WannaCry ransomware: worst yet to come, experts say
Hackers likely to release a WannaCry version 2 as early as today
The WannaCry ransomware is expected to continue spreading today as much of the world returns to work after the weekend.
Reuters reports from Asia already indicate widespread attacks as the region opens for business.
Further, there are fears that the original hackers, or copycats, will release a second version of the ransomware as early as today. The second will most likely be an altered version that is even harder to contain, experts contend.
Rick Holland, vice president of strategy at Digital Shadows, observes that keeping up to date with ransomware is not easy, as there are many variants. “Many do get shut down and their encryption cracked, only for another version to spring up – therefore it’s a constant game of constant cat and mouse.”
WannaCry ransomware was released on Friday, causing havoc all over the world, from disrupting public healthcare in the UK to affecting information displays at German train stations.
The Middle East seemed to have escaped the brunt of the initial attack, most likely because it struck during the weekend in much of the Arab World. The region may not be so lucky second time out, unless organisations take urgent measures to patch vulnerable Windows systems.
WannaCry exploited vulnerabilities on Windows, using hacking tools apparently stolen from America’s NSA.
The tools, which were dumped by a group known as the Shadow Brokers, use previously undisclosed vulnerabilities that allowed the NSA to break into organisations worldwide. However, Bilal Baig, technical lead for the Middle East, Mediterranean, Africa, Russia & CIS at Trend Micro, says it is likely the Shadow Brokers still hold tools that have not been released to the public. “These tools still have the ability to break into systems without being discovered, which is scary,” Baig warns.
Microsoft had released a patch in March to protect users against the vulnerability the ransomware exploits, but many users had yet to install it. It released a further patch on Friday, covering older unsupported Windows versions, as the malware spread globally.
Jimmy Graham, director of product management for AssetView at security firm Qualys, says that because this exploit took only 28 days to go from the initial zero-day leak to a fully functional global assault, companies that rely on monthly scan cycles may not have even detected, let alone patched, the MS17-010 vulnerability.
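The check a Windows administrator wants after reading the paragraph above is whether a given host actually has MS17-010 installed, without waiting for the next monthly scan cycle. The following PowerShell script is an added example written for this article, not code from the article, from Qualys or from Microsoft. It assumes a list of KB numbers for the MS17-010 update (recalled from the bulletin, so verify them against Microsoft's published list for your Windows versions) and treats any security update installed on or after the March 2017 patch date on Windows 10 or Server 2016 as evidence of coverage, because cumulative updates there supersede the original KB.

```powershell
# Added example (not from the article): report whether this Windows host appears to be
# missing the MS17-010 update that closes the hole WannaCry's worm component exploits.
# The KB numbers below are assumed from memory of the MS17-010 bulletin; verify them
# against Microsoft's published list before relying on this for compliance decisions.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup), assumed
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2, assumed
    'KB4012214', 'KB4012217',              # Server 2012, assumed
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates, assumed
)
$Ms17010ReleaseDate = Get-Date '2017-03-14'  # Patch Tuesday on which MS17-010 was published

function Test-Ms17010Status {
    param(
        [string[]]$KnownKbs = $Ms17010Kbs,
        [datetime]$ReleaseDate = $Ms17010ReleaseDate
    )

    # Installed hotfixes as Windows reports them (HotFixID, Description, InstalledOn).
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)
    $matched  = @($hotfixes | Where-Object { $KnownKbs -contains $_.HotFixID } |
                 ForEach-Object { $_.HotFixID })

    # Windows 10 / Server 2016 cumulative updates supersede the original KB, so a
    # later security update also counts as coverage on those platforms only.
    $laterSecurity = @($hotfixes | Where-Object {
        $_.Description -eq 'Security Update' -and $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate
    })
    $os      = (Get-CimInstance Win32_OperatingSystem).Caption
    $isWin10 = ($os -like '*Windows 10*') -or ($os -like '*Server 2016*')

    $covered = ($matched.Count -gt 0) -or ($isWin10 -and $laterSecurity.Count -gt 0)

    # Emit an object rather than text so results from many hosts can be collected.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OperatingSystem      = $os
        MatchedKb            = ($matched -join ',')
        LaterSecurityUpdates = $laterSecurity.Count
        LikelyPatched        = $covered
        CheckedAt            = Get-Date
    }
}

# Local run; for a fleet, wrap the call in Invoke-Command and pipe to Export-Csv.
Test-Ms17010Status | Format-List
```

A host reported as `LikelyPatched = False` is the one to prioritise; a `True` result is only as reliable as the KB list and the date heuristic, so treat it as triage, not proof, and confirm with your patch-management console.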
The ransomware is a worm, allowing it to propagate itself through the network, hence its ability to spread far and wide.
The attack began on Friday, when cybercriminals tricked victims into opening malicious attachments to spam emails that appeared to contain legitimate invoices, job offers, security warnings and the like, a technique known as social engineering.
The ransomware encrypted data on victim computers, demanding payments of $300 to $600 to restore access. A number of victims are known to have paid via the digital currency bitcoin.