simply trying to target one hospital or bank. Or even one country.

ATMs, train stations, and other infrastructure things are being hit hard in Europe and Asia.