In-depth: Security experts explain the WannaCry ransomware's world domination

By Sara Barker
Mon 15 May 2017

The world’s cybersecurity experts have been quick to comment on the WannaCry ransomware attack that hit the UK’s National Health Service (NHS), Telefonica, FedEx, KPMG and organisations in other countries over the weekend.

Latest reports suggest there is a 'kill switch' in the ransomware's code, which is slowing down its spread.

Experts say the damage highlights the danger such attacks pose not only to critical healthcare verticals but to all businesses. And it seems that many victims are paying the ransom.

The ransomware is a new variant of the Ransom.CryptXXX family. It goes by the names Wanacry, Wannacry, WanaCryt0r, WannaCrypt, WanaDecryptor, or Wana. It is spread through a malicious PDF document that downloads and infects a computer within a business.

It then uses the unpatched SMBv1 vulnerability, also referred to as MS17-010, to spread to all networked Windows machines.

The cybercriminal group Shadow Brokers is suspected to be behind the attack, which uses a vulnerability originally discovered by the NSA.

We’ve compiled a list of some of the top comments from security experts including LogRhythm, Digital Shadows, Malwarebytes, Tenable Network Security, and MailGuard.

Craig McDonald, CEO, MailGuard:

“The body of the email contains no information other than an instruction to ‘Please open the attached file’. The ransomware encrypts data on the computers, demanding payments of $300 to $600 to restore access – a relatively small amount, most likely chosen to entice some victims to pay up. The amount doubles if the ransom isn’t paid within 72 hours, and the criminals warn the files will be deleted if the ransom isn’t paid within one week.”

Kasper Lindgaard, senior director of Secunia Research at Flexera Software:

“Frankly, if you wait two months to apply a critical Microsoft patch, you’re doing something wrong. This time, we even had a warning in April that this could very likely happen, so businesses need to wake up and start taking these types of threats and risks seriously. There is simply no excuse.”

Jim Cook, Regional Director – ANZ, Malwarebytes:

“Wana Cryptor is another example of a known, patched vulnerability causing tremendous issues for people and businesses around the world. If possible, apply the MS17-010 Microsoft patch to all PCs immediately. If you have Windows XP machines in your network we recommend disconnecting them until this wave has passed.

“Our research shows the encryption is done with RSA-2048 encryption, which means that it is near impossible to decrypt unless the coders have made an error somewhere.”

Adam Meyers, VP of intelligence, CrowdStrike:

“The attack vector has all the hallmarks of a traditional computer worm. We’ve not seen a large-scale ransomware campaign that uses self-propagating technique at this scale before, which makes it really unique.

“Organisations must act quickly to ensure they are not impacted. Early analysis of the worm is that it is taking advantage of a very recent Microsoft Windows exploit called EternalBlue, which is the enabler for how files get shared. Swift action to patch against this update is critical, whilst ensuring that back-up data files are disconnected from the core network, as this ransomware has the potential to encrypt back-up files.”

Rick Holland, VP of Strategy, Digital Shadows: 

“Keeping up-to-date with ransomware is not easy; there are many variants. Many do get shut down and their encryption cracked, only for another version to spring up – therefore it’s a constant game of cat and mouse. Those within the NHS will now be looking to contain the threat. We can only hope that adequate backup measures have been put in place so that vital data can be restored and systems cleaned. Most ransomware locks data rather than steals it – if that is the case here then the threat can be somewhat contained.”

Gerrit Lansing, chief architect, CyberArk:

“We are now seeing instances where attackers can use privileged credentials to find and destroy data backups, which have been typically relied on by organisations to recover from the attack and avoid paying the ransom. Back-ups alone are no longer enough, especially if organisations are exposing privileged credentials to attackers.

“This means organisations may have to choose between complete data loss and paying the ransom. Eliminating the attacker’s ability to access administrative credentials to propagate ransomware beyond the initially compromised machine is an essential action to defend against future ransomware attacks and limit damage.”

Gavin Millard, EMEA technical director, Tenable Network Security:

“Whilst this isn’t the first time the National Health Service has been hit with ransomware, it seems like this particular attack has affected more trusts than before. Until the NHS speak publicly about how the ransomware entered their systems and started encrypting crucial files, we can only guess that it was successful due to lax security practices like insufficient patching, poor configuration, and effective filtering of internet communications.”

Symantec Security Response: 

“Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from back-ups where possible.”

Raj Samani and Christiaan Beek, McAfee:

“By remotely gaining control over a victim’s PC with system privileges without any user action, the attacker can spray this malware in the local network by having control over one system inside this network (gaining control over all systems that are not fixed and are affected by this vulnerability), and that one system will spread the ransomware to all vulnerable Windows systems not patched for MS17-010.”

Karl Sigler, Trustwave SpiderLabs: 

"Since the exploit capitalises on a vulnerability in the SMB, disabling SMB or blocking SMB at your perimeter firewall is a good proactive measure to stop spreading to vulnerable systems."
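Sigler's advice (disable or block SMB) and Cook's (apply the MS17-010 patch) can be audited on a Windows host with the script below. It is an added example, not code from the article or from any of the vendors quoted; the KB list is a placeholder because the article does not name the update IDs, and it assumes Get-SmbServerConfiguration and New-NetFirewallRule are available (Windows 8 / Server 2012 or later), with registry and netsh fallbacks for older hosts.

```powershell
# Added example, not from the article or any vendor quoted above.
# Audits a Windows host for the two controls the experts recommend against
# SMB worms like WannaCry: MS17-010 installed, and SMBv1 disabled. Run it
# elevated. With -Remediate it disables SMBv1 and blocks inbound TCP 445
# (the SMB port) at the host firewall; expect reboot and file-sharing impact.
param([switch]$Remediate)
# PLACEHOLDER: the article does not list the MS17-010 KB numbers; take the IDs
# for your OS build from Microsoft's MS17-010 bulletin. On builds that receive
# cumulative updates Get-HotFix may not show a separate entry for the fix.
$Ms17010Kbs = @('KB<MS17-010-ID-FOR-THIS-BUILD>')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) { if ($installed -contains $kb) { return $true } }
    return $false
}
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: SMBv1 is on unless the LanmanServer SMB1 value is 0.
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 worm)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    } else {
        netsh advfirewall firewall add rule name="Block inbound SMB (MS17-010 worm)" `
            dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

$patched = Test-Ms17010Installed -KbIds $Ms17010Kbs
$smb1On  = Test-Smb1Enabled
Write-Output ("MS17-010 installed: {0}" -f $patched)
Write-Output ("SMBv1 enabled:      {0}" -f $smb1On)
if ($smb1On -and $Remediate) {
    Disable-Smb1; Block-InboundSmb
    Write-Output 'SMBv1 disabled and TCP 445 blocked inbound; reboot to apply the registry change.'
}
```

Blocking 445 on a file server stops legitimate clients too, so run the audit first and apply -Remediate only where the host does not need to serve SMB.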

Ryan Kalember, SVP of Cybersecurity Strategy, Proofpoint:

"It’s troubling that this worm has proven so problematic for large organisations that are part of critical infrastructure and impact people’s health and wellbeing. We believe it was just a matter of time for an attack like this to occur because this Microsoft exploit was tailor-made for malware to spread within an organisation’s network—and ransomware is so profitable for cybercriminals."

CERT NZ advisory:

"It is also important to ensure that staff are aware of this campaign, and reminded to be extremely vigilant with incoming emails containing links and attachments."

Michael Bosnar, area vice president ANZ, Ivanti:

“Right now, Australian businesses are opening up for the working week facing the potential impact of the WannaCry ransomware which has hit so many institutions around the world. Organisations should move quickly to patch their systems to avoid being a victim of this attack, but also look to implement strategies such as application whitelisting and privilege management to remove the impact not only of this attack but of future attacks.”

Steven Malone, director of security product management at Mimecast:

"The repercussions of Wcry will be with us for the foreseeable future. As less sophisticated attackers take the original malware code and morph it, waves of variants will continue to plague the organisations who are still lagging behind in locking down their systems."

Nick Savvides, Symantec Security Expert:

"Symantec and Norton protect millions of users in Australia and the telemetry has shown that Australians have been targeted with most attacks being blocked."
