On Friday, computer systems across the world were attacked by hackers in an attack dubbed "WannaCry," which uses an NSA exploit codenamed EternalBlue that was one of several tools leaked by the Shadow Brokers last month.
The tool exploits a vulnerability in Microsoft's Server Message Block which allows attackers to crash systems with a denial of service attack. After scrambