The global cyber attack that broke out on Friday has raged throughout the weekend. It has now affected over 150 countries and 10,000 organizations, according to European officials. Microsoft has issued a patch, but it does nothing unless people install the update (see NHS England Hit by a 'Large-Scale' Cyberattack).
In fact, Microsoft patched this exploit last month, after it was revealed by the Shadow Brokers group. However, in an attempt to stop the ransomware from spreading, Microsoft took the "highly unusual" step of patching unsupported systems, including Windows XP, Windows 8, and Windows Server 2003. This is significant because, while more recent systems such as Windows 10 had already been patched, the older operating systems were left unprotected. Despite the risks of using old, outdated software, many organizations continue to use Windows XP; it's been reported that 90% of NHS trusts are still using the 16-year-old OS.
The attack supposedly started at around 8:00 a.m. UTC. NHS systems started going down at 11:30 (12:30 BST) and by 1:30 (2:30 BST) the ransomware was in full flow. The ransomware used in the attack is known as "WannaCrypt" (but has been widely referred to as "WannaCry"). Once a computer was infected, the ransomware locked the entire system down and displayed a message asking for $300 in Bitcoin, the peer-to-peer currency, which is hard to trace. It's thought that the virus infected computers through an email attachment. CEO of Glasswall Solutions, Greg Sims, told TechX365, "It is likely to have been started in the same way that more than 90% of these attacks start -- by tricking employees to open email attachments that contain hidden code. Anti-virus defenses are useless against these attacks because they only search for known threats -- not the new threats and zero-day attacks being devised by criminals on a daily basis."
[Image: The WannaCrypt screen, shown when WannaCrypt has infected your computer.]
For the moment, the attack has been halted, as UK-based security researcher MalwareTech registered a domain used in the ransomware's code which acts as a kill switch. If the domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, is unoccupied -- unregistered -- the attack proceeds and holds the infected computer to ransom. However, if the domain is registered, the attack stops and the computer is left largely unaffected by the ransomware.
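Because the ransomware looks up the kill-switch domain before it proceeds, any internal host that queried that name is worth investigating and patching. The sketch below is an added example, not code from the article or from MalwareTech; it scans DNS query logs for such lookups and assumes a simple "timestamp client query-name type" log layout (adapt the pattern to your resolver's format), with sample lines constructed for illustration.

```python
import re

# Kill-switch domain exactly as quoted in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumed layout: <ISO-8601 UTC timestamp> <client IP> <query name> <type>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample data, not taken from any real network.
SAMPLE_LOG = """\
2017-05-12T11:31:02Z 10.20.1.15 www.example.org. A
2017-05-12T11:31:40Z 10.20.1.77 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.com. A
2017-05-12T11:32:05Z 10.20.3.9 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
malformed line without enough fields
2017-05-12T11:40:13Z 10.20.1.77 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T11:41:00Z 10.20.4.2 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.example.net A
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so comparison is exact."""
    return name.rstrip(".").lower()

def matches_kill_switch(name):
    """True for the domain itself or any subdomain (e.g. a www. prefix)."""
    n = normalize(name)
    return n == KILL_SWITCH or n.endswith("." + KILL_SWITCH)

def find_lookups(log_text):
    """Return {client_ip: {'count', 'first', 'last'}} for kill-switch queries."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname, _rtype = m.groups()
        if not matches_kill_switch(qname):
            continue  # unrelated name, or a lookalike under another zone
        h = hits.setdefault(client, {"count": 0, "first": ts, "last": ts})
        h["count"] += 1
        # Same-format ISO timestamps sort correctly as plain strings.
        h["first"] = min(h["first"], ts)
        h["last"] = max(h["last"], ts)
    return hits

if __name__ == "__main__":
    for ip, h in sorted(find_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {h['count']} lookup(s), {h['first']} to {h['last']}")
```
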
This isn't to say that computers are safe. A new version of WannaCrypt could appear at any moment, with updated code which randomizes the domain used, making it a lot harder to stop, or alternatively with no domain used at all. Speculation about why WannaCrypt has this domain feature is varied; MalwareTech thinks it was meant to stop the malware getting noticed by security researchers. Researchers run virus-infected code in virtual "sandbox" environments so they can examine it without infecting their own computers. Because of the limitations of these virtual environments, the unregistered domain can appear to be occupied inside them; the malware would notice this and quit the installation process immediately.
For now, it is incredibly important all systems are updated to patch the exploit. WannaCrypt could come back at any time, and if computers are not patched, Friday's carnage could happen all over again.
— Phil Oakley, Site Editor, TechX365