75,000 computers, 99 countries, 28 languages, 1 massive attack

Article authored by

Anshuman Singh,
Senior Director Product Management,
Barracuda Networks Inc.

It’s been a hectic day in the world.  99 countries were hammered with a ransomware attack against industries of all kinds.  Over 75,000 machines were infected as of this afternoon. 

What’s going on?

A relatively young piece of ransomware called WanaCrypt0r has been spreading rapidly since this Friday.  A variant of WanaCrypt0r, named WeCry, was originally discovered in February of this year.

What makes this piece of ransomware so prolific today is that it is packaged as part of an exploit tool called ETERNALBLUE that leverages a known vulnerability in Windows that was patched in March as part of Windows Updates.  This was an SMB vulnerability (MS17-010), which allowed malicious code to travel from system to system.  Older Windows systems that are no longer supported would not have received a patch, and many supported systems were simply not updated.  Delays caused by compatibility testing and limited resources often leave systems unpatched and at risk.

The exploit is delivered via email attachment.  Once the exploit is detonated, the worm will spread the ransomware through RDP sessions and the SMB vulnerability referenced above.  The worm does the work of spreading the ransomware to as many systems as possible, as fast as possible.  The ransomware encrypts the target files and presents the ransom note to the victim.  This MalwareBytes thread has a detailed analysis of the code and the executable.

The attackers are charging up to $600 in bitcoin for the decryptor.

The exploit tool ETERNALBLUE was made public in the April 2017 Shadow Brokers leak.  This leak included hacking tools and exploits that the Shadow Brokers claim to have to have stolen from NSA.   As of this writing, the attacker[s] responsible for the attack remain unknown, and a ‘kill switch’ has been triggered which prevents new infections from this variant.  

What’s next?

Multiple layers of Barracuda Advanced Threat Protection were detecting these executables early on, and Barracuda customers with an active Energize Updates subscription are protected from this exploit. 

Jonathan Tanner, Barracuda Software Engineer and security blogger, offers this advice on defending ourselves from these attacks:

•    Keep current on updates, especially on technologies that have a history of multiple vulnerabilities.  Maintain active subscriptions on your anti-virus solutions, and subscribe to Energize Updates if you’re a Barracuda customer. 
•    End-of-Life Operating Systems should be replaced as soon as possible.  Operating systems that are beyond extended support should be removed from networks immediately, even if you can’t replace it right away.
•    We cannot overstate the importance of vigilance when it comes to email and email attachments.  Email is the primary method of attack for almost everything.  In this attack, one person to open the exploit could lead to the infection of all other vulnerable devices on the network.
•    Shut down unused and unnecessary services on your systems.  Every service is a potential attack surface.
•    Deploy a powerful email security gateway to protect your users from these attacks.  Barracuda offers 30-day free trials on email security appliances and services so you can try them out for yourself.
•    Back up all of your data on a regular basis.  Get a free trial of Barracuda Backup if you are looking for a comprehensive solution with flexible deployment options.

What did we learn?

A multi-layer security solution and a data protection strategy are critical components of cybersecurity, but it’s never been more important to help your colleagues and company leadership understand the risk of cyberattack.  This understanding, combined with ongoing training and awareness initiatives, will help your users protect themselves.