“It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher,” the researchers noted.
MalwareTech has published a live map tracking infections worldwide.
“Russia, Ukraine and Taiwan leading,” Avast researcher Jakub Kroustek tweeted on Friday. “This is huge.”
The Guardian reports that larger victims include FedEx, the Spanish phone company Telefonica, the Russian mobile phone operator MegaFon, and the UK’s National Health Service (NHS).
For information on removing and preventing ransomware, see our comprehensive article “How to Stop Ransomware.”
The NHS said at least 36 of its organizations had been affected by the ransomware, but added in a statement, “This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors.”
Human Safety at Risk
Joshua Douglas, chief strategy officer at Raytheon Foreground Security, told eSecurity Planet by email that by targeting networks supporting vital services like healthcare, cyber criminals are consciously putting human safety at risk for financial impact.
“Organizations are beginning to fully appreciate their exposure to risk, whether from negligent or malicious insiders, the growing attack surface represented by the Internet of Things, or from the growing number of sophisticated attackers,” Douglas said.
“Healthcare, an industry with mountains of sensitive personal data and lives at stake, should consider security measures that take into account network users in addition to outside threats,” Douglas added. “When dealing with ransomware, advance security protections, basic cyber hygiene, tested disaster recovery plans and employee training are critical to protecting data.”
The malware leverages a remote code execution vulnerability in Windows that was among several stolen from the U.S. National Security Agency and leaked by the Shadow Brokers hacker group on April 14.
The Financial Times notes that while ransomware is usually spread via email, the NSA exploit, codenamed Eternal Blue, also spreads across internal networks via SMB file-sharing protocols.
Microsoft has released a patch for the flaw, but many organizations haven’t yet installed it.
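The SMB-based spread across internal networks described above is exactly the behaviour a network defender wants to alert on while patches are still being rolled out. The following is an added example, not code from the article or from any vendor quoted in it: it scans a constructed connection log (the IPs and timestamps are made up) for a single host fanning out to many distinct internal hosts on TCP 445 within a short window, the pattern that worm-like propagation produces and that ordinary file-sharing traffic rarely does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound connection records (not real traffic):
# "timestamp src_ip dst_ip dst_port". Host 10.0.1.15 sweeps six peers on 445
# in three seconds; 10.0.1.40 repeatedly talks to one file server, which is normal.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:10 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:11 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:12 10.0.1.41 10.0.1.9 443
"""


def parse(log_text):
    """Yield (timestamp, src, dst, port) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout(records, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for every source that reached at least
    min_targets distinct hosts on TCP 445 inside any sliding window of `window`.
    Only the peak distinct-target count per source is reported."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == 445:  # SMB only; other services are ignored
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological so each window starts at an event
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    print(smb_fanout(parse(SAMPLE_LOG)))  # {'10.0.1.15': 6}
```

Tune `min_targets` and `window` to your network's baseline; the point is that distinct-destination fan-out on 445, not SMB volume, is the signal.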
“This is the first time that a worm-like tool has been used in conjunction with ransomware that has created devastating impact against entire organizations,” Fidelis Cybersecurity threat research manager John Bambenek said by email. “Strong and swift patching would have helped mitigate this threat. It has undoubtedly captured the imagination of criminals who don’t want to hold individual machines ransom but to take entire organizations hostage, and surely we will see much more of this in the coming weeks.”
“The fact that a vulnerability developed by the NSA was used in this attack shows the dangers that can happen when this knowledge gets out into the wild even after a patch has been developed,” Bambenek added. “Intelligence agencies will always be developing zero-days, but unlike traditional weapons, these tools can be repurposed quickly for devastating criminal attacks.”
“The intelligence community should develop strong procedures that when such tools leak, they immediately give relevant information to software developers and security vendors so protections can be developed before attacks are seen in the wild,” Bambenek said.