UK's NHS badly affected by WannaCry
By Dylan Bushell-Embling
Monday, 15 May, 2017
Organisations around the world are currently reeling from what is being called the worst ransomware outbreak to date, with the UK's National Health Service (NHS) having been particularly badly hit by the attack.
The WannaCry (also known as WannaCrypt) ransomware attack over the weekend hit around 200,000 victims across 150 countries. As of early this morning only three Australian companies had been confirmed as affected, according to the Prime Minister's top cybersecurity advisor, Alastair MacGibbon.
The UK's NHS was not so lucky, with at least 16 hospitals forced to divert emergency patients because their computer systems had been infected with the ransomware. An estimated 90% of care facilities in the NHS are still running Windows XP, which no longer receives routine security updates and so was left exposed to the attack.
"When a cyber attack literally puts people's lives at stake, and not just their data, it indicates just how serious and vindictive hackers have become," ANZ Regional Sales Manager Simon Howe said.
"Attacks on critical national infrastructure are becoming increasingly common, so it's no surprise that hospitals are a prime target yet again. Health care is such a lucrative target for ransomware because there is a direct correlation between downtime and lasting damage, and as a result, most will surrender to the hacker's demands immediately."
Other notable victims include Spanish telecoms operator Telefonica, FedEx in the USA, German railway company Deutsche Bahn and South America鈥檚 LATAM Airlines.
How it happened
The attack used the high-profile Windows exploit EternalBlue, part of the suite of NSA hacking tools leaked in April by the suspected Russian hacking group The Shadow Brokers. EternalBlue exploits a vulnerability in Microsoft's implementation of version 1 of the Server Message Block (SMBv1) file-sharing protocol, reachable over TCP port 445, which Microsoft had patched two months earlier in its March 2017 security update MS17-010.
Once a system is infected, its files are encrypted and a decryptor window is displayed demanding US$300 worth of Bitcoin per infected machine. The program offers to decrypt a few files for free as a demonstration and sets a three-day deadline for payment, after which the price doubles; after seven days it threatens to make the files unrecoverable.
The attack was able to spread so rapidly because it behaves as a worm and self-propagates. Analysis published at the time reported an initial infection vector of a malicious PDF used to compromise a single system; once inside, the malware uses the SMB exploit to spread to every other unpatched Windows endpoint it can reach on the internal network. It also probes random internet addresses on port 445, so an unpatched host exposing SMB directly to the internet can be infected without any email being involved at all. That makes it the first worm outbreak of this scale in well over a decade.
"This is a fast propagating ransomware that is crippling critical infrastructure. There are strong indications it could be using a known vulnerability to penetrate networks and then spread laterally," Malwarebytes Regional Director for ANZ Jim Cook commented.
"Our research shows the encryption is done with RSA-2048 encryption, which means that it is near impossible to decrypt unless the coders have made an error somewhere."
As widespread as the attack was, it could have been even worse had a pair of young security researchers not stumbled on a "kill switch" that stops the worm from propagating.
A security researcher known online as MalwareTech noticed that the WannaCry code contacted a long, apparently random domain name that nobody had registered, and promptly registered it. Proofpoint's Darien Huss meanwhile worked out what that lookup was for: before spreading, the malware makes an HTTP request to the domain and, if the request succeeds, exits without encrypting or propagating. While the domain was unregistered the request always failed and the worm carried on; once MalwareTech's registration made the domain answer, every fresh copy of the malware that could reach it shut itself down, halting the spread. Note that the check only helps hosts that can actually resolve and reach the domain, so machines behind a proxy or on an isolated network do not benefit.
But this reprieve will be short-lived, with MalwareTech warning that it would be trivial for attackers to release a new version with the domain check removed.
This means that Australian organisations could still be vulnerable to a second wave of attack, warned founder and chairman John Paior. "It's very likely that someone will reverse engineer this ransomware worm to generate an updated version which you can guarantee will not contain a 'kill switch'," he said.
In the wake of the attack, Microsoft has taken the highly unusual step of issuing patches for the vulnerability for unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003, despite these operating systems being past their support cycles. The company has published customer guidance to help you if you think your PC could be at risk, with links to download the relevant patches at the bottom of that page. The patch closes the hole EternalBlue uses, but because WannaCry needs nothing more than an exposed SMBv1 service to spread, disabling SMBv1 and blocking TCP port 445 at the network perimeter are the other two controls worth applying straight away.
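The following script is an added example, not code from the article or from Microsoft, showing how an administrator can check a Windows host for the three things discussed above: whether an MS17-010 package is installed, whether the SMBv1 server is still enabled, and how to turn it off. It assumes an elevated PowerShell session on the host being checked. The KB numbers are the per-version packages listed in the MS17-010 bulletin as recalled here and should be verified against the bulletin; because later cumulative updates supersede them, a missing KB is a prompt to check the srv.sys driver version, not proof that the host is unpatched.

```powershell
# Added example (not from the article): audit one Windows host for WannaCry exposure.
# Assumed: run as Administrator. KB list taken from the MS17-010 bulletin (verify it);
# later cumulative updates supersede these packages, so absence is not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',               # XP, Vista, Server 2003, Server 2008, Windows 8 (out-of-band packages)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Compare installed hotfix IDs against the MS17-010 package list
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    # srv.sys is the SMB server driver EternalBlue attacks; its version is what to
    # compare against the bulletin when no KB shows up because of a later cumulative update
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Ms17010KbFound = ($found.Count -gt 0)
        MatchingKbs    = $found
        SrvSysVersion  = if ($srv) { $srv.VersionInfo.ProductVersion } else { 'not found' }
    }
}

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the SMB1 server switch directly
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / Server 2008 R2: SMB1 = 0 under LanmanServer\Parameters disables the SMBv1 server
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -ne $reg) { return ($reg.SMB1 -ne 0) }
    return $true   # no explicit value means SMBv1 is on by default on these versions
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'Registry change applied; a reboot is required for it to take effect.'
    }
}

$patch = Test-Ms17010Installed
$patch | Format-List
if (-not $patch.Ms17010KbFound) {
    Write-Warning 'No MS17-010 package found: compare srv.sys against the bulletin or apply the March 2017 update.'
}
if (Get-Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Disable-Smb1Server
} else {
    Write-Host 'SMBv1 server is already disabled.'
}
```

Disabling the SMBv1 server closes the door EternalBlue uses regardless of patch state, which is why the script does it even on hosts that report the KB. Run it across a fleet with remoting (`Invoke-Command -ComputerName ... -FilePath`) and treat any host where `Ms17010KbFound` is false and `SrvSysVersion` predates the March 2017 driver as unpatched. Blocking inbound TCP 445 at the perimeter is the complementary network-side control and is not something a host script can do.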