Leaked NSA Exploit Spreading Ransomware Worldwide

Attackers behind today’s WannaCry ransomware outbreak in Europe are spreading the malware using the EternalBlue exploit leaked by the ShadowBrokers.

A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent ShadowBrokers dump.

Researchers at Kaspersky Lab said the attackers behind today’s outbreak of WannaCry ransomware are using EternalBlue, the codename for an exploit made public by the mysterious group that is in possession of offensive hacking tools allegedly developed by the NSA.

EternalBlue is a remote code execution attack taking advantage of a SMBv1 vulnerability in Windows. Microsoft patched the vulnerability on March 14, one month before the exploit was publicly leaked. Spain’s Computer Emergency Response Team, Kaspersky Lab, and others are recommending organizations install MS17-010 immediately on all unpatched Windows machines.

Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said in a Securelist report published today they’ve recorded more than 45,000 infections so far on their sensors, and expect that number to climb.

Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other business worldwide have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems.

The BBC reports that hospitals in London and other major cities in England have been hit. Patient care has been impacted at some hospitals with non-urgent surgeries being postponed and emergency patients redirected to other facilities.

The Guardian said hospitals run by the East and North Hertfordshire NHS Trust, Barts Health in London, and other facilities in Southport and Blackpool are known to be down. The ransomware has locked admins out of email servers and medical staff cannot access patient and clinical systems.

MS17-010, experts warned, would haunt IT systems for years to come, much in the same way MS08-067, the Conficker vulnerability, continues to show up in pen-tests today close to a decade after it was patched. The vulnerability affects Microsoft SMB server deployments on all supported versions of Windows going back to Vista. Attackers would need to find a vulnerable SMB Server on the internet and send it a malicious packet to trigger the vulnerability.

The patch shuts down a number of attacks leaked by the ShadowBrokers that are part of the Fuzzbunch exploit platform, including EternalBlue. Each of the exploits in the platform drops the DoublePulsar post-exploitation Windows kernel attack onto compromised machines. DoublePulsar is a kernel payload that allows an attacker to execute shellcode payloads.

“This is a full ring0 payload that gives you full control over the system and you can do what you want to it,” Sean Dillon, senior security analyst at RiskSense told Threapost last month. Dillon was the first to reverse-engineer a DoublePulsar payload. “This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it’s still found in a lot of places,” Dillon said. “I find it everywhere. This is the most critical Windows patch since that vulnerability.”

As for today’s attacks, England’s health care system is among the hardest hit.

NHS issued a statement identifying the ransomware as “Wanna Decryptor,” the WanaCrypt0r variant of WCry or WannaCry identified by Malware Hunter Team.

Users report being locked out of systems, which are now displaying a ransom note similar to those used by many other ransomware families demanding a $600 payment in Bitcoin. The note says files on the infected system have been encrypted and provides victims with instructions on how to recover their data before it is permanently lost. The tool and payment instructions were designed to address users in dozens of countries and were translated in many languages.

“The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands,” researchers at Kaspersky Lab said. The ransom note shows a clock counting down until the ransom demand is raised, with a threat that user may permanently lose their files after the clock times out.

This ransomware family is relatively new with the first iteration popping up in February. Early versions appended the .WCRY extension to encrypted files; today’s outbreak is also appending .WNCRY, some reports say.

Kaspersky Lab said in its report that the malware directs victims to a page with a QR code at btcfrog; that QR code links to the attackers’ main Bitcoin wallet, which was showing five transactions so far today. Two other transactions were recorded at another Bitcoin wallet listed in the malware readme file.

The researchers said the malware runs command and control through Tor, and published a list of .onion domains for hidden services acting as C2. Kaspersky Lab also published hashes of samples it has observed in the wild and a list of detection names.

“Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims,” researchers said. “We will provide an update when a tool is available.”

NHS, which is England’s public national healthcare system, said it is investigating, but does not believe that patient data has been accessed.

“The attack was not specifically targeted at NHS and is affecting organizations from across a range of sectors,” NHS said.

Suggested articles