InternetNews

The WannaCry-based ransomware attack that nearly brought the world to a standstill

It has become clear that Telefónica was only the beginning of the WannaCry ransomware attack, which ended up affecting almost a hundred countries around the world but has not achieved its objective, since there have been barely a handful of payments.

Yesterday we witnessed a hectic day in terms of computer security. It all started with Telefónica and an attack that we at first thought was local to Telefónica, but which quickly jumped to other companies, or at least that is what has been speculated, leading many of them to cut their internet access as a precaution and keep only the internal network running. This attack, by means of a ransomware called WannaCry, is not a localized thing: it has affected all types of companies and has spread throughout the world, leaving companies and institutions hijacked.

After receiving the first data, as we said, some companies in our country began to take measures to avoid being affected. In the afternoon we began to receive the first data showing that this was not a local thing but a global one, and that it was growing exponentially. The attack is indiscriminate and has no borders, so much so that it has affected several hospitals in the United Kingdom, institutions in Russia, cases in Ukraine and Taiwan, and more countries than we can count on our fingers.

Device and data hijacking

Kaspersky Lab's director of global research, Costin Raiu, says that by 19:00 (Spanish time) there had been more than 45,000 ransomware attacks in at least 74 countries. Two hours later, at 21:00 (Spanish time), the Avast company raised the figure to more than 75,000 affected devices in 99 countries, which is no small number. The most affected countries have been Spain, Russia and Taiwan, and many report that victims have begun paying the hijackers in Bitcoin.

MalwareTech has issued a report stating that the attack is based on EternalBlue, an exploit used by the NSA that was leaked by Shadow Brokers in March of this year and that only affects Windows devices. In April Microsoft published a patch to solve the problem, but, as always happens with these things, there are many computers that have not been updated.

FedEx has confirmed that they have been victims of WannaCry, that a large number of Windows-based computers in their UK offices have been hijacked, and that they are implementing measures to contain the attack. There is no data on the measures taken, but the SwiftOnSecurity Twitter account says that all FedEx workers in the United States have been ordered to shut down and disconnect from the network every non-essential computer running Windows, to avoid further spread.

Russia has also been affected, with at least XNUMX computers from the Interior Ministry infected by the attack. The Kremlin assures that everything is under control, that they have managed to contain the attack successfully and that they have not lost information (they could explain how they did it, because everyone is going mad over this issue).

For those who want to see how the situation stands, there is an interactive map, available to everyone, that shows the situation in real time (really scary). The map shows activity in many parts of the globe, although very few companies or institutions have officially confirmed the attack on their devices. Mexico has several attacks marked, but there is no official data on whether they have actually suffered one.

Chema Alonso's explanations

Chema Alonso, the best-known security expert in Spain, who curiously works at Telefónica, has already commented on Twitter that he is not responsible, and it is true: no matter how good you are, it is enough for someone to skip a security protocol and chaos breaks out, as seems to be happening in this case, since it could be ordinary users who have inadvertently started the tsunami in their companies or institutions.

On his blog 'The side of evil' (El lado del mal), he comments that the objective of the ransomware is to encrypt the content and not to steal it, and that it is distributed through a dropper via an email that was not detected by many antimalware engines. Chema says that antimalware engines now detect it because he and other affected colleagues have been collaborating with the companies that develop them.

Chema's explanation of how it happened is quite simple and enlightening:

  • Infection phase: massive spam to email addresses around the world with a link to download the dropper (which in turn downloads the payload). In plain terms, a kind of automatic installer is downloaded that starts the party.
  • Once the dropper has run, the machine is infected with the ransomware.
  • The infected machine scans the local network looking for computers vulnerable to MS17-010, infects each one it finds and spreads the infection from there. MS17-010 is the Windows vulnerability that has opened the door to this monumental mess.
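The third phase above, one infected host sweeping the local network for other SMB (TCP/445) targets, is exactly what stands out in network flow data. The following is an added example (not code from the article or from Chema Alonso's blog) that flags hosts with an unusually high SMB fan-out inside the local subnet; the log format, subnet and threshold are assumptions, and the log lines are constructed.

```python
"""Detect worm-style SMB scanning from flow records.

Added example. Record format "<timestamp> <src_ip> <dst_ip> <dst_port>" is an
assumption; a real detector would also window by time.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.5.0/24")   # assumed local subnet

# Constructed sample: one host (10.0.5.23) sweeps twelve neighbours on 445,
# two workstations talk to a file server, and one HTTPS flow leaves the site.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.5.23 10.0.5.{100 + i} 445" for i in range(12)]
    + [
        "2017-05-12T10:00:03 10.0.5.40 10.0.5.200 445",
        "2017-05-12T10:00:04 10.0.5.41 10.0.5.200 445",
        "2017-05-12T10:00:05 10.0.5.23 203.0.113.5 443",
    ]
)


def parse_flows(text):
    """Parse one record per line into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows


def smb_fanout(flows, local_net=LOCAL_NET):
    """Number of distinct local hosts each source contacted on TCP/445."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == 445 and ip_address(dst) in local_net:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def suspected_scanners(flows, threshold=10):
    """Sources whose SMB fan-out reaches the threshold, sorted for stable output."""
    return sorted(src for src, n in smb_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    print("suspected SMB scanners:", suspected_scanners(parse_flows(SAMPLE_LOG)))
```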

The information provided by Chema Alonso shows that the Bitcoin wallet addresses built into the software carry only eight transactions in total across the three addresses used by this malware. According to a report, they have raised only about $6,000, a rather ridiculous figure, if we are honest, for the number of machines affected.

Robert Sole

Director of Contents and Writing of this same website, technician in renewable energy generation systems and low voltage electrical technician. I work in front of a PC, in my free time I am in front of a PC and when I leave the house I am glued to the screen of my smartphone. Every morning when I wake up I walk across the Stargate to make some coffee and start watching YouTube videos. I once saw a dragon ... or was it a Dragonite?

2 comments

  1. And this happens by not worrying about keeping the equipment updated and in constant maintenance so that the company saves a few dollars, just as they should train the workers who work on computer equipment, for example with a basic class on network security and identification of malicious emails. Windows already solved this problem 2-3 years ago by creating a shadow of Windows, so that you can see how long the PC has gone without updating, and I would put my hand in the fire that most computers were running Windows XP. (Yes, I know, companies are very careful about costs, but if your business is 100% computerized, there is no expense to spare.)
