Massive ransomware campaign spreading around the world like wildfire

11:07 AM

Organizations around the world have been hit with the Wana Decrypt0r (aka WannaCry) ransomware, in what appears to be the largest ransomware delivery campaign to date.


By many accounts, the success of the campaign is due to the attackers leveraging EternalBlue, an exploit capable of compromising unpatched machines running Windows XP through Windows Server 2008 R2 by exploiting vulnerabilities in the Microsoft Windows SMBv1 server.

Microsoft patched the vulnerabilities in March, but it typically takes organizations a long time to roll patches out to all of their systems, and unpatched machines remain exposed in the meantime.

The EternalBlue exploit was leaked by the Shadow Brokers in April, along with other Windows exploits supposedly stolen from the Equation Group (i.e. the NSA), and it didn't take long for criminals to start using it.

The victims

Among the victim organizations are:

The number keeps rising, showing just how many organizations are not keeping up with patching.

Judging by some of the Bitcoin addresses associated with the attack, some victims are starting to pay the requested ransom.

“The ransomware infection that is spreading throughout the United Kingdom, and the world, is version 2.0 of WanaCypt0r (aka WCry, WannaCry, and WannaCryptor). Recorded Future saw the first appearance of this ransomware on March 31st, but the version that is rapidly spreading has made some significant changes,” noted Allan Liska, Senior Solutions Architect at Recorded Future.

“Specifically, the new version takes advantage of the SMB vulnerability outlined in Microsoft Security Bulletin (MS17-010), also known as the EternalBlue exploit. The worm-like capabilities are the new feature added to this ransomware.”

“The attacks that have taken place do not appear to be targeted attacks, instead they appear to be part of a phishing campaign, though that has not been fully confirmed. Infections of the new version of WanaCypt0r started in Spain earlier today, but have since spread to the United Kingdom, Russia, Japan, Taiwan, the United States and many more,” he noted.

“Given the relative ineffectiveness of the first version of WanaCypt0r, it is likely the author did not expect this type of success from the new campaign, which could cause problems for any organisation that attempts to pay the ransom. For now, the best advice is to ensure that all Windows systems are fully patched, to ensure that firewalls are blocking access to SMB and RDP ports, and to educate users to watch out for suspicious emails.”
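As an added example (not code from the article or from Recorded Future), the following PowerShell routine puts the patch-independent part of that advice into practice on a single Windows host: it reports whether the SMBv1 server, the protocol EternalBlue targets, is still enabled, disables it, and adds Windows Firewall rules blocking inbound TCP 445 (SMB) and TCP 3389 (RDP). The firewall rule names are made up for this example, and cmdlet availability depends on the Windows version as noted in the comments; applying MS17-010 itself is still required.

```powershell
# Added example: host-level hardening against SMBv1 exploitation (EternalBlue / WannaCry).
# Run in an elevated PowerShell session. The Smb* and *-NetFirewallRule cmdlets exist on
# Windows 8 / Server 2012 and later; the registry fallback covers Windows 7 / Server 2008 R2.

# 1. Report the current SMBv1 server state.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server enabled: $smb1Enabled"

# 2. Turn the SMBv1 server off. This takes effect immediately without a reboot.
if ($smb1Enabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server disabled via Set-SmbServerConfiguration"
}

# On Windows 7 / Server 2008 R2, where Set-SmbServerConfiguration is not available, Microsoft's
# documented equivalent is the LanmanServer SMB1 registry value (reboot required):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#       -Name SMB1 -Type DWORD -Value 0 -Force

# 3. Remove the SMB1 optional feature entirely so it cannot be re-enabled by accident
#    (Windows 8.1 / 10; on Windows Server use Get-WindowsFeature FS-SMB1 instead). Reboot required.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol feature removal scheduled; reboot to complete"
}

# 4. Block inbound SMB and RDP with Windows Firewall. Rule names are example values.
#    -RemoteAddress Any blocks everything; on a file server or a host that must accept RDP,
#    narrow the scope (e.g. -RemoteAddress LocalSubnet) or enforce this at the perimeter instead.
$blockRules = @(
    @{ Name = 'Example - Block inbound SMB 445';  Port = 445  },
    @{ Name = 'Example - Block inbound RDP 3389'; Port = 3389 }
)
foreach ($rule in $blockRules) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -RemoteAddress Any -Action Block -Profile Any | Out-Null
        Write-Host "Created firewall rule: $($rule.Name)"
    }
}

# 5. Show what is still listening on 445, so the result can be checked against expectations.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The script is idempotent: re-running it reports the current state and only creates rules that do not already exist. Disabling SMBv1 breaks access to legacy devices that speak only SMBv1 (older NAS units and printers), so inventory those first; the firewall rules should be treated as an emergency measure until patching is complete rather than a replacement for MS17-010.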


from Help Net Security http://ift.tt/2pGeFBq
