This Week's Massive Ransomware Attack Was Mostly Preventable — Here’s How To Avoid It

By Dell Cameron

Ransomware may be mostly thought of as a (sometimes costly) nuisance, but when it hinders the ability of doctors and nurses to help people with emergency medical problems, that qualifies as armed robbery.

On Friday, a quickly spreading, nasty piece of malware crossed mountains and oceans to infect more than 70,000 machines around the world in its first few hours. Among those infected were more than a dozen English hospitals, a telecom in Spain, FedEx’s offices here in the UK, and apparently, the Russian Interior Ministry. Within half a day, there were instances detected on six continents.

What’s sad is that this was all largely preventable, had more Windows users simply installed the security patch Microsoft released for it two months ago. (Unless you’re one of the 8.45 per cent of users still running Windows XP, which hasn’t been supported for three years.)

Here’s what happened: unknown attackers deployed a virus targeting Windows machines running the file sharing protocol Server Message Block (SMB). Only machines that hadn’t been updated with the MS17-010 patch released on March 14 were affected; this patch closed the hole used by an exploit known as EternalBlue, once a closely guarded secret of the National Security Agency, which was leaked last month by the Shadow Brokers, a hacker group that first revealed itself last summer.

The ransomware, aptly named WannaCry, did not spread because of people clicking on bad links. The only way to prevent this attack was to have already installed the update.

Through the EternalBlue exploit, the malware installed an NSA backdoor payload called DoublePulsar, and through it went WannaCry, spreading rapidly and automatically to other computers on the same network — potentially hundreds at a time.
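The two conditions the article describes, a missing MS17-010 update and SMB still listening, can be checked on a single Windows host from an elevated PowerShell prompt. This is an added example, not code from the article or from Microsoft; the KB numbers are the March 2017 MS17-010 update IDs as I recall them (an assumption) and should be verified against the MS17-010 bulletin for your exact Windows build.

```powershell
# Added example: local check for the WannaCry spread path (unpatched SMB, SMBv1 enabled).
# KB IDs below are assumed from memory of the MS17-010 bulletin; verify before relying on them.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 builds 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB ID; any ID above means the SMB fix is present.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = $installed | Where-Object { $Ms17010Kbs -contains $_ }
    if ($hit) {
        Write-Host "MS17-010 present: $($hit -join ', ')" -ForegroundColor Green
        return $true
    }
    # Caveat: on Windows 10 a later cumulative update supersedes these IDs, so no match
    # there is not conclusive; compare the OS build number against the bulletin instead.
    Write-Warning 'No MS17-010 update ID found. Install the March 14, 2017 security update now.'
    return $false
}

function Test-Smb1Disabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) {
        Write-Warning 'Cannot query SMB server configuration on this OS; check SMBv1 manually.'
        return $false
    }
    if ($cfg.EnableSMB1Protocol) {
        Write-Warning 'SMBv1 is enabled. Unless a legacy device needs it, disable it with:'
        Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
        return $false
    }
    Write-Host 'SMBv1 is disabled.' -ForegroundColor Green
    return $true
}

$patched = Test-Ms17010Installed
$noSmb1  = Test-Smb1Disabled
if ($patched -and $noSmb1) {
    Write-Host 'Host is patched and not exposing SMBv1; the WannaCry spread path is closed.'
}
```

Disabling SMBv1 is a defence in depth step on top of the patch, not a substitute for it: the patch fixes the flaw, while turning off SMBv1 removes the protocol the worm spoke.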

Unfortunately, it looks like the attackers might make some serious bread for their efforts. Researchers combing through samples of the ransomware have already discovered several bitcoin wallets in which thousands of dollars have been deposited. It’s fine to say we shouldn’t negotiate with hackers demanding ransom — though the people who say that almost always do — but when the target is an emergency room, and lives are at stake, there’s really no choice.

If you think you might be vulnerable to WannaCry, or you don’t remember installing any updates over the past month, your first step is to address that issue immediately. As Sean Dillon, the RiskSense security analyst who reverse engineered DoublePulsar, told ThreatPost: “This is the most critical Windows patch since [Conficker],” which is one of the largest similar infections to date.

Despite having been patched nearly a decade ago, the Conficker worm is still in circulation. “I find it everywhere,” says Dillon, adding that WannaCry, too, “is going to be on networks for years.”

The importance of downloading and installing security updates (as opposed to just clicking “remind me tomorrow” for several weeks in a row) cannot be overstated. Just ask the patients of the 16 hospitals in England whose delay in care could have been easily avoided.

[ThreatPost]