Security Alert
Jonathan Crowe
May 2017

Alert: Massive WannaCry Ransomware Outbreak is Causing Global Havoc Using Leaked NSA Exploit

The UK's largest hospital group and one of Spain's largest telecom companies are just two of the victims of a large-scale ransomware campaign that rapidly spread to 150 countries. Watch how Barkly blocked WannaCry from the outset.

Key Details

  • What's happening: On Friday, a huge wave of ransomware infections were reported, starting with the NHS hospital network in the UK and telecommunications company Telefónica in Spain. Within hours, an estimated 36,000 infections had spread across 11 countries, including Russia, Turkey, Germany, Japan, and the Philippines.
  • UPDATE: As of late Friday night, the outbreak has been temporarily shut down thanks to the efforts of a security researcher who triggered a kill switch. New estimates suggest nearly 200,000 infections were suffered. A live infection tracker can be found here.
  • How victims are being infected: The ransomware has been confirmed as Wannacry aka WanaCrypt0r, Wcry, Wana Decryptor. Several sources have also confirmed it is utilizing the leaked NSA exploit ETERNALBLUE, which targets servers using the SMBv1 protocol.
  • What to do: If you haven't already, apply critical Microsoft update MS17-010, which renders the exploit ineffective. Microsoft has also released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003.
  • Additional protection: Barkly's runtime malware defense blocks Wcry ransomware before it can encrypt files.
  • empty
  • empty
  • empty

Barkly's runtime malware defense stops Wannacry automatically.
See it in action

On Friday, a sudden outbreak of ransomware attacks claimed victims in at least 11 countries, including NHS hospitals in England and Spanish telecom company Telefónica. The attacks caused widespread disruption, with IT staff scrambling to shut down systems to isolate the infections.

Screenshots of the ransom screens taken by NHS and Telefónica employees indicated the ransomware responsible for the infections is Wannacry, also referred to as WCry, WanaCrypt0r 2.0, and WannaDecrypt0r.


WCry ransom screen on an infected Telefonica employee computer. / El Mundo

The identification was later confirmed in alerts issued by Spain's CERT team and NHS. The former also confirmed the attacks were utilizing the ETERNALBLUE exploit included in the Shadow Brokers leak of NSA hacking tools on April 14, 2017.

Tracking the infections: Nearly 200,000 detected, but attack temporarily stopped

Update: Late Friday night security researcher MalwareTech was able to inadvertently halt the outbreak when he registered a domain the ransomware was attempting to call to as part of its pre-infection process. 

Before executing the ransomware payload, WannaCry was programmed to connect to an unregistered domain. If the connection was actually successful, the attack was coded to suspend. MalwareTech and other researchers theorize this was either a kill switch or an anti-sandbox technique the attackers were utilizing. In either case, it backfired when MalwareTech registered the domain. 

The attackers can of course change their code and ramp up the attack again, but at the very least this momentary outage provides companies another chance to patch and protect themselves from the ETERNALBLUE exploit.
Thanks to the exploit, which allows attackers to gain remote access to Windows servers via server message block (SMB) protocol, the criminals behind Wannacry were able to infect an estimated 36,000 victims in the first few hours of the attack.

According to Bleeping Computer, other victims of the attack include the Russian Interior Minister, Santandar bank, and a large number of universities in China.

Security researcher MalwareTech also created a live map that tracks infections in real time.



Update: The number of infections is now estimated to be more than 300,000

The Register has also provided a link to the Blockchain tracker for the Bitcoin address shown in the ransom note, which shows how many victims have paid the ransom so far.


The ransomware is using the NSA's leaked ETERNALBLUE exploit

This isn't the first time ETERNALBLUE has been connected to ransomware activity. In April, the attacker behind AES-NI ransomware claimed he was using the exploit to infect Windows servers, but after a brief flury of activity over the course of one weekend, AES-NI wasn't seen again.

Like many of the other exploits included in the NSA leak, ETERNALBLUE targets vulnerabilities in server message block (SMB) protocol (used primarily for providing shared access to files, printers, and serial ports, etc.). It is specifically addressed by critical Microsoft update MS17-010. Organizations that haven't patched are vulnerable to this attack and should prioritize doing so ASAP.

Update: Microsoft has also released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003.

Fallout from the attacks is severe

According to the Guardian, several NHS hospitals have lost access to patient record systems, causing them to postpone non-urgent activity and procedures and advise people not to come to the hospitals unless it's an emergency.

Reports on the Telefónica infection also indicate that once the ransomware has infected a server it appears it may be able to spread rapidly throughout an organization. Up to 85 percent of the telecom's computers were allegedly infected with Wannacry.

How to protect your organization from Wannacry and ETERNALBLUE

  • Patch ASAP: While patching isn't always easy to do or expedite in an enterprise environment, organizations should prioritize applying update MS17-010. An update for outdated operating systems including Windows XP, Windows 8, and Windows Server 2003 can be found here.
  • Address open SMB and RDP ports: If feasible, block external traffic to these ports.
  • Deploy runtime malware defense to block Wannacry and other malware at runtime: While attacks that target SMB and RDP ports may bypass other security, they can still be stopped at runtime with security software that recognizes and blocks malicious system activity.

Watch the video below to see how Barkly stops Wannacry ransomware before any damage is done:

Find out more about how RMD works in our Complete Guide to Runtime Malware Defense.

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends stright to your inbox.