It’s called WannaCry / WannaCryptor and is possibly the biggest attack in history
What is it
This new form of ransomware named “WannaCrypt0r/WannaCry” has been confirmed by Kaspersky Labs to already have recorded more than 45,000 attacks in at least 74 countries in the last few hours.
It’s infecting Windows-based operating systems at a rapid rate.
If a computer is infected with this virus, it will seek out connections to other computers on the same network, mapped drives, shared folders, etc., and start encrypting data.
Microsoft had actually known about this vulnerability before March 14th, 2017, and released a security bulletin [updated: page was removed and now redirects to Microsoft Security Response Center] about it; however, many systems remain unsecured, and as a result it is severely impacting schools, governments, and healthcare institutions worldwide.
Reports indicate the patch is not included for Windows XP systems and those operating systems should be retired immediately. Unfortunately, some medical institutions are still using Windows XP, and as a result, services have had to be diverted to another neighboring medical service provider who was not infected.
How This Affects WholesaleBackup Channel Partners
I just got off the phone with one of our WholesaleBackup Partners. He had some questions about the offsite cloud backup software and was just calling to double-check on some of the backup settings after performing a full data restore and successfully recovering all of the accounting records for one of his customers.
Incidentally, the customer had accidentally deleted the data by mistake during a transition to a new computer setup.
He brought up this WannaCry attack and how he does not want to mess around, having experienced dealing with this before.
He brought up the time around three years ago when another version of ransomware (some version of Cryptolocker) was running rampant and infected this exact customer and everything was lost.
The only saving grace was that he was running our offsite cloud backup software, and was able to fully restore the business back to normal and recovered all of the accounting and business data successfully.
This is what it’s all about, staying ahead of these attacks by simply keeping an offsite copy of your most important data.
Whether you want to provide a very light or a robust service, the choice is yours: you can offer local onsite vaults, disc image restores (BMR), and offsite cloud storage using AWS S3 / Google Cloud, or even use your own backup server and store the data yourself.
At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.
The ransomware screen is similar to others we’ve seen in the past, explaining that you have been hacked and your data is being held hostage, with a time limit to meet the demands, generally between 300 – 600 dollars.
Origins of this virus traced to NSA leaked tools (EternalBlue)
The use of the NSA EternalBlue exploit was confirmed by an independent malware researcher known as Kafeine:
Kafeine told Forbes that it was unsure if the exploit was being used as the ransomware’s primary method of infection, but was certain it was used in some capacity. Separately, UK-based researcher Kevin Beaumont tweeted that WannaCry was using the NSA attack, which exploited a now-patched Microsoft Windows vulnerability, also known as MS17-010. And a Spanish Computer Emergency Response Team (CERT) said the vulnerability was used by the ransomware crooks.
If you need the patch it’s available now
Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.
Retain at least 30 days’ worth of backup history (this is done from the Backup Retention settings); this gives you around a month of good data stored offsite to recover from.
Have more than one backup vault. Our backup software allows you to create a zero-cost (included) local vault in addition to your remote vault; having more than one vault is highly recommended and a best practice, and restoring from a local vault is much faster.
Monitor accounts and customers from an online backup monitoring tool, like our Backup Ops Web Console. There will be key indicators present if things are going wrong and that will help you stay on top of things.
Create reports to be emailed to you directly so that you can monitor the last connection times and data transfers.
Create alert notifications for when computers don’t connect or send any new data.
These are just a few things WholesaleBackup can do for you that provide you with a great advantage to ensure data continuity.
WannaCry Update 05.15.2017
On Friday the initial reports stated 45,000 hacked PCs; now, on Monday, we are seeing over 200,000 hacked PCs across 99 countries.
That’s a staggering 344% increase within 48 hours!
As stated previously, the attack exploits Windows SMB using a tool called EternalBlue, which is confirmed as one of the several leaked CIA tools reported in March by Wikileaks.
Former CIA employee Edward Snowden stated that if the NSA had privately disclosed the flaw used to attack the hospitals when they “found” it, this tragedy could have been avoided. He also stated that Congress should be asking if the NSA knows of any other vulnerabilities in software used in our hospitals.
If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened https://t.co/lhApAqB5j3
Another workaround has been shared to stop this threat.
On all Windows systems, you can stop/disable SMB on your Operating System.
What is SMB?
The Server Message Block (SMB) Protocol is a network file-sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. [Source: MSFT]
Many security researchers have been working tirelessly to find a way to stop the infection, among them @MalwareTechBlog, a very skilled 22-year-old malware hunter who first discovered that there is a kill switch, which can be used to stop an ongoing ransomware attack.
Despite this, a new strain has emerged, quickly dubbed version 2.0, which is not disabled by this kill switch.
The kill switch has slowed things down a bit but has not stopped the attack. The curious part about this kill switch is that it is believed to have been built in by design: the malware consistently checked for an obscure domain that was unregistered. Security researchers registered that domain, and the virus immediately shut down.
Experts are puzzled as to why the authors built it this way, but believe it may have been intended as a way to manually shut the malware down when they wanted to stop it.
“It was all pretty shocking, really,” MalwareTech says. The kill switch “was supposed to work like that, just the domain should [have been] random so people can’t register it.”
Check out this video demonstration of WannaCry ransomware using Windows SMB to compromise the system.
8 things you can do right now to stop WannaCry
1. Install all security updates immediately
2. Patch SMB Vulnerability
3. Disable SMB
4. Enable Firewall & Block SMB Ports
5. Use an Antivirus Program
6. Be suspicious of emails, websites and apps
7. *Most Important* Make Daily Backups of your files using offsite cloud backup
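As an added example (not code from the original post or from WholesaleBackup), the following PowerShell applies the SMB workaround described above and items 3 and 4 of this list: it reports MS17-010 patch and SMBv1 status, turns the SMBv1 server dialect off, and blocks inbound SMB on non-domain networks. It assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or newer (the in-box SmbShare and NetSecurity modules) and uses a placeholder for the MS17-010 KB number, which this page does not give.

```powershell
# Added example: assess and harden SMB exposure on one Windows host.
# Assumption: elevated PowerShell on Windows 8.1 / Server 2012 R2 or newer.
# The KB identifier for MS17-010 differs per OS build and is not given on this
# page, so it is a placeholder you must replace before relying on the check.
$Ms17010Kb = 'KB-PLACEHOLDER'

# 1. Is the MS17-010 update installed? Get-HotFix reads the installed-updates list.
$patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

# 2. Is the SMBv1 server protocol (the dialect EternalBlue abuses) still enabled?
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 3. Baseline: which SMB sessions are open against this host right now?
#    A workstation normally has none; a file server will show its clients.
$sessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    MS17010Patched = $patched
    SMB1Enabled    = $smb1Enabled
    OpenSessions   = @($sessions).Count
} | Format-List

# 4. Turn SMBv1 off at the server side. SMBv2/v3 clients keep working; only
#    legacy clients (e.g. Windows XP) that speak SMBv1 alone will lose access,
#    which is exactly the exposure the post says should be retired.
if ($smb1Enabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 5. Block inbound SMB (TCP 445 and NetBIOS session 139) on Public and Private
#    profiles. The Domain profile is left alone so domain logons and internal
#    file servers are not broken by this rule; scope it further if needed.
$ruleName = 'Block inbound SMB (WannaCry mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Public,Private | Out-Null
}

# Re-read the state so the final report reflects what was actually applied.
"SMB1 enabled after hardening: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
```

On Windows 7 the SmbShare module is absent and SMBv1 is switched off through the registry instead, which this example does not cover.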
Google researcher discovers similarities between WannaCry code and Lazarus Group tools
Neel Mehta, a Google security researcher, has identified patterns in the WannaCry ransomware code identical to those used by the hacking group called Lazarus, which has also been blamed for the Sony hack in 2014 and the Bangladesh Bank attack in 2016.
If this proves to be true, WannaCry would be the first ransomware attack launched by a nation state using leaked NSA tools.
Security firm Symantec says it has “identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry,” which could have been used to help spread the worm to vulnerable computers. The company adds that the shared code is based on “a specific sequence of 75 ciphers, which to date have only been seen across Lazarus tools.”
The team at WholesaleBackup is happy to listen and share their backup & recovery expertise, spanning over 15 years of business-class backup software solutions for resellers, MSPs, and IT Pros. If you are ready to begin building a more profitable and reliable backup service, you’re in the right place.
Learn how to get started with labeling & deploying your own backup service
See how to schedule, run backups, and restore data
Understand how to remotely manage and monitor end-users backups
Get any questions you have addressed
Take a minute to fill out the form and we’ll follow up with you about your request. For a quicker response start a conversation in the chat.
My name is Ryan, and I am a software engineer at WholesaleBackup, a software development company with global partnerships that delivers cloud-based & self-hosted backup software in a reliable, secure, and simple way to Resellers, MSPs, VARs, and IT Pros for running their backup businesses. Let me know your thoughts on Twitter @wholesalebackup; it helps me focus my future writings.