Australian businesses targeted with WannaCry


UPDATED: Twelve Australian businesses have reported being infected, and the global ransomware outbreak may be still a threat to others.

Australian businesses were among those targeted with WannaCry, the global ransomware outbreak that has been described as unprecedented in scale, at last count infecting over 230,000 computers in 150 countries.

The Federal Government revealed on Tuesday that the number of reported infected organisations had increased to 12 – all smaller businesses.

WannaCry, also known as WanaCryptor or WCry, encrypts the files of victims, rendering them inaccessible unless the victim pays hundreds of dollars. The UK’s National Health Service (NHS), global delivery service FedEx and Spanish telecommunications company Telefonica are among the victims.

Australia was lucky because the outbreak started early on Saturday local time, and we were helped by a security researcher going by the name of MalwareTech, who prevented the outbreak from being even bigger by registering a previously unregistered domain name that the malware checks before it runs: infections that can reach the domain stop, a ‘sinkhole’ technique that ‘captured’ the ransomware.

However, the ransomware may still be a threat to Australians. MalwareTech pointed out that WannaCry could easily be modified to remove the domain check, bypassing the sinkhole and resuming its spread.

How it works

WannaCry is a broad-based attack that propagated rapidly by exploiting a vulnerability in Windows’ implementation of SMB (Server Message Block), a network protocol mainly used for providing shared access to files and printers. The flaw is in SMBv1, which listens on TCP port 445, so any reachable, unpatched machine with the service enabled could be infected over the network without anyone opening an attachment.

The ransomware encrypts data on the computers, demanding payments of US$300 to restore access – a relatively small amount, most likely chosen to entice some victims to pay up. The amount doubles if the ransom isn’t paid within 72 hours, and the criminals warn the files will be deleted if the ransom isn’t paid within one week.

Victims have shared screenshots of the ransom demand.

In a security alert, the Spanish National Centre for Cryptology stated: “The ransomware infects a computer, encrypting all its files and, using a remote code execution vulnerability through the SMB, distributes itself to the rest of the Windows machines connected to the same network.”

Jim Cook, Regional Director, ANZ at Malwarebytes said: “There are strong indications it could be using a known vulnerability to penetrate networks and then spread laterally. The vulnerability in question was part of a recent leak of NSA hacking tools by a group known as ‘the Shadow Brokers’ and codenamed ‘EternalBlue’. It allows hackers to gain remote access by exploiting the SMB and NBT protocols found in the Windows operating system.”

Windows XP through to Windows 10 and Windows Server 2003 through to Server 2016 can be all affected by this vulnerability, although Microsoft said “customers running Windows 10 were not targeted by the attack.”

Microsoft issued a patch for the vulnerability in March, so anyone who had Windows Update enabled, or who manually installed security update MS17-010, on the following supported versions of the operating system was protected: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016.

In addition, following the outbreak, Microsoft took the extraordinary step of issuing a patch for versions it no longer supports: Windows XP, Windows 8 and Windows Server 2003.

Earlier reports from Melbourne-based cybersecurity company MailGuard that it had blocked a bulk distribution of malicious emails containing WannaCry were incorrect. The company has since apologised, explaining that the emails in fact contained the malware variant Jaff, “which has many of the same characteristics of the WannaCry”.

Security specialists around the world are still trying to track down the entry point of the WannaCry ransomware attack.

What to do

For a detailed description of the WannaCry outbreak, see the blog post by Troy Hunt, the Australian security expert and creator of breach notification service Have I Been Pwned?.

To prevent being infected by current or potential future variants of WannaCry, MalwareTech said it was “incredibly important” that any unpatched Windows systems are updated as quickly as possible. See our ransomware defence guide for more prevention tips.
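For an administrator who wants to verify the advice above, rather than take it on trust, the following PowerShell script is an added example (it is not from the article, Microsoft or MalwareTech). It checks whether one of the MS17-010 update packages is installed, reports whether SMBv1 is enabled, and can switch SMBv1 off. The KB numbers listed are the ones Microsoft published for MS17-010 in March and May 2017; because later cumulative updates supersede them, a missing KB on an otherwise up-to-date host is a prompt to investigate, not proof that the host is unpatched. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example: check a Windows host for exposure to the SMBv1 flaw WannaCry exploits (MS17-010).
# Run elevated. Pass -DisableSmb1 to turn SMBv1 off after the check.
param([switch]$DisableSmb1)

# MS17-010 package IDs per OS (security-only and monthly-rollup where both exist).
# Later cumulative updates supersede these, so "not found" is a warning, not a verdict.
$Ms17010Kbs = @(
    'KB4012598',               # XP, Vista, Server 2003, Server 2008, Windows 8 (incl. the post-outbreak release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    # Get-HotFix lists installed update packages (Win32_QuickFixEngineering).
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Ms17010KbPresent = ($found.Count -gt 0)
        MatchingKbs      = ($found -join ', ')
    }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: read the LanmanServer registry value instead.
    # An absent value means SMBv1 is enabled, which is the default on those versions.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMBv1 disabled in the registry; reboot for the change to take effect.'
    }
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1Enabled
Write-Output ("MS17-010 KB present : {0} ({1})" -f $patch.Ms17010KbPresent, $patch.MatchingKbs)
Write-Output ("SMBv1 enabled       : {0}" -f $smb1)

# Exposed = reachable on TCP 445, SMBv1 on, and no MS17-010 fix present.
if (-not $patch.Ms17010KbPresent -and $smb1) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 KB was found: patch via Windows Update or disable SMBv1 now.'
}
if ($DisableSmb1 -and $smb1) {
    Disable-Smb1
    Write-Output 'SMBv1 has been disabled.'
}
```

Disabling SMBv1 removes the attack surface regardless of patch state, but it will break clients that only speak SMBv1 (very old NAS units and some printers), so test it on a few hosts first. Blocking inbound TCP 445 at the perimeter and between workstation subnets is the complementary network-level control, and it also limits how far a new variant with the domain check removed could spread.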

If you think your small business has already been infected, the Australian Cyber Security Centre recommends that you contact ACORN (the Australian Cyber Crime Online Reporting Network). See our ransomware survival guide for further guidance.

The global impact

FedEx and the UK’s NHS confirmed their systems were infected with the malware. Telefonica was also hit by a similar attack, as were a range of other Spanish organisations, and reports on Twitter suggest universities are facing similar malware.

“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” FedEx said in a statement.

The NHS shut down multiple hospital IT systems. NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider Wanna Decryptor ransomware campaign.

Hospital trusts across England and Scotland admitted they had been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff have also been sharing further details on Twitter, with one screenshot suggesting the ransomware is demanding $300 in bitcoin to decrypt files, with the price doubling after three days.

NHS Digital confirmed the attacks, with a spokesperson saying 16 NHS organisations had reported they had been impacted by ransomware.

“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” the spokesperson said. “At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors. Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”

The East and North Hertfordshire NHS trust confirmed it was hit by the attack. “Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls,” a spokesperson said in a statement. “The trust is postponing all non-urgent activity for today…

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

Blackpool Teaching Hospitals tweeted that it was having “issues with our computer system”, asking people not to come to their emergency departments unless it's an emergency, while North Staffordshire and Barts Health Trust in London have also said they've been hit by the ransomware. 

“We are experiencing a major IT disruption and there are delays at all of our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients,” a statement from Barts said. “We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals. The problem is also affecting the switchboard at Newham hospital but direct line phones are working. All our staff are working hard to minimise the impact and we will post regular updates on the website.”

Research last year revealed that 90% of NHS trusts still used no-longer-supported Windows XP in some way.


Other ransomware threats

While WannaCry is the most widespread ransomware outbreak so far, there have been several other nasty attacks over the past year, including some that are still active.

TeslaCrypt

Believed to be a derivative of the original CryptoLocker ransomware, TeslaCrypt uses strong encryption that cannot be brute-forced to lock a user's files. According to Kaspersky's report, it is by far the number-one ransomware family, responsible for 58% of infections. It tends to be spread via phishing and spam emails.

However, there's some great news for anyone infected by it. In a highly unusual move, the creators behind it have shut down their operations and released their master decryption key for free on the website that was previously used to accept the ransom in Bitcoin. You can use this key to unlock encrypted files, or download the recently updated TeslaDecoder.

CTB-Locker

CTB-Locker – also known as Onion Ransomware – is, according to Kaspersky Lab, the second most prevalent ransomware family and responsible for 23.5% of infections. It routes its command-and-control traffic over the Tor Project's anonymity network to evade detection and even offers an affiliate programme, which lets anyone spreading it take a cut of the profits. A new variant specifically targets web servers.

CryptoWall

This ransomware family is the third most prevalent according to Kaspersky, and is typically spread through spam messages. It encrypts files with AES-256 and protects the file key with RSA, which makes the files impossible to recover without the criminals' private key, and it is regularly updated with new features that make it harder to circumvent.

The latest version, CryptoWall 4, renames files as it encrypts them, while another variant encrypts files over several weeks to prevent recovery from backups.

CryptoWall may target outdated versions of Flash Player, so make sure you keep Adobe's plugin up to date on your PC.

Locky

Arguably the most aggressive type of ransomware, Locky encrypts files across any drive it can reach, Bitcoin wallet files included, on Windows PCs. It spreads through macros in Word documents that purport to be invoices, by persuading users to enable editing and content so the macro can run. While Kaspersky only ranks it at number seven in its latest report, Locky has been spreading like wildfire and, in March, infected the IT systems of at least one of three US hospitals hit by ransomware.

Malwarebytes and Bitdefender both offer free anti-ransomware tools that can protect against Locky.

Dogspectus

This recently detected ransomware attacks Android phones and is installed via a malicious advert that the victim encounters on the web. It requires no user interaction to install and, once infected, the phone is locked and a ransom request displayed. This is payable not in Bitcoin, but iTunes cards. To remove it, you will need to perform a factory reset of your phone. The process will vary depending on the device type and version of Android that it's running.

Chimera

This ransomware mostly targets small companies (primarily in Germany, so far, although it has spread beyond) through fake business offers and job applications. Once it has encrypted the files, it requests a ransom in Bitcoin and, for an extra kicker, threatens to publish the victim's data online if the demand is not met (there's no proof it can do this, however). To add insult to injury, the ransom note also invites Chimera's victims to sign up for its affiliate programme.

At the time of writing, it looks as if Chimera has died out, although a new ransomware threat called Rokku shares similarities with it, suggesting it may come from the same developers.

KeRanger

What sets KeRanger apart from other ransomware is that it targets Apple Macs rather than Windows PCs. It encrypts files on a Mac three days after infecting it and was initially spread via the Transmission BitTorrent client installer for OS X.

Transmission removed the infected files and Apple revoked the certificate that allowed the malware to bypass its Gatekeeper protection, so Mac users should hopefully now be safe from the KeRanger threat, provided they are using the most up-to-date version of the software.

CryptXXX

This ransomware not only demands a fee to unlock encrypted files, but also attempts to copy personal data and steal any Bitcoins stored on a user's hard drive. It targets both local and connected drives, and to avoid detection, waits a brief while after infection before going to work.

Kaspersky Lab managed to crack CryptXXX very quickly and released a tool that allowed victims to decrypt their files for free. Unfortunately, the ransomware developers have since updated CryptXXX, rendering the company's decryption tool useless.

Alpha

Alpha is a new strain of ransomware that uses AES-256 encryption to lock all the files stored on fixed drives. Oddly, on your system drive (the one with Windows installed), it will only encrypt files on the Desktop and in the My Pictures and Cookies folders. Like Dogspectus, Alpha requests its ransom in iTunes gift cards. A decryptor for Alpha has been developed that you can use to free your files. You can download it here using the password 'false-positive'.

TorrentLocker

Despite the name, this ransomware has nothing whatsoever to do with BitTorrent and is simply named after a Registry key generated by the earliest versions. TorrentLocker is spread through spam emails and, as well as encrypting files, it attempts to steal email addresses from your system so it can spread. To safeguard your system against TorrentLocker, avoid opening emails from unknown sources, and use an anti-ransomware program.

This feature includes information from articles that originally appeared at IT Pro: NHS hospitals targeted by ransomware attack and How to beat ransomware.

Copyright © ITPro, Dennis Publishing