In recent years, the cyber world witnessed an increase in the number and sophistication of cyber attacks.
However, all these attacks pale in comparison to the ongoing ransomware campaign by malware called WannaCry, which has taken the entire world by surprise. This cyber attack has been observed worldwide since May 12 and is unprecedented in scale.
Europol reported 150 countries had been affected just two days after the ransomware was first observed.
Currently, over 200,000 parties worldwide using Microsoft Windows operating systems have been directly impacted by the WannaCry ransomware.
The discovery of an effective kill switch by an internet security researcher slowed the virus significantly, but it seems that the ransomware attack may be an escalating threat, with similarly sophisticated attacks in the near future highly likely.
About WannaCry Ransomware
The WannaCry payload is a variation of a ransomware crypto worm, which exploits vulnerabilities in the implementation of Server Message Block (SMB) and Microsoft Remote Desktop Protocol (RDP) in Windows.
WannaCry ransomware spreads laterally between computers on the same LAN and through malicious email attachments and websites. The exploits employed in this cyber attack include EternalBlue and DoublePulsar.
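The lateral SMB spread described above leaves a characteristic trace in network logs: one host opening connections to many distinct neighbours on TCP port 445 in a short time. The following detection script is an added example, not code from the original article; it runs over constructed sample connection records and flags any source that fans out to a threshold of distinct SMB targets inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound connection records (not real traffic):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.5 -> 10.0.0.20:445
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.21:445
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.22:445
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.23:445
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.24:445
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.24:445
2017-05-12T10:00:10 10.0.0.9 -> 10.0.0.30:445
2017-05-12T10:00:11 10.0.0.9 -> 10.0.0.31:80
2017-05-12T10:05:00 10.0.0.9 -> 10.0.0.32:445
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    """Parse one record into (timestamp, src, dst, port); None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_fanout(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources reaching >= threshold distinct hosts on TCP/445 within one window.

    Returns {src_ip: max_distinct_destinations_seen_in_any_window}.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 445:          # SMB only; other ports are ignored
            ts, src, dst, _ = rec
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                      # chronological order per source
        best = 0
        for i, (t0, _) in enumerate(events):
            # distinct targets contacted in the window starting at this event
            seen = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB targets within 60s (possible worm spread)")
```

Tune the threshold and window to the normal SMB behaviour of the segment (file servers and backup hosts legitimately contact many peers), and feed it real firewall or NetFlow exports in place of the constructed records.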
These tools were dumped online by a hacker group called Shadow Brokers on April 14. Reports, including one by Forbes, indicate that EternalBlue is a leaked National Security Agency tool and was used, at least in part, as the ransomware's main infection method.
It is part of a number of tools leaked from Equation Group, which is believed to be related to the NSA.
There is currently no conclusive information about the initial infection vector, although evidence points to an initial infection in Asia.
Once the ransomware infects an operating system, it encrypts the files then requests $300 in Bitcoin for a decryption key.
This ransom is raised to $600 if the victim fails to pay within three days.
A number of factors contributed to the widespread nature of this ransomware attack. Microsoft had released patches for supported versions of its operating systems on March 14.
However, patches were not available for legacy Windows XP, Windows Server 2003 and Windows 8. Compounding the situation is the fact that many organizations had not yet installed the patched versions.
According to Kaspersky Lab's Global Research and Analysis Team, the ransomware attack affected Russia more than any other country.
Ukraine, India, Taiwan, China and Romania were also among the worst hit. The organizations impacted include hospitals in the U.K., FedEx, Spanish organizations, German railway transport networks and universities among others.
National Health Service (NHS) hospitals in England were among the institutions most significantly affected by the ransomware attack.
On May 12, some hospitals had to turn away non-critical patients and divert ambulances. Several automobile manufacturers including Nissan and Renault were forced to halt production following the ransomware infection of their systems.
Although the scale of WannaCry ransomware was gargantuan, security experts say that its impact is relatively low compared with the worst-case scenarios that could have unfolded had the kill switch not been discovered.
One that immediately comes to mind is the possibility of the ransomware targeting critical infrastructure such as nuclear power plants and railway systems.
This ransomware attack has definitely awakened the world to the importance of cyber security. It is bound to lead to reforms in areas such as governments' handling of exploits as well as individual and organizational web security implementation.
Not Over Yet
However, experts warn that ransomware like WannaCry may just be the beginning of sophisticated cyber attacks to come.
With monetary gain as the main motivating factor and the recently demonstrated ability to compromise entities around the globe, ransomware attacks look attractive to malicious actors now more than ever.
In fact, there are already several versions of the crypto worm that are not susceptible to the aforementioned kill switch.
These versions are still infecting systems that lack the patches. The kill switch is only applicable to the SMB worm variant.
Computers can still be infected in a number of scenarios. These include infection vectors other than the SMB protocol, such as email or torrents; blocking of the sinkhole domain; internet access that requires a proxy; and the sinkhole domain being made unavailable (for example by DDoS). In each of the latter cases the kill-switch domain cannot be reached, so the check that would otherwise halt the worm never succeeds.
It looks like the malicious actors behind WannaCry ransomware still have a way around the currently proposed measures.
There remains the possibility of more malicious variants of the ransomware surfacing in the near future. The direction that any new developments will take is anyone’s guess.