On Friday, 12 May 2017, a large cyber-attack using WannaCry was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments ($300 worth of bitcoin), with the ransom demand presented in 28 languages.
The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain’s National Health Service (NHS), FedEx, Deutsche Bahn, LATAM Airlines and many more. Other targets in at least 99 countries were also reported to have been attacked around the same time.
Initial reports indicate that the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through exploitation of a critical Windows SMB vulnerability.
In any case, organizations are advised to:
- Implement the necessary patches as soon as possible. This step is crucial, not least because other criminals could start exploiting the same flaw at any time: the EternalBlue exploit is public and ready to be used.
- Disable SMBv1
- Consider adding a rule on their router or firewall to block incoming traffic on SMB and RDP ports
- Isolate unpatched systems from the internal network
- Make back-ups (and check that they can be restored!)
- Warn employees to be extra watchful about phishing emails.
- US-CERT offers more extensive advice on defending against ransomware generally, and recommended remediation steps for those who have been affected.
- Microsoft also offered advice on protecting systems against this threat.
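The host-level steps in the list above (disable SMBv1, block inbound SMB and RDP, and confirm the patch is present before trusting a machine on the network) can be audited and applied with PowerShell. The script below is an added example, not part of the original advisory or Microsoft's guidance; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and the KB list is a placeholder you must fill in from the MS17-010 bulletin for your OS build.

```powershell
# Added example (not from the original advisory): audit and harden a Windows host
# against the SMBv1 exposure used by WannaCry. Run from an elevated session.
# Assumption: SmbShare and NetSecurity modules are present (Windows 8.1 / 2012 R2+).
$RequiredKBs = @('KB-PLACEHOLDER-FROM-MS17-010')   # placeholder: fill in for your OS build

function Get-Smb1Status {
    # Server-side dialect flag plus the SMB1 optional feature state (DISM view).
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        FeatureState      = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Test-Ms17010Patched {
    # True when at least one of the required hotfixes is installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($RequiredKBs | Where-Object { $installed -contains $_ })
}

function Disable-Smb1 {
    # Turn off the SMBv1 server dialect and remove the SMB1 optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-SmbRdpInbound {
    # Host firewall rules for the "block incoming SMB and RDP" step.
    # Scoped to the Public profile; widen only if the host needs no inbound SMB/RDP at all.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' -Direction Inbound `
        -Protocol TCP -LocalPort 139,445 -Action Block -Profile Public | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound RDP (WannaCry mitigation)' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Action Block -Profile Public | Out-Null
}

# Audit first, then remediate. An unpatched host with SMBv1 enabled should be
# isolated from the internal network until the patch is applied.
$status  = Get-Smb1Status
$patched = Test-Ms17010Patched
Write-Output "SMBv1 server enabled: $($status.ServerSmb1Enabled); feature: $($status.FeatureState); MS17-010 patched: $patched"
if ($status.ServerSmb1Enabled -or $status.FeatureState -eq 'Enabled') { Disable-Smb1 }
if (-not $patched) { Block-SmbRdpInbound }
```

On Windows Server editions the SMB1 component is a Windows Feature rather than an optional feature, so the DISM call is replaced by `Remove-WindowsFeature FS-SMB1`; a reboot is required for the feature removal to take effect.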