A highly virulent new strain of self-replicating ransomware is shutting down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers.
As Ars reported earlier, the malware known as wanna, wannacry, or wcry, is causing disruptions at banks, hospitals, telecommunications services and other mission-critical organizations in multiple countries, including the UK, Spain, Russia, Germany, and Turkey. The UK government's National Health Service and Spanish telecom Telefonica have both been hit extremely hard. The Spanish CERT has called it a "massive ransomware attack" that is encrypting all the files of entire networks and spreading laterally through organizations.
Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the Eternalblue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring operators to open e-mails, click on links, or take any other sort of action.
So-called worms, which spread quickly amid a chain of attacks, are among the most virulent forms of malware. Researchers are still investigating how Wcry takes hold. The awesome power of worms came into sharp focus in 2001 when Code Red managed to infect more than 359,000 Windows computers around the world in 14 hours.
More Blacklisted News...