WannaCRY ransomware is spreading like wildfire across the globe
A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'. What makes it so dangerous is its capacity to spread over the internet, like worms such as Conficker or Blaster did back in the day, exploiting a recently patched SMB vulnerability.
Additionally, researchers from Talos Intelligence have observed WannaCry samples making use of DOUBLEPULSAR, a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. The backdoor is typically installed following successful exploitation of the SMB vulnerabilities addressed in Microsoft Security Bulletin MS17-010, also known as "Eternal Blue". If those names seem familiar, it's because they all come from the recent Shadow Brokers leak concerning the NSA.
Don't think it is over just because we've discovered and activated a "kill switch". At the time of writing this newsletter, the malware is still active and the situation may continue to change. While the initial version did indeed contain a kill switch (the malware looked up a specific domain and, if it was registered, would exit without doing any harm), some samples have been found with this kill switch hex-edited out of the binary. Moreover, organizations that use proxies will not benefit from the kill switch, because the malware's direct lookup of the domain fails behind a proxy and it carries on as if the domain were unregistered.
Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Microsoft has released a patch for vulnerable systems, including the out-of-support Windows XP and Vista. Additionally, organizations should block SMB ports (139, 445) on all externally accessible hosts.
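The following script is an added example, not code from this newsletter: it checks the two points above from a defender's side. It probes hosts you own for SMB ports reachable over a direct TCP connection (run it from outside the perimeter) and tests whether a direct, non-proxied lookup of the kill-switch domain would even succeed from the network it runs on. The domain name is a placeholder (the newsletter does not name it), and modelling the lookup as DNS resolution plus a direct TCP connect to port 80 is an assumption about how the sample reaches the domain.

```python
"""Perimeter check for the two WannaCry mitigations: SMB ports (139, 445) must not be
reachable from outside, and the kill switch only helps if the malware's own direct
lookup of its domain can succeed (it fails behind a forced proxy).

Added example, not the newsletter's code. KILL_SWITCH_DOMAIN is a placeholder, and the
"resolve + direct TCP connect to port 80" model of the lookup is an assumption."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SMB_PORTS = (139, 445)
KILL_SWITCH_DOMAIN = "kill-switch-domain.example"  # placeholder, not the real domain


def tcp_open(host, port, timeout=2.0):
    """True if a direct TCP handshake to host:port completes, False on any error.
    No proxy is involved: this is the kind of connection a worm makes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb_exposure(hosts, ports=SMB_PORTS, timeout=2.0):
    """Probe each host for reachable SMB ports. Run this from outside the perimeter
    (or from a less trusted segment) against hosts you own.
    Returns {host: {port: reachable}}."""
    results = {}
    with ThreadPoolExecutor(max_workers=32) as pool:
        pending = {(h, p): pool.submit(tcp_open, h, p, timeout)
                   for h in hosts for p in ports}
        for (h, p), fut in pending.items():
            results.setdefault(h, {})[p] = fut.result()
    return results


def exposed_hosts(results):
    """Hosts with at least one SMB port reachable: block or patch these first."""
    return sorted(h for h, ports in results.items() if any(ports.values()))


def kill_switch_effective(domain=KILL_SWITCH_DOMAIN, timeout=3.0):
    """Does a direct (non-proxied) lookup of the kill-switch domain succeed from here?
    If not, a sample on this network never sees the domain and keeps running, which
    is the proxy failure mode described in the text."""
    try:
        ip = socket.gethostbyname(domain)
    except socket.gaierror:
        return {"resolves": False, "direct_connect": False}
    return {"resolves": True, "direct_connect": tcp_open(ip, 80, timeout)}


def main(argv):
    # Constructed default target; pass your own externally reachable IPs instead.
    hosts = argv[1:] or ["127.0.0.1"]
    results = smb_exposure(hosts)
    for host, ports in results.items():
        state = ", ".join(f"{p}={'OPEN' if up else 'closed'}" for p, up in ports.items())
        print(f"{host}: {state}")
    print("exposed:", exposed_hosts(results) or "none")
    print("kill switch reachable directly:", kill_switch_effective())


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 smb_check.py <external-ip> ...` from a vantage point outside your network; any host listed under "exposed" still answers on 139 or 445 and needs the port blocked or the MS17-010 patch confirmed. A `direct_connect: False` result for the kill-switch domain means the kill switch would not save that network segment, so it should not be counted on as a mitigation there.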