WannaCry ransomware attack: Difference between revisions

From Wikipedia, the free encyclopedia
→‎Reactions: not notable
kill switch and XP and 2003 have been patched now
Line 51: Line 51:


WannaCry is believed to use the [[EternalBlue]] [[Exploit (computer security)|exploit]], which was allegedly developed by the U.S. [[National Security Agency]] to attack computers running [[Microsoft Windows]] operating systems.<ref name=":0" /><ref>{{Cite web|url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html|title=Massive ransomware attack hits 74 countries|last=Larson|first=Selena|date=12 May 2017|website=CNNMoney|access-date=12 May 2017}}</ref> Although a patch to remove the underlying vulnerability had been issued on 14 March 2017,<ref name="microsoft.com"/> delays in applying security updates left some users and organisations vulnerable.<ref>{{cite web|url=https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/|title=WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain|first1=12 May 2017 at|last1=15:58|first2=John Leyden|last2=tweet_btn()|website=theregister.co.uk|accessdate=12 May 2017}}</ref>
WannaCry is believed to use the [[EternalBlue]] [[Exploit (computer security)|exploit]], which was allegedly developed by the U.S. [[National Security Agency]] to attack computers running [[Microsoft Windows]] operating systems.<ref name=":0" /><ref>{{Cite web|url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html|title=Massive ransomware attack hits 74 countries|last=Larson|first=Selena|date=12 May 2017|website=CNNMoney|access-date=12 May 2017}}</ref> Although a patch to remove the underlying vulnerability had been issued on 14 March 2017,<ref name="microsoft.com"/> delays in applying security updates left some users and organisations vulnerable.<ref>{{cite web|url=https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/|title=WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain|first1=12 May 2017 at|last1=15:58|first2=John Leyden|last2=tweet_btn()|website=theregister.co.uk|accessdate=12 May 2017}}</ref>

Microsoft has taken the unusual step of releasing patches for Windows XP and 2003. A [[kill switch]] has been found in the code, which prevents new infections has been activated by researchers, but different versions of the attack may be released and systems require patching.


== Background ==
== Background ==
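
Review bot: The second added sentence does not parse as written ("A [[kill switch]] has been found in the code, which prevents new infections has been activated by researchers"), and neither added sentence carries a <ref>, although every claim in the paragraph above it is cited. Suggest rewording to something like "A [[kill switch]] found in the code has been activated by researchers, which prevents new infections", writing "Windows Server 2003" in full instead of "2003", and attaching sources for the out-of-support patches and for the kill switch before this goes into the lead.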

Revision as of 15:43, 13 May 2017

WannaCry ransomware attack
Screenshot of the ransom note left on an infected system
Date: 12 May 2017 (ongoing)
Location: Worldwide
Type: Cyber attack
Theme: Ransomware encrypting hard disc with $300 demand
Participants: Unknown
Outcome: More than 230,000 computers infected[1]

WannaCry, also known as WannaCrypt[2] or WanaCrypt0r 2.0,[3] is a ransomware malware tool. In May 2017, a large cyber attack using it was launched, infecting over 230,000 computers in 99 countries, demanding ransom payments in 28 languages. The attack has been described by Europol as unprecedented in scale.[4]

The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain's National Health Service (NHS),[5] FedEx and Deutsche Bahn.[6][7][8] Other targets in at least 99 countries were also reported to have been attacked around the same time.[9][10] More than 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon have been reported as infected.[11]

WannaCry is believed to use the EternalBlue exploit, which was allegedly developed by the U.S. National Security Agency to attack computers running Microsoft Windows operating systems.[3][12] Although a patch to remove the underlying vulnerability had been issued on 14 March 2017,[13] delays in applying security updates left some users and organisations vulnerable.[14]

Microsoft has taken the unusual step of releasing patches for Windows XP and Windows Server 2003. A kill switch found in the code has been activated by researchers, which prevents new infections, but different versions of the attack may be released and systems still require patching.

Background

The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017,[15][16] along with other tools apparently leaked from Equation Group, which is believed to be part of the United States National Security Agency.[17][18]

EternalBlue exploits vulnerability MS17-010[13] in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft had released a "Critical" advisory, along with an update patch to plug the vulnerability a month before, on 14 March 2017.[13] This patch only fixed Windows Vista and later operating systems but not the older Windows XP.

On 12 May 2017, WannaCry began affecting computers worldwide.[19] After gaining access to the computers, the ransomware encrypts the computer's hard disk drive,[20][21] then attempts to exploit the SMB vulnerability to spread to random computers on the Internet,[22] and "laterally" between computers on the same LAN.[23]

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017[13] – almost exactly two months before. The patch was to the Server Message Block (SMB) protocol used by Windows.[24] Microsoft has also been advising people to stop using the old SMB1 protocol and use the newer, more secure SMB3 protocol instead.[25] Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.[24] Any organization still running the older Windows XP[26] was at particularly high risk because until 13 May,[2] no security patches had been released since April 2014.[27] Following the attack, Microsoft has released a security patch for Windows XP.[2]

Impact

The ransomware campaign was unprecedented in scale according to Europol.[4] The attack impacted many NHS hospitals in the UK.[28] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[6][29] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[26] Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe's most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[30][31]

List of affected companies and institutions

Response

Several hours after the initial release of the ransomware on 12 May 2017, a "kill switch" hardcoded into the malware allowed the initial infection to be halted,[33] though variants without the kill switch are expected to be created.[34]

On 13 May 2017, it was reported that Microsoft had taken the unusual step of providing a security update for Windows XP and Windows Server 2003, despite these versions being well past their support cycles, along with a patch for Windows 8.[2][35]

Reactions

  • British Prime Minister Theresa May said of the ransomware, "This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected."[36]
  • Microsoft has created security patches for its now unsupported versions of Windows including Windows XP, Windows 8 and Windows Server 2003.[37]

See also

References

  1. ^ Cameron, Dell. "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It". Retrieved 13 May 2017.
  2. ^ a b c d MSRC Team. "Customer Guidance for WannaCrypt attacks". Microsoft. Retrieved 13 May 2017.
  3. ^ a b Fox-Brewster, Thomas. "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes. Retrieved 12 May 2017.
  4. ^ a b "Cyber-attack: Europol says it was unprecedented in scale". BBC News. 13 May 2017. Retrieved 13 May 2017.
  5. ^ Marsh, Sarah (12 May 2017). "The NHS trusts hit by malware – full list". The Guardian. London. Retrieved 12 May 2017.
  6. ^ a b "NHS cyber-attack: GPs and hospitals hit by ransomware". BBC News. 12 May 2017. Retrieved 12 May 2017.
  7. ^ Hern, Alex; Gibbs, Samuel (12 May 2017). "What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?". The Guardian. London. ISSN 0261-3077. Retrieved 12 May 2017.
  8. ^ "Statement on reported NHS cyber attack". digital.nhs.uk. Retrieved 12 May 2017.
  9. ^ Cox, Joseph (12 May 2017). "A Massive Ransomware 'Explosion' Is Hitting Targets All Over the World". Motherboard. Retrieved 12 May 2017.
  10. ^ Larson, Selena (12 May 2017). "Massive ransomware attack hits 99 countries". CNN. Retrieved 12 May 2017.
  11. ^ "Ransomware virus plagues 75k computers across 99 countries". RT International. Retrieved 12 May 2017.
  12. ^ Larson, Selena (12 May 2017). "Massive ransomware attack hits 74 countries". CNNMoney. Retrieved 12 May 2017.
  13. ^ a b c d "Microsoft Security Bulletin MS17-010 – Critical". technet.microsoft.com. Retrieved 13 May 2017.
  14. ^ Leyden, John (12 May 2017). "WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain". theregister.co.uk. Retrieved 12 May 2017.
  15. ^ Menn, Joseph (17 February 2015). "Russian researchers expose breakthrough U.S. spying program". Reuters. Retrieved 24 November 2015.
  16. ^ "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Ars Technica. Retrieved 15 April 2017.
  17. ^ Fox-Brewster, Thomas (16 February 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved 24 November 2015.
  18. ^ "Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows". Medium. 14 April 2017. Retrieved 15 April 2017.
  19. ^ Newman, Lily Hay. "The Ransomware Meltdown Experts Warned About Is Here". Wired.com. Retrieved 13 May 2017.
  20. ^ "Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency". The Telegraph. Retrieved 12 May 2017.
  21. ^ Bilefsky, Dan; Perlroth, Nicole (12 May 2017). "Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool". The New York Times. ISSN 0362-4331. Retrieved 12 May 2017.
  22. ^ Clark, Zammis. "The worm that spreads WanaCrypt0r". Malwarebytes Labs. malwarebytes.com. Retrieved 13 May 2017.
  23. ^ Samani, Raj. "An Analysis of the WANNACRY Ransomware outbreak". McAfee. Retrieved 13 May 2017.
  24. ^ a b "WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit". eWeek. Retrieved 13 May 2017.
  25. ^ "The Deprecation of SMB1 – You should be planning to get rid of this old SMB dialect". Retrieved 13 May 2017.
  26. ^ a b "NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP". Motherboard. Retrieved 13 May 2017.
  27. ^ "Windows XP End of Support". www.microsoft.com. Retrieved 13 May 2017.
  28. ^ "Global cyberattack strikes dozens of countries, cripples U.K. hospitals". cbsnews.com. Retrieved 13 May 2017.
  29. ^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". The Guardian. London. Retrieved 12 May 2017.
  30. ^ Sharman, Jon (13 May 2017). "Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France". www.independent.co.uk. Retrieved 13 May 2017.
  31. ^ Rosemain, Mathieu; Le Guernigou, Yann; Davey, James (13 May 2017). "Renault stops production at several plants after ransomware cyber attack as Nissan also hacked". www.mirror.co.uk. Retrieved 13 May 2017.
  32. ^ a b c "El ataque alcanza ya a un centenar de países: desde Renault en Francia hasta bancos rusos — Europol afirma que el ataque informático es de un "nivel sin precedentes"". tecnologia.elpais.com (in Spanish). 13 May 2017. Retrieved 13 May 2017.
  33. ^ Solon, Olivia (13 May 2017). "'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack". The Guardian. London. Retrieved 13 May 2017.
  34. ^ Kan, Micael. "A 'kill switch' is slowing the spread of WannaCry ransomware". PC World. Retrieved 13 May 2017.
  35. ^ Surur (13 May 2017). "Microsoft release Wannacrypt patch for unsupported Windows XP, Windows 8 and Windows Server 2003". Retrieved 13 May 2017.
  36. ^ Smith-Spark, Laura; Veselinovic, Milena; McGann, Hilary. "UK prime minister: Ransomware attack is global". CNN. Retrieved 13 May 2017.
  37. ^ "Customer Guidance for WannaCrypt attacks". MSRC. Retrieved 13 May 2017.