The attack has been described by Europol as “unprecedented in scale”, infecting more than 230,000 computers in over 150 countries. Russia, Ukraine, India, Taiwan, Europe and North and South America have reportedly fallen victim, with the Russian Ministry of the Interior, the UK’s National Health Service (NHS), Spanish telco Telefonica, global logistics giant FedEx and LATAM Airlines among those suffering the consequences.
WannaCry spreads across local networks and the internet to systems that have not installed the most recent security updates, directly infecting exposed systems. It reportedly uses the EternalBlue exploit developed by the US National Security Agency (NSA).
Just before Easter, tech publication Ars Technica reported: “The Shadow Brokers – a mysterious person or group that has leaked a gigabyte worth of the National Security Agency's weaponized software exploits – just published its most significant release yet.” According to Ars Technica: “The dump contained potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.”
A "critical" patch was issued by Microsoft on 14 March this year to address the underlying vulnerability for supported systems but many organisations did not apply it. Those still running older, unsupported operating systems were initially at particular risk of exposure but Microsoft has now taken the unusual step of releasing updates for those operating systems for all customers.
As researchers look for clues as to WannaCry’s origins, many similar programs are coming to light, giving us more information about the sheer scale of the damage caused by EternalBlue. Examples include Adylkuzz, which exploits the vulnerability to mine an obscure cryptocurrency called Monero, and UIWIX, which can infect machines without writing files to permanent storage, making it difficult to detect.
Australian experts discuss the WannaCry outbreak
Speaking at an executive lunch on Wednesday, MailGuard CEO Craig McDonald remarked: “WannaCry is an interesting topic. This is just one of thousands of similar attacks that occur on a daily basis. It did get media coverage, for all the right reasons, and from an educational point of view I welcome that.”
McDonald went on to note: “Cybercrime is now the number one economic crime for Australia. This is organised crime and they’re targeting worldwide businesses and individuals within those businesses. And Australia is getting hit really, really hard.
“These criminals are organised and they’re making lots of money. Ninety percent of these attacks start via email.”
Regarding WannaCry, the good news is that patching the single vulnerability will protect against the different variants, particularly now that Microsoft has released its emergency XP patch.
Some experts see WannaCry’s sudden rise to fame as a timely reminder for businesses.
Speaking at the Surviving Cybercrime executive lunch hosted by MailGuard in Melbourne on Wednesday, Alastair MacGibbon, Australia’s Special Adviser to the Prime Minister on Cyber Security, said events such as WannaCry were opportunities to take stock as a country.
“In a weird way, we missed the brunt of what happened on the weekend. When I was contacted by our crisis coordination centre, and I contacted my counterpart in the UK – who wasn’t having a great evening – we prepared for the worst here. We wondered how this would spread and impact Australia.
“As of yesterday morning (Tuesday 16 May AEST) there were 12 likely victims in this country, that had been reported to us. All were small businesses. For those small businesses, it’s not acceptable. It’s a chronically underreported crime, like all crime online is.
“But even if we were to extrapolate that number, we dodged a serious bullet with WannaCry. But we don’t every day, when it comes to ransomware. We know this is something that impacts businesses on a daily basis. As does other online crime.”
Steve Miller, SMB Director for Microsoft Australia, said WannaCry highlighted the need for individuals and organisations to take responsibility on matters of security.
“It’s of such fundamental importance that the same amount of effort that you put into thinking about how you grow revenue should also be applied to how you think about protecting your organisation’s revenue, your organisation’s intellectual property, and the people who work for you and count on you every single day. And that starts at the user.
“Why we work with partners like MailGuard – why MailGuard is so important to us – is they are at the cutting edge. And I don’t mean the cutting edge in Australia; I mean the cutting edge globally.
“The ability for the guys to respond to threats that are coming in, at the front line, to get fixes in place and to protect your business, is second to none, from what we see.”
Here’s a quick WannaCry snapshot:
- Security specialists around the world are still trying to track down the entry point of the WannaCry outbreak.
- It appears to be a worm, meaning that it spreads quickly and indiscriminately through open network ports after finding its way onto a computer.
- Nobody has identified with certainty where WannaCry originated – although there’s plenty of speculation.
- The worm is now popping up in unusual places, such as billboards in Thailand, electronic parking ticket machines in the UK, hotel lobbies in Canada and German railway station TV screens.
- MailGuard has not seen a single WannaCry infection via emails delivered via our network. We have confidence we will not see this malware variant affect customers protected by MailGuard.
- MailGuard blocked a very similar ransomware outbreak, known as Jaff, the day before the WannaCry outbreak. Despite having strikingly similar characteristics to WannaCry, it has had very little publicity, which goes to show that ransomware is being used to target business networks around the globe every minute of every day.
For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email entering your network.