Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide

msm1267 quotes a report from Threatpost: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent Shadow Brokers dump. Researchers said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA. Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they've recorded more than 45,000 infections so far on their sensors, and expect that number to climb. Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other business throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems. An anonymous Slashdot reader adds: Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, making victims all over the world in huge numbers. The ransomware's name is Wana Decrypt0r, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or WCry. The ransomware is using the ETERNALBLUE exploit, which uses a vulnerability in the SMBv1 protocol to infect vulnerable computers left exposed online. Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it. Until now, the ransomware has laid waste to many Spanish companies, healthcare organizations in the UK, Chinese universities, and Russian government agencies. According to security researchers, the scale of this ransomware outbreak is massive and never-before-seen.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted.

What boggles my mind

[guruevi]

Is that there are still 45k Windows machine that are directly connected to the Internet.

Any Windows machine I manage (mostly very specific medical software and medical machines) are either VM (and thus behind a firewall and any service proxied to a BSD or Linux host) or airgapped.

National Insecurity Agency

[TiggertheMad]

The NSA (and other ABC agencies that are undoubtedly running the same game plan) are doing what they are tasked with, finding ways to protect America and America's interests. Using hacking as a tool to this end is (relatively) new in the old game pf spycraft, so there are going to be a few epic disasters like this before the black ops people start to figure out all the types of blow back they can experience. The US was really big on foreign covert action in the 50's, and it took the bay of pigs to make people realize that there were ways that things could go horribly wrong. That didn't stop covert action from being used, but I think it was employed more carefully afterwards. Having all their shiny hacking toys stolen and having this happen is the hacking version of the 'Bay of Pigs'.

Also, while the NSA seems to have compiled a formidable array of exploits and tools to compromise enemy systems, that doesn't mean that everyone else isn't playing the exact same game. The only difference between the NSA and EVERY other state intelligence agency on the planet is that they seem to be able to properly secure their black ops toys. Being one of the largest agencies of this sort, there are going to be a lot of people in the know. And the more people involved, the harder it is to keep a secret.

Mind you, that doesn't make this any less tragic or regrettable. I sort of hope the CIA decides that it is in the US interest to find and vanish anyone connected with this ransomware to make an example of them. Alas, that sort of thing only happens in implausible Hollywood scripts.

Re:It hit the NHS hard

They may remain unpatched because of a fear that the patch could cause serious errors in the same systems. Most large organizations don't immediately apply patches throughout their infrastructure. They test the patches extensively before deciding to deploy them. In many cases there are laws and regulations in place that say systems have to be certified before they are deployed. Getting the certification for a patched systems, even when the unpatched system is certified, can be a huge and expensive task which may involve hiring specialized firms to run extensive tests.

Some organizations are just negligent and risk problems by not patching while others are super vigilant and risk different problems by delaying patches.

Re:It hit the NHS hard

Due to microsoft's continuous fuckery with win10, telemetry, updates which break shit and now rolled up updates which makes vetting them(*) an order of magnitude harder and more time consuming the last time my win 7 install was updated was sept 2016 and even that was a due to more fuckery by microsoft.
I left my machine set to 'check for updates but don't install' yet it suddenly flips to install updates automatically after several years without any warning or change by myself - suspicious eh? Since then i have the service stopped and set to never check.

I can't blame ANYBODY for not having a fully patched machine when microsoft tries to make it as painful an experience as possible.

(*) due to a series of botched kernel updates they released a few years ago i ALWAYS wait at least 1 week after patch release then google every single KB before installing to ensure it isn't going to be an issue

That is not how it infects

[dbIII]

Certainly they should have blocked SMB shares from the internet.

That's not how it it gets on a network, even a large one like that. Somebody gets tricked into installing the malware from an email attachment or link via a vunerablity in IE or MS Office (Outlook not so good) and then it spreads across a local network via a weakness in an SMB implementation. Multiple levels of "fail" but not at the firewall, and not a lot that Microsoft's customers can do about it especially in a tight budget situation with IT as a very low priority.

Your suggestion (while a good one that would have already been done since it's so obvious) would not have helped.