CrowdStrike statement on global ransomware attack


TO BE ATTRIBUTED TO ADAM MEYERS, VICE PRESIDENT, INTELLIGENCE AT CROWDSTRIKE

“The NHS is being held to ransom by Wanacry. The attack is not isolated to the NHS, it is spreading aggressively across the globe. The group behind the attack does not appear to be picky about the nation or sector it is targeting. Early reports show it originating in Europe and impacting healthcare organisations, hospitals, doctors’ surgeries, telecommunication systems as well as gas and electricity utilities. And across the United Kingdom, Spain, Russia, Pakistan, and potentially more.

“The attack vector has all the hallmarks of a traditional computer worm. We’ve not seen a large-scale ransomware campaign that uses a self-propagating technique at this scale before, which makes it really unique.

“Targeting is likely in bulk, via massive phishing campaigns delivering .zip archives with themes such as fake invoices, job offers, security warnings, undelivered email. Once an infection takes place, Wana encrypts victim files using the AES-128 cipher, and demands a Bitcoin ransom of increasing value as time passes. Files encrypted by Wana are appended with a file extension of .wncry. Observed ransom demands require victims to pay either $300 or $600 USD worth of BTC for a decryption key.

“Organisations must act quickly to ensure they are not impacted. Early analysis of the worm is that it is taking advantage of a very recent Microsoft Windows exploit called EternalBlue, which is the enabler for how files get shared. Swift action to patch against this update is critical, whilst ensuring that back-up data files are disconnected from the core network, as this ransomware has the potential to encrypt back-up files.”
