The Ransomware Meltdown Experts Warned About Is Here

It’s not just British hospitals. A nasty strain of ransomware is sweeping the world.

A new strain of ransomware has spread quickly all over the world, causing crises in National Health Service hospitals and facilities around England, and gaining particular traction in Spain, where it has hobbled the large telecom company Telefonica, the natural gas company Gas Natural, and the electrical company Iberdrola. You know how people always talk about the Big One? As far as ransomware attacks go, this looks a whole lot like it.

The ransomware strain WannaCry (also known as WanaCrypt0r and WCry) that caused Friday's barrage appears to be a new variant of a type that first appeared in late March. This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries as of publication time. Its reach extends beyond the UK and Spain, into Russia, Taiwan, France, Japan, and dozens more countries.

One reason WannaCry has proven so vicious? It seems to leverage a Windows SMB exploit known as EternalBlue that allegedly originated with the NSA. The exploit was dumped into the wild last month in a trove of alleged NSA tools by the Shadow Brokers hacking group. Microsoft had already fixed the underlying SMBv1 vulnerability in March, in security bulletin MS17-010, but clearly many organizations haven't applied that update.

"The spread is immense," says Adam Kujawa, the director of malware intelligence at Malwarebytes, which discovered the original version of WannaCry. "I’ve never seen anything before like this. This is nuts."

A Bad Batch

Ransomware works by infecting a computer, locking users out of the system (usually by encrypting the data on the hard drive), and then holding the decryption or other release key ransom until the victim pays a fee, usually in bitcoin. In this case, the NHS experienced hobbled computer and phone systems, system failures, and widespread confusion after hospital computers started showing a ransom message demanding $300 worth of bitcoin.

As a result of Friday's infection, hospitals, doctors' offices, and other health care institutions in London and Northern England have had to cancel non-urgent services and revert to backup procedures. Multiple emergency rooms around England spread word that patients should avoid coming in if possible. The situation doesn't appear to have resulted in any unauthorized access to patient data so far.

In England, the National Health Service said that it is rushing to investigate and mitigate the attack, and UK news outlets reported that hospital personnel have been instructed to do things like shut down computers and larger IT network services. Other victims, like Telefonica in Spain, are taking similar precautions, telling employees to shut down infected computers while they wait for instructions about mitigation.

Hospitals make for popular ransomware victims because they have an urgent need to restore service for their patients. They may therefore be more likely to pay criminals to reinstate systems. They also often make for relatively easy targets.

“In healthcare and other sectors we tend to be very slow to address these vulnerabilities,” says Lee Kim, the director of privacy and security at the Healthcare Information and Management Systems Society. “But whoever is behind this is clearly extremely serious.”

WannaCry didn't go after NHS alone, though. "This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors," the NHS said in a statement. "Our focus is on supporting organizations to manage the incident swiftly and decisively."

In some ways, that makes things worse. WannaCry's not just coming for hospitals; it's coming for whatever it can. Which means this'll get worse—a lot worse—before it gets better.

Wide Range

The NHS portion of the attack has rightly been drawing the most focus, because it puts human lives at risk. But WannaCry could continue to expand its range indefinitely, because it exploits at least one vulnerability that has persisted unpatched on many systems two months after Microsoft released a fix. Patch adoption is likely better on consumer devices, which tend to update automatically, so Malwarebytes' Kujawa says that WannaCry is mostly a concern for business infrastructure.

The creators of WannaCry seem to have developed it with broad, long-term reach in mind. In addition to the Windows SMB vulnerability exposed by the Shadow Brokers leak, MalwareHunter, a researcher with the MalwareHunterTeam analysis group who discovered the second generation of WannaCry, says that "probably there are more" vulnerabilities the ransomware can take advantage of as well. The software can also run in 27 languages, the type of development investment an attacker wouldn't make if he were simply trying to target one hospital or bank. Or even one country.

It's equally bad on a more micro level. Once WannaCry enters a network, it uses the SMB exploit to infect other computers on that same network without anyone having to click on anything. That worm-like self-propagation is unusual for ransomware, and it is what maximizes the damage to companies and institutions: a single infected laptop can take down every unpatched machine it can reach on port 445. It's also unclear so far exactly where the attacks originated, making it harder to remediate on a large scale. Security analysts will eventually be able to use information from victims about how attackers first got in (phishing, malvertising, or more personalized targeted attacks) to trace the origins.

While it's likely too late for those already infected (the question for them now is whether to pay or not), there is a way to get at least some protection from WannaCry before it hits: install the MS17-010 update ASAP. Or, since the fix applies to Windows clients and servers alike and has to be rolled out across an entire organization, find the nearest sysadmin who can.
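What "get that update" looks like on a single Windows host, as an added example (not code from the article, from the researchers quoted in it, or from Microsoft's guidance): a PowerShell script that looks for the MS17-010 updates in the installed-hotfix list, reports the version of the SMBv1 server driver, says whether the SMBv1 server is still enabled and whether TCP 445 is listening, and with -Harden disables SMBv1 and blocks inbound 445 at the host firewall. The KB numbers are the March 2017 MS17-010 updates for each Windows branch; because later cumulative updates supersede them, a host patched through a newer rollup will not list any of them, so an empty result means "compare srv.sys against Microsoft's published fixed-version table", not "unpatched". The firewall rule name and the script structure are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Audits one host for the two conditions
# WannaCry's spread depends on: the MS17-010 fix being absent, and an enabled,
# reachable SMBv1 server. -Harden also disables SMBv1 and blocks inbound TCP 445.
param([switch]$Harden)

# MS17-010 updates per Windows branch (March 2017). Superseded by later cumulative
# updates, so their absence from Get-HotFix is NOT proof that the host is vulnerable.
$Ms17010Kbs = @(
    'KB4012598',              # Windows Vista / Server 2008
    'KB4012212','KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214','KB4012217',  # Server 2012
    'KB4012213','KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606',              # Windows 10 1507
    'KB4013198',              # Windows 10 1511
    'KB4013429'               # Windows 10 1607 / Server 2016
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # Returns whichever MS17-010 KB IDs appear in the installed-hotfix list (may be empty).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $Ms17010Kbs | Where-Object { $installed -contains $_ }
}

function Get-SrvSysVersion {
    # srv.sys is the SMBv1 server driver the fix replaces. Report its version for
    # comparison with Microsoft's verification table instead of hard-coding thresholds.
    $path = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'srv.sys not present' }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting via the SmbShare module;
    # older hosts only have the LanmanServer registry value (absent == enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2 path; takes effect after a reboot.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    # Stops the worm reaching this host, but also stops the host serving file shares:
    # intended for workstations, not file servers or domain controllers.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
                            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

# --- report ---------------------------------------------------------------
$found = @(Test-Ms17010Installed)
$smb1  = Get-Smb1Enabled
"MS17-010 KBs present : $(if ($found) { $found -join ', ' } else { 'none (compare srv.sys version)' })"
"srv.sys version      : $(Get-SrvSysVersion)"
"SMBv1 server enabled : $smb1"
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    "TCP 445 listening    : $([bool]$listening)"
}

if ($Harden) {
    if ($smb1) { Disable-Smb1; 'SMBv1 server disabled' }
    Block-InboundSmb; 'Inbound TCP 445 blocked'
}
```

Run it from an elevated prompt without -Harden first to see where the host stands. Disabling SMBv1 removes the attack surface EternalBlue needs even on a host that has not yet been patched, but anything still relying on SMBv1 (very old NAS boxes, printers, legacy scanners) will lose access to the host's shares, and the Windows 7 registry path only takes effect after a reboot.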

"I would say it's having so much 'success' because people and companies aren't patching their systems," MalwareHunter says.

Until they do, expect WannaCry to keep spreading. And make sure you're ready before the next big ransomware wave hits.