Last year the Internet was taken down by cyber criminals through a massive Distributed Denial of Service Attack (DDoS) attack using the infamous Mirai malware. But last Friday afternoon, almost 99 countries including Russia, UK, USA and Australia became victims of a worldwide mass cyber-attack that has been reported to have caused major disruptions to systems that were being used by hospitals, companies, and other institutions.
The Shadow Brokers and the NSA
An unknown hacking group launched ransomware attack to a number of computers worldwide that is seemingly powered by a hacking tool developed by the National Security Agency for spying purposes.
The tool got leaked online by the “Shadow Brokers” group as part of their agenda to accumulate hacking tools developed by the agency. The tool is apparently given the name “Eternal Blue” and it exploits a vulnerability in Microsoft Windows.
What does the vulnerability to do?
According to experts, the vulnerability in Microsoft’s flagship operating system can be exploited by Eternal Blue which blocks access to a computer completely. What is more, is that the hacking group demanded a sum of $600 from the victims if they wanted to re-access their systems and de-encrypt the files accordingly.
Who has been affected?
Up till now, almost 75,000 computers have been reported to have become the victim of the cyber-attack. Moreover, over 40 NHS organizations had been affected initially on Friday in the UK, disrupting the entire health system of the country.
Experts say that the ransomware was spreading at an exponential rate of five million emails per hour resulting in the virus affecting a number of other countries as well, including Australia, Germany, Mexico, Italy, Belgium, France and Russia.
— Kaspersky Lab (@kaspersky) May 12, 2017
Also, FedEx, one of the world’s leading courier organizations, had its entire system brought down. The German rail system also had its ticketing system hijacked by the ransomware.
Whoops. Foto vom Kollegen bekommen – Chemnitz Hauptbahnhof hat wohl ein Cryptolocker Problem. pic.twitter.com/IH5B5dyKvM
— Ｎｉｃｋ Ｌａｎｇｅ (@Nick_Lange_) May 12, 2017
However, none of these were as big as the disruption which took place in Spain’s major telecommunication company, Telefonica. This was accompanied by attacks made on the power firm, Iberdrola, and the utility firm Gas Natural.
How was the attack carried out and stopped?
A security researcher going by the online handle of @MalwareTechBlog told AFP that the ransomware was spreading due to being connected to an unregistered domain. The researcher, therefore, said that the spread can be stopped by registering the domain and updating the systems immediately.
According to The Guardian, @MalwareTechBlog with the assistance of Darien Huss from security firm Proofpoint found and activated a “kill switch” in the malicious software. The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.
“I saw it wasn’t registered and thought, ‘I think I’ll have that.” The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second. They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”
I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.
Also, many NHS organizations had Windows XP installed on their computers. Microsoft long stopped supporting the old version of Windows and hence the ransomware took advantage of this and was able to spread so conveniently. The old operating system did not alert the users of any viruses and did not have updates against such threats.
Microsoft’s take on the situation
A Microsoft’s spokesperson said that those who had enabled updates and had the company’s free antivirus software installed were not affected. Also, the company released an update earlier today which detects this threat as Ransom: Win32/WannaCrypt.
Microsoft has made the patch for MS17-010 available for XP and 2k3. Patch over the weekend. It's worth the overtime. https://t.co/XqXjprWtC1
— Jake Williams (@MalwareJake) May 13, 2017
The NHS system was the most badly hit
Soon after the attack, various hospitals postponed non-urgent appointments and ambulances changed routes. The systems were made to shut down altogether with doctors complaining about the major delays that occurred as a result. Up till now, all that is known is that various organizations have paid the demanded amount in Bitcoin. However, since all bitcoin transactions are recorded in a public ledger, it is hard to tell specifically which organizations paid the ransom.
At the time of publishing this article, the attacks were stopped. The @MalwareTechBlog also released in-depth details highlighting how he was able to accidentally stop the attack which can be read here.