If ever there was a perfect example of stupidity, the new, highly virulent strain of WannaCrypt ransomware currently spreading like wildfire is it. And that stupidity is courtesy of the NSA, who in their infinite wisdom wrote exploits for 0-day vulnerabilities that should have been reported to the relevant vendors but were instead kept and weaponised.
Well, the Shadow Brokers have in turn appropriated this code from the NSA, and someone else has got hold of it to build a self-replicating variant of WannaCrypt (also known as WannaCry or Wcry) that is currently causing havoc in hospitals, banks, telecoms, utilities and elsewhere by encrypting drives and blocking access to systems.
Another cause for concern: Wcry incorporates a weapons-grade exploit codenamed EternalBlue that the NSA used for years to remotely commandeer computers running Microsoft Windows. EternalBlue, which works reliably against computers running Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the EternalBlue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring anyone to open e-mails, click on links, or take any other action.
The worm spreads via a vulnerability in a network-accessible Windows subsystem (the SMBv1 file-sharing service, reachable on TCP port 445), although the exact details of the payload are still vague. Microsoft released a patch for the issue in March (MS17-010); however, many companies have yet to install the update.
Numerous organisations have been affected during the course of today, including Telefonica, Vodafone, 16 NHS hospitals across the UK, and many others. The ransomware has already been detected in over 74 countries, and the demands are for Bitcoin payments of up to $600 per infected machine. The speed and violence of the infection point to a highly capable piece of malware whose network replication bypasses the standard methods of protection, because no user action is needed for a machine to be infected.
What can you do to protect yourself?
- shut down any non-critical network file access/shares, and block inbound SMB (TCP 445) at the perimeter and between internal network segments
- seeing as the initial infection is probably delivered via email, be especially vigilant for spam and phishing emails
- update all Windows systems with the March patch (MS17-010); where a system cannot be patched, disable SMBv1 on it
- segment your network where possible, so that one infected machine cannot reach every other host on port 445
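As a practical check for the patch and workarounds above, here is an added PowerShell snippet (mine, not from the original post): it looks for the MS17-010 packages by KB number, turns off the SMBv1 server, and blocks inbound TCP 445 on hosts that do not need to serve files. The KB list and the firewall rule name are my own and should be verified against Microsoft's MS17-010 bulletin; note that Get-HotFix only lists individually installed packages, so a host updated by a later cumulative rollup will show as "not found" even though it is patched.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.
# Checks for the March 2017 SMBv1 fix (MS17-010) and reduces exposure to
# EternalBlue-style worms. The KB numbers below are the security-only and
# monthly-rollup packages for MS17-010 as I know them; a later cumulative
# update may supersede them, so "not found" means "possibly unpatched", not
# proof that the host is vulnerable.
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429', # Windows 10 1507 / 1511 / 1607
    'KB4012598'                            # XP / Vista / 8 / Server 2003 out-of-band fix
)

$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 package present: " + ($installed.HotFixID -join ', ')
} else {
    "No MS17-010 package found by KB number; check the OS build and cumulative update level before assuming this host is patched"
}

# Is the vulnerable SMBv1 server still enabled? Set-SmbServerConfiguration exists
# on Windows 8 / Server 2012 and later; older systems use the LanmanServer
# registry value documented by Microsoft for disabling SMB1.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        "SMBv1 server is ENABLED - disabling it"
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
} else {
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    "No SMB cmdlets on this OS - setting SMB1=0 under $lanman (reboot required)"
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
}

# Defence in depth: block inbound SMB (TCP 445) so an infected neighbour cannot
# reach the service even on an unpatched machine. Only do this on hosts that
# do not need to share files. The rule name is my own choice.
$ruleName = 'Block inbound SMB 445 (WannaCry)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
    "Added firewall rule '$ruleName'"
}
```

Run it on a sample of hosts first: the firewall rule will break legitimate file sharing on servers that need it, and the registry path for SMB1 takes effect only after a reboot.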
And in other news, HP has for the last two years been shipping a dodgy Conexant audio driver on many HP laptops which, wait for it … logs all your keystrokes. Yay!