A Massive Ransomware 'Explosion' Is Hitting Targets All Over the World
Targets include a Spanish telco, and recent disruption of UK hospitals may be connected too.
On Friday, multiple organizations, including hospitals and telecommunications companies, reported falling victim to ransomware, and researchers said a worldwide campaign of attacks was ongoing. However, the full extent of the hacks, and whether all of them were connected to one another, is unclear.
"WanaCrypt0r 2.0 ransomware (the new WCry/WannaCry) is spreading like hell," the researchers behind the MalwareHunterTeam Twitter account tweeted on Friday morning. WannaCry acts like a typical piece of ransomware, locking down computers and demanding bitcoin in exchange for decrypting the files.
But the speed at which WanaCrypt0r has spread is alarming. In a few hours, the malware had already infected victims in 11 countries, including Russia, Turkey, Germany, Vietnam, and the Philippines, according to MalwareHunterTeam.
One of those victims was seemingly Telefónica, a large Spanish telecommunications company, according to Spanish publication El Mundo. Judging by the report, Telefónica told employees to shut down their computers, and 85 percent were allegedly infected with a version of WannaCry.
"Ooops, your files have been encrypted!" the message on Telefónica's machines allegedly reads, according to a photo published by El Mundo.
That warning is largely identical to one allegedly presented on screens in at least one UK hospital on Friday.
"You only have 3 days to submit the payment. After that the price will be doubled. Also if you don't pay in 7 days, you won't be able to recover your files forever," the message, provided to Motherboard, reads.
A second National Health Service (NHS) Trust confirmed to Motherboard in a statement it had been the victim of what it described as a "cyber attack."
"Immediately on discovery of the problem, the Trust acted to protect its IT systems by shutting them down; it also meant that the Trust's telephone system is not able to accept incoming calls," the statement from East and North Hertfordshire NHS Trust reads. The Trust would not confirm whether this attack did concern ransomware, so the exact connection to the wider attacks remains murky.
Motherboard has contacted several other NHS Trusts that have allegedly been targeted with ransomware, but did not receive a response in time for publication. Later on Friday, NHS Digital released a statement saying 16 organizations have been hit.
On Friday, CCN-CERT, the Spanish computer emergency response team, published an advisory linked to the ransomware attacks.
"The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network," a translated version of the announcement reads. The post then points to MS17-010, a security update for Windows SMB Server published by Microsoft on March 14.
These vulnerabilities relate to exploits released by a group known as The Shadow Brokers. The group has repeatedly dumped working hacking tools stolen from the NSA.
Although Microsoft did issue a patch for attacks related to MS17-010, it appears end-users have likely not installed the fixes. Indeed, a Motherboard investigation found that the UK's National Health Service still has thousands of computers running the Windows XP operating system.