UPDATED: Twelve Australian businesses have reported being infected, and the global ransomware outbreak may still be a threat to others.
Australian businesses were among those targeted with WannaCry, the global ransomware outbreak that has been described as unprecedented in scale, at last count infecting over 230,000 computers in 150 countries.
The Federal Government revealed on Tuesday that the number of reported infected organisations had increased to 12 – all smaller businesses.
WannaCry, also known as WanaCryptor or WCry, encrypts the files of victims, rendering their system inaccessible unless they pay hundreds of dollars. The UK’s National Health Service (NHS), global delivery service FedEx and Spanish telecommunications company Telefonica are among the victims.
Australia was lucky because the outbreak started early Saturday local time, and we were helped by a security researcher going by the name of MalwareTech, who managed to prevent the outbreak from growing even bigger by using a ‘sinkhole’ technique to ‘capture’ the ransomware.
However, the ransomware may still be a threat to Australians. MalwareTech pointed out that WannaCry could easily be changed to bypass the sinkhole and resume spreading.
How it works
WannaCry is a broad-based attack that rapidly propagated via a Windows vulnerability in SMB (Server Message Block), a network protocol mainly used to provide shared access to files.
The ransomware encrypts data on the computers, demanding payments of US$300 to restore access – a relatively small amount, most likely chosen to entice some victims to pay up. The amount doubles if the ransom isn’t paid within 72 hours, and the criminals warn the files will be deleted if the ransom isn’t paid within one week.
Victims have shared screenshots showing the ransom demand.
Here's the malware attack which appears to have hit NHS hospitals right across England today pic.twitter.com/zIAJ6wbAG5 — Lawrence Dunhill (@LawrenceDunhill), May 12, 2017
In a security alert, the Spanish National Centre for Cryptology stated: “The ransomware infects a computer, encrypting all its files and, using a remote code execution vulnerability through the SMB, distributes itself to the rest of the Windows machines connected to the same network.”
Jim Cook, Regional Director, ANZ at Malwarebytes said: “There are strong indications it could be using a known vulnerability to penetrate networks and then spread laterally. The vulnerability in question was part of a recent leak of NSA hacking tools by a group known as ‘the Shadow Brokers’ and codenamed ‘EternalBlue’. It allows hackers to gain remote access by exploiting the SMB and NBT protocols found in the Windows operating system.”
Windows XP through to Windows 10 and Windows Server 2003 through to Server 2016 can all be affected by this vulnerability, although Microsoft said “customers running Windows 10 were not targeted by the attack.”
Microsoft issued a patch for the vulnerability in March, so anyone who has Windows Update enabled or who manually installed security update MS17-010 on the following supported versions of the operating system was protected: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016.
In addition, following the outbreak Microsoft took the extraordinary measure of issuing a patch for unsupported versions: Windows XP, Windows 8 and Windows Server 2003.
Earlier reports from Melbourne-based cybersecurity company MailGuard that it had blocked a bulk distribution of malicious emails containing WannaCry were incorrect. The company has since apologised, explaining that the emails in fact contained the malware variant Jaff, “which has many of the same characteristics of the WannaCry”.
Security specialists around the world are still trying to track down the entry point of the WannaCry ransomware attack.
What to do
To prevent being infected by current or potential future variants of WannaCry, MalwareTech said it was “incredibly important” that any unpatched Windows systems are updated as quickly as possible. See our ransomware defence guide for more prevention tips.
If you think your small business has already been infected, the Australian Cyber Security Centre recommends that you contact ACORN (the Australian Cyber Crime Online Reporting Network). See our ransomware survival guide for further guidance.
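As an added example (not part of the original article or any vendor tool), the following read-only PowerShell check reports whether one of the MS17-010 hotfixes is present and whether SMBv1, the protocol WannaCry spreads over, is still enabled. The KB list is an assumption drawn from Microsoft's MS17-010 bulletin and may not cover every build; a later cumulative update can supersede these KBs, so a missing entry means "check Windows Update", not "unpatched".

```powershell
# Added example: check a Windows host for the MS17-010 fix and for SMBv1 exposure.
# Assumption: these KB IDs are the MS17-010 packages for supported builds
# (security-only and monthly rollups). Cumulative updates may supersede them.
$Ms17010Kbs = @(
    'KB4012212','KB4012215',   # Windows 7 / Server 2008 R2
    'KB4012213','KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214','KB4012217',   # Windows Server 2012
    'KB4012598',               # Vista / Server 2008, and the out-of-band XP / 8 / 2003 fix
    'KB4012606','KB4013198','KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB ID; compare against the known list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{ Patched = [bool]$found; MatchedKB = ($found -join ',') }
}

function Test-Smb1Enabled {
    # Server-side SMBv1 switch (Windows 8 / Server 2012 and later).
    $server = $null
    try { $server = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch {}
    # Optional-feature state on Windows 8.1 / 10 clients.
    $feature = $null
    try { $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State } catch {}
    [pscustomobject]@{ ServerSmb1 = $server; Smb1Feature = $feature }
}

$patch = Test-Ms17010Installed
$smb   = Test-Smb1Enabled
$os    = (Get-CimInstance Win32_OperatingSystem).Caption
"OS: $os"
"MS17-010 hotfix present: $($patch.Patched) $($patch.MatchedKB)"
"SMBv1 server enabled: $($smb.ServerSmb1)  SMB1Protocol feature: $($smb.Smb1Feature)"
if (-not $patch.Patched) {
    "No MS17-010 KB found: run Windows Update (a later cumulative update may already include the fix)."
}
if ($smb.ServerSmb1 -eq $true -or $smb.Smb1Feature -eq 'Enabled') {
    "SMBv1 is enabled: consider Set-SmbServerConfiguration -EnableSMB1Protocol `$false after checking legacy devices still work."
}
```

Run it in an elevated PowerShell session; on unsupported systems such as XP or Server 2003 the SMB cmdlets are absent and only the hotfix check applies.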
The global impact
FedEx and the UK’s NHS confirmed their systems were infected with the malware. Telefonica was also hit by a similar attack as well as a range of other Spanish organisations, and reports on Twitter suggest universities are facing similar malware.
“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” FedEx said in a statement.
The NHS shut down multiple hospital IT systems. NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider Wanna Decryptor ransomware campaign.
Hospital trusts across England and Scotland admitted they had been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff have also been sharing further details on Twitter, with one screenshot suggesting the ransomware is demanding $300 in bitcoin to decrypt files, with the price doubling after three days.
NHS Digital confirmed the attacks, with a spokesperson saying 16 NHS organisations had reported they had been impacted by ransomware.
“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” the spokesperson said. “At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.
“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors. Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”
The East and North Hertfordshire NHS trust confirmed it was hit by the attack. “Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls,” a spokesperson said in a statement. “The trust is postponing all non-urgent activity for today…
“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”
Blackpool Teaching Hospitals tweeted that it was having “issues with our computer system”, asking people not to come to their emergency departments unless it's an emergency, while North Staffordshire and Barts Health Trust in London have also said they've been hit by the ransomware.
“We are experiencing a major IT disruption and there are delays at all of our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients,” a statement from Barts said. “We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals. The problem is also affecting the switchboard at Newham hospital but direct line phones are working. All our staff are working hard to minimise the impact and we will post regular updates on the website.”
Research last year revealed that 90% of NHS trusts still used no-longer-supported Windows XP in some way.