The Wannacry / Wannacrypt virus is surging freely across the internet.

The payload took effect on the 12th of May 2017. It has affected over 74 countries so far.

Many NHS trusts (16), hospitals and GP surgeries have been affected by the recent so-called “Cyber-Attack.”

What is it?

A worm that spreads by exploiting SMB file sharing on Microsoft operating systems.

Affected servers and PCs display a message stating that their filesystem has been encrypted and that user data is no longer available without paying a $300-$600 fee to an anonymous bitcoin wallet.

At first, it appeared that just XP PCs had been affected, but many other operating systems that are not patched with MS17-010 have also been affected, even parking coin machines.

Many privately and publicly owned organisations have been affected, including Nissan, Telefonica, NHS Trusts, FedEx, rail companies and universities.

A researcher going by the Twitter name @malwaretech discovered a “kill switch” within the code: an unregistered domain. By purchasing the domain, he was able to temporarily stop the spread of this viral outbreak. He was able to track the virus by “sinkholing” connections to this domain.

The domain that MalwareTech registered: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

“Warning for Monday: If you turn on a system without the MS17-010 patch and TCP port 445 open, your system can be ransomwared.” – Malwaretech.

The wcrypt tracker page: https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all

The politicians’ responses were mostly unhelpful, blaming each other and NHS IT teams.
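An added example (not from the original post) that triages network logs for the two indicators named above: lookups of the kill-switch domain and outbound TCP 445 connections to many peers. The log format, the sample lines and the fan-out threshold are constructed assumptions.

```python
from collections import defaultdict

KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # domain quoted on this page
SMB_PORT = "445"
FANOUT = 3  # assumed threshold: distinct SMB peers before a host looks worm-like

# Constructed sample log in a hypothetical format:
#   <time> DNS <client> <qname>    |    <time> CONN <src> <dst> <dport>
SAMPLE_LOG = """\
2017-05-12T09:01:02 DNS 10.0.0.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-12T09:01:03 CONN 10.0.0.5 10.0.0.20 445
2017-05-12T09:01:03 CONN 10.0.0.5 10.0.0.21 445
2017-05-12T09:01:04 CONN 10.0.0.5 10.0.0.22 445
2017-05-12T09:02:10 DNS 10.0.0.7 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
2017-05-12T09:03:00 DNS 10.0.0.8 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.example.net
2017-05-12T09:04:00 CONN 10.0.0.9 10.0.0.50 445
2017-05-12T09:04:30 CONN 10.0.0.9 10.0.0.50 445
2017-05-12T09:05:00 CONN 10.0.0.9 10.0.0.51 443
truncated line
"""

def triage(log_text, fanout=FANOUT):
    """Return {host: [reasons]} for hosts that warrant isolation and a patch check."""
    dns_hits = set()
    smb_peers = defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[1] == "DNS":
            # Normalise case and the trailing root dot, then match the domain
            # itself or a true subdomain, not a lookalike suffix.
            qname = f[3].rstrip(".").lower()
            if qname == KILL_SWITCH or qname.endswith("." + KILL_SWITCH):
                dns_hits.add(f[2])
        elif len(f) == 5 and f[1] == "CONN" and f[4] == SMB_PORT:
            smb_peers[f[2]].add(f[3])  # a set, so repeat connections count once
    report = {}
    for host in sorted(dns_hits | set(smb_peers)):
        reasons = []
        if host in dns_hits:
            reasons.append("kill-switch lookup")
        if len(smb_peers.get(host, ())) >= fanout:
            reasons.append("SMB fan-out")
        if reasons:
            report[host] = reasons
    return report

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

On the sample, 10.0.0.5 is flagged for both indicators and 10.0.0.7 for the lookup alone; the lookalike domain and the client that talks to a single file server are not flagged.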

“This outbreak has been caused because the NHS has the money but it has been redirected away from the NHS IT budget.”

“IT teams should have upgraded from XP ages ago”

“The NHS doesn’t have the money and we should be ashamed we haven’t invested in it sooner.”

“We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers.” Essentially, staff have been told to turn off their non-critical systems, and to keep it that way until the mess is cleaned up – which could take the whole weekend, or longer.”

Who was behind it?

The NSA created the code #WannaCry, #Wannacrypt as a method of hijacking and spying on its targets; they named the exploits EternalBlue and DoublePulsar. Shadow Brokers leaked these exploits in April 2017. Supposedly, organised crime took these exploits and used them for their own nefarious needs.
https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

It appears that Russian targets suffered most with the largest number of reported incidents.

The Trident nuclear missile defence system runs on Windows XP. Duck & Cover? I hope they patched it.
http://www.independent.co.uk/news/uk/home-news/nuclear-submarines-windows-xp-ransomware-wannacry-wanna-defender-michael-fallon-defence-secretary-a7734966.html

It’s easy with hindsight to look back and see where we went wrong.

Here is Microsoft’s advice: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

What can you do?

  • Patch your operating system.
  • Take a backup.
  • Make sure you have antivirus software running on your device.
  • Don’t click on unknown attachments.
  • Manage your spam.
  • Be safe and think about your actions online.