WanaCrypt0r 2.0’ malicious software has hit Britain’s National Health Service, some of Spain’s largest companies including Telefónica, as well as computers across Russia, the Ukraine and Taiwan, leading to PCs and data being locked up and held for ransom.
The ransomware uses a vulnerability first revealed to the public as part of a leaked stash of NSA-related documents in order to infect Windows PCs and encrypt their contents, before demanding payments of hundreds of dollars for the key to decrypt files.
The co-ordinated attack had managed to infect large numbers of computers across the health service less than six hours after it was first noticed by security researchers, in part due to its ability to spread within networks from PC to PC
The ransomware has already caused hospitals across England to divert emergency patients – but what is it, how does it spread and why is this happening in the first place?
What is ransomware?
Ransomware is a particularly nasty type of malware that blocks access to a computer or its data and demands money to release it.
How does it work?
When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – and threatens to destroy the information if it doesn’t get paid, often with a timer attached to ramp up the pressure.
How does it spread?
Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.
What is WanaCrypt0r 2.0?
The malware that has affected Telefónica in Spain and the NHS in Britain is the same software: a piece of ransomware first spotted in the wild by security researchers MalwareHunterTeam, at 9:45am on 12 May.
Less than four hours later, the ransomware had infected NHS computers, albeit originally only in Lancashire, and spread laterally throughout the NHS’s internal network. It is also being called Wanna Decryptor 2.0, WCry 2, WannaCry 2 and Wanna Decryptor 2.
How much are they asking for?
WanaCrypt0r 2.0 is asking for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computers.
Who are they?
The creators of this piece of ransomware are still unknown, but WanaCrypt0r 2.0 is their second attempt at cyber-extortion. An earlier version, named WeCry, was discovered back in February this year: it asked users for 0.1 bitcoin (currently worth $177, but with a fluctuating value) to unlock files and programs.
How is the NSA tied in to this attack?
Once one user has unwittingly installed this particular flavour of ransomware on their own PC, it tries to spread to other computers in the same network. In order to do so, WanaCrypt0r uses a known vulnerability in the Windows operating system, jumping between PC and PC. This weakness was first revealed to the world as part of a huge leak of NSA hacking tools and known weaknesses by an anonymous group calling itself “Shadow Brokers” in April.
Was there any defence?
Yes. Shortly before the Shadow Brokers released their files, Microsoft issued a patch for affected versions of Windows, ensuring that the vulnerability couldn’t be used to spread malware between fully updated versions of its operating system. But for many reasons, from lack of resources to a desire to fully test new updates before pushing them out more widely, organisations are often slow to install such security updates on a wide scale.
Who are the Shadow Brokers? Were they behind this attack?
In keeping with almost everything else in the world of cyberwarfare, attribution is tricky. But it seems unlikely that the Shadow Brokers were directly involved in the ransomware strike: instead, some opportunist developer seems to have spotted the utility of the information in the leaked files, and updated their own software accordingly. As for the Shadow Brokers themselves, no-one really knows, but fingers point towards Russian actors as likely culprits.
Will paying the ransom really unlock the files?
Sometimes paying the ransom will work, but sometimes it won’t. For the Cryptolocker ransomware that hit a few years ago, some users reported that they really did get their data back after paying the ransom, which was typically around £300. But there’s no guarantee paying will work, because cybercriminals aren’t exactly the most trustworthy group of people.
There are also a collection of viruses that go out of their way to look like ransomware such as Cryptolocker, but which won’t hand back the data if victims pay. Plus, there’s the ethical issue: paying the ransom funds more crime.
What else can I do?
Once ransomware has encrypted your files there’s not a lot you can do. If you have a backup of the files you should be able to restore them after cleaning the computer, but if not your files could be gone for good.
Some badly designed ransomware, however, has been itself hacked by security researchers, allowing recovery of data. But such situations are rare, and tend not to apply in the case of widescale professional hits like the WanaCrypt0r attack.
How long will this attack last?
Ransomware often has a short shelf life. As anti-virus vendors cotton on to new versions of the malware, they are able to prevent infections originating and spreading, leading to developers attempting “Big Bang” introductions like the one currently underway.
Will they get away with it?
Bitcoin, the payment medium through which the hackers are demanding payment, is difficult to trace, but not impossible, and the sheer scale of the attack means that law enforcement in multiple countries will be looking to see if they can follow the money back to the culprits.
Why is the NHS being targeted?
The NHS does not seem to have been specifically targeted, but the service is not helped by its reliance on old, unsupported software. Many NHS trusts still use Windows XP, a version of Microsoft’s operating system that has not received publicly available security updates for half a decade, and even those which are running on newer operating systems are often sporadically maintained. For an attack which relies on using a hole fixed less than three months ago, just a slight oversight can be catastrophic.
Attacks on healthcare providers across the world are at an all-time high as they contain valuable private information, including healthcare records.