Ransomware Attack Uses NSA 0-Day Exploits To Go On Worldwide Rampage

On Friday, multiple organizations, including hospitals and telecommunications companies, reported falling victim to ransomware, and researchers said a worldwide campaign of attacks was ongoing.
The ransomware has infected over 70,000 computers at this point and is still a growing threat.

Important Information:
• How can I get infected? An email is sent with a .zip attachment; the initial infection vector is this phishing/macro email, and the infection starts once the zip file is launched. According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file, and once clicked, that initiates the WannaCry infection.

• Which Windows OSes are affected: All Microsoft Windows operating systems prior to Windows 8.1 are susceptible to this attack.

• How do I know if I am infected: “Ooops, your files have been encrypted!” is the note left on machines. The picture below shows what your computer will look like if infected.

• If infected, what should I do: Call the BluZebra Hotline immediately at (206) 388-1600, Option 4 (this hotline is set up just for this virus immediately over the weekend)

Notes About this Virus:

Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. According to Avast security researcher Jakub Kroustek, Wana Decrypt0r made over 57,000 victims in just a few hours. Given the malware is scanning the entire internet for vulnerable machines, and as many as 150,000 were deemed open to the Windows vulnerability as of earlier this month, WannaCry ransomware explosion is only expected to get worse over the weekend.
“You only have 3 days to submit the payment. After that the price will be doubled. Also if you don’t pay in 7 days, you won’t be able to recover your files forever,” the message, provided to Motherboard, reads.

Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”.

Technical Information:
The ransomware appears to use NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits which were made public earlier this year by a group calling itself the Shadow Brokers.
But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” he told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”

If you can, apply this patch immediately.
In the meantime, harden yourselves against this threat and ensure that all systems are fully patched with the “MS17-010” security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
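One way to check the "fully patched" step across several machines is sketched below. It is an added example, not part of the original post, and the `$KbIds` and `$ComputerName` parameters are assumptions: the operator supplies the KB identifiers listed for each Windows version in the MS17-010 bulletin linked above.

```powershell
# Added example: report which hosts show none of the MS17-010 update KBs.
# $KbIds and $ComputerName are assumptions supplied by the operator; the KB
# identifiers for each Windows version are listed in the MS17-010 bulletin.
param(
    [Parameter(Mandatory)]
    [string[]]$KbIds,                       # e.g. 'KB0000000' (placeholder, not a real KB)
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering; list everything once,
        # then filter locally so a missing KB is not treated as an error.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
        $hits = @($installed | Where-Object { $KbIds -contains $_.HotFixID })
        [pscustomobject]@{
            Computer = $computer
            Status   = if ($hits.Count -gt 0) { 'Patched' } else { 'NoMatchingKB' }
            FoundKB  = ($hits.HotFixID -join ',')
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported, not silently skipped.
        [pscustomobject]@{
            Computer = $computer
            Status   = 'QueryFailed'
            FoundKB  = ''
        }
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

A `NoMatchingKB` result means the host needs a closer look rather than that it is confirmed vulnerable, because later cumulative updates that supersede the original fix appear under different KB identifiers.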
