The event
A global cyberattack launched on Friday, May 12, took entire networks down, infecting large numbers of computers around the planet.
Cybersecurity experts have so far detected over 75,000 instances of the Wanna Decryptor 2.0 strain ransomware worldwide.
The onslaught began on Friday afternoon, hitting the UK and Spain hard. At least 16 NHS trusts in the UK were successfully infected, along with the network of Spanish technology giant Telefonica.
The virus quickly spread like wildfire, laying waste to many machines in its path.
The culprit?
Wanna Decryptor (a.k.a. WCry, WannaCry, WCry, WanaCrypt and WanaCrypt0), a particularly insidious piece of malware intended to extort money from the owner/s of the infected machines.
The so-called ‘ransomware’ works by copying certain files, encrypting the copies and renaming them with extensions wnry, .wcry, .wncry and .wncrypt, and then deleting the originals, leaving the user with a series of inaccessible files. The virus then displays a note asking for money (‘ransom’) to obtain the decryption information. Payment is demanded in Bitcoin currency.
WCry utilizes AES and RSA encryption ciphers , which means the hackers can directly decrypt system files using a unique decryption key.
It exploits a known Windows vulnerability (MS17 -010). This vulnerability, discovered some way back, allowed remote code execution if an attacker sent certain messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Microsoft released a patch to fix MS17-010 in March, but it is likely that some organizations may not have yet updated their networks, leaving them vulnerable to such exploit.
Who did it?
Hackers are usually professional, well organized groups that go to great lengths to cover their tracks, for obvious reasons.
This latest attack is believed to have originated in China, and is targeting mainly Russia and Taiwan, though the malware spread rapidly
elsewhere. Some reports quote that the malware has popped up in 100 countries so far.
Though it is only speculation, experts believe that the current strain evolved from a cyber weapon linked to the NSA, and obtained by a
shady hacker crew called Shadow Brokers, who in turned released it into the darknet.
The consequences
Once the virus shows itself, it is already too late. Files inside your computer have become encrypted, and only the hackers can provide the
decryption key.
For a single user, this may be a mild annoyance. For large corporations, it can spell disaster, and may even put lives at risk. Local sources said that patients had to be turned away from medical facilities in the UK as the malware shut networks down, causing widespread disruption to services.
Unless you have a strict data backup policy, payment is usually the only way out.
Experts also believe that this is only the beginning. Wanna Decryptor keeps scanning the net for vulnerable machines, and the situation is
bound to get worse on Monday, as organizations try to figure out what to do about the situation.