Earlier today,
Kaspersky Labs products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension '.WCRY' added to the filenames. My analysis indicates the attack, dubbed 'WannaCry', is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed 'EternalBlue') has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and
patched by Microsoft on March 14. Unfortunately, it appears that many organizations have not yet installed the patch. The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It's interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands. Note that the 'payment will be raised' after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.
Updates:
- Frankfurt Airport in Germany has now been hit with the WannaCry ransomware. Details coming.
- FedEx (FDX ) here in the United States has now been impacted by the WannaCry ransomware. FedEx has not determined exactly how it is spreading, but it is. Virtual Machines currently seem to be the most vulnerable on its network. FedEx is currently shutting down its PCs and taking its ESX servers offline as well. FedEx has instructed approximately 80,000 employees, via email, to turn off their computers till Monday while it tries to deal with the WannCry ransomware.
- Russian Ministry of the Interior (Police) network has now been taken down by WannyCry ransomware.
Microsoft has taken the extraordinary step of providing an emergency update for unsupported Windows XP and Windows 8 machines in the wake of Friday's WannaCry ransomware outbreak.