The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
The attack began on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Parts of the United Kingdom’s National Health Service (NHS) were infected, causing it to run some services on an emergency-only basis during the attack, Spain’s Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.
Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known as MalwareTech discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch.
Researchers have also found ways to recover data from infected machines under some circumstances.
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
- Kill switch: If the website
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comis up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
Vulnerable/ Not Vulnerable
To be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).
The MS17-010 patch fixes the vulnerability.
- Windows XP: Doesn’t spread. If run manually, can encrypt files.
- Windows 7,8,2008: can spread unpatched, can encrypt files.
- Windows 10: Doesn’t spread. Even though Windows 10 does have the faulty SMB driver.
- Linux: Doesn’t spread. If run manually with wine, can encrypt files.
Infections
- NHS (uk) turning away patients, unable to perform x-rays. (list of affected hospitals)
- Nissan (uk) http://www.chroniclelive.co.uk/news/north-east-news/cyber-attack-nhs-latest-news-13029913
- Telefonica (spain) (https://twitter.com/SkyNews/status/863044193727389696)
- power firm Iberdrola and Gas Natural (spain)
- FedEx (us) (https://twitter.com/jeancreed1/status/863089728253505539)
- University of Waterloo (ontario canada)
- Russia interior ministry & Megafon (russia) https://twitter.com/dabazdyrev/status/863034199460261890/photo/1
- VTB (russian bank) https://twitter.com/vassgatov/status/863175506790952962
- Russian Railroads (RZD) https://twitter.com/vassgatov/status/863175723846176768
- Portugal Telecom
- Сбербанк – Sberbank Russia (russia)
- Shaheen Airlines (pakistan, claimed on twitter)
- Train station in frankfurt (germany)
- Neustadt station (germany)
- the entire network of German Rail seems to be affected (@farbenstau)
- in China secondary schools and universities had been affected (source)
- A Library in Oman (@99arwan1)
- China Yanshui County Public Security Bureau (https://twitter.com/95cnsec/status/863292545278685184)
- Renault (France) (http://www.lepoint.fr/societe/renault-touche-par-la-vague-de-cyberattaques-internationales-13-05-2017-2127044_23.php) (http://www.lefigaro.fr/flash-eco/2017/05/13/97002-20170513FILWWW00031-renault-touche-par-la-vague-de-cyberattaques-internationales.php)
- Schools/Education (France) https://twitter.com/Damien_Bancal/status/863305670568837120
- University of Milano-Bicocca (italy)
- A mall in singapore https://twitter.com/nkl0x55/status/863340271391580161
- ATMs in china https://twitter.com/95cnsec/status/863382193615159296
- norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
- STC telecom (saudia arabia, more, more)
- All ATMs in india closed
- US radiology equipment https://twitter.com/Forbes/status/864850749225934852
- More at https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.