The biggest cyber attack of all time, which took place across the globe on May 12, was a new variant of WannaCryptor, also known as WannaCry or WannaCrypt, detected by ESET as Win32/Filecoder.WannaCryptor.D. It has the characteristics of a worm, capable of compromising other computers on the network.
ESET clients were already protected by ESET’s network protection module. This had been blocking attempts to exploit the leaked vulnerability at the network level well before this particular malware was even created.
Since the first news broke on Friday, broadcasters, journalists, bloggers, commentators, experts and security vendors have reported on, discussed and analysed this global threat with a level of attention unseen before. For those of you who had your heads in the sand, a massive ransomware attack paralyzed almost 150 countries, leaving more than 220,000 victims. The malicious software deployed by cybercriminals involved the illegal encryption of files and devices. A ransom was demanded for the ‘safe recovery’ of said files and devices.
The English version of the ransomware message, which can be displayed in several languages based on geolocation, appeared on infected computer screens and read: “Ooops, your files have been encrypted!” The authors of the malware added that it was futile to look for a way to access the files without their assistance. Which, of course, comes at a cost: about R 4,000 in bitcoin per infected computer.
This milestone attack, which is still ongoing, although with less impact than before, occurred due to a combination of factors and some negligence.
It spread quickly in the first four days. One reason for the speed at which this malware spread was the way it utilized the EternalBlue SMB exploit, part of a large collection of files that leaked from America’s National Security Agency (NSA).
Spain’s telecom sector was the first to experience the attack. Reports of healthcare-related organizations being affected in the UK began to appear, followed by various commercial websites, entire enterprise sites, and just about every type of network in between. People from around the world posted screenshots of the malware from computers in offices, hospitals, and schools.
The NSA’s cyberweapons were allegedly stolen by the Shadow Brokers group. The group first tried, unsuccessfully, to auction the cyberweapons; as the endeavor was not proving profitable, it changed course and decided to sell the NSA tools individually.
It’s important for users to check whether their Windows PC is patched against EternalBlue.
For local verification, a security expert developed a simple script that fetches the list of installed KBs from the system and searches for those that patch EternalBlue.
The script is available on GitHub and is very easy to use: one executes the script, waits for about a minute while it uses WMIC to fetch the list of installed KBs, and then gets the EternalBlue patch status.
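To illustrate the same check, here is an added Python example (my own code, not the GitHub script mentioned above). It parses the output of `wmic qfe get HotFixID` and compares the installed KBs against the MS17-010 identifiers; the KB set is my assumption, recalled from the Microsoft bulletin, and the sample WMIC output is constructed.

```python
import re
import subprocess

# KBs that shipped the MS17-010 (EternalBlue) fix in March 2017.
# Assumption: compiled from memory of the Microsoft bulletin; verify against it.
MS17_010_KBS = {
    "KB4012212", "KB4012215",               # Windows 7 / Server 2008 R2
    "KB4012213", "KB4012216",               # Windows 8.1 / Server 2012 R2
    "KB4012214", "KB4012217",               # Server 2012
    "KB4012598",                            # XP, Server 2003, Vista, 2008, Windows 8
    "KB4012606", "KB4013198", "KB4013429",  # Windows 10 1507 / 1511 / 1607
}

# Constructed sample of what `wmic qfe get HotFixID` prints on a Windows 7 host.
SAMPLE_WMIC_OUTPUT = """HotFixID
KB2999226
KB3125574
KB4012212
KB4014596
"""


def parse_hotfix_ids(wmic_output: str) -> set:
    """Extract KB identifiers (normalised to upper case) from WMIC output."""
    return {kb.upper() for kb in re.findall(r"\bKB\d{6,7}\b", wmic_output, re.IGNORECASE)}


def eternalblue_patch_status(installed: set) -> dict:
    """Report whether any MS17-010 KB is present and which ones matched.

    Caveat: a later cumulative update supersedes these KBs without listing them,
    so a negative result here means "not proven patched", not "vulnerable".
    """
    matches = sorted(installed & MS17_010_KBS)
    return {"patched": bool(matches), "matching_kbs": matches}


def installed_hotfixes() -> set:
    """Query the local machine via WMIC (Windows only) and parse the result."""
    result = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                            capture_output=True, text=True, check=True)
    return parse_hotfix_ids(result.stdout)


if __name__ == "__main__":
    print(eternalblue_patch_status(installed_hotfixes()))
```

On a non-Windows host, `installed_hotfixes()` will fail because WMIC is absent; feed `parse_hotfix_ids()` saved WMIC output instead.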
Ultimately, patching is the best countermeasure against EternalBlue, since it addresses the root-cause of the vulnerability targeted by the exploit.