Executives in charge of security should immediately warn employees against opening any suspicious Word documents and apply patches to any legacy Windows systems to avoid falling victim to a ransomware attack that is sweeping the globe.
Several antivirus vendors, including Kaspersky, are reporting an attack that has compromised tens of thousands of computers across as many as 100 countries. The UK is among the hardest hit, with its National Health Service being disrupted. European telco Telefonica was also affected.
While a key URL that enabled the worm’s spread has been disabled, the ransomware can still spread to unpatched systems running legacy versions of Windows and requiring a proxy to access the Internet – the norm for corporate networks.
The malware being used to orchestrate the attack is ransomware that’s been weaponized with the EternalBlue worm, a piece of National Security Administration spy kit that was leaked by a group called The Shadow Brokers in April. It’s unknown who is behind the attacks.
The WannaCrypt or WannaCry virus targets all Windows versions prior to Windows 10 that have not been patched for MS17-010, which Microsoft released in March. The malware is being delivered in an infected Microsoft Word file that is sent in an email, disguised as a job offer, an invoice, or another relevant document.
Once opened, the ransomware encrypts a user’s files and demands that $300 to $600 in Bitcoin be sent as payment to restore them. A countdown timer appears, suggesting a limited amount of time to pay before the files are deleted for good.
Microsoft issued customer guidance on Friday addressing the attacks. It explains that machines that have Windows Update enabled are protected. Those that don't have it enabled should immediately deploy Microsoft Security Bulletin MS17-010.
Microsoft also updated its Windows Defender software to detect the threat. Many other antivirus products also protect against the threat. It also issued patches for its OS versions that no longer receive general support, including Windows XP, Windows 8, and Windows Server 2003.
An analysis by Malwarebytes finds the worm tries to connect to a website at URL www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, but that address is now sinkholed, with the host now resolving to an IP address that hosts a website. As a result, the ransomware will not run on newly infected systems that execute the file unless that system requires proxy access to the Internet.
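The sinkhole behaviour described above gives defenders a cheap indicator: any host that looked up or requested that domain has already executed the worm, whether or not the request succeeded (a proxy that blocks it means the kill switch did not fire and the worm kept going). The following script is an added example, not code from the article or from Malwarebytes; it runs a regex over constructed proxy-style log lines (timestamp, client IP, requested host, status), a format assumed for illustration, and reports the clients that touched the kill-switch domain.

```powershell
# Added example: flag hosts whose proxy/DNS logs show a request for the
# sinkholed kill-switch domain named in the article.
# Assumption: a four-field log format "timestamp client host status";
# adapt the regex to your own resolver or proxy log format.
$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed sample log lines for this example (not real data).
$SampleLog = @'
2017-05-12T10:01:02Z 10.0.1.15 www.example.com 200
2017-05-12T10:01:09Z 10.0.1.22 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 200
2017-05-12T10:01:11Z 10.0.1.22 www.example.com 200
2017-05-12T10:02:40Z 10.0.2.7 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 403
'@

function Find-KillSwitchContacts {
    param(
        [string[]]$Lines,
        [string]$Domain = $KillSwitchDomain
    )
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<host>\S+)\s+(?<status>\d+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.host -ieq $Domain) {
            $status = [int]$Matches.status
            # A 2xx means the sinkhole answered and the worm's kill switch
            # fired; anything else (proxy block, timeout) means the worm
            # carried on. Either way the client executed the sample.
            $killSwitchFired = ($status -ge 200 -and $status -lt 300)
            [pscustomobject]@{
                Time            = $Matches.ts
                Client          = $Matches.client
                Status          = $status
                KillSwitchFired = $killSwitchFired
                Verdict         = 'worm executed on this host: isolate and rebuild'
            }
        }
    }
}

Find-KillSwitchContacts -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample above the script lists 10.0.1.22 (sinkhole reached, kill switch fired) and 10.0.2.7 (request blocked with 403, so the kill switch did not fire and that host should be treated as actively spreading). The `KillSwitchFired` column only tells you how urgent the host is; both rows warrant isolation, since the request proves the sample ran.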
Microsoft says the threat could evolve over time and says customers should consider disabling legacy Server Message Block (SMB) communications on their network – SMBv1, SMBv2 and SMBv3.
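To turn the two pieces of advice in this article (deploy MS17-010, disable legacy SMB) into a repeatable check, here is an added PowerShell example; it is not code from the article or from Microsoft. It reports whether an MS17-010 update is installed, whether SMBv1 is still on, and can disable SMBv1 on the server and client side. The KB numbers in `$Ms17010Kbs` are my recollection of the MS17-010 updates for Windows 7/2008 R2 and the out-of-band XP/2003/8 update, not values from the article; verify them against the bulletin for each OS you run before trusting the result. The example disables SMBv1 only: removing SMBv2 and SMBv3, as the article's last sentence mentions, also removes ordinary file sharing and domain traffic, so that is a separate decision for each network.

```powershell
# Added example: audit a Windows host for MS17-010 and legacy SMBv1, and
# disable SMBv1 where it is still enabled. Run in an elevated session.
# Assumption: the KB IDs below are MS17-010 / out-of-band updates for
# Windows 7, 2008 R2, XP, 2003 and 8; confirm against the bulletin.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    [pscustomobject]@{
        Patched   = ($hits.Count -gt 0)
        MatchedKb = ($hits -join ',')
    }
}

function Get-Smb1Status {
    # Windows 8 / Server 2012 and later expose the SMB server config as a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: the server honours the SMB1 DWORD under LanmanServer.
    # A missing value means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    # Server side.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the SMB1 mini-redirector (mrxsmb10) from the
    # workstation service's dependencies and stop it from starting, so the
    # host also stops speaking SMBv1 outbound. Takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# Usage: report first, then remediate if needed.
$patch = Test-Ms17010Installed
$smb1  = Get-Smb1Status
Write-Host ("MS17-010 installed: {0} ({1})" -f $patch.Patched, $patch.MatchedKb)
Write-Host ("SMBv1 enabled:      {0}" -f $smb1)
if ($smb1) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot for the client-side change to apply.'
}
if (-not $patch.Patched) {
    Write-Host 'MS17-010 not found: install the update for this OS from the bulletin.'
}
```

Run it from a management host via `Invoke-Command` against a list of machines to get a fleet-wide view; a host that shows `SMBv1 enabled: True` and `MS17-010 installed: False` is the case the article is warning about and should be patched before anything else.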