Unknown attackers were using the EternalBlue exploit leaked by the ShadowBrokers in April to spread WannaCry, a variant of the WCry malware, which surfaced in February. EternalBlue, an offensive hacking tool allegedly developed by the NSA, exploits a Windows SMBv1 vulnerability that was patched by Microsoft in March in security bulletin MS17-010.
Yesterday’s attack overran many businesses in Europe at the start, hitting hardest in Russia, Ukraine and India. Large telecommunications companies in Spain and many NHS healthcare facilities in the United Kingdom were also affected, as were other enterprises worldwide. Employees were told to shut down and unplug machines, and in the case of the U.K. hospitals, patient care at many facilities was affected. Non-emergency surgeries were postponed and patients were diverted to other facilities.
The ransomware locked up machines, encrypted files and demanded approximately $600 in Bitcoin for a recovery key.
Microsoft acknowledged the dire straits many of its customers were in, and rolled out a patch for all computers that were not protected by the March update.
“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” Microsoft said last night. “Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers.”
The March update was made available one month before the ShadowBrokers’ high-profile leak of Windows exploits, including the Fuzzbunch platform that included EternalBlue and other exploits. EternalBlue targeted a then-unknown Windows SMBv1 remote code execution vulnerability. The widespread impact of yesterday’s attack—close to 100,000 infections so far in 99 countries by some accounts—indicates a lack of patching vigilance despite ample warning.
Experts immediately warned of the potential severity and staying power of MS17-010, comparing it to MS08-067 (Conficker). Some, such as Sean Dillon of RiskSense and Matthew Hickey of The Hacker House, told Threatpost that it would be only a matter of time before criminals took advantage of the flaw to spread ransomware and other commodity attacks through this exploit.
While experts said that attackers could scan for SMB servers exposed to the internet on port 445 (not a recommended practice) and send malicious packets their way, Microsoft said yesterday it was also aware of phishing attacks spreading the ransomware.
“Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download,” Microsoft said. “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”
Microsoft said that it also released an update for Windows Defender that detects the threat as Ransom:Win32/WannaCrypt.
“This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections,” Microsoft said in its advisory. “For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks.”
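The legacy-protocol blocking Microsoft recommends above comes down to two host-level changes on Windows: turn off the SMBv1 server protocol and stop unsolicited inbound traffic to TCP 445. The script below is an added example, not code from the article or from Microsoft; it uses the standard SmbShare, DISM and NetSecurity cmdlets, assumes an elevated session on Windows 8.1/Server 2012 R2 or later (older systems lack `Set-SmbServerConfiguration` and the `SMB1Protocol` optional feature), and the firewall rule name is a constructed placeholder. The audit steps come first so that clients still negotiating SMB1 are found before they lose access.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, disable and verify SMBv1 on a single host, then block
# inbound TCP 445 on the public/private firewall profiles. Assumes Windows
# 8.1 / Server 2012 R2 or newer with the SmbShare, DISM and NetSecurity modules.

# 1. Audit: is the SMB1 server protocol currently enabled?
$cfg = Get-SmbServerConfiguration
"SMB1 server protocol enabled: $($cfg.EnableSMB1Protocol)"

# 2. Audit: which clients are still talking SMB1 to this host? Get-SmbSession
#    reports the negotiated dialect; SMB1 sessions show a 1.x dialect.
#    Anything listed here breaks once SMB1 is off, so remediate those clients first.
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# 3. Disable the SMB1 server protocol at runtime (new sessions are refused immediately).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Remove the SMB1 optional feature so the legacy drivers (srv.sys server,
#    mrxsmb10 client redirector) are not loaded at all. Needs a reboot to finish.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    "SMB1Protocol feature disabled; reboot required to unload the SMB1 drivers."
}

# 5. Block unsolicited inbound SMB on the host firewall. The domain profile is
#    left alone here so file servers keep working; widen -Profile to Any on
#    workstations that never need to serve SMB.
$ruleName = 'Block inbound SMB (TCP 445) - legacy protocol mitigation'   # constructed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public,Private | Out-Null
}

# 6. Re-verify the end state so the result can be logged or fed to an inventory.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SMB1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    SMB1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    Port445Blocked    = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
}
```

Disabling SMB1 is the durable fix and is independent of whether MS17-010 has been applied; the firewall rule is the stopgap for hosts that cannot yet be patched or rebooted. In a fleet this script is the payload for a scheduled task or configuration-management run, with step 6's object collected centrally to find hosts that still report `SMB1ServerEnabled = True`.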
Kaspersky Lab on Friday published its analysis of the ransomware, providing a list of .onion domains used by the malware on Tor hidden services for command and control. It also published hashes for the ransomware samples it has found in the wild, and detection names.
In addition to installing the available patches from Microsoft, Kaspersky Lab said its System Watcher component is able to roll back changes implemented by the ransomware.
“This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk,” Kaspersky Lab said.