On Friday, Microsoft Windows operating systems at large institutions and companies in about 150 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan, were infected. A large number of workstations at UK National Health Service (NHS) hospitals are among the victims of the attack called WannaCry. According to Europol, the ransomware attack is at an “unprecedented level” and requires international investigation.
Microsoft states that customers running Windows 10 were not targeted by the attack. “The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack”, says the company.
“The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.”, says the United States Computer Emergency Readiness Team (US-CERT).
The first signs of the attack appeared at 15:30 on Friday, when 16 NHS organizations reported the threat. Subsequent reports came from the Spanish multinational broadband and telecommunications provider Telefonica, the American multinational courier FedEx, and universities in China.
The American software company Symantec describes the malware as a new variant, v2.0, of the Ransom.CryptXXX family of ransomware; Symantec detects it as Ransom.Wannacry, and it is also known as Wcry or WanaCrypt0r.
In February, Malwarebytes researcher S!Ri discovered version 1.0 of this malware. In March, Microsoft released the security update MS17-010, which closes the SMBv1 vulnerability that the worm component of this attack uses to spread between unpatched machines. “Those who have Windows Update enabled are protected against attacks on this vulnerability,” said the company.
The ransom note demands $300 worth of bitcoin, with no other payment option, and starts a countdown timer. If the ransom is not paid within 3 days, it doubles; if it is not paid within 7 days, the note claims the files become permanently unrecoverable.
The message is localized in 28 languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
There are three bitcoin addresses used by WannaCry’s latest version:
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 had 77 transactions worth over 11.52 bitcoins;
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw had 68 transactions worth over 11.65 bitcoins;
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn had 62 transactions worth over 8.03 bitcoins.
“That could well go up though,” says Microsoft Regional Director Troy Hunt, who has examined the attack in depth. “Regardless of the kill switch, many machines remain infected and if there’s a 3-day window of payment before the cost escalates, you’d expect plenty of people to be holding off for a bit. It’ll be interesting to look at those Bitcoin addresses in another 48 hours.”
Jonathan Levin, co-founder of the blockchain forensics startup Chainalysis, investigated the addresses, linked them to addresses at many different Bitcoin exchanges, and says that Russian users seem to have been hit hardest by the attacks.
Soon after the attack on Friday, a UK cybersecurity researcher known as MalwareTech registered a domain he found hardcoded in the program and managed to stop the spread of the ransomware. However, he noted that “our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”
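The sinkhole suppresses the payload but does not remove the infection, so every host that looked up the kill-switch domain is an infected, unpatched machine that still needs attention. The following is an added example, not code from the article or from the researcher quoted: it scans resolver query logs for exact lookups of the kill-switch name and lists the clients that made them, with first-seen time and count. The log lines are constructed in a BIND-style format, and the domain is a placeholder; substitute the name taken from the sample itself.

```python
import re

# Placeholder (assumption): replace with the kill-switch domain extracted from the sample.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Constructed sample of BIND-style query-log lines; not real traffic.
SAMPLE_QUERY_LOG = """\
12-May-2017 14:31:02.118 queries: info: client 10.20.30.41#52113: query: killswitch.example.invalid IN A + (10.20.0.5)
12-May-2017 14:31:02.501 queries: info: client 10.20.30.41#52114: query: update.microsoft.com IN A + (10.20.0.5)
12-May-2017 14:31:07.009 queries: info: client 10.20.31.9#61002: query: killswitch.example.invalid IN A + (10.20.0.5)
12-May-2017 14:32:15.332 queries: info: client 10.20.30.41#52190: query: killswitch.example.invalid IN A + (10.20.0.5)
12-May-2017 14:33:40.777 queries: info: client 10.20.40.200#49233: query: sub.killswitch.example.invalid IN A + (10.20.0.5)
12-May-2017 14:35:01.000 queries: info: client 10.20.50.7#50001: query: www.nhs.uk IN A + (10.20.0.5)
"""

# timestamp, client address and queried name from one query-log line
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (timestamp, client_ip, qname) for every line that parses; skip the rest."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("qname").rstrip(".").lower()


def hosts_hitting_kill_switch(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map client IP -> (first-seen timestamp, query count) for clients that looked up
    the kill-switch name exactly. Subdomains are intentionally not matched: the sample
    checks one hard-coded name, so only an exact match is evidence the check ran."""
    domain = domain.lower()
    seen = {}
    for ts, ip, qname in parse_queries(log_text):
        if qname != domain:
            continue
        first, count = seen.get(ip, (ts, 0))
        seen[ip] = (first, count + 1)
    return seen


if __name__ == "__main__":
    for ip, (first, count) in sorted(hosts_hitting_kill_switch(SAMPLE_QUERY_LOG).items()):
        print(f"{ip}\tfirst seen {first}\t{count} lookup(s)\t-> isolate and patch")
```

Run this against the logs of every internal resolver, since the sample's own lookup is what reached the sinkhole; a host that appears here is infected whether or not its files were encrypted, and a repeat count suggests the sample was re-launched.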
The Computer Security Incident Response Team at the Spanish Government’s National Cryptologic Center (CCN-CERT) has developed a tool to prevent infection by WannaCry 2.0. The “CCN-CERT NoMoreCry Tool” is available to any organization that needs it.