Over the weekend the world was infected by malicious ransomware known as “WannaCrypt”. This software began in the UK and Spain and quickly spread across the globe. While there’s been limited public declaration (expect many are keeping quiet) that Australian users have been impacted on a large scale, it does speak to the lack of updating that’s happening to connected systems.
Microsoft have posted an extensive explanation of the exploit, highlighting that this is an exploit that was drawn from the leaked exploits used by the NSA in the United States.
The exploit was actually patched MS17-010 a month earlier, on March 14th which means everyone on a supported version of Windows who’s doing their regular Windows Updates would not be vulnerable to this ransomware. As evidenced by the hundreds of thousands of machines affected across the globe, this is not occurring as it should be. If you have a machine online (or even on a LAN), it needs to be updated.
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
If you get WannaCrypt on your machine, you’re files will be encrypted and the key to unlock is held by the creators of the software until you pay. Payments are transacted through bitcoin and while we don’t know who the BitCoin wallet belongs to yet, it is possible to see how many people have paid, thankfully not many.
There are 3 Bitcoin wallet addresses hard coded into the ransomware and they currently have 47, 52 and 40 transactions. Given the estimates of 200,000+ machines being affected, 150 payments is surprisingly small. For those playing at home, here’s the 3 BitCoin addresses where impacted users were asked to pay 300 Bitcoin to unlock their PCs.
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
This is another example of why its important to make sure your machine is disposable with regular backups or the use of online storage like OneDrive, Google Drive, Dropbox etc. For those users who get infected and have backups, they can simply blow away the machine, reinstall Windows and restore their files, assuming updates get done to prevent reinfection.
Most of the photos shared online are actually public displays of which the connected machines have been compromised, but perhaps the most dramatic example of unhatched machines was in the UK’s National Health Service which runs their hospitals. Without patient records available to staff, some hospitals were effectively shut down.
https://twitter.com/henkvaness/status/863269936264826880
https://twitter.com/henkvaness/status/863306181623861249
https://twitter.com/GossiTheDog/status/863899850252967940
So widespread is this Windows exploit, that Microsoft took the extraordinary step of actually patching unsupported operating systems. This includes Windows XP, Windows 8 and server version Windows Server 2003. If for some weird reason you’re still responsible for a machine running any of these out of date OS’s, you can find more information about the fix here – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
It is worth noting that Windows 10 was unaffected by the ransomware as the exploit was fixed ahead of Microsoft’s latest release.
Some of the best reporting I’ve seen on ths comes from Troy Hunt.
