WannaCry ransomware attack: Difference between revisions
Quasispace (talk | contribs) No edit summary |
Quasispace (talk | contribs) mNo edit summary |
||
Line 9: | Line 9: | ||
On 15 April 2017 Shadow Brokers released the code for ETERNALBLUE.<ref name="Ars Technica">{{Cite news|url=https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/|title=NSA-leaking Shadow Brokers just dumped its most damaging release yet|work=Ars Technica|access-date=2017-04-15|language=en-us}}</ref><ref>{{Cite web|url=https://medium.com/@networksecurity/latest-shadow-brokers-dump-owning-swift-alliance-access-cisco-and-windows-7b7782270e70|title=Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows|date=2017-04-14|website=Medium|access-date=2017-04-15}}</ref><ref>{{Cite web|url=https://github.com/misterch0c/shadowbroker|title=misterch0c|last=|first=|date=|website=GitHub|language=en|archive-url=|archive-date=|dead-url=|access-date=2017-04-15}}</ref> |
On 15 April 2017 Shadow Brokers released the code for ETERNALBLUE.<ref name="Ars Technica">{{Cite news|url=https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/|title=NSA-leaking Shadow Brokers just dumped its most damaging release yet|work=Ars Technica|access-date=2017-04-15|language=en-us}}</ref><ref>{{Cite web|url=https://medium.com/@networksecurity/latest-shadow-brokers-dump-owning-swift-alliance-access-cisco-and-windows-7b7782270e70|title=Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows|date=2017-04-14|website=Medium|access-date=2017-04-15}}</ref><ref>{{Cite web|url=https://github.com/misterch0c/shadowbroker|title=misterch0c|last=|first=|date=|website=GitHub|language=en|archive-url=|archive-date=|dead-url=|access-date=2017-04-15}}</ref> |
||
On 12 May 2017, WannaCry began affecting computers worldwide. After gaining access to the computers, the ransomware called WannaCrypt or WannaCry [[Disk encryption|encrypts]] the computer's [[hard disk drive]],<ref name=":1">{{Cite news|url=http://www.telegraph.co.uk/news/2017/05/12/russian-linked-cyber-gang-shadow-brokers-blamed-nhs-computer/|title=Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency|work=The Telegraph|access-date=2017-05-12|language=en-GB}}</ref><ref>{{Cite news|url=https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html|title=Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool|last=Bilefsky|first=Dan|date=2017-05-12|work=The New York Times|access-date=2017-05-12|last2=Perlroth|first2=Nicole|issn=0362-4331}}</ref> then uses ETERNALBLUE code to spread "laterally" between computer on the same [[LAN]] |
On 12 May 2017, WannaCry began affecting computers worldwide. After gaining access to the computers, the ransomware called WannaCrypt or WannaCry [[Disk encryption|encrypts]] the computer's [[hard disk drive]],<ref name=":1">{{Cite news|url=http://www.telegraph.co.uk/news/2017/05/12/russian-linked-cyber-gang-shadow-brokers-blamed-nhs-computer/|title=Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency|work=The Telegraph|access-date=2017-05-12|language=en-GB}}</ref><ref>{{Cite news|url=https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html|title=Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool|last=Bilefsky|first=Dan|date=2017-05-12|work=The New York Times|access-date=2017-05-12|last2=Perlroth|first2=Nicole|issn=0362-4331}}</ref> then uses ETERNALBLUE code to spread "laterally" between computer on the same [[LAN]].{{cn}} |
||
Leading up to the attack, the U.S. intelligence community had warned repeatedly about increasing cyber threats.<ref>{{cite news|last1=Townsend|first1=Kevin|title=U.S. Intelligence Community Highlights Cyber Risks in Worldwide Threat Assessment|url=http://www.securityweek.com/us-intelligence-community-highlights-cyber-threats-worldwide-threat-assessment|accessdate=13 May 2017|work=Security Week|date=12 May 2017}}</ref><ref>{{cite web|last1=Newman|first1=Lily Hay|title=The Ransomware Meltdown Experts Warned About Is Here|url=https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/|website=Wired.com|accessdate=13 May 2017}}</ref> |
Leading up to the attack, the U.S. intelligence community had warned repeatedly about increasing cyber threats.<ref>{{cite news|last1=Townsend|first1=Kevin|title=U.S. Intelligence Community Highlights Cyber Risks in Worldwide Threat Assessment|url=http://www.securityweek.com/us-intelligence-community-highlights-cyber-threats-worldwide-threat-assessment|accessdate=13 May 2017|work=Security Week|date=12 May 2017}}</ref><ref>{{cite web|last1=Newman|first1=Lily Hay|title=The Ransomware Meltdown Experts Warned About Is Here|url=https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/|website=Wired.com|accessdate=13 May 2017}}</ref> |
Revision as of 04:03, 13 May 2017
This article documents a current event. Information may change rapidly as the event progresses, and initial news reports may be unreliable. The latest updates to this article may not reflect the most current information. |
WannaCry, also known as WanaCrypt0r 2.0,[1] is a ransomware software package. In May 2017, a large-scale cyber attack started affecting Telefónica and several other large companies in Spain, as well as parts of the British National Health Service (NHS),[2], FedEx and Deutsche Bahn. Many other countries were attacked by WanaCrypt0r 2.0.[3][4][5] Other targets in at least 99 countries were also reported to have been attacked around the same time.[6][7] Over 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon, have been reported as infected.[8]
