Global ransomware outbreak

You will have noticed significant media coverage of an outbreak of ransomware globally which impacted 10,000 organisations in over 150 countries including Britain’s National Health Service and automaker Renault.

To provide more insight, this is ransomware (named WannaCry) spreading through MS17-010, which is a set of vulnerabilities for which the hacking group, The Shadow Brokers, released working exploits less than a month ago. RSM US prepared a white paper on the release of the information from the breach.

WannaCry is not just a ransomware program, it’s also a worm.

This means that it gets into your computer and looks for other computers to try and spread itself as far and wide as possible.

The vulnerabilities have been deeply studied and understood and several working exploits and Proof of Concepts are available online.

Ransomware has a habit of mutating and changes over time in order to find different ways to access computers or to get around patches (ie operating system updates that often include security updates). Many security firms are already aware of WannaCry in past forms and most are looking at this one right now to see how it might be stopped.

Microsoft released patches for this set of vulnerabilities a month ago, so any patched system should be safe from WannaCry. Conversely, any system that has not been patched is vulnerable to it, and to many more risks.

The spread seems to have originated from China, and is rapidly spreading through Spain and the UK, and into other countries quickly.

Examples of the attack’s impact include, but are not limited to:

UK Hospital meltdown after ransomware worm uses NSA vuln to raid IT: CLICK HERE
Global infection map: CLICK HERE

The following are other Indicators of Compromise (IoCs) for WannaCry that may be useful to your IT department and/or provider:

Blueliv. - Threat exchange network: CLICK HERE
Alien Vault - Open threat exchange: CLICK HERE

This ransomware attack is also in some way being spread through a social engineering phishing/spear phishing campaign, and THEN using the vulnerability to move laterally on the client’s internal network. Therefore, companies should be on the lookout for social engineering attacks.

While there is anecdotal evidence that the attack is over, there is a risk that the virus may mutate and start re-infecting systems again.

At RSM we can help you stay on top of alerts and ensure you are kept up to date.

If you have any queries in relation to this article, please contact our cybersecurity expert Michael Shatter.

Learn more about cybersecurity

<< Defining cyber risk. A view from the directors chair