WNCR Ransomware attacks target Windows users

The recent "WannaCrypt" ransomware attack turned out to be a small global disaster.

The malicious software (malware) in question is first initiated remotely by an attacker, using an application-layer protocol called the SMB (Server Message Block). The protocol runs on Windows computers, but other popular operating systems (MacOS, Linux, Unix) support it too.

The SMB gives shared access to files, printers, serial ports and miscellaneous communications between nodes on a network.

Earlier on April 14, a particular exploit known as "EternalBlue" was published by a secretive hacker group who call themselves "Shadow Brokers." Last year, the same group had claimed to have stolen these files from another cyber-espionage group known as the "Equation Group," which many security firms claim is the Unite States' National Security Agency (NSA). The Shadow Brokers then put up the tools up for auction, but no one was interested in paying 1 million Bitcoin ($570 million at the time).

But, last week, the Shadow Brokers published the passwords to the files, which are now available in all popular repositories. Apparently, the Equation Group had been infiltrating banks and secretly keeping an eye on SWIFT transactions.

The files included in the dump indicate that Equation Group had targeted and successfully infiltrated the SWIFT Service Bureau of the Middle East (EastNets), one of the SWIFT departments managing and monitoring transactions across Middle East banks. What is really remarkable, the U.S. already had access to the SWIFT network for terrorism investigation purposes. Minutes after the EternalBlue passwords were available, security researchers started tweeting that "any attacker can download this simple toolkit to hack into Microsoft based computers around the globe," and that is exactly what happened.

The WannaCrypt ransomware started appearing and spreading in desktop computers globally and affecting more than 200,000 computers around 150 countries, according to the EU officials. Among them were corporate giants like FedEx, Renault, Telefonica (a Spanish telecommunications company) as well as services providers like the NHS, and German railway. However, the majority of the computers were in Russia and even though Microsoft published a patch for Windows, not every computer user has applied the security update. Moreover, legacy versions such as Windows 8 and Windows XP, which are commonly used in Europe and Asia, are vulnerable. No attacks on MacOS or Linux have so far been reported.

Once infected, the computer displays a message, where the hackers demand $300 worth of bitcoin within three days to unlock the files and threaten to double the fine, before permanently preventing access after seven days. Very few have paid the ransom. Apparently, $51,300 in 193 transactions was sent to the three bitcoin addresses connected to the malware. Then, the blame game started: The U.S. government, so to speak, the NSA has been blamed for developing tools and attacking computers used for banking and commerce.

Eventually, these tools fell into the hands of the attackers. We do not know and will very likely never know who these attackers were. At the same time, Microsoft has taken its share of the blame for not supporting the legacy versions of their software and operating systems. What was interesting is that the attackers demanded the ransom to be paid in Bitcoin; a vast majority the affected users probably did not even know what Bitcoin is or how to get one. Bitcoin is a distributed electronic currency protocol that allows its users to remain anonymous. We can safely guess that many governments around the world will try to make Bitcoin exchanges illegal in order to make it very difficult to change real money into Bitcoins. In fact, Bitcoin plunged more than $200 last week.

Now, we can only wait and see what the future brings.