Skip to main content

75,000 computers, 99 countries, 28 languages, 1 massive attack

By: Anshuman Singh_Senior Director Product Management at Barracuda Networks Inc.

It’s been a hectic day in the world.  99 countries were hammered with a ransomware attack against industries of all kinds.  Over 75,000 machines were infected as of this afternoon.

What’s going on?

A relatively young piece of ransomware called WanaCrypt0r has been spreading rapidly since this Friday.  A variant of WanaCrypt0r, named WeCry, was originally discovered in February of this year.

What makes this piece of ransomware so prolific today is that it is packaged as part of an exploit tool called ETERNALBLUE that leverages a known vulnerability in Windows that was patched in March as part of Windows Updates.  This was an SMB vulnerability (MS17-010), which allowed malicious code to travel from system to system.  Older Windows systems that are no longer supported would not have received a patch, and many supported systems were simply not updated.  Delays caused by compatibility testing and limited resources often leave systems unpatched and at risk.

The exploit is delivered via email attachment.  Once the exploit is detonated, the worm will spread the ransomware through RDP sessions and the SMB vulnerability referenced above.  The worm does the work of spreading the ransomware to as many systems as possible, as fast as possible.  The ransomware encrypts the target files and presents the ransom note to the victim.  This MalwareBytes thread has a detailed analysis of the code and the executable.

The attackers are charging up to $600 in bitcoin for the decryptor.

The exploit tool ETERNALBLUE was made public in the April 2017 Shadow Brokers leak.  This leak included hacking tools and exploits that the Shadow Brokers claim to have to have stolen from NSA.   As of this writing, the attacker[s] responsible for the attack remain unknown, and a ‘kill switch’ has been triggered which prevents new infections from this variant.

What’s next?

Multiple layers of Barracuda Advanced Threat Protection were detecting these executables early on, and Barracuda customers with an active Energize Updates subscription are protected from this exploit.

Jonathan Tanner, Barracuda Software Engineer and security blogger, offers this advice on defending ourselves from these attacks:

Keep current on updates, especially on technologies that have a history of multiple vulnerabilities.  Maintain active subscriptions on your anti-virus solutions, and subscribe to Energize Updates if you’re a Barracuda customer.
End-of-Life Operating Systems should be replaced as soon as possible.  Operating systems that are beyond extended support should be removed from networks immediately, even if you can’t replace it right away.
We cannot overstate the importance of vigilance when it comes to email and email attachments.  Email is the primary method of attack for almost everything.  In this attack, one person to open the exploit could lead to the infection of all other vulnerable devices on the network.
Shut down unused and unnecessary services on your systems.  Every service is a potential attack surface.
Deploy a powerful email security gateway to protect your users from these attacks.  Barracuda offers 30-day free trials on email security appliances and services so you can try them out for yourself.
Back up all of your data on a regular basis.  Get a free trial of Barracuda Backup if you are looking for a comprehensive solution with flexible deployment options.

What did we learn?

A multi-layer security solution and a data protection strategy are critical components of cybersecurity, but it’s never been more important to help your colleagues and company leadership understand the risk of cyberattack.  This understanding, combined with ongoing training and awareness initiatives, will help your users protect themselves.

Popular posts from this blog

Radisson Blu Hotel, Dubai Improves Guest Wi-Fi Coverage and Performance with Aruba Wireless Solutions

Radisson Blu Hotel, in Al Sufouh at Dubai Media City has recently deployed wireless infrastructure from Aruba, a Hewlett Packard Enterprise Company, to deliver secure, seamless, high-speed, wireless internet connectivity across its hotel rooms, suites and public areas. The implementation has resulted in improvement in rating of Wi-Fi services and drastic reduction in volume of IT help desk calls, besides the fact that the design of the Access Points (APs) blends seamlessly with the hotel aesthetics and AP management, monitoring and troubleshooting has become centralized and simplified. launches “Smart Living Store”

How would it be if you could stream online videos or browse websites on your TV? How about a device that could measure your level of activity throughout the day? How would it be if a device helps keep your home secure? With the Smart Living Store you can find out! announces the launch of “Smart Living Store” - a dedicated store aimed at providing customers the one stop shop for all smart devices across various product categories.

Pi DATACENTERS Achieves Uptime Institute Tier IV Design Certification

Pi DATACENTERS, India, an enterprise class datacenter and Cloud service provider based at Amaravati, the new capital region of Andhra Pradesh, today announced that the company has been awarded Uptime Institute Tier IV Design Certification, achieving the highest standards for infrastructure, functionality and capacity as demonstrated on the design documents. To earn a Tier Certification of Design Documents, a facility is evaluated on mechanical, electrical, structural and site elements, and certified facilities also receive expert recommendations to enhance Operational Stability over the long-term.
“We are pleased to award Pi DATACENTERS with the Uptime Institute Tier IV Design Certification,” said John Duffin, Managing Director, South Asia, Uptime Institute. “Achieving a Tier IV Fault Tolerant Design Certification illustrates that the facility meets the highest standards for infrastructure functionality and capacity as demonstrated on the design documents. This ensures that plans are…