Last Friday, May 12, a rapidly moving global ransomware attack unfolded, primarily affecting Europe and Asia but eventually making its way to the U.S. and South America. The ransomware strain was known variously as WannaCrypt, WanaDecrypt or Wanna.Cry. Once a system was infected, the ransomware encrypted its files and demanded a ransom of $300 in bitcoin to decrypt them and return control of the machine. Estimates suggest that over 100,000 systems were rapidly infected worldwide. The variants hit the UK’s National Hospital System hard, greatly affecting operations at 16 hospitals whose computer systems were targeted.
The ransomware samples were all variants of WannaDecryptor, a threat that began two weeks ago by exploiting a Microsoft SMB vulnerability that had been patched in March. The ransomware particularly damaged unpatched systems and those running unsupported operating systems such as Microsoft XP and other out-of-support versions, such as Windows 8. Microsoft made an exception and quickly released a patch (MS17-010) for XP and Windows 8 because of the significant impact and spread of this ransomware variant.
The spread was halted when a UK-based researcher, known only as “MalwareTech”, realized the code contained a kill-switch: the ransomware looked up a specific, nonsensically long domain name on the internet and, once it found that domain, deactivated itself. MalwareTech registered the domain name, which appears to have activated the kill-switch and halted the spread of the malware, for now. This weakness suggests that the ransomware creator was either careless in the programming or purposely embedded the kill-switch, or worse yet, was sending a message about how easy it is to cripple so many systems, perhaps testing for something far more sinister. Regardless, systems infected before the kill-switch was activated remain infected by the ransomware. There are developing reports of newer variants of WannaDecryptor in the wild that either have a kill-switch using different domains or no kill-switch at all. Promptly patching systems is essential to prevent future infections.
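As an added example (not part of the original article), the following Python script shows how a defender can turn the kill-switch behaviour described above into a detection: a host whose DNS resolver logs show a lookup of the kill-switch domain has very likely already executed the malware and should be isolated and patched, regardless of whether the domain now resolves. The watch-list entry, the resolver log format and the sample log lines are all constructed placeholders; the real kill-switch domain is not given in this article and must come from published indicators. The script also generalizes slightly beyond the text by flagging any unusually long single DNS label, a loose heuristic for the “nonsensically long” name the article describes.

```python
import re
from collections import defaultdict

# Constructed watch-list of kill-switch domains. The real WannaCry domain is not
# given in the article, so a labelled placeholder stands in; in practice this
# set would be populated from published indicators or a threat-intel feed.
KILL_SWITCH_DOMAINS = {
    "example-killswitch-placeholder.invalid",
}

# Heuristic for the "nonsensically long" hostname the article describes:
# flag any single alphanumeric DNS label at least this many characters long.
LONG_LABEL_THRESHOLD = 30

# Assumed (hypothetical) resolver log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def parse_line(line):
    """Return (client_ip, normalised qname) for a well-formed log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Normalise: drop a trailing root dot and lower-case, so matching is exact.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("client"), qname


def classify_query(qname):
    """Return the reason a query is suspicious, or None if it looks benign."""
    if qname in KILL_SWITCH_DOMAINS:
        return "watchlist"
    labels = qname.split(".")
    if any(len(label) >= LONG_LABEL_THRESHOLD and label.isalnum() for label in labels):
        return "long-label"
    return None


def scan_dns_log(lines):
    """Map each client that issued a suspicious query to a list of (reason, qname)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        client, qname = parsed
        reason = classify_query(qname)
        if reason:
            hits[client].append((reason, qname))
    return dict(hits)


# Constructed sample resolver log, not real traffic.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.0.15 query www.example.com
2017-05-12T10:01:05Z 10.0.0.23 query example-killswitch-placeholder.invalid.
2017-05-12T10:01:09Z 10.0.0.23 query update.example.org
2017-05-12T10:02:11Z 10.0.0.41 query qwertyuiopasdfghjklzxcvbnmqwertyuiop.example
this line is malformed and should be skipped
"""

if __name__ == "__main__":
    # Prints one line per suspicious query: client, reason, queried name.
    for client, findings in sorted(scan_dns_log(SAMPLE_LOG.splitlines()).items()):
        for reason, qname in findings:
            print(f"{client}\t{reason}\t{qname}")
```

A watch-list hit is high confidence and should drive isolation and patching of that host; the long-label heuristic is only a triage aid, since legitimate CDN and cloud hostnames also use long labels, so tune the threshold against your own resolver logs before alerting on it.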
To protect yourself, consider and implement the following best practices: