Exploiting vulnerabilities in outdated and unpatched Windows operating systems, such as Windows XP and Windows Server 2003, cybercriminals unleashed a ransomware worm that has hit more than 250,000 computers over the past three days. The attack, dubbed WannaCry, uses the EternalBlue exploit, which was developed by the NSA to compromise Windows systems. Many variants of the malware have since been detected, and security researchers feared the numbers would climb further as people returned to their offices today.
The attackers behind WannaCry used one of the exploits leaked by the Shadow Brokers. The malware spreads as a worm: once it infects one host, it scans for other vulnerable Windows systems, both on the local network and across the internet, and infects them without any user action, so a single compromised machine can quickly take down an entire network. On each infected system the ransomware payload encrypts the user's files and demands a payment of $300 to $600 in Bitcoin.
WannaCry exploited a flaw that was also present in outdated systems such as Windows XP, which Microsoft stopped supporting in April 2014. For supported versions of Windows, Microsoft had released a fix back in March 2017 (security bulletin MS17-010), but systems that have not applied the update remain exposed. The attack spread on an unprecedented scale, hitting UK National Health Service trusts, FedEx, Telefonica, Renault and Nissan car manufacturing plants, US universities, Russian government agencies and Chinese ATMs, among many other systems across some 150 countries.
Microsoft has since issued an emergency security patch for all affected systems, including the unsupported legacy versions, to slow the spread of the malware. But considerable damage has already been done. After a security researcher found a ‘kill switch’ that curbed the spread of the original sample, others modified the malware, and several new variants have been identified over the past three days.
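A practitioner reading this will want to know whether a given host is still exposed. The PowerShell script below is an added example, not code from the article or from Microsoft: it checks whether one of the March 2017 update packages (MS17-010) is installed and whether the SMBv1 server protocol, which the EternalBlue exploit targets (a detail the article does not state), is still enabled. The KB identifiers it looks for are an assumption, taken as the MS17-010 packages for Windows 7 SP1 / Server 2008 R2; check the MS17-010 bulletin for the identifiers that apply to your build, and note that later cumulative rollups supersede these packages and will not show up under the original KB number.

```powershell
# Added example (not from the article): audit one Windows host for the two
# conditions that made it exposed to WannaCry's worm component:
#   1. the March 2017 SMB fix (MS17-010) is not installed, and
#   2. the SMBv1 server protocol that EternalBlue targets is still enabled.
# Assumption: the KB numbers below are the MS17-010 packages (security-only
# and monthly rollup) for Windows 7 SP1 / Server 2008 R2. Later rollups
# supersede them, so extend the list with the identifiers for your own build
# as given in the MS17-010 bulletin.
$Ms17010Kbs = @('KB4012212', 'KB4012215')   # assumed: Win7 SP1 / 2008 R2

function Test-Ms17010Installed {
    param([string[]]$Kbs = $Ms17010Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # Any one of the listed packages carries the fix.
    return [bool]($Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMBv1 is on unless the SMB1 value is set to 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $params.SMB1) { return $true }
    return ($params.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'SMBv1 server disabled in the registry; a reboot is required for it to take effect.'
    }
}

# Report only; disabling SMBv1 is left to the operator, because legacy
# clients, NAS boxes and printers may still depend on it.
$patched = Test-Ms17010Installed
$smb1    = Test-Smb1Enabled
Write-Output ("MS17-010 package present : {0}" -f $patched)
Write-Output ("SMBv1 server enabled     : {0}" -f $smb1)
if (-not $patched -or $smb1) {
    Write-Warning 'Host is exposed to EternalBlue-style propagation: apply MS17-010 and run Disable-Smb1.'
}
```

Run it from an elevated PowerShell prompt on each host. Even on a patched machine, leaving SMBv1 enabled keeps the attack surface open to the next flaw in that protocol, so the two checks are meant to be read together rather than as alternatives.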
“The new variants appear to have been made by third parties modifying the initial malware. The changes are trivial and some do bypass the so-called killswitch,” said Craig Williams, senior technical leader and global outreach manager at Cisco Talos.
According to reports, the attackers are using around three Bitcoin addresses to receive payments from victims. Although the owners of the wallets are unidentified, the transactions and balances are publicly visible on the blockchain, and a Twitter bot has been created to track the payments in real time. As of May 14th, ransom payments totalling $33,320 had been made.