Wana Decryptor hits hard
The last 24 hours have been anything but exciting, as country after country has reported massive ransomware attacks. Most notable are the NHS (National Health Service) in the UK and Telefonica in Spain.
The sad part of the story is that this vulnerability was patched by Microsoft back in March…
The vulnerability in question, or rather the hack they used, is EternalBlue, which was part of the leaked NSA hack that The Shadow Brokers recently released (see Vault 7, part 2 for some details). It uses a bug in the SMBv1 protocol – that should’ve been patched.
One alarming issue is that ~90% of NHS computers are still running Windows XP – which is no longer supported. It hasn’t been for a few years, actually… Pretty lousy IT strategy if you ask me… Others who are running a still-supported version of Windows and have yet to roll out the patches from March should be ashamed. If they take their IT security this badly, I’m not going to be surprised if many of these companies are without adequate backups either.
Luckily one engineer at MalwareTech discovered the URL that WCry (Wana Decryptor) sends a GET request to in order to check whether it exists. If it doesn’t exist, the ransomware will start to delete the encrypted files if no money has been transferred. This engineer registered the URL, not knowing at the time that it would stop the files from being deleted, and I guess quite a lot of people are sending him “thank you!” emails right now… 😉
Not running the latest patches?
So what to do then if you suspect you aren’t running the latest patches?
Disable SMB. Read this on how to disable SMBv1: https://support.microsoft.com/kb/2696547
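One way to check whether the SMBv1 server is still enabled on a machine, and to switch it off, using the cmdlet and registry methods from the Microsoft article linked above. This is an added example, not part of the original post; the `-Disable` switch and the function name are made up for it, and it covers the SMB server side only.

```powershell
# Added example: report whether the SMBv1 server is enabled; with -Disable, turn it off.
# Run from an elevated PowerShell prompt. Covers the SMB server side only.
param(
    [switch]$Disable   # assumed switch name for this example
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: ask the SMB server directly.
        $enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        $method  = 'cmdlet'
    } else {
        # Windows 7 / Server 2008 R2: the SMB1 registry value decides.
        # A missing value means the default, which is enabled.
        $prop    = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
        $enabled = ($null -eq $prop) -or ($prop.SMB1 -ne 0)
        $method  = 'registry'
    }
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        Method      = $method
        Smb1Enabled = $enabled
    }
}

$state = Get-Smb1ServerState
$state

if (-not $state.Smb1Enabled) {
    Write-Output 'SMBv1 server is already disabled.'
    return
}
if (-not $Disable) {
    Write-Warning 'SMBv1 server is ENABLED. Re-run with -Disable to turn it off.'
    return
}

if ($state.Method -eq 'cmdlet') {
    # Takes effect immediately, no restart needed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    Write-Warning 'Registry value set. Restart the computer for it to take effect.'
}

# Re-read the setting to confirm the change.
Get-Smb1ServerState
```

Saved as a script, it audits when run without arguments and applies the change when run with `-Disable`.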
This should also give an idea of the shady business the NSA, CIA, GCHQ etc. are doing. This time we knew in advance and were trying to fix the vulnerabilities. Still, so many got caught with their pants down… If The Shadow Brokers hadn’t released their NSA hack, then we all would’ve still been vulnerable – and if these criminals had discovered this SMBv1 vulnerability themselves, then we all would’ve been surely fu….
This is why we report bugs when we find them!
If you’re still running Windows XP (or any other unsupported version) after this awakening and still haven’t found a way to secure your computer, look no further. Microsoft decided to help you.