WannaCry is believed to use the ETERNALBLUE exploit, which was allegedly developed by the U.S. National Security Agency, to attack computers running Microsoft Windows operating systems. However, this has not yet been publicly confirmed by any malware analysts.[1][9] ETERNALBLUE exploits vulnerability MS17-010[10] in some versions of Microsoft's implementation of the SMB server protocol. A patch to remove that vulnerability had been issued on March 14, 2017,[11] but the delay in applying updates has left some users and organisations vulnerable.[12]
Background
The purported infection vector, ETERNALBLUE was initially revealed as a part of the United States National Security Agency (NSA) Equation group[13][14] toolkit by the hacker group, The Shadow Brokers on April 14, 2017. On 14 March 2017 Microsoft released a "Critical" advisory, along with an update patch to plug the vulnerability.[11]
On 15 April 2017 Shadow Brokers released the code for ETERNALBLUE.[15][16][17]
On 12 May 2017, WannaCry began affecting computers worldwide. After gaining access to the computers, the ransomware called WannaCrypt or WannaCry encrypts the computer's hard disk drive,[18][19] then uses ETERNALBLUE code to spread "laterally" between computer on the same LAN.[citation needed]
Leading up to the attack, the U.S. intelligence community had warned repeatedly about increasing cyber threats.[20][21]
The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017[11] - almost exactly two months before. The patch was to the Server Message Block protocol used by Windows.[22]
Organisations that lacked this security patch were affected for this reason, and there is so far no evidence that any were specifically targeted by the ransomware developers.[22] Any organisation still running the end-of-life Windows XP,[23] would be particulary at risk, as no security patches for that have been issued by Microsoft since April 2014.[24]
Impact
The ransomware attack impacted many NHS hospitals in UK.[25] On 12 May in the United Kingdom, some sites of the NHS had to turn away non-critical emergencies, and some ambulances were diverted.[3] Upon hearing this news, former Central Intelligence Agency (CIA) employee Edward Snowden said that the NSA should have responsibly disclosed the vulnerability when they discovered it, and that this would have prevented the attack.[26] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[23] Over 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon, have been infected.[8]
Reactions
- British Prime Minister Theresa May said the cyber attack initially believed to be targeting only hospitals in the UK has now gone beyond, involving potentially dozens of countries.[27]
See also
References
- ^ a b Fox-Brewster, Thomas. "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes. Retrieved 2017-05-12.
- ^ Marsh, Sarah (12 May 2017). "The NHS trusts hit by malware – full list". Retrieved 12 May 2017 – via The Guardian.
- ^ a b "NHS cyber-attack: GPs and hospitals hit by ransomware". BBC News. 2017-05-12. Retrieved 2017-05-12.
- ^ Hern, Alex; Gibbs, Samuel (2017-05-12). "What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?". The Guardian. ISSN 0261-3077. Retrieved 2017-05-12.
- ^ "Statement on reported NHS cyber attack". digital.nhs.uk. Retrieved 2017-05-12.
- ^ Cox, Joseph (2017-05-12). "A Massive Ransomware 'Explosion' Is Hitting Targets All Over the World". Motherboard. Retrieved 2017-05-12.
- ^ Larson, Selena (2017-05-12). "Massive ransomware attack hits 99 countries". CNN. Retrieved 2017-05-12.
- ^ a b "Ransomware virus plagues 75k computers across 99 countries". RT International. Retrieved 2017-05-12.
- ^ Larson, Selena (2017-05-12). "Massive ransomware attack hits 74 countries". CNNMoney. Retrieved 2017-05-12.
- ^ "Microsoft Security Bulletin MS17-010 - Critical". Microsoft TechNet. Microsoft. Retrieved 13 May 2017.
- ^ a b c "Microsoft Security Bulletin MS17-010 - Critical". technet.microsoft.com. Retrieved 13 May 2017.
- ^ 15:58, 12 May 2017 at; tweet_btn(), John Leyden. "WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain". theregister.co.uk. Retrieved 12 May 2017.
{{cite web}}
:|last1=
has numeric name (help)CS1 maint: numeric names: authors list (link) - ^ Fox-Brewster, Thomas (February 16, 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved November 24, 2015.
- ^ Menn, Joseph (February 17, 2015). "Russian researchers expose breakthrough U.S. spying program". Reuters. Retrieved November 24, 2015.
- ^ "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Ars Technica. Retrieved 2017-04-15.
- ^ "Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows". Medium. 2017-04-14. Retrieved 2017-04-15.
- ^ "misterch0c". GitHub. Retrieved 2017-04-15.
{{cite web}}
: Cite has empty unknown parameter:|dead-url=
(help) - ^ "Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency". The Telegraph. Retrieved 2017-05-12.
- ^ Bilefsky, Dan; Perlroth, Nicole (2017-05-12). "Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool". The New York Times. ISSN 0362-4331. Retrieved 2017-05-12.
- ^ Townsend, Kevin (12 May 2017). "U.S. Intelligence Community Highlights Cyber Risks in Worldwide Threat Assessment". Security Week. Retrieved 13 May 2017.
- ^ Newman, Lily Hay. "The Ransomware Meltdown Experts Warned About Is Here". Wired.com. Retrieved 13 May 2017.
- ^ a b "WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit". eWeek. Retrieved 13 May 2017.
- ^ a b "NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP". Motherboard. Retrieved 13 May 2017.
- ^ "Windows XP End of Support". www.microsoft.com. Retrieved 13 May 2017.
- ^ "Global cyberattack strikes dozens of countries, cripples U.K. hospitals". cbsnews.com. Retrieved 13 May 2017.
- ^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". Retrieved 12 May 2017 – via The Guardian.
- ^ CNN, Laura Smith-Spark, Milena Veselinovic and Hilary McGann. "UK prime minister: Ransomware attack is global". CNN. Retrieved 13 May 2017.
{{cite web}}
:|last=
has generic name (help)CS1 maint: multiple names: authors list (link)