Friday’s massive ransomware attack in Europe is spreading at a record pace. The ransomware, a variant of WannaCry, was centered in Russia but quickly spread to over 74 countries. Prime targets such as health care facilities, banks and corporate entities have been paralyzed in some of the hardest-hit areas.
The WannaCry ransomware (identified by the NSA as Wanna Decryptor) was spread through a Windows exploit known as EternalBlue. The exploit was part of an NSA project that was recently leaked by a hacking group that calls itself the “Shadow Brokers.” EternalBlue is an RCE (remote code execution) attack that uses a vulnerability in SMBv1 (Server Message Block version 1).
To simplify: once the malware has infected a computer, it runs the EternalBlue attack to seek out networked file sharing, then spreads to anything on the network that uses the same feature. This method is highly effective because it needs only one person to make a mistake (open an email, click a link, or open a file) to infect everything on a network. However, it has not yet been established how the infection began; no malicious emails or trigger code have been found so far.
It is highly recommended that anyone running Windows be up to date on patches and visit Microsoft’s security bulletins for more information. You can find that here: MS17-010.
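A defender-side check for the two conditions the article describes (SMBv1 enabled and the MS17-010 update missing), written as an added PowerShell example that is not part of the original article. The KB numbers in the list are assumptions taken from the MS17-010 bulletin and differ per Windows version, so verify them against the bulletin before relying on the result.

```powershell
# Added example (not from the original article): audit a Windows host for the
# two conditions WannaCry needed to spread: SMBv1 enabled and MS17-010 missing.
# The KB numbers below are assumptions taken from the MS17-010 bulletin and
# vary per Windows version; verify them against the bulletin before use.
$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012598', 'KB4013429')

function Get-Smb1Status {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012 and later); fall back to the
    # LanmanServer registry value older systems use (SMB1 = 0 means disabled).
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # When the value is absent, SMBv1 is enabled by default on those systems.
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$KbList)
    # Returns the first matching KB id, or $null if none of them is installed.
    # Caveat: a later cumulative update that supersedes these KBs will not show
    # under these ids, so a 'not found' result still needs manual confirmation.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbList) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

$smb1 = Get-Smb1Status
$kb   = Test-Ms17010Installed -KbList $Ms17010Kbs

Write-Host ("SMBv1 enabled   : {0}" -f $smb1)
Write-Host ("MS17-010 hotfix : {0}" -f $(if ($kb) { "$kb installed" } else { 'not found' }))

if ($smb1 -and -not $kb) {
    Write-Warning 'Host is exposed: SMBv1 is on and no MS17-010 update was found.'
} elseif ($smb1) {
    Write-Warning 'Patched, but SMBv1 is still enabled; disable it unless a legacy device needs it.'
}

# Remediation (run as administrator, then reboot). Shown here, not executed:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it in an elevated PowerShell session; the registry fallback and the hotfix query both need administrator rights to give a complete answer.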