Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide (threatpost.com)

Posted by BeauHD on from the never-before-seen dept.

msm1267 quotes a report from Threatpost: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent Shadow Brokers dump. Researchers said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA. Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they've recorded more than 45,000 infections so far on their sensors, and expect that number to climb. Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other business throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems. An anonymous Slashdot reader adds: Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, making victims all over the world in huge numbers. The ransomware's name is Wana Decrypt0r, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or WCry. The ransomware is using the ETERNALBLUE exploit, which uses a vulnerability in the SMBv1 protocol to infect vulnerable computers left exposed online. Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it. Until now, the ransomware has laid waste to many Spanish companies, healthcare organizations in the UK, Chinese universities, and Russian government agencies. According to security researchers, the scale of this ransomware outbreak is massive and never-before-seen.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted.

6 of 197 comments (clear)

  1. Say "thanks" to your "security"-agency... by ffkom · · Score: 5, Insightful

    who chose to weaponize security holes rather than having them fixed for some actual security.

    1. Re:Say "thanks" to your "security"-agency... by Anonymous Coward · · Score: 5, Insightful

      No. Say thanks to Micro$oft for making people extremely gunshy after their concerted efforts to force Windows 10 down everyone's throats.

      It's bad enough to worry that an update to a bad driver will brick your machine without the problem of waking up to find Windows 10 on your machine.

      I'm sure there's enough blame to go around here, but don't forget that the update paranoia around Windows OS's was brought to you by none other than Micro$oft themselves.

    2. Re:Say "thanks" to your "security"-agency... by dbIII · · Score: 5, Insightful

      But this isn't a zero-day. "Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it."

      Since there were so many people that turned off updates to avoid getting MS Windows 10 unasked I don't think blaming the victims is a useful approach.

  2. Obscurity is not security. by Gravis+Zero · · Score: 5, Insightful

    I've said it before but it bears repeating.

    When you create an exploit, you create a weapon but when you submit a fix, you make that weapon ineffective. So now instead of having the world's best armor, we have an absurd cache of weapons and those weapons have been stolen. The moral isn't to protect your weapons better, it's that you should be making better armor.

    --
    Anons need not reply. Questions end with a question mark.
  3. It hit the NHS hard by Anonymous Coward · · Score: 5, Interesting

    I'm a doctor in the NHS. It hit my hospital hard. The bosses triggered the MAJAX protocols meaning everyone off work was called to come in and help. Computers are used for everything, so blood tests, admissions, scan requests, referrals, all had to be done by hand. The public were asked to keep away from A+E because hundreds of people were waiting. It was terrifying how little failsafe infrastructure there was. The hospital just stopped working.

    1. Re:It hit the NHS hard by Anonymous Coward · · Score: 5, Informative

      They may remain unpatched because of a fear that the patch could cause serious errors in the same systems. Most large organizations don't immediately apply patches throughout their infrastructure. They test the patches extensively before deciding to deploy them. In many cases there are laws and regulations in place that say systems have to be certified before they are deployed. Getting the certification for a patched systems, even when the unpatched system is certified, can be a huge and expensive task which may involve hiring specialized firms to run extensive tests.

      Some organizations are just negligent and risk problems by not patching while others are super vigilant and risk different problems by delaying patches.