A highly virulent new strain of self-replicating ransomware is shutting down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers.
As Ars reported earlier, the malware known as wanna, wannacry, or wcry, is causing disruptions at banks, hospitals, telecommunications services and other mission-critical organizations in multiple countries, including the UK, Spain, Russia, Germany, and Turkey. The UK government’s National Health Service and Spanish telecom Telefonica have both been hit extremely hard. The Spanish CERT has called it a “massive ransomware attack” that is encrypting all the files of entire networks and spreading laterally through organizations.
Remember Code Red?
Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the Eternalblue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring operators to open e-mails, click on links, or take any other sort of action.