On Friday, 5th May 2017, a variant of WannaCrypt Ransomware (WannaCry) started spreading across the globe. It targeted a vulnerability in the SMB protocol, and leveraged an exploit stolen from the NSA (ETERNALBLUE) to do so. Variants were observed over the weekend, but they were either using the same kill switch domain, or a different one that was easily identified and purchased so the malware wouldn’t spread.
The report of this ransomware attack spread over the weekend and took less time than expected to get fame all over the world. Many have tweeted and spread awareness about this newly spread ransomware.
One particular vulnerability in Windows, leaked by a shady crew called Shadow Brokers, was used by the WannaCry hackers to give their ransomware a worm feature, allowing it to spread between vulnerable PCs silently and at speed. That flaw was exploited by a tool called EternalBlue and was patched by Microsoft in mid-March, but those who didn’t apply the update were still open to attack, resulting in affecting 48 UK National Health Service trusts, FedEx, Telefonica, Renault and Nissan car manufacturing plants, U.S. universities, Russian governments and Chinese ATMs, amongst many other systems across 150 countries.
However, a UK security researcher known as “MalwareTech“, who helped to limit the ransomware attack, had predicted “another one coming… quite likely on Monday”.
MalwareTech, whose name was revealed in UK media to be 22-year-old Marcus Hutchins, was hailed as an “accidental hero” after registering a domain name to track the spread of the virus, which actually ended up halting it.