WannaCry Ransomware Wreaks Havoc

What Is It?

As May 12, 2017 dawned, healthcare staff and patients began arriving at the U.K.’s National Health System (NHS) facilities for what many expected to be a routine day of medical treatments for conditions ranging from common colds to serious surgeries.

But by mid-morning, NHS was in a state of “chaos.” Major IT systems and some networked medical devices were unusable. Patients were turned away from pre-scheduled procedures, and only the direst of cases could be admitted to emergency rooms for treatment. Medical staff resorted to pens and paper to record notes on patients’ symptoms, diagnoses and treatments.

The NHS had become one of 300,000 victim systems across 95 countries infected by WannaCry, the largest ransomware attack to date.

WannaCry has become a real-life case study for what security researchers have been warning is possible in attacks on healthcare networks. Other notable victims included FedEx in the US, Telefonica in Spain and Nissan factories in Japan.

The ransom demand was initially $300 via Bitcoin. Three days later, that demand increased to $600.

Healthcare environments are particularly well-suited to newer security technologies, such as supervised machine learning used at the network edge to analyze content. BluVector’s supervised machine learning detects malware threats like WannaCry at its initial breach, based on malicious traits that make it both similar to and different from previous ransomware.

Security researchers discovered the malware contained a “kill switch.” This took the form of a hardcoded domain name; if the domain existed, the malware would exit without encrypting files or attempting to propagate. When researchers registered this domain, the spread of the malware was effectively halted. This occurred before the malware had established significant infections in the US and the Pacific region.

How Does It Propagate?

The rapid spread of WannaCry can be attributed to its use of the ETERNALBLUE exploit for Windows SMB and the DOUBLEPULSAR backdoor, both developed by the NSA and leaked by the Shadow Brokers group in April 2017. It was also distributed via malicious spam.
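One way to turn the two behaviours described above (the kill-switch domain lookup and spread over Windows SMB) into a host triage check, as an added example that is not BluVector's code or part of the original report. The domain is a placeholder because the report does not name it; the log formats, addresses and fan-out threshold are constructed assumptions.

```python
from collections import defaultdict

# Placeholder: the report does not give the domain; substitute the published indicator.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"
SMB_PORT = "445"
FANOUT_THRESHOLD = 5  # assumed: distinct SMB peers before a host looks worm-like

# Constructed sample logs (not real telemetry): "epoch src qname" / "epoch src dst dport".
DNS_LOG = """\
1494576000 10.0.0.21 killswitch.example.invalid
1494576003 10.0.0.35 www.example.com
1494576010 10.0.0.44 KillSwitch.Example.Invalid.
"""
CONN_LOG = "\n".join(
    [f"{1494576001 + i} 10.0.0.21 10.0.0.{100 + i} 445" for i in range(8)]
    + ["1494576005 10.0.0.35 10.0.0.5 445", "1494576006 10.0.0.44 192.0.2.10 443"]
)

def kill_switch_lookups(dns_text):
    """Hosts that queried the kill-switch domain (case and trailing dot ignored)."""
    hosts = set()
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            hosts.add(parts[1])
    return hosts

def smb_peers(conn_text):
    """Map each source host to the distinct destinations it contacted on TCP 445."""
    peers = defaultdict(set)
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == SMB_PORT:
            peers[parts[1]].add(parts[2])
    return peers

def triage(dns_text, conn_text):
    """Combine both signals into one verdict per host; quiet hosts are omitted."""
    lookups, peers = kill_switch_lookups(dns_text), smb_peers(conn_text)
    verdicts = {}
    for host in lookups | set(peers):
        spreading = len(peers.get(host, ())) >= FANOUT_THRESHOLD
        if host in lookups and spreading:
            verdicts[host] = "isolate"             # lookup plus SMB fan-out
        elif host in lookups:
            verdicts[host] = "investigate-lookup"  # may have exited on the kill switch
        elif spreading:
            verdicts[host] = "investigate-fanout"  # could be a scanner or backup server
    return verdicts
```

Calling `triage(DNS_LOG, CONN_LOG)` on the constructed logs flags 10.0.0.21 for isolation and 10.0.0.44 for follow-up, while 10.0.0.35, with a single file-server connection, is left alone.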

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the WannaCry malware as malicious. Regression testing on a number of samples has shown the files would have been detected by BluVector five months prior to their release.

About Threat Report

BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solution would protect customers from those threats.
