I heard about this threat from colleagues who worked a lot of overtime last week. Well, IT work has its consequences, and employers appreciate availability. The cause of all the commotion is ransomware that attacks unprotected Windows machines. All versions of this operating system are at risk. The situation is worst for machines running Windows XP and Vista, which are no longer supported.
I never liked the so-called Network Neighborhood, i.e. the Samba protocol. Back in the days of Windows 98 I already considered it an inefficient way to exchange data between computers on a local network. It is true that it is very convenient to use on Windows computers, so this method is very popular in efficient local area network infrastructures. However, the implementation of this protocol in Windows was not secure. The vulnerability was discovered by the NSA (the National Security Agency of the United States). Its agents developed an exploit called EternalBlue from their discovery. Initially no one was aware of this, but the hacker group Shadow Brokers stole it from the NSA servers on 14th April this year.
Microsoft patched the vulnerability on 14th March as part of security bulletin MS17-010.
The hole is very serious because it allows an attacker to remotely execute arbitrary code. Users of Windows versions supported by Microsoft (i.e. Windows 7, 8.1 and 10) should already have the patch installed. Of course, this applies to those who did not disable automatic update installation. Those who knew better and deliberately turned this function off are at risk of a ransom demand. Well, one pays for stupidity. This time it is $300, or else the loss of valuable data. However, security experts advise following the American film strategy of not negotiating with terrorists. If you pay the ransom to have your files decrypted, you will end up on the cybercriminals' proverbial black list. To hackers, you will be a potential victim of the next attack.
Microsoft released a patch even for Windows XP.
Statistics show that Internet users mainly use supported versions of Microsoft's operating system. The unsupported triumvirate is already in the minority, with the most popular being Windows XP (5.26% market share). Unfortunately, Windows XP, 8 and Vista received a critical patch after the wave of attacks. WannaCry mainly attacked computers working in various public facilities: police stations, hospitals, airports, ATMs, and anywhere else it was assumed that Windows devices had no direct access to the Internet and were therefore safe. If you want to install the patch required for your system, you will find all the details on Microsoft's blog.
WannaCrypt virus has been disabled, but version 2.0 has been released.
It turned out that the first version of WannaCry had a hidden switch. Before attempting to encrypt files and infect neighbouring computers, the worm tried to connect to several domains, including iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, which did not exist. One security specialist decided to register this address to monitor the scale of the phenomenon. As it turned out, this activated the hidden switch, because the ransomware deactivated itself when it connected to the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain. However, hackers quickly modified the virus and removed this mechanism. After the weekend, computers in around 150 countries had fallen victim to the attack. Reportedly 10,000 organizations and businesses and 200,000 home users were infected. The worm paralysed the work of many companies; those known so far include giants such as Renault, Nissan, Frankfurt S-Bahn, FedEx, Telefonica (Spanish operator), Megafon (Russia) and Portugal Telecom.
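The hidden switch described above also gives defenders a simple indicator: an internal machine that looks up that domain is probably running the worm. The Python code below is an added example, not part of the original post; it scans DNS query logs for such lookups and separates hosts whose lookups never resolved. The log layout, client addresses, timestamps and function names are assumptions constructed for illustration.

```python
import re

# Kill-switch domain exactly as quoted in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumed log layout (constructed for this example, not a real resolver's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) "
                     r"query=(?P<qname>\S+) type=\S+ rcode=(?P<rcode>\S+)$")

# Constructed sample data: addresses, timestamps and the www. label are made up.
SAMPLE_LOG = """\
2017-05-12T08:01:10Z client=10.0.9.5 query=example.com type=A rcode=NOERROR
2017-05-12T09:14:02Z client=10.0.4.17 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A rcode=NXDOMAIN
2017-05-12T09:14:40Z client=10.0.4.17 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A rcode=NXDOMAIN
2017-05-12T11:30:55Z client=10.0.4.31 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A rcode=NXDOMAIN
this line is truncated client=10.0.4.99
2017-05-13T07:45:09Z client=10.0.4.31 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A rcode=NOERROR
2017-05-13T08:02:31Z client=10.0.4.23 query=IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. type=A rcode=NOERROR
"""

def is_kill_switch(qname):
    # DNS names are case-insensitive and may carry a trailing root dot.
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)

def triage(log_text):
    """Map each client that looked up the domain to a summary of its lookups."""
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_kill_switch(m["qname"]):
            continue  # malformed line or unrelated query
        h = hosts.setdefault(m["client"],
                             {"first_seen": m["ts"], "lookups": 0, "resolved": False})
        h["lookups"] += 1
        h["first_seen"] = min(h["first_seen"], m["ts"])  # ISO timestamps sort as text
        h["resolved"] = h["resolved"] or m["rcode"].upper() == "NOERROR"
    return hosts

def never_resolved(hosts):
    """Clients whose lookups all failed, so the switch cannot have fired for them."""
    return sorted(c for c, h in hosts.items() if not h["resolved"])

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for client, info in sorted(found.items()):
        print(client, info)
    print("isolate first:", never_resolved(found))
```

Every client in the result deserves investigation; a resolved lookup only shows that the worm could have reached the domain, not that the machine is clean.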
Here is a video showing a machine on the left infected with MS17-010 worm, spreading WCry ransomware to machine on the right in real time. pic.twitter.com/cOIC06Wygf
— Hacker Fantastic (@hackerfantastic) May 13, 2017