Massive Global Ransomware Attack Underway, patch available

This is a public service security announcement for all users of computers running any version of Windows.

We have confirmed that a serious, virulent ransomware threat known as WannaCrypt0r/WannaCry has affected Windows computers on shared networks in at least 74 countries worldwide, with 57,000 individual cases reported. According to the analysis team at Kaspersky Lab, that number is growing fast.

The attackers demand a ransom of $300 (£230) in Bitcoin for users to get their files back.

Only one computer on a network needs to be infected; the malware can then easily and quickly spread to other Windows computers on the same network, shutting down entire government agencies and national infrastructure companies. Hospitals across the UK were being forced to divert patients and ambulance routes as of Friday afternoon, and several utility companies across Europe reported infection across their computer networks, according to BBC News.

A major incident has been declared after NHS services across England and Scotland were hit by a cyber-attack.

The incident was part of a wider attack affecting organisations around the world. Some hospitals and GPs cannot access patient data, after their computers were apparently locked by a program demanding a payment worth £230. There is no evidence that patient data has been compromised, NHS Digital has said. The BBC understands up to 33 NHS organisations and some GP practices have been affected. Theresa May said that the National Cyber Security Centre (NCSC) was “working closely” with the NHS but that there was no evidence patient data had been compromised.

Latest update:

Within 12 hours, 81,000 infections from the WannaCrypt0r outbreak were reported globally.

NHS reported 16 hospitals in the UK have been hit and can’t operate or admit patients because all data is encrypted and locked. Spanish telecom giant, Telefonica, was hit and responded by “desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s reach.” Banks, utilities, telecoms, healthcare and other industries are reporting similar experiences worldwide. At this time, this ransomware variant appears to be taking advantage of a known and patched Windows vulnerability.

What Is Ransomware?

Ransomware is a kind of malicious script or software that installs itself on your computer without your knowledge. It could come in via an email or from a website where you innocently click a link. The emails or website will more than likely look legitimate and even be from someone you know.

Once it’s installed and running, it will lock down your system and won’t allow you to access any files or programs on that computer. It will be easy to tell if you have been infected as it will alert you to the lockdown with an impossible-to-ignore pop-up screen which informs you that your computer is being held for ransom. To unlock your system and regain access to the computer being held hostage, the lock screen informs you that you must purchase an unlock tool or decryption key from the hacker. In this case, £230.

Where Did This Threat Originate?

In this case, Microsoft has been aware of the vulnerability since March 2017, when it published a Security Bulletin covering the potential risk. Apparently, according to the Spanish newspaper El Mundo, early indicators seem to point to the attack originating in China, but it is too early to fully confirm this.

How to Protect Yourself From the Vulnerability

According to Microsoft, a fix for this vulnerability was released on March 14th for all affected versions of Windows. You can either download the patch directly or ensure that automatic Windows updates are enabled and that your system is actually up to date. You can normally run a manual scan to check your computer and install any outstanding critical patches.

It is important to note that unsupported versions of Windows, like XP, did not receive this security update. Those systems should either be isolated or shut down.

Please pass this along to your friends and family. Those that are less technical may not have updates auto-enabled, and may need a helping hand updating their operating system. Please feel free to get in touch with us.

Colins IT – 02476 960 946 – it-support@colins-it.co.uk

Vulnerability details: CVE-2017-0290
“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption.
An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
