Ransomware attacks attributed to the Wanna Decryptor (a.k.a. Wannacrypt) virus have been identified in over 70 countries across Europe and Asia, as well as in the United States. Over 36,000 Wannacrypt cases have been detected worldwide. The ransomware exploits a vulnerability in Microsoft systems discovered initially by the U.S. National Security Agency, reportedly around 2013. This hacking tool was lifted in the summer of 2016 by a previously obscure group calling itself the “Shadow Brokers.”
Though the code is (relatively) old and Microsoft has rolled out patches, many organizations — including the hospital, government and infrastructure sectors — have been slow or negligent in adopting the protections. The attack has reportedly struck targets as diverse as the Russian Ministry of the Interior and Reuters, as well as European banks, utilities and telecom companies. The U.K. National Health Service (NHS) was forced to shut down some hospitals and divert emergency care patients elsewhere, and at Spain’s largest telecom firm, Telefonica, 85 percent of employee computers were said to be affected. (Telefonica reported no system disruptions.)
The way ransomware works is simple: attackers send victims an email with a link or attachment that, when clicked, opens access to a system and encrypts the data. The malware then sends emails to contacts throughout that system and can also spread along a connected network. In exchange for unlocking the system the attacker(s) usually demand a ransom, often paid through Bitcoin or money transfer. In 2016 California's Hollywood Presbyterian Medical Center reportedly paid a ransom of about $17,000 in Bitcoin.
Ransomware is an increasingly common cyber threat. It initially targeted smartphones but over the last several years has struck larger IT systems. An NBC report estimated that in 2016 U.S. police departments, hospitals and libraries paid out $200 million in ransom. (The actual figure is likely higher because many of these attacks go unreported.)
As mentioned above, the Wannacrypt attack appears to use an exploit initially developed by the U.S. government but released into the wild by the Shadow Brokers as part of a large cache of cyber tools they allegedly obtained from the U.S. National Security Agency. The group attempted to sell the tools for one million Bitcoins.
It appears this attack was long in the making and not an act of terror, but instead motivated by profit. If the hackers escape with a large sum of cash we anticipate similar large-scale attacks will become more common. We strongly advise security managers to train employees to spot phishing attempts and ensure systems are properly patched and all data is backed up. We offer our own tips here.