“WannaCry” Ransomware Outbreak & Carnage

On May 12th 2017 we witnessed the first global outbreak of the “WannaCry” ransomware variant.
What we can say is… if you didn’t know what ransomware is, YOU DO NOW.

This particular attack was very different from past variants like PETYA, ZEPTO, JIGSAW, etc., as it took global networks by storm!

Although WannaCry was still active over the first few days, most of the propagation had subsided thanks to a malware researcher who accidentally triggered a “kill switch” that prevented the ransomware from spreading further.
That being said, WannaCry rapidly spread across 200+ countries and infected more than 200,000 machines!
In Japan, Trend Micro is reporting 16,436 machines infected, third behind Mexico and Taiwan.

How did this happen so fast?

Most ransomware we are familiar with originally arrives in the form of a phishing email with an attachment that looks legitimate.
The unsuspecting user clicks on the attachment, which infects the host machine and everything it can see on the network.
However, there is no evidence of a phishing email in the case of WannaCry.
WannaCry has a worm component that searches the internet for vulnerable machines (NO CLICKING REQUIRED) – YIKES!!
So the first machines hit with the ransomware were unprotected on the internet, and the vulnerability was exploited directly.

This ransomware variant targets unpatched Windows machines using an exploit originally developed by the NSA (later stolen and released by the hacker group Shadow Brokers).
Most importantly, the security updates were released on March 14th 2017, but not for Windows XP or Windows Server 2003.
That was 60 days after the exploit was in the wild!!

This left thousands of unpatched XP and 2003 machines completely vulnerable to attack (not to mention the pirated copies of Windows that can’t receive updates).
That’s why we saw lots of POS machines and legacy devices hit so hard.

  • In an unprecedented move, Microsoft issued a special patch for Windows XP/Server 2003 in the midst of this attack.

There are still many unanswered questions in the aftermath of this attack, but we do know the hackers have collected about $75,000 in payments from it. Also, there is no evidence that anyone who paid the ransom actually received a decryption key.
This means that even if you paid the $300 ransom, you still can’t access your files!!

Globally, big names like Hitachi, JR East, FedEx, British NHS, Renault, Telefonica and thousands more were victims of this attack.

This was the first ransomware attack of its kind at this scale, and we expect more to come!
More and more companies will want to learn how best to avoid becoming a victim of future ransomware attacks.

Lessons learned here: patch your machines and make sure you have good backups!