It exploits supposedly NSA-developed vulnerabilities on unpatched Windows systems.

England's healthcare system came under a withering cyberattack Friday morning, with "at least 25" hospitals across the country falling prey to ransomware that locked doctors and employees out of critical systems and networks. It's now clear that this is not a (relatively) isolated attack but rather a single front in a massive digital assault.

Organizations in dozens of countries have all been hit with the same ransomware program, a variant of "WannaCrypt," spouting the same ransom note and demanding $300 for the encryption key, with the demand escalating as time passes.

Screenshot of live-updating map of WCrypt infections

The infection vector appears to work through a known vulnerability, originally exploited as "ETERNALBLUE" and developed by the National Security Agency. That information was subsequently leaked by the hacking group known as The Shadow Brokers which has been dumping its cache of purloined NSA hacking tools onto the internet since last year.

The virus appears to have originally spread via email as compressed file attachment so, like last week's Google Docs issue, make sure you confirm that you email's attachments are legit before clicking on them. Once it's on one system, it can easily spread across private networks using a flaw in the Windows SMB Server.

Also, make sure your computers are using software that's still receiving security updates, and that you've installed the latest updates available. Microsoft released a fix for the exploit used as a part of its March "Patch Tuesday" release, but unpatched Windows systems remain vulnerable.

Update: In a statement, Microsoft indicated that engineers have added detection and protection against the "Ransom:Win32.WannaCrypt" malware, so make sure your Windows Defender or other antivirus is updated before logging on to any corporate networks that may be infected.

A FedEx representative confirmed its systems are being impacted, saying "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers."

For now, new infections will not continue to lock systems, since the person behind @MalwareTechBlog registered a domain the software checks before proceeding. Now that the site is active, it's acting as a killswitch, however as they've noted, someone could easily modify the code and begin infecting computers all over again.

Source:
courtesy of ENGADGET

by Andrew Tarantola, @terrortola

If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]