World Biggest Ransomware Attack Hits 74 Countries
- Approx 74 countries affected
- Currently, 45000 computers are infected
- Many Hospitals have reported about Ransomware Attack.
- Ransomware Using NSA Windows Exploit
- Cyber attackers ask Ransom in return of Bitcoin payment address.
Kaspersky detected and successfully blocked a large number of Ransomware attacks around the world, data is encrypted with the extension “.WCRY” added to the filenames.
Kaspersky analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 ( you can read our post here about the dumps and downloads) and patched by Microsoft on March 14.
But many organizations who did not patch their systems are open to Ransomware attacks.
Currently recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia.
 |
| Image source: Kaspersky |
British Prime Minister Theresa May said, “We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack. This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected,” May said, referring to the country’s National Health Service.
“The National Cyber Security Centre is working closely with NHS digital to ensure that they support the organisations concerned and that they protect patient safety,” May added.
A official statement from National Health service (NHS)
A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack.
The investigation is at an early stage but we believe the malware variant is Wanna Decryptor.
This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.
At this stage we do not have any evidence that patient data has been accessed.
NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.
Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.
According to Telegraph, Andrea Zapparoli Manzoni, a senior manager in the Information Risk Management division of Kpmg Advisory in Italy, said: “The ransomware attack is happening in a haphazard fashion and is hitting every country in the world, including Italy.”This particular ransomware contains a vulnerabilty, called Eternal Blue, which was developed in U.S. intelligence circles and was then stolen. That gives you an idea about why the level is risk is particularly high. The aim isn’t to hit any specific country but to strike as widely as possible to make money.”
Hospitals were a prime target, Manzoni said, because “they are very vulnerable to cyber attacks and ready to pay because they cannot afford any shutdowns.”
International shipping company FedEx also gets affected like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” a spokeswoman said in a statement. “We are implementing remediation steps as quickly as possible.”
The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability MS17-010 using EternalBlue that allows the execution of remote commands through Samba (SMB) and is distributed to other Windows machines in That same network.
As stated in the threat report on Ransomware, making the payment for the rescue of the equipment does not guarantee that the attackers send the decryption utility and / or password, only rewards their campaign and motivates them to continue massively distributing this type of Harmful code
In case of having been affected by this campaign and did not have backups, it is recommended to keep the files that had been encrypted by the sample of ransomware before disinfecting the machine, since it is not possible that in the future a tool appeared That would allow to decipher the documents that would have been affected.
The file extensions that the malware is targeting contain certain clusters of formats including:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
Edward Snowden reacts on Twitter
How To Protect?
- Update your Windows Latest Version now.
- Backup your files now
