The ransomware has spread to 200,000 computers in 150 countries, affecting U.S. FedEx, telecoms and gas companies in Spain, 61 NHS organizations, the Russian Ministry of Internal Affairs and many others, according to the Economist and BBC. A few different variations of the malware have been detected.
What you can do:
Microsoft has taken the “highly unusual step” of providing a security update for Windows XP, Windows 8 and Windows Server 2003, available here.
Windows 10 users are not affected, only older versions of the operating system. Other suggestions include disabling the SMB protocol in Windows computers and updating antivirus solutions.
Take other precautions such as using the Chrome browser, and disable Adobe Flash Player. Forward suspicious/possible phishing emails to your security team and don’t click on any links. Back up your data on a physical hard drive disconnected from the Internet, in addition to a cloud service (but beware, it could get infected), as recommended by PCWorld.
Start tracking devices running out-of-date operating systems, browsers, plugins and more with Duo’s Device Insight and block them with Endpoint Remediation to prevent the access of potentially risky software into your systems.
A widespread, worm-like ransomware attack has shut down computers across Europe and Asia, hitting the Spanish telecom provider, Telefonica and operations in major U.K.-based health systems especially hard. Many other mission-critical organizations have also been disrupted, including banks and power companies.
The attack has taken down at least 16 National Health Service (NHS) hospital systems across England, affecting parts of Scotland, as reported by ZDNet. Hospitals in Manchester, Lister Hospital in Hertfordshire and Bart’s Health NHS Trust in London are all affected.
The hospitals have diverted patients to neighboring hospitals and are urging others not to visit their emergency departments. Routine appointments have been cancelled, with entire systems shut down and some hospitals reporting problems with their telephone networks.
Ransomware Leverages Latest Windows Vulnerability
According to NHS Digital, the organization that runs IT systems for the health service, the malware variant used is Wanna Decryptor.
BleepingComputer reports that the ransomware’s name is actually WCry, but is referenced online by various similar names. There have been several reports that the ransomware is using an NSA exploit leaked by Shadow Brokers last month, a vulnerability in the SMBv1 protocol affecting Windows machines.
It uses a self-replicating payload that allows the ransomware to spread across machines quickly without requiring any user action, according to Ars Technica. Below is a photo of the ransomware encryption message that users are seeing on their computers:
There were reports early Friday on social media of the ransomware spreading quickly through Russian, Ukraine and Taiwan:
Although Microsoft patched the critical vulnerability in March, not all Windows users or administrators have necessarily applied the security update. Unpatched computers are easy targets of exploitation and malware installation.
Back in January, Barts Health NHS hospitals were hit by a ransomware infection which took its systems offline. According to Barts Health NHS Trust, their antivirus software failed to detect the virus. Another attack last November against the Northern Lincolnshire and Goole NHS Foundation Trust infected their systems with a type of ransomware known as Globe2.
Windows XP Run Rampant in U.K. Health Systems
Running extremely out-of-date operating systems (OSs) like Windows XP can be a contributing factor. And as Duo’s data has shown in the past, the healthcare industry has twice as many Windows machines running XP than our average customer.
An analysis of Freedom of Information Act (FoI) requests by Citrix also supports our findings. A survey of 63 NHS trusts (42 responses) in the U.K. revealed that:
90 percent of hospital organizations were running Windows XP on a small percentage of their overall devices.
But even one device running an unsupported (unpatched and unprotected against new vulnerabilities) OS could be the weak link at a hospital system, allowing for malware infection. Windows XP is particularly bad due the fact it was released in 2001 and is not capable of receiving security updates since April 2014 - meaning a hospital system running the OS could be easily exploited by ransomware that leverages a Windows vulnerability only patched in March.
Protecting Against Ransomware
Updating and patching your software regularly against the latest vulnerabilities is key to protecting your systems against malware infection.
Make sure you have applied Microsoft’s March Update and the MS17-010 update to protect against these types of vulnerabilities that are helping to spread the ransomware to Windows machines worldwide. Check often for emergency patches that are released out of the regular Patch Tuesday cycle for the most critical vulnerabilities.