Europol has described the WannaCry ransomware, which shut down hospital infrastructure across the UK and uses a leaked exploit first developed by the US National Security Agency, as unprecedented in scale.
The attack was launched on Friday 12 May and quickly spread to more than 200,000 systems around the world. Security researcher Kafeine found that WannaCry contained code based on the NSA's EternalBlue exploit, which was leaked earlier this year by the group calling itself the Shadow Brokers. According to BleepingComputer, EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol to spread across file-sharing networks. Malwarebytes Labs reports that the worm creates two threads: one scans for hosts on the local network, the other scans for hosts on the internet. Infected machines see the malware demand a payment of up to $600 to decrypt their files.
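As an added defender-side illustration (not code from the original article or from any of the researchers it cites), the following Python flags hosts whose outbound TCP/445 connections show the two scan patterns described above: many distinct local destinations, or any notable number of internet destinations, within one time window. The flow records, the RFC 1918 "local" ranges and the thresholds are constructed assumptions.

```python
"""Flag hosts whose outbound TCP/445 (SMB) connections look like worm scanning.

Mirrors the two scan targets described for the worm: distinct destinations on
the local network and distinct destinations on the internet, per source host,
per time window. Thresholds and sample data are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges stand in for "the local network"; adjust to your own address plan.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

# Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port):
# 10.0.0.5 sweeps ten local hosts and eight internet hosts on 445 within 20 s;
# 10.0.0.7 repeatedly talks to one file server on 445, plus one HTTPS connection.
SAMPLE_FLOWS = (
    [(i, "10.0.0.5", f"10.0.0.{10 + i}", 445) for i in range(10)]
    + [(10 + i, "10.0.0.5", f"203.0.113.{1 + i}", 445) for i in range(8)]
    + [(i, "10.0.0.7", "10.0.0.2", 445) for i in range(6)]
    + [(3, "10.0.0.7", "10.0.0.3", 443)]
)


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def smb_scan_suspects(flows, window_s=60, min_local=8, min_external=3):
    """Return {src: (local_dsts, external_dsts)} for sources that, within one
    window, contacted at least min_local distinct local hosts or at least
    min_external distinct internet hosts on TCP/445."""
    buckets = defaultdict(lambda: (set(), set()))  # (src, window) -> (local, external)
    for ts, src, dst, port in flows:
        if port != 445:
            continue
        local, external = buckets[(src, ts // window_s)]
        (local if is_local(dst) else external).add(dst)

    suspects = {}
    for (src, _), (local, external) in buckets.items():
        counts = (len(local), len(external))
        if counts[0] >= min_local or counts[1] >= min_external:
            # Keep the busiest window if a source appears in several.
            suspects[src] = max(suspects.get(src, (0, 0)), counts)
    return suspects


if __name__ == "__main__":
    for src, (n_local, n_ext) in smb_scan_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: {n_local} local and {n_ext} external SMB targets in one window")
```

Run against real flow or firewall logs, the same logic surfaces the lateral-movement phase early, which is what the MS17-010 patch and blocking TCP/445 at the perimeter are meant to prevent.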
Microsoft had patched the vulnerability in security bulletin MS17-010 in March this year, but unpatched systems, and those running older versions of Windows without Windows Update enabled, remained open to infection. The company took the unusual step of releasing a further patch for older operating systems, including the otherwise unsupported Windows XP.
But by that time hospitals, doctor’s surgeries and accident and emergency wards in the UK had been affected by the attack and some were even reportedly turning patients away. Home secretary Amber Rudd confirmed that one in five NHS England trusts had been hit by the attack, but insisted no patient data had been compromised.
Elsewhere, organisations hit by the attack included Telefonica in Spain, Renault in France and the delivery company FedEx in the USA, as well as China's state oil company and railways in Germany. Russia was believed to have the most infections.
Security researchers warn that another wave of attacks is likely, and that the code could easily be evolved to become more sophisticated and harder to stop. It’s suspected that an organised criminal group was behind the attack.