Update 5/13/3017: Yesterday evening the WannaCryptor (WannaCry) ransomware family infected thousands of computers across the world. In just 24 hours, the number of infections has spiked to 185,000 machines in more than 100 countries. Analysis of the Bitcoin wallets hardcoded into the samples show that the group behind WannaCryptor managed to extort roughly $US 25,000 worth of Bitcoin.
A new family of ransomware called WannaCryptor has started targeting businesses in more than 70 countries around the world. Hospitals, telelcom companies or gas and utilities plants are just some of the verticals that suffered massive disruptions caused by data being held at ransom.
Conventional ransomware is still one of the most visible threats for both consumers and businesses across the world. While most of it spreads via malicious e-mail attachments, browser and third-party exploits in web-facing applications, today’s attack automates the exploitation of a vulnerability called MS17-010 that is present in most versions of Windows. This flaw allows a remote attacker to run code on the vulnerable computer and use that code to plant ransomware without anybody having to click malicious links or recklessly open e-mail attachments. This wormable behavior makes it the perfect tool to hold at ransom data stored on computers that are not operated by a human, such as servers running a vulnerable version of the Server Message Block (SMB protocol).
In case “SMB exploit” or “MS17-010” does not ring a bell, maybe you remember it as the “EternalBlue” flaw, a zero-day exploit leaked earlier in April along with a bigger dump of data allegedly exfiltrated from the NSA. This hybrid threat combines a ransomware payload with a wormable behavior that can be remotely exploited, making it the world’s most dangerous piece of ransomware written to date.
This vulnerability has become public along with the release of a series of other hacking techniques allegedly used by the US government agencies to spy on citizens. It has subsequently been weaponized and added in the commercial malware circuit, thus causing widespread havoc and forcing businesses to shut down in order to protect their assets.
Patch this immediately and install additional safeguards
In mid-March, Microsoft released a patch for MS17-010 that blocks this exploitation avenue, but an unknown numer of computers and servers around the world – including those running unsupported versions of Windows – have not got it, and risk getting held for ransom anytime. In order to minimize the risk, you are advised to deploy the MS17-010 hotfix and update your local anti-malware solution immediately.
In addition to patching, make sure that your security solution can block both the delivery mechanism (the MS17-010 exploitation technique) and the variants of the WannaCryptor ransomware known to date. Businesses running our innovtive Hypervisor Introspection technology on virtualized servers are not affected by this exploitation mechanism as demonstrated earlier in April.
Author: Bogdan Botezatu
Bogdan Botezatu has spent the past 10 years as a Senior E-threat Analyst at Bitdefender. His areas of expertise include malware deobfuscation, detection, removal and prevention. Bogdan is the author of A History of Malware and Botnets 101. Before joining Bitdefender, he worked at one of Romania’s largest and oldest universities as network administrator in charge of SecOps and policies.