
WannaCry ransomware attack: Difference between revisions

From Wikipedia, the free encyclopedia
Quasispace (talk | contribs)
m Spelling.
lead section "software package" -> "malware tool"
Line 1: Line 1:
{{current}}
{{current}}
'''WannaCry''', also known as '''WanaCrypt0r 2.0''',<ref name=":0">{{Cite news|url=https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/|title=An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak|last=Fox-Brewster|first=Thomas|work=Forbes|access-date=2017-05-12}}</ref> is a [[ransomware]] software package. In May 2017, a large-scale [[cyber attack]] started affecting [[Telefónica]] and several other large companies in Spain, as well as parts of the British [[National Health Service]] (NHS),<ref>{{cite web|url=https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware|title=The NHS trusts hit by malware – full list|first=Sarah|last=Marsh|date=12 May 2017|publisher=|accessdate=12 May 2017|via=The Guardian}}</ref>, [[FedEx]] and [[Deutsche Bahn]]. Many other countries were attacked by WanaCrypt0r 2.0.<ref name="BBC news">{{Cite news|url=http://www.bbc.co.uk/news/health-39899646|title=NHS cyber-attack: GPs and hospitals hit by ransomware|date=2017-05-12|work=BBC News|access-date=2017-05-12|language=en-GB}}</ref><ref>{{Cite news|url=https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20|title=What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?|last=Hern|first=Alex|date=2017-05-12|work=The Guardian|access-date=2017-05-12|last2=Gibbs|first2=Samuel|language=en-GB|issn=0261-3077}}</ref><ref>{{Cite web|url=https://digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack|title=Statement on reported NHS cyber attack|website=digital.nhs.uk|language=en-GB|access-date=2017-05-12}}</ref> Other targets in at least 99 countries were also reported to have been attacked around the same time.<ref>{{Cite web|url=https://motherboard.vice.com/en_us/article/a-massive-ransomware-explosion-is-hitting-targets-all-over-the-world|title=A Massive Ransomware 'Explosion' Is Hitting Targets All Over the 
World|website=Motherboard|first=Joseph|last=Cox|date=2017-05-12|language=en-us|access-date=2017-05-12}}</ref><ref name="cnn99countries">{{Cite news |url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/ |title=Massive ransomware attack hits 99 countries |last=Larson |first=Selena |date=2017-05-12 |work=CNN |access-date=2017-05-12}}</ref> Over 1,000 computers at the [[Ministry of Internal Affairs (Russia)|Russian Interior Ministry]], the [[Ministry of Emergency Situations (Russia)|Russian Emergency Ministry]] and the Russian telecommunications company [[MegaFon]], have been reported as infected.<ref name=":2">{{Cite news|url=https://www.rt.com/news/388153-thousands-ransomeware-attacks-worldwide/|title=Ransomware virus plagues 75k computers across 99 countries|work=RT International|access-date=2017-05-12|language=en-US}}</ref>
'''WannaCry''', also known as '''WanaCrypt0r 2.0''',<ref name=":0">{{Cite news|url=https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/|title=An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak|last=Fox-Brewster|first=Thomas|work=Forbes|access-date=2017-05-12}}</ref> is a [[ransomware]] malware tool. In May 2017, a large-scale [[cyber attack]] started affecting [[Telefónica]] and several other large companies in Spain, as well as parts of the British [[National Health Service]] (NHS),<ref>{{cite web|url=https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware|title=The NHS trusts hit by malware – full list|first=Sarah|last=Marsh|date=12 May 2017|publisher=|accessdate=12 May 2017|via=The Guardian}}</ref>, [[FedEx]] and [[Deutsche Bahn]]. Many other countries were attacked by WanaCrypt0r 2.0.<ref name="BBC news">{{Cite news|url=http://www.bbc.co.uk/news/health-39899646|title=NHS cyber-attack: GPs and hospitals hit by ransomware|date=2017-05-12|work=BBC News|access-date=2017-05-12|language=en-GB}}</ref><ref>{{Cite news|url=https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20|title=What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?|last=Hern|first=Alex|date=2017-05-12|work=The Guardian|access-date=2017-05-12|last2=Gibbs|first2=Samuel|language=en-GB|issn=0261-3077}}</ref><ref>{{Cite web|url=https://digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack|title=Statement on reported NHS cyber attack|website=digital.nhs.uk|language=en-GB|access-date=2017-05-12}}</ref> Other targets in at least 99 countries were also reported to have been attacked around the same time.<ref>{{Cite web|url=https://motherboard.vice.com/en_us/article/a-massive-ransomware-explosion-is-hitting-targets-all-over-the-world|title=A Massive Ransomware 'Explosion' Is Hitting Targets All Over the 
World|website=Motherboard|first=Joseph|last=Cox|date=2017-05-12|language=en-us|access-date=2017-05-12}}</ref><ref name="cnn99countries">{{Cite news |url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/ |title=Massive ransomware attack hits 99 countries |last=Larson |first=Selena |date=2017-05-12 |work=CNN |access-date=2017-05-12}}</ref> Over 1,000 computers at the [[Ministry of Internal Affairs (Russia)|Russian Interior Ministry]], the [[Ministry of Emergency Situations (Russia)|Russian Emergency Ministry]] and the Russian telecommunications company [[MegaFon]], have been reported as infected.<ref name=":2">{{Cite news|url=https://www.rt.com/news/388153-thousands-ransomeware-attacks-worldwide/|title=Ransomware virus plagues 75k computers across 99 countries|work=RT International|access-date=2017-05-12|language=en-US}}</ref>


WannaCry is believed to use the [[The_Shadow_Brokers#Fifth_Leak:_.22Lost_in_Translation.22|ETERNALBLUE]] [[Exploit (computer security)|exploit]], which was allegedly developed by the U.S. [[National Security Agency]], to attack computers running [[Microsoft Windows]] operating systems. However, this has not yet been publicly confirmed by any malware analysts.<ref name=":0" /><ref>{{Cite web|url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html|title=Massive ransomware attack hits 74 countries|last=Larson|first=Selena|date=2017-05-12|website=CNNMoney|access-date=2017-05-12}}</ref> ETERNALBLUE exploits vulnerability MS17-010<ref>{{cite web|title=Microsoft Security Bulletin MS17-010 - Critical|url=https://technet.microsoft.com/library/security/ms17-010|website=Microsoft TechNet|publisher=Microsoft|accessdate=13 May 2017}}</ref> in some versions of [[Microsoft]]'s implementation of the [[Server Message Block|SMB]] server protocol. A patch to remove that vulnerability had been issued on March 14, 2017,<ref name="microsoft.com">{{cite web|url=https://technet.microsoft.com/en-us/library/security/ms17-010.aspx|title=Microsoft Security Bulletin MS17-010 - Critical|website=technet.microsoft.com|accessdate=13 May 2017}}</ref> but the delay in applying updates has left some users and organisations vulnerable.<ref>{{cite web|url=https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/|title=WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain|first1=12 May 2017 at|last1=15:58|first2=John Leyden|last2=tweet_btn()|website=theregister.co.uk|accessdate=12 May 2017}}</ref>
WannaCry is believed to use the [[The_Shadow_Brokers#Fifth_Leak:_.22Lost_in_Translation.22|ETERNALBLUE]] [[Exploit (computer security)|exploit]], which was allegedly developed by the U.S. [[National Security Agency]], to attack computers running [[Microsoft Windows]] operating systems. However, this has not yet been publicly confirmed by any malware analysts.<ref name=":0" /><ref>{{Cite web|url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html|title=Massive ransomware attack hits 74 countries|last=Larson|first=Selena|date=2017-05-12|website=CNNMoney|access-date=2017-05-12}}</ref> ETERNALBLUE exploits vulnerability MS17-010<ref>{{cite web|title=Microsoft Security Bulletin MS17-010 - Critical|url=https://technet.microsoft.com/library/security/ms17-010|website=Microsoft TechNet|publisher=Microsoft|accessdate=13 May 2017}}</ref> in some versions of [[Microsoft]]'s implementation of the [[Server Message Block|SMB]] server protocol. A patch to remove that vulnerability had been issued on March 14, 2017,<ref name="microsoft.com">{{cite web|url=https://technet.microsoft.com/en-us/library/security/ms17-010.aspx|title=Microsoft Security Bulletin MS17-010 - Critical|website=technet.microsoft.com|accessdate=13 May 2017}}</ref> but the delay in applying updates has left some users and organisations vulnerable.<ref>{{cite web|url=https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/|title=WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain|first1=12 May 2017 at|last1=15:58|first2=John Leyden|last2=tweet_btn()|website=theregister.co.uk|accessdate=12 May 2017}}</ref>
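Review bot: In the changed lead sentence, "is a [[ransomware]] malware tool" is redundant, because ransomware is already a class of malware; "is a [[ransomware]] program" or simply "is [[ransomware]]" would read more cleanly. The same line leaves a stray comma after the NHS reference ("(NHS),<ref>…</ref>, [[FedEx]]"), which renders as ",[2],". In the unchanged second paragraph, the Register citation carries scrape residue in its author fields (first1=12 May 2017 at, last1=15:58, last2=tweet_btn()); those should become the author John Leyden plus a proper date field.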

Revision as of 04:04, 13 May 2017

WannaCry, also known as WanaCrypt0r 2.0,[1] is a ransomware malware tool. In May 2017, a large-scale cyber attack started affecting Telefónica and several other large companies in Spain, as well as parts of the British National Health Service (NHS),[2] FedEx and Deutsche Bahn. Many other countries were attacked by WanaCrypt0r 2.0.[3][4][5] Other targets in at least 99 countries were also reported to have been attacked around the same time.[6][7] Over 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon have been reported as infected.[8]

WannaCry is believed to use the ETERNALBLUE exploit, which was allegedly developed by the U.S. National Security Agency, to attack computers running Microsoft Windows operating systems. However, this has not yet been publicly confirmed by any malware analysts.[1][9] ETERNALBLUE exploits vulnerability MS17-010[10] in some versions of Microsoft's implementation of the SMB server protocol. A patch to remove that vulnerability had been issued on March 14, 2017,[11] but the delay in applying updates has left some users and organisations vulnerable.[12]

Background

The purported infection vector, ETERNALBLUE, was initially revealed as part of the United States National Security Agency (NSA) Equation Group[13][14] toolkit by the hacker group The Shadow Brokers on April 14, 2017. On 14 March 2017 Microsoft released a "Critical" advisory, along with an update patch to plug the vulnerability.[11]

On 15 April 2017 Shadow Brokers released the code for ETERNALBLUE.[15][16][17]

On 12 May 2017, WannaCry began affecting computers worldwide. After gaining access to the computers, the ransomware called WannaCrypt or WannaCry encrypts the computer's hard disk drive,[18][19] then uses ETERNALBLUE code to spread "laterally" between computers on the same LAN.[citation needed]

Leading up to the attack, the U.S. intelligence community had warned repeatedly about increasing cyber threats.[20][21]

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[11] almost exactly two months before. The patch was to the Server Message Block protocol used by Windows.[22]

Organizations that lacked this security patch were affected for this reason, and there is so far no evidence that any were specifically targeted by the ransomware developers.[22] Any organization still running the end-of-life Windows XP[23] would be particularly at risk, as no security patches for it have been issued by Microsoft since April 2014.[24]

Impact

The ransomware attack impacted many NHS hospitals in the UK.[25] On 12 May in the United Kingdom, some sites of the NHS had to turn away non-critical emergencies, and some ambulances were diverted.[3] Upon hearing this news, former Central Intelligence Agency (CIA) employee Edward Snowden said that the NSA should have responsibly disclosed the vulnerability when they discovered it, and that this would have prevented the attack.[26] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[23] Over 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon have been infected.[8]

Reactions

See also

References

  1. ^ a b Fox-Brewster, Thomas. "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes. Retrieved 2017-05-12.
  2. ^ Marsh, Sarah (12 May 2017). "The NHS trusts hit by malware – full list". Retrieved 12 May 2017 – via The Guardian.
  3. ^ a b "NHS cyber-attack: GPs and hospitals hit by ransomware". BBC News. 2017-05-12. Retrieved 2017-05-12.
  4. ^ Hern, Alex; Gibbs, Samuel (2017-05-12). "What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?". The Guardian. ISSN 0261-3077. Retrieved 2017-05-12.
  5. ^ "Statement on reported NHS cyber attack". digital.nhs.uk. Retrieved 2017-05-12.
  6. ^ Cox, Joseph (2017-05-12). "A Massive Ransomware 'Explosion' Is Hitting Targets All Over the World". Motherboard. Retrieved 2017-05-12.
  7. ^ Larson, Selena (2017-05-12). "Massive ransomware attack hits 99 countries". CNN. Retrieved 2017-05-12.
  8. ^ a b "Ransomware virus plagues 75k computers across 99 countries". RT International. Retrieved 2017-05-12.
  9. ^ Larson, Selena (2017-05-12). "Massive ransomware attack hits 74 countries". CNNMoney. Retrieved 2017-05-12.
  10. ^ "Microsoft Security Bulletin MS17-010 - Critical". Microsoft TechNet. Microsoft. Retrieved 13 May 2017.
  11. ^ a b c "Microsoft Security Bulletin MS17-010 - Critical". technet.microsoft.com. Retrieved 13 May 2017.
  12. ^ Leyden, John (12 May 2017). "WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain". theregister.co.uk. Retrieved 12 May 2017.
  13. ^ Fox-Brewster, Thomas (February 16, 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved November 24, 2015.
  14. ^ Menn, Joseph (February 17, 2015). "Russian researchers expose breakthrough U.S. spying program". Reuters. Retrieved November 24, 2015.
  15. ^ "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Ars Technica. Retrieved 2017-04-15.
  16. ^ "Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows". Medium. 2017-04-14. Retrieved 2017-04-15.
  17. ^ "misterch0c". GitHub. Retrieved 2017-04-15.
  18. ^ "Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency". The Telegraph. Retrieved 2017-05-12.
  19. ^ Bilefsky, Dan; Perlroth, Nicole (2017-05-12). "Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool". The New York Times. ISSN 0362-4331. Retrieved 2017-05-12.
  20. ^ Townsend, Kevin (12 May 2017). "U.S. Intelligence Community Highlights Cyber Risks in Worldwide Threat Assessment". Security Week. Retrieved 13 May 2017.
  21. ^ Newman, Lily Hay. "The Ransomware Meltdown Experts Warned About Is Here". Wired.com. Retrieved 13 May 2017.
  22. ^ a b "WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit". eWeek. Retrieved 13 May 2017.
  23. ^ a b "NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP". Motherboard. Retrieved 13 May 2017.
  24. ^ "Windows XP End of Support". www.microsoft.com. Retrieved 13 May 2017.
  25. ^ "Global cyberattack strikes dozens of countries, cripples U.K. hospitals". cbsnews.com. Retrieved 13 May 2017.
  26. ^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". Retrieved 12 May 2017 – via The Guardian.
  27. ^ Smith-Spark, Laura; Veselinovic, Milena; McGann, Hilary. "UK prime minister: Ransomware attack is global". CNN. Retrieved 13 May 2017.