Just a quick note that a huge ransomware cyber attack is going around the world. A lot of news reports popped up the last couple of hours about how the UK's NHS got hit by a large ransomware attack but more recent reports indicate the situation is a lot worse as it's a worm that's hitting users and businesses in dozens of countries around the globe. The worm encrypts PC user data and demands a $300 ransom to get back control of the PC. The ransom has to be paid via Bitcoin, which makes it very hard to track.
Kaspersky Lab offers coverage over here. The worm is called WannaCry (or Wcry) and uses the "EternalBlue" SMB exploit from the NSA. This exploit was leaked to the Internet via the ShadowBrokers dump about a month ago.
The WannaCry worm uses a Windows vulnerability that enables it to spread automatically via internal LAN and WAN, without requiring any user action. That's why it's causing so much ruckus, once it's inside a vulnerable network it can rapidly replicate itself.
A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.
The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.
It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.
All Windows operating systems from XP to 10 are vulnerable but the good news is that Microsoft patched this vulnerability on March 14, 2017 (MS17-010). So based on current knowledge, it appears organizations that got hit big by this worm are either using unsupported software like Windows XP or neglect to install security updates on a regular basis. Patched systems can get infected too but this will require a user action.