On 12 May 2017, WannaCry began affecting computers worldwide. The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. When executed, the malware first checks the “kill switch” domain name.
If it is not found, the ransomware encrypts the computer’s data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and “laterally” to computers on the same network. As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days or $600 within seven days.
In Asia, where many offices closed before the WannaCry ransomware struck on Friday, the attack has been less severe than expected. The ransomware takes over users’ files, demanding $300 (£230) to restore them.
Only about $50,000 (£39,000) has been paid so far, according to Elliptic Labs, which tracks illicit use of the internet currency Bitcoin.
What is WannaCry?
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack was launched using it, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency Bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale.
This ransomware attack has created problems in the UK, mostly for the NHS (National Health Service), as it is using computers running Windows XP. Microsoft abruptly brought out a patch to fix the exposed backdoor, which compromised the security of many mainframes and devices.
Which People were Affected?
The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain’s National Health Service (NHS), FedEx, Deutsche Bahn, and LATAM Airlines. Other targets in at least 99 countries were also reported to have been attacked around the same time.
Like previous ransomware, the attack spreads by phishing emails, but it also uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA) to spread through networks that have not installed recent security updates, directly infecting any exposed systems. A “critical” patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, but many organizations had not yet applied it.
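The spreading behaviour described above (one infected machine opening SMB connections to many hosts on its own network and to random Internet addresses) shows up clearly in network flow logs. The following Python script is an added example, not part of the original article; the flow records, the internal address range, the threshold and the window length are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445                            # TCP port SMB listens on
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumption: the site's address space
FANOUT_THRESHOLD = 20                     # assumption: distinct SMB peers that trigger an alert
WINDOW_SECONDS = 60                       # assumption: sliding window length


def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    for i in range(1, 31):    # 10.0.0.23 sweeps its own subnet on 445 ...
        flows.append((1000 + i, "10.0.0.23", f"10.0.0.{100 + i}", SMB_PORT))
    for i in range(1, 16):    # ... and also tries addresses outside the site
        flows.append((1030 + i, "10.0.0.23", f"198.51.100.{i}", SMB_PORT))
    for i in range(40):       # 10.0.0.5 uses two file servers, repeatedly
        flows.append((1000 + i, "10.0.0.5", f"10.0.0.{10 + i % 2}", SMB_PORT))
    for i in range(50):       # 10.0.0.7 only browses the web (port 443)
        flows.append((1000 + i, "10.0.0.7", f"203.0.113.{i + 1}", 443))
    return flows


def detect_smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: {"peers": n, "external": m}} for hosts whose SMB fan-out
    reaches `threshold` distinct destinations inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, start = set(), 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] >= window:   # drop events older than the window
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            # Outbound SMB to addresses outside the site is rarely legitimate
            external = [p for p in best if ip_address(p) not in INTERNAL_NET]
            alerts[src] = {"peers": len(best), "external": len(external)}
    return alerts


if __name__ == "__main__":
    for host, info in detect_smb_fanout(build_sample_flows()).items():
        print(host, info)
```

A workstation that talks to the same two file servers all day stays below the threshold, while a host contacting dozens of distinct SMB peers within a minute is flagged, together with the number of those peers outside the site.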
Impact on Global Economy
The ransomware campaign was unprecedented in scale according to Europol. The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected. On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.
In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP. NHS hospitals in Wales and Northern Ireland were unaffected by the attack. Nissan Motor Manufacturing UK in Tyne and Wear, England halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.
The attack’s impact could have been much worse had an anonymous security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators. Cybersecurity expert Ori Eisen from AdTruth said that the attack appears to be “low-level stuff”, given the ransom demands of $300, and states that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.
How to stay safe?
The vulnerability does not exist within Windows 10, the latest version of the software, but is present in all versions of Windows prior to that, dating back to Windows XP. As a result of Microsoft’s first patch, users of Windows Vista, Windows 7, and Windows 8.1 can easily protect themselves against the main route of infection by running Windows Update on their systems.
In fact, fully updated systems were largely protected from WanaCrypt0r even before Friday, with many of those infected having chosen to delay installing the security updates. Users of Windows XP, Windows Server 2003 and Windows 8 can defend against the ransomware by downloading the new patch from Windows.
All users can further protect themselves by being wary of malicious email attachments, another major way through which the ransomware was spread. An international investigation is ongoing to uncover the face behind this attack. But trust me, this hack is an organizational thing.