Skip to main content

Massive worldwide ransomware attack hits more than 200,000 victims, and climbing

New WannaCry ransomware tool Wanakiwi can save more people's data

Close-up of hands on a laptop keyboard in a dark room.
Dmitry Tishchenko/123RF
On Friday, May 12, 2017, cybersecurity firm Avast reported on a massive ransomware attack that hit more than 75,000 victims in 99 countries and that had risen to over 126,000 in 104 countries by Saturday afternoon. While most of the targets were located in Russia, Ukraine, and Taiwan, other victims have been identified in Europe.

Most notably, Spanish telecommunications company Telefonica was a victim, as were hospitals across the United Kingdom. According to The Guardian, the U.K. attacks hit at least 16 National Health System (NHS) facilities and directly compromised the information technology (IT) systems that are used to ensure patient safety.

Avast
Avast
Recommended Videos

The WanaCryptOR, or WCry, ransomware is based on a vulnerability that was identified in the Windows Server Message Block protocol and was patched in Microsoft’s March 2017 Patch Tuesday security updates, reports Kaspersky Labs. The first version of WCry was identified in February and has since been translated into 28 different languages.

Microsoft has responded to the attack with its own Windows Security blog post, where it reinforced the message that currently supported Windows PCs running the latest security patches are safe from the malware. In addition, Windows Defenders had already been updated to provide real-time protection.

“On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed,” Microsoft’s summary of the attack began. “While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the malware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.”

The statement continued: “Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.”

Avast further speculated that the underlying exploit was stolen from the Equation Group, which has been suspected of being tied to the NSA, by a hacker group calling themselves ShadowBrokers. The exploit is known as ETERNALBLUE and named MS17-010 by Microsoft.

When the malware strikes, it changes the name of affected files to include a “.WNCRY” extension and adds a “WANACRY!” marker at the beginning of each file. It also places its ransom note into a text file on the victim’s machine:

Avast
Avast

Then, the ransomware displays its ransom message that demands between $300 and $600 in bitcoin currency and provides instructions on how to pay and then recover the encrypted files. The language in the ransom instructions is curiously casual and seems similar to what one might read in an offer to purchase a product online. In fact, users have three days to pay before the ransom is doubled and seven days to pay before the files will no longer be recoverable.

Avast
Avast

Interestingly, the attack was slowed or potentially halted by an “accidental hero” simply by registering a web domain that was hard-coded into the ransomware code. If that domain responded to a request from the malware, then it would stop infecting new systems — acting as a sort of “kill switch” that they cybercriminal could use to shut off the attack.

As The Guardian points out, researcher, known only as MalwareTech, registered the domain for $10.69 was unaware at the time of the kill switch, saying, “I was out having lunch with a friend and got back about 3 p.m. and saw an influx of news articles about the NHS and various UK organisations being hit. I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

MalwareTech registered the domain on behalf of his company, which tracks botnets, and at first, they were accused of initiating the attack. “Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian.

That likely won’t be the end of the attack, however, as the attackers might be able to alter the code to omit the kill switch. The only real fix is to make sure that machines are fully patched and are running the right malware protection software. While Windows machines are the targets of this particular attack, MacOS has demonstrated its own vulnerability and so users of Apple’s OS should make sure to take the appropriate steps as well.

In much brighter news, it now appears that there is a new tool that can determine the encryption key used by the ransomware on some machines allow users to recover their data. The new tool, called Wanakiwi, is similar to another tool, Wannakey, but it offers a simpler interface and can potentially fix machines running more versions of Windows. As Ars Technica reports, Wanakiwi uses some tricks to recover the prime numbers used in creating the encryption key, basically by pulling those numbers from RAM if the infected machine remains turned on and the data has not already been overwritten. Wanawiki leverages some “shortcomings” in the Microsoft Cryptographic application programming interface that was used by WannaCry and various other applications to create encryption keys.

According to Benjamin Delpy, who helped develop Wanakiwi, the tool was tested against a number of machines with encrypted hard drives and it was successful in decryption several of them. Windows Server 2003 and Windows 7 were among the versions tested, and Delpy assumes Wanakiwi will work with other versions as well. As Delpy puts it, users can “just download Wanakiwi, and if the key can be constructed again, it extracts it, reconstructs it (a good one), and starts decryption of all files on the disk. In bonus, the key I obtain can be used with the malware decryptor to make it decrypt files like if you paid.”

The downside is that neither Wanakiwi nor Wannakey works if the infected PC has been restarted or if the memory space holding the prime numbers has already been overwritten. So it is definitely a tool that should be downloaded and held at the ready. For some added peace of mind, it should be noted that security firm Comae Technologies assisted with developing and testing Wanakiwi and can verify its effectiveness.

You can download Wanakiwi here. Just decompress the application and run it, and note that Windows 10 will complain that the application is an unknown program and you will need to hit “More info” to allow it to run.

Mark Coppock/Digital Trends
Mark Coppock/Digital Trends

Ransomware is one of the worst kinds of malware, in that it attacks our information and locks it away behind strong encryption unless we pay money to the attacker in return for a key to unlock it. There is something personal about ransomware that makes it different from random malware attacks that turn our PCs into faceless bots.

The single best way to protect against WCry is to make sure that your Windows PC is fully patched with the latest updates. If you have been following Microsoft’s Patch Tuesday schedule and running at least Windows Defender, then your machines should already be protected — although having an offline backup of your most important files that can’t be touched by such an attack is an important step to take. Going forward, it is the thousands of machine that have not yet been patched that will continue to suffer from this particular widespread attack.

Updated on 5-19-2017 by Mark Coppock: Added information on Wanakiwi tool.

Mark Coppock
Mark Coppock is a Freelance Writer at Digital Trends covering primarily laptop and other computing technologies. He has…
ADP Workforce Now goes beyond an HR solution, it’s your next administrative companion
ADP Workforce Now branded piece: Man in business suit featured image.

If you're running a small business, your time is pretty much spoken for. You spend most of it, well, running the business and handling administrative and employee-related duties. For example, checking on and maintaining payroll, screening for and hiring new talent, generating income and profit reports, reviewing those reports, inventory, and much more. Needless to say, you need all the help you can get, and any kind of time saver that you can take advantage of -- especially with automation -- is going to be a game changer. Cue ADP Workforce Now, an excellent HR and payroll platform for . It doesn't matter whether you have 50 employees or 1,000, ADP Workforce Now is a big help.

If you've never heard of it before, or have heard of it but aren't familiar with its capabilities, here's just some of what ADP Workforce Now has to offer: Easier HR management with automation features, faster, more convenient payroll management, accurate timekeeping, talent acquisition tools, employee management support, benefits administration simplification, and much, much more. All you need to know is that it makes your job easier -- and HR's, too. But most importantly, and perhaps the best benefit, it saves you lots of time so you can focus on more essential tasks.

Read more
How to create a new team in Microsoft Teams
Example of Teams chat.

Few communication applications are as versatile as Microsoft Teams. Along with allowing you to send quick messages to teammates or launch a video chat, the software is fully integrated with Office 365 so you can optimize its performance. If you know how to use Microsoft Teams, you'll know that one of its most useful features is the ability to create a new team.

Knowing how to make a new team and how to properly organize teams makes it easy for a company to enhance productivity and streamline communication. When used effectively, Microsoft Teams is useful for both in-office and remote workers, ensuring everyone stays on the same page regardless of location.

Read more
Timekettle W4 Pro AI interpreter earbuds: Your personal global business assistant
Timekettle W4 Pro AI interpreter earbuds worn during international diplomatic meeting

Picture this. You're about to sit down in a huge international business meeting. This could make or break your company and put your team on the map. There's just one problem. Your clients don't speak the same language as you. Even with an interpreter in the room that's going to make things quite a bit more challenging. But also difficult, you have a small team so you won't have anyone with you to jot down notes, look up or research various topics, and just generally provide some support. It's all you. The good news is that modern technology has you covered. Timekettle is introducing its W4 Pro AI interpreter earbuds that are more than just a pair of wireless headphones -- they are designed to be your next personal global assistant.

Starting with quick and private one-on-one communication support with real-time interpretations, to noise-cancelation features, audio, and text transcription, you'll have everything you need to overcome those challenges and win the client. Of course, it's much more complex than that with a variety of features and internal tech that makes it all work. Unveiled at IFA 2024 in Berlin, let's take a closer look at this impressive wearable. Prepare to be amazed, I certainly was.

Read more