An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak


It's been a matter of weeks since a shady hacker crew called Shadow Brokers dumped a load of tools believed to belong to the National Security Agency (NSA). It now appears one leaked NSA tool, an exploit of Microsoft Windows called EternalBlue, is being used as one method for rapidly spreading a ransomware variant called WannaCry across the world.

The ransomware has hit UK hospitals hard, with multiple sources reporting closures of entire wards, patients being turned away and some National Health Service (NHS) staff being sent home. Barts Health, a central London NHS trust, advised patients to look for assistance elsewhere and said ambulances were being diverted elsewhere, while another NHS organization said it had to turn away outpatients and limit its radiology services. In the Essex town of Colchester, the hospital decided to close much of its A&E department to accept only those in "critical or life-threatening situations."

The NHS confirmed 16 NHS organizations had reported that they were hit by the WannaCry ransomware.

But the WannaCry outbreak has hit systems in at least 11 other nations. A security researcher with AVG Avast, Jakub Kroustek, said he'd recorded 36,000 detections of the malware variant today. Russian security firm Kaspersky later said it'd seen as many as 45,000 in 74 countries. According to the MalwareHunterTeam, which said WannaCry was "spreading like hell," Russia has been the hardest hit, but Spain also seems to be under severe attack, with telecoms giant Telefonica reportedly affected.

As shown on a map from another independent security researcher, MalwareTech, a large number of U.S. organizations have been hit. According to the researcher, at least 1,600 have been infected with WannaCry in America, compared to 11,200 in Russia and 6,500 in China.


Victims have been asked to pay up to $300 to remove the infection from PCs, otherwise their files remain locked and their computers rendered unusable.

FedEx confirmed to Forbes it was one of the American organizations attacked: "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers."

EternalBlue danger

The use of the NSA EternalBlue exploit was confirmed by an independent malware researcher known as Kafeine.

Kafeine told Forbes they were unsure whether the exploit was being used as the ransomware's primary method of infection, but were certain it was used in some capacity. Separately, UK-based researcher Kevin Beaumont tweeted that WannaCry was using the NSA attack, which exploited a now-patched Microsoft Windows vulnerability, also known as MS17-010. And a Spanish Computer Emergency Response Team (CERT) said the vulnerability was used by the ransomware crooks.

As Forbes had previously reported, Russian cybercriminals have been discussing ways in which to make use of the Shadow Brokers leak. That included the possible use of EternalBlue, which abused the Server Message Block (SMB), a network file sharing protocol.

"MS17-010 is the best candidate for this ransomware attack," said Matthew Hickey, co-founder of British cybersecurity training hub Hacker House. He compared it to another massive malware outbreak of yore, called Conficker, which used worm-like features to spread rapidly across the world.

What's disconcerting is that if MS17-010 was used in these fresh cybercriminal attacks, it would indicate many hadn't patched despite the widespread reporting of the issue, which was fixed in March. "Is it unsurprising that people don't apply fixes? Not really," added Hickey. "MS17-010 will be widely used for these kinds of purposes. If anything I am only surprised it hasn't happened sooner.

"It does indeed highlight dangers of NSA exploits being released to the public. I have made the point repeatedly that people should not downplay the significance of the recently released tools and exploits. They are weapons-grade and available for easy use. Attacks like the one hitting the NHS are an easy way for criminals to capitalize on these exploits."

'WMD of ransomware'

According to CrowdStrike's vice president of intelligence Adam Meyers, the initial spread of WannaCry came through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file, and once clicked, it initiates the WannaCry infection, according to Meyers.

But it's unlikely phishing emails were the primary infection method, given few have shared emails laced with the malware. Cisco's Talos division does not believe any phishing emails were used, though Microsoft, like Meyers, said emails were used to propagate the ransomware. Instead, Cisco believes vulnerable systems were left open on the internet and could be attacked without any need for phishing.

The most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit, added Meyers. "This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire," he told Forbes. "It's going through financials, energy companies, healthcare. It's widespread."

Given the malware is scanning the entire internet for vulnerable machines, and as many as 150,000 were deemed open to the Windows vulnerability as of earlier this month, the WannaCry ransomware explosion is only expected to get worse over the weekend.
