What is WannaCry
Hackers are deploying a stolen NSA hacking tool, called Eternalblue, in a new strain of ransomware called WannaCry and it’s wreaking havoc across the globe. Kaspersky Labs reported that, “it recorded at least 45,000 attacks in as many as 74 countries.”.
This NSA tool was leaked this last April by a group known as the Shadow Brokers. You can identify this exploit by the .WCRY extension that gets added to the files that it encrypts. Microsoft has released a patch for this vulnerability on March 14th in response to the leak. People who have the patch installed are safe – but many organizations who did not yet install Microsoft’s MS17-010 patch are left vulnerable. The WannaCry malware is affecting hospitals the most with this attack.
According to an article at the NYTimes
“Microsoft rolled out a patch for the vulnerability in March, but hackers apparently took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems.”
How to Protect Yourself
- Make sure that all hosts are running and have enabled endpoint security solutions.
- Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
- Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure you installed MS17-010 patches.
More Cause for Concern
The WannaCry exploit is a copy of a weapons-grade exploit codenamed: Eternalblue. The NSA has been using it for years to remotely control computers running Microsoft Windows XP all the way to Windows Server 2012R2. WannaCry is the combination of Eternalblue and a self-replicating payload that allows the ransomware to spread from computer to computer without requiring the user to take any action. As of yet, it is unclear whether Eternalblue is the sole means of spreading. Our biggest concern are hackers incorporating more ‘weapons-grade’ exploits into their malicious code. This is the stuff of nightmares.