A cybersecurity bomb unleashed a massive ransomware campaign affecting 200,000 computers and numerous organizations, with thousands of infections in more than 150 countries including the United States, United Kingdom, and Russia.

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, discovered May 12, 2017, by an independent security researcher, spread quickly and led to ransom demands of .1781 bitcoins or roughly $300 U.S.

The worm exploits Windows vulnerabilities, including on medical devices and ATMs still running Windows XP. Among the organizations reportedly hit were FedEx in the United States, the Spanish telecom giant Telefónica, French automaker Renault, Chinese universities, Germany’s railway system, Russia’s interior ministry, and ATMs in India. The most disruptive attacks targeted Britain’s public health system, resulting in rescheduled surgeries and some patients being refused emergency room care.

The software, which can run in as many as 27 different languages, prompted an alert from the Department of Homeland Security through the United States Computer Emergency Readiness Team.

According to the DHS/US-CERT alert, reports indicated the hacker or hacking group behind the campaign gained access to enterprise servers either through Remote Desktop Protocol compromise or through exploitation of a critical Windows Server Message Block vulnerability. Microsoft released a security update for that vulnerability, MS17-010, on March 14, 2017. Additionally, on May 13, 2017, Microsoft released patches for the Windows XP, Windows 8, and Windows Server 2003 operating systems.
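A host-level audit for the two entry points the alert names (exposed RDP and the SMB flaw patched by MS17-010), written as an added example and not taken from the article, DHS or US-CERT; it assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later, and the KB list is a placeholder to be filled from the MS17-010 bulletin for your OS builds.

```powershell
# Added example (not from the article): report whether this host still exposes
# the WannaCry entry vectors. Assumes Windows 8.1 / Server 2012 R2 or newer.
$Findings = @()

# 1. SMBv1 server protocol, the protocol the SMB exploit in the alert targets.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $Findings += "SMBv1 server protocol is ENABLED; run Set-SmbServerConfiguration -EnableSMB1Protocol `$false."
}

# 2. SMBv1 optional feature (client and server binaries) still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $Findings += "SMB1Protocol feature is installed; remove it with Disable-WindowsOptionalFeature."
}

# 3. MS17-010 hotfix presence. PLACEHOLDER ids: replace with the KB numbers the
#    bulletin lists for your builds. Caveat: a later cumulative update that
#    supersedes MS17-010 will not show the original KB, so treat a miss as
#    "verify manually", not as proof the host is unpatched.
$Ms17010Kbs = @('KBxxxxxxx')
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
if (-not ($Ms17010Kbs | Where-Object { $installed -contains $_ })) {
    $Findings += "No hotfix from the configured MS17-010 list is installed; verify patch level."
}

# 4. RDP enabled, and if so, is Network Level Authentication required?
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty $ts).fDenyTSConnections
$nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
if ($rdpDenied -eq 0) {
    $msg = 'RDP is enabled'
    if ($nla -ne 1) { $msg += ' WITHOUT Network Level Authentication' }
    $Findings += "$msg; restrict it to VPN/jump hosts and require NLA."
}

# 5. Is anything actually listening on 445/3389 right now?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 445, 3389 } | Select-Object -ExpandProperty LocalPort -Unique
if ($listening) { $Findings += "Listening on TCP port(s): $($listening -join ', ')" }

if ($Findings.Count -eq 0) { 'No findings: SMBv1 off, MS17-010 hotfix present, RDP disabled.' }
else { $Findings | ForEach-Object { "FINDING: $_" } }
```

Run it across the fleet through your management tooling and feed the FINDING lines into the ticketing or SIEM pipeline rather than reading them by hand.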

Reports placed responsibility for the attack with The Shadow Brokers, a group which reportedly obtained and dumped National Security Agency spyware over the past year.

“The latest Shadow Brokers’ release was probably the most high-impact exploit drop we’ve seen in the last several years,” Mike Cotton, vice president, research and development for cybersecurity firm Digital Defense, suggested. “While earlier leaks from the Shadow Brokers focused on less common device services and third-party software, the exploit drop released in April targeted core Windows operating system services and was likely among the crown jewels of the NSA toolkits.”

Cotton explained the ETERNALBLUE exploit developed by the NSA allows for reliable remote compromise of a wide variety of Windows server and client systems using nothing but network access as a precondition. “It will remain one of the most heavily used exploits in attacker toolkits for years to come."

Phillip Hallam-Baker, principal scientist, global cybersecurity firm Comodo, said, “Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of business are likely to pay up, and how to collect the money without being caught.”

Hallam-Baker added it appears that the CIA breach accelerated the process. “Instead of having to develop their own zero-day attacks, the criminals have use of an arsenal developed by experts at developing cyber-weapons.”

“The U.S. government clearly had its priorities wrong,” Hallam-Baker exclaimed. “Whether or not you think the U.S. government should be spending a fortune developing such cyberweapons, surely it is obvious that the weapons they develop should be properly secured.”

Ransomware exists for the same reason other viruses exist: money, said John Christly, global CISO of Netsurion, a provider of remotely managed security services, and of EventTracker, a SIEM provider. “It is designed to prey upon the unsuspecting, but rather than suck data out of a network, it cuts to the chase and asks for the cash up front.”

Christly also suggested, “We know that hackers are in constant pursuit of highly sensitive, personal data and that they are equipped with sophisticated methods to gain access to it. We also know that ransomware is now an unfortunately uncommon attack trend that cripples systems, even critical ones in hospitals, solely so the hackers can collect a profit with minimal effort.”

“And then there is victim blaming, because auto-updates were turned off which would have fixed this two months ago. Enough blame to go around for everyone. Ultimately this is a shared responsibility, but IT people are carrying the heavy load here and often do not get enough budget to get the job done right,” Stu Sjouwerman, founder and CEO of the Tampa Bay, Fla.-based cybersecurity firm KnowBe4, noted.

Sjouwerman said, “Predictions are the infection is going to get worse, because now machines will be turned on that aren't patched.”


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).