You would WannaCry: What is the malware that’s holding the world to ransom?

13 May 2017


The WannaCry virus that has shut down the computer systems of NHS hospitals in the UK is spreading, and has so far taken hold in almost 100 countries worldwide. What is WannaCry?

In the UK, 16 hospitals and 40 NHS organisations are offline, the NHS is being held to ransom and the problem is widespread in what is one of the biggest ransomware attacks in history.

WannaCry, or WanaCrypt0r 2.0, is a devastating malware attack that has so far been seen in 45,000 instances and counting.

In the UK, National Cyber Security Centre teams are working around the clock to restore order to the NHS systems and bring them back online.

The ransomware attacked hospital computer systems across the UK yesterday, blocking access to files by encryption unless a ransom was paid.

If demands are not met, the malware threatens that data will be destroyed.

At first, the ransomware demands $300 in bitcoin to unlock the encrypted files, but this rises to $400, $500 and $600 after a few hours.

Almost 100 countries have been hit by the attack and Russia appears to be the worst affected.

“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors,” the NHS said in a statement.

“At this stage, we do not have any evidence that patient data has been accessed.”

Hospitals have been diverting patients requiring emergency treatment elsewhere, and the public are being advised to seek medical care only in acute situations.

What you need to know:

Nobody knows for certain how WannaCry is being disseminated

The attack appears to be taking hold on vulnerable Windows machines, especially on devices and networks where security software has not been kept up to date. One theory is that WannaCry is spreading as a phishing attack, where a user clicking a link in an email bypasses whatever security measures are in place.

According to Krebs on Security, Spain’s national computer emergency response team (CCN-CERT) has suggested that WannaCry is spreading so rapidly because it exploits a software vulnerability in Windows computers that Microsoft patched in March.

In the case of the NHS, The Guardian reported that nearly all NHS trusts are using an obsolete version of Windows that Microsoft stopped providing security updates for in 2014. According to software firm Citrix, 90pc of NHS trusts are still using Windows XP.

It has hit almost 100 countries so far

The NHS is the flagship victim of the attack but other large organisations including Telefónica, Portugal Telecom, logistics firm FedEx, Swedish local authorities and Russia’s second biggest mobile phone network, MegaFon, have been affected.

Russia is understood to have seen more infections than any other single country. The country’s interior ministry claims to have localised the virus but that seems unlikely, as it continues to manifest. China is keeping quiet about the extent of the attack there, but it is believed to have been spotted in universities, according to the BBC.

So far, Russia, Ukraine and Taiwan are leading the world in new infections, according to AVG Avast’s Jakub Kroustek.

It is understood to be a cyber weapon that originated with the NSA

This is a chilling development. The attack is believed to rely on one of the US National Security Agency’s (NSA) stockpile of secret cyber weapons, which has got loose in the wild. Last year, a group calling itself the Shadow Brokers began posting software tools taken from the NSA’s arsenal of cyber weapons.

If this is the case, then a computer virus – funded by American taxpayers and stolen by adversaries – is now being turned back against the US and countries around the world, impacting hospitals, governments, universities and ordinary people.

This is not the first time something like this has happened. Several years ago, a virus jointly developed by the US and Israel called Stuxnet – designed to take down Iranian nuclear facilities – went rogue and began attacking programmable logic controllers (PLCs) and SCADA systems used to control factories, energy plants, hydro dams, nuclear power facilities and more.

It had been lurking in cyberspace for a fortnight

According to Brian Krebs, the WannaCry virus surfaced roughly two weeks ago. It had been on the radar of security researchers such as Kaspersky Lab and BleepingComputer for the past fortnight, lurking quietly before going nuclear in the last 24 hours.

What can you do about it?

You have very few options. If you have not been a victim, then make sure your antivirus software is up to date and that you are running a version of Windows that still receives security updates from Microsoft. According to the company, users who have Windows Update enabled and are running Windows Defender should be protected.

If you have been hit, the prognosis is dire. Scrubbing malware from systems is difficult and, to most ordinary users, impossible. Unless the perpetrators hand over the keys themselves, the impact of WannaCry will leave most users and CIOs in tears for a long time to come.

Update, 12.50pm, 13 May 2017: Microsoft has released an out-of-band patch for Windows XP. A cybersecurity researcher called Darien Huss claims to have slowed down the spread of the virus by identifying a domain name in the malware code and buying the domain, according to The Guardian. However, this may only be a temporary reprieve, as hackers will most likely find a way around it. Huss advises all Windows users to ensure their systems are patched and up to date.
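The kill-switch lookup described above is also a useful detection signal for defenders: a host that queried that domain has executed the malware, even if the now-registered domain halted it. The following is an added example, not code from the article or from any organisation it mentions; it parses constructed BIND-style DNS query-log lines and lists the hosts that performed the lookup. The domain name is a labelled placeholder, since the article does not give it.

```python
# Added example (not from the original article): scan DNS-resolver log lines
# for lookups of the ransomware's kill-switch domain. A host that queried it
# ran the malware's pre-flight check, so it should be isolated and examined
# even if resolution of the domain stopped the encryption routine.
import re
from collections import defaultdict

# Placeholder, not the real indicator: substitute the actual domain.
KILL_SWITCH_DOMAIN = "killswitch-domain.placeholder.example"

# Constructed sample log lines in a BIND-style query-log format (not real data).
SAMPLE_LOG = """\
13-May-2017 09:14:02.117 client 10.20.1.15#49152: query: www.example.org IN A + (10.20.0.5)
13-May-2017 09:14:05.301 client 10.20.1.42#53001: query: killswitch-domain.placeholder.example IN A + (10.20.0.5)
13-May-2017 09:14:05.322 client 10.20.1.42#53002: query: killswitch-domain.placeholder.example IN A + (10.20.0.5)
13-May-2017 09:15:11.008 client 10.20.3.7#61004: query: updates.example.net IN A + (10.20.0.5)
13-May-2017 09:16:40.550 client 10.20.1.88#50210: query: KILLSWITCH-DOMAIN.placeholder.example IN A + (10.20.0.5)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname) for each well-formed query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Normalise: strip a trailing dot and lower-case, as DNS names are case-insensitive.
            yield m.group("ts"), m.group("ip"), m.group("qname").rstrip(".").lower()


def find_kill_switch_hits(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that looked up the kill-switch domain to its query timestamps."""
    hits = defaultdict(list)
    for ts, ip, qname in parse_query_log(text):
        if qname == domain.lower():
            hits[ip].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, stamps in sorted(find_kill_switch_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {len(stamps)} kill-switch lookup(s), first at {stamps[0]}")
```

Because the domain must resolve for the malware to stop, the lookups should be logged and alerted on, not blocked at the resolver or proxy.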

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years