#AfrSS2017:A ransomware attack is spreading worldwide, using alleged NSA exploit

No photo availableByMichael Kan
2 min read

A ransomware attack appears to be spreading around the world, leveraging a hacking tool that may have come from the…

The Wanna Decryptor ransomware's ransom note. Credit: Michael Kan
The Wanna Decryptor ransomware's ransom note. Credit: Michael Kan

A ransomware attack appears to be spreading around the world, leveraging a hacking tool that may have come from the U.S. National Security Agency.

The ransomware, called Wanna Decryptor, struck hospitals at the U.K.’s National Health Service on Friday, taking down some of their network.

Spain’s computer response team CCN-CERT has also warned of  a “massive attack” from the ransomware strain, amid reports that local telecommunications firm Telefonica was hit.

The ransomware, also known as WannaCry, works by leveraging a Windows vulnerability that came to light last month when a cache of mysterious hacking tools was leaked on the internet.

The tools, which security researchers suspect came from the NSA, include an exploit codenamed EternalBlue that makes hijacking older Windows systems easy. It specifically targets the Server Message Block (SMB) protocol in Windows, which is used for file-sharing purposes.

Microsoft has already patched the vulnerability, but only for newer Windows systems. Older ones, such as Windows Server 2003, are no longer supported, but still widely used among businesses, according to security experts.

That may have painted a giant bulls-eye for hackers to target these systems. The developer of Wanna Decryptor appears to have added the suspected NSA hacking tools to the ransomware’s code, said Matthew Hickey, the director of security provider Hacker House, in an email.

Security firm Avast said it has detected the ransomware, largely attacking Russia, Ukraine and Taiwan.

Another security research firm, MalwareTech, has created a page monitoring the attacks. They appear to have gone worldwide.

The Wanna Decryptor ransomware strikes by encrypting all the files on an infected PC, along with any other systems on the network the PC is attached to. It then demands a ransom of about $300 to $600 in bitcoin to release the files, threatening to delete them after a set period of days if the amount is not paid.

Security experts are urging organizations to patch vulnerable systems, upgrading to the latest versions of OSes, and making backups of any critical files.

 

NB: Join us for the Africa Security Summit (#AfrSS2017) on the 14th-15th June 2017 in Nairobi Kenya. To register and learn more about the summit click here

Leave a Reply

Your email address will not be published.

Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co