75,000 computers, 99 countries, 28 languages, 1 massive attack

It's been a hectic day in the world.  99 countries were hammered with a ransomware attack against industries of all kinds.  Over 75,000 machines were infected as of this afternoon. 

What's going on?

A relatively young piece of ransomware called WanaCrypt0r has been spreading rapidly since this morning.  A variant of WanaCrypt0r, named WeCry, was originally discovered in February of this year .

What makes this piece of ransomware so prolific today is that it is packaged as part of an exploit tool called ETERNALBLUE that leverages a known vulnerability in Windows that was patched in March as part of Windows Updates.  This was an SMB vulnerability (MS17-010), which allowed malicious code to travel from system to system.  Older Windows systems that are no longer supported would not have received a patch, and many supported systems were simply not updated.  Delays caused by compatibility testing and limited resources often leave systems unpatched and at risk.

The exploit is delivered via email attachment.  Once the exploit is detonated, the worm will spread the ransomware through RDP sessions and the SMB vulnerability referenced above.  The worm does the work of spreading the ransomware to as many systems as possible, as fast as possible.  The ransomware encrypts the target files and presents the ransom note to the victim.  This MalwareBytes thread has a detailed analysis of the code and the executable.

The attackers are charging up to $600 in bitcoin for the decryptor.

The exploit tool ETERNALBLUE was made public in the April 2017 Shadow Brokers leak.  This leak included hacking tools and exploits that the Shadow Brokers claim to have to have stolen from NSA.   As of this writing, the attacker[s] responsible for the attack remain unknown, and a 'kill switch' has been triggered which prevents new infections from this variant.  

What's next?

Multiple layers of Barracuda Advanced Threat Protection were detecting these executables early on, and Barracuda customers with an active Energize Updates subscription are protected from this exploit. 

Jonathan Tanner, Barracuda Software Engineer and security blogger, offers this advice on defending ourselves from these attacks:

•  Keep current on updates, especially on technologies that have a history of multiple vulnerabilities.  Maintain active subscriptions on your anti-virus solutions, and subscribe to Energize Updates if you're a Barracuda customer. 
•  End-of-Life Operating Systems should be replaced as soon as possible.  Operating systems that are beyond extended support should be removed from networks immediately, even if you can't replace it right away.
•  We cannot overstate the importance of vigilance when it comes to email and email attachments.  Email is the primary method of attack for almost everything.  In this attack, one person to open the exploit could lead to the infection of all other vulnerable devices on the network.
•  Shut down unused and unnecessary services on your systems.  Every service is a potential attack surface.
•  Deploy a powerful email defense, like Barracuda Email Protection to protect your systems from these attacks.  
•  Back up all of your data regularly. If you are looking for a comprehensive solution with flexible deployment options, get a free trial of Barracuda Backup or Barracuda Cloud-to-Cloud Backup to test in your environment.

What did we learn?

A multi-layer security solution and a data protection strategy are critical components of cybersecurity, but it's never been more important to help your colleagues and company leadership understand the risk of cyberattacks.  This understanding, combined with ongoing training and awareness initiatives, will help your users protect themselves. 

For information on how we can help protect your organization from this type of attack, visit the Barracuda ransomware solutions site at www.barracuda.com/ransomware

Barracuda Cybersecurity Platform

Only Barracuda provides multi-faceted protection that covers all the major threat vectors, protects your data, and automates incident response. Over 200,000 customers worldwide count on Barracuda to protect their email, networks, applications, and data.