The highly publicized WannaCry ransomware attack that was unleashed last week is the biggest of its kind ever recorded.

The large-scale attack initially infected a significant number of the UK’s National Health Service (NHS) trusts before spreading rapidly to other organizations across 150 countries worldwide.
The frightening thing is that the organizations hit appear to be completely random, giving no indication of where it could move to next.
It’s fair to say many IT teams have entered panic mode as they rush to update their software and back up their data.
So what exactly happened, what makes this mega ransomware attack so brutal and what can you do to stay safe? Read on to find out.

What happened?

The attack came to life on the 12th of May when roughly 40 NHS organizations including hospitals and GP practices across the UK were hit.
While patient records reportedly weren’t compromised, medical practitioners were unable to access them leading to massive disruption across the healthcare system, including cancelled operations.
Over the following 48 hours the malware spread to a number of other organizations across the globe.
These included Germany’s rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, French carmaker Renault, US logistics giant FedEx and Russia’s Interior Ministry.
The spread of the WannaCry ransomware attack was then contained by a UK security researcher known as “MalwareTech”.
This leaves the latest count of infected computers at an estimated 200,000, but the number may continue to rise as variants of the malware are repackaged and launched.
As we’ve seen from our recent discovery of SLocker’s return, new variations of ransomware can be easily redesigned and deployed or packaged up with other pieces of malware to execute further attacks.
In the case of SLocker, the new variants discovered by MI:RIAM use a wide variety of disguises including altered icons, package names, resources and executable files in order to evade signature-based detection.

Who’s responsible for the WannaCry attack?

There is no indication yet of who is behind the attack. The hackers demanded payment in Bitcoin, which is harder to trace.
Unlike most ransomware, WannaCry’s architecture is modular, a feature known to be used in complex malware projects such as banking Trojans.
With this knowledge, we can suspect that the authors behind WannaCry are more likely to be a group of people rather than just one developer.

How WannaCry works

The virus exploits a flaw in Microsoft Windows, dubbed “Eternal Blue”, which was reportedly identified by (and stolen from) US intelligence before being revealed in the Shadowbrokers leak on April 14.
Once inside the system, the attackers install a rootkit, which enables them to download the software that encrypts the data.
A request for $600 in Bitcoin is displayed along with the wallet address to pay into. The victim is given a deadline to make the payment; if they fail to do so, the ransom demand increases.

What can we learn from the attack?

This ransomware attack is a reminder of the security basics. First, keep software up to date, whether it’s desktop or mobile.
Those who applied critical Microsoft Windows patches released in March were protected against this attack. Many organizations had failed to keep their systems up to date, allowing the virus to spread.
Secondly, always keep offline backups of important data. For ransomware attacks like this one, having a viable backup will enable a simple incident response, which should leave the attacker with no bargaining chips.
Finally, this is a critical reminder that even ‘minor’ threats like ransomware can be crippling if delivered in a certain way. What’s particularly interesting about this attack is that it deliberately targets businesses; members of the public do not appear to be its creators’ intended target. This corporate targeting is exactly what we saw last week with SLocker. Our recommendation is to keep every potential delivery avenue as secure as possible – mobile security of course, but also the traditional entry points.