Fraud Management & Cybercrime , Governance & Risk Management , Next-Generation Technologies & Secure Development
WannaCry Ransomware Outbreak Spreads Worldwide
Spain's Telefonica, England's NHS Are Among the VictimsThis story has been updated.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
Spanish telecommunications giant Telefonica has reportedly instructed all employees to power down their systems in the wake of a massive ransomware attack. In addition, multiple National Health Service trusts in Britain say they've been hit with ransomware.
The Telefonica and NHS incidents appear to be part of a mass ransomware outbreak that has hit numerous organizations and institutions, reportedly ranging from Fedex to Russia's interior ministry. Researchers at Avast claimed that the attacks had spread to 99 nations. Multiple organizations have deactivated all endpoints as a precautionary measure.
The attacks against Telefonica and the NSH have infected endpoints with the WannaCry crypto-locking ransomware, which is also known as WCry and WanaCrypt0r.
Three security professionals with access to details surrounding the Telefonica incident say that attackers penetrated Telefonica's network - after which they deployed the WannaCry ransomware - by using the DoublePulsar "Equation Group" exploit leaked in April by the Shadow Brokers (see DoublePulsar Pwnage: Attackers Tap Equation Group Exploit).
The Shadow Brokers is the shadowy group believed to tie to the Russia government, while the Equation Group appears to be the National Security Agency's in-house hacking team, known as Tailored Access Operations.
Telefonica couldn't be immediately reached for comment.
DoublePulsar is an exploit that was patched in April by Microsoft in the form of MS17-010. That security update patches a server message block, or SMB, server vulnerability present in every Windows operating system from XP to Server 2008 R2, and which appears to have been used by the Equation Group to gain access to targeted networks, at which point additional attack tools could be deployed.
Avast reports that more than 75,000 related outbreaks of what it dubs "WanaCrypt0r 2.0" were seen across 99 countries on May 12.
NHS: Major Emergencies Declared
Security experts have confirmed that the SMB flaw was also used to penetrate multiple NHS networks, after which WannaCry ransomware was deployed, seemingly via automated attacks.
The British government says 48 NHS trusts in England have been hit by ransomware infections, leading the organizations in some cases to declare major emergencies and redirect patients - including to accident and emergency departments - to other locations. In addition, 13 of Scotland's 14 health boards were also hit by the ransomware, as were many doctors' practices in England and Scotland.
Colchester General Hospital, for example, has shut down all computer systems as a precautionary measure, Sky News reports, and issued a statement saying it was "postponing all non-urgent activity for today and we are asking people not to come to A&E."
Britain's national fraud and cyber reporting center, ActionFraud, confirms that multiple NHS trusts and hospitals - in London, Nottingham, Blackburn, Cumbria and Hertfordshire - have been hit in the attacks. Infected endpoints are demanding $300 in bitcoins, it says, adding that intelligence agency GCHQ's National Cyber Security Center is aware of the incident and working with the NHS and the National Crime Agency's National Cyber Crime Unit.
NHS computers have been locked by Wanna Decryptor #ransomware. To protect yourself in the future, follow our advice https://t.co/DVtbNKSk7X
— Action Fraud (@actionfrauduk) May 12, 2017
"The investigation is at an early stage but we believe the malware variant is Wanna decryptor," an NHS Digital spokeswoman says. "NHS Digital is working closely with the NCSC, the Department of Health and NHS England to support affected organizations and to recommend appropriate mitigations. This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors."
The ActionFraud alert also included a copy of this tweet by journalist Lawrence Dunhill:
Here's the malware attack which appears to have hit NHS hospitals right across England today pic.twitter.com/zIAJ6wbAG5
— Lawrence Dunhill (@LawrenceDunhill) May 12, 2017
Alerts Issued in U.S.
Two U.S. agencies issued alerts about the worldwide ransomware attack on May 12.
The U.S. Department of Health and Human Services notes: "HHS is aware of a significant cybersecurity issue in the U.K. and other international locations affecting hospitals and healthcare information systems. We are also aware that there is evidence of this attack occurring inside the United States. We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cybersecurity best practices - particularly with respect to email."
In another alert, the Department of Homeland Security's U.S. Computer Emergency Readiness Team says: "The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware."
Experts Warned This Would Happen
One security professional told Information Security Media Group that in the wake of the Equation Group SMB exploit coming to light, no organizations should have still been using unpatched Windows SMB and they should have eliminated all outdated or unpatchable systems that used it. Their failure to do so, this professional said, is evidenced by this ransomware worm now spreading.
Security experts have been predicting this type of outbreak would occur. On April 19, for example, U.K.-based security researcher Kevin Beaumont tweeted his prediction that the exploit would soon be targeted via a "ransomware worm" that would propagate around the world, encrypting as it went.
For any organization that isn't prepared, the U.K.-based security researcher known as Hacker Fantastic says that applying the patch to all systems should happen immediately and that all unpatchable systems should be immediately decommissioned and related firewall rules put in place.
How not to be hit by WCry 2.0: Apply MS17-010 immediately, remove NT4, 2000, XP-2003 from production, Firewall ports 445/139 & 3389. Simple.
— Hacker Fantastic (@hackerfantastic) May 12, 2017
As this attack unfolds - on a Friday, as such attacks inevitably seem to do - it's going to be a busy weekend for many information security professionals.