Global ransomware attack "may be coming under control"

15 May 2017

It is difficult to estimate the total number of infections but Kaspersky Labs says its telemetry indicates that more than 45,000 users have been attacked.

It is difficult to estimate the total number of infections but Kaspersky Labs says its telemetry indicates that more than 45,000 users have been attacked.

Kaspersky Lab believes the the ransomware attacks that started hitting the NHS and other organisations across the world on Friday may be coming under control.

Since six o’clock this morning, the security expert says it noted around 500 new attempted ‘WannaCry’ attacks across its customer base. By comparison, it says that on Friday there were six times as many attempts during the first hour alone.  

Costin Raiu, director of global research and analysis at Kaspersky Lab, says this suggests the infection may be coming under control.

He adds: “We do not believe any of these variants were created by the original authors – most likely they were patched by others keen to exploit the attack for their own ends.”

According to Kaspersky, the first attack started spreading on Sunday morning, at around 02.00 UTC/GMT, and was patched to connect to a different domain. The firm says it has so far noted three victims for this variant, located in Russia and Brazil.

The second variation that appeared during the weekend appears to have been patched to remove the kill switch discovered by ‘MalwareTech’, a 22-year-old cyber security researcher from south-west England who reportedly works for LA-based intelligence firm Kryptos Logic. Raiu says this variant does not appear to be spreading, possibly due to the fact it has a bug.

He goes on to says that it is difficult to estimate the total number of infections. “Our own telemetry indicates that over 45,000 users have been attacked but this represents a fraction of the total number of attacks (reflecting Kaspersky Lab’s customer share).

“A more accurate picture of the world situation can be drawn from the sinkhole for the kill switch hardcoded in most versions of WannaCry: Currently the MalwareTech sinkhole, which is collecting redirections from the ‘kill switch’ code, has registered about 200,000 hits.”

Raiu points out that this number does not include infections inside corporate networks where a proxy server is required for connecting to the internet, meaning that the real number of victims might easily be larger.

The WannaCry ransomware attacks exploited a Microsoft Windows vulnerability that has now been patched. 

It has been allleged that the virus (also known as WCry, WanaCryptor, WannaCrypt or Wana Decryptor) was an NSA exploit. It was leaked by hacker group Shadowbrokers on 14 March.

Kaspersky Lab recommends the following to reduce the risk of infection:

  • Install the patch from Microsoft that closes the vulnerability used in the attack
  • Ensure that security solutions are switched on all nodes of the network
  • If Kaspersky Lab’s solution is used, ensure that it System Watcher, a behavioural proactive detection component, and that it is switched on
  • Run the Critical Area Scan task in Kaspersky Lab’s solution to detect possible infection as soon as possible (otherwise it will be detected automatically, if not switched off, within 24 hours)
  • Reboot the system after detecting MEM: Trojan.Win64.EquationDrug.gen

The company warns that WannaCry is also targeting embedded systems. It therefore recommends ensuring that solutions for embedded systems are installed, and that they have both anti-malware protection and Default Deny functionality enabled.

A detailed description of the WannaCry attack method, and Indicators of compromise can be found on Securelist.