UPDATE (5/16) – Britain’s National Health Service (NHS) is still reeling from the effects of WannaCry. Some say that 95% of the NHS computers are still running Windows XP, which Microsoft stopped supporting over 3 years ago and for which there was no patch to block this malware. Many people attribute the fact that these computers are still running an operating system released 16 years ago to large budget cuts at the NHS. Hospitals, as of today, are still canceling appointments due to the outbreak. One more indication that patching is important. Even critical.
UPDATE: Apparently, this version of the ransomware has a kill switch which will stop the virus from propagating and that switch has been flipped. Whether the next variant will have one or not is unknown.
But, in a really rare move, Microsoft released a patch to stop this malware for three old, obsolete operating systems: Windows XP, Windows 8.0 (not 8.1, which is still supported) and Windows Server 2003. I tried running Windows Update on an XP box that I have for testing and Update didn’t run at all, so I suspect people may have to install the patch manually somehow, which will greatly reduce the number of people who actually install it.
I was going to write about something else, but this story is just too big to ignore.
An exploit believed to have been discovered and weaponized by the NSA and leaked recently by the group called The Shadow Brokers is being used around the world to attack computers and encrypt files. If owners do not have backups, then they either need to be willing to pay the ransom or lose their data. As the FBI always says and statistics bear out, your odds of getting your files back if you pay the ransom are about 50/50.
The NSA tool, called ETERNALBLUE, exploits a bug in Windows to infect computers. It is combined with another NSA weapon, called DOUBLEPULSAR, which allows the malware to propagate at amazing speed.
This 1-2 punch is being called WannaCryptor.
We saw it early today when it affected many hospitals and doctors’ offices associated with England and Scotland’s National Health Service. Infected hospitals were telling people to stay away unless it was an emergency and even then, some hospitals were directing patients to other facilities. While the spin doctors at the NHS were saying that patient care was not affected, the medical doctors were saying that they could not order tests or X-rays and could not read test results.
CNN is reporting more than 75,000 infections in 99 countries. Whether that means 75,000 computers or 75,000 networks of computers is not clear, but either number is large.
Telefonica, Spain’s mega telephone provider told employees via emergency loud speakers to immediately turn off their computers.
Initially, the attack was not affecting the U.S., but now reports are saying that it has reached U.S. soil.
And, the attack is still growing.
In a bit of irony, the country hit hardest by the attack is RUSSIA. Revenge is a dish best served ….
So why is this story big?
Because Microsoft released a patch in March for the bug that this malware exploits. Microsoft was only able to patch the bug because The Shadow Brokers leaked the tool. Organizations that have applied the patch cannot be infected by the attack.
What this means is that lots of organizations are not installing patches in a timely fashion.
If this applies to your organization, you should at least make sure that the patch associated with Microsoft security bulletin MS17-010 is installed.
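For an administrator who wants to verify that, here is an added example (not part of the original post) of a PowerShell check. It looks for the MS17-010 update among installed hotfixes and also reports whether SMBv1, the protocol ETERNALBLUE targets, is still enabled on the host. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later; the KB number is a placeholder to be replaced with the one Microsoft's MS17-010 bulletin lists for the specific OS build.

```powershell
# Added example, not from the original post. Assumes an elevated session on
# Windows 7 / Server 2008 R2 or later. The KB id below is a PLACEHOLDER: take the
# real value for your OS build from Microsoft's MS17-010 bulletin.
$Ms17010Kbs = @('KB<number-from-MS17-010-bulletin>')

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists installed updates by HotFixID, e.g. "KB1234567".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Older hosts: the LanmanServer SMB1 registry value controls it.
    # A value of 0 means disabled; 1 or an absent value means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

# Summarise the host's exposure: unpatched AND SMBv1 reachable is the bad combination.
$patched = Test-Ms17010Installed
$smb1    = Test-Smb1Enabled
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Ms17010Present = $patched
    Smb1Enabled    = $smb1
    AtRisk         = (-not $patched) -and $smb1
} | Format-List
```

One caveat when reading the output: later cumulative updates supersede the original MS17-010 packages, so on a host that receives monthly rollups the KB may not appear by name even though the fix is present. The SMBv1 state is the more durable signal; where nothing needs it, turning SMBv1 off (on Windows 8.1/10 `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`, on older hosts the `SMB1` registry value above set to 0) removes the attack surface regardless of patch level.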
This attack would only be an annoyance if people had good backups. While you might be down for some time while you rebuild your computers and restore the data, nothing would be lost. If your backup is online and connected to your system, it may well be encrypted along with the system it is connected to. At least one backup should be OFFLINE so that it cannot be compromised.
In the next few days this will likely fade into history since a patch IS available to block the attack, but ransomware is not going anywhere any time soon.
The message? Make sure that you have installed your patches and that you have good backups.
Information for this post came from CNN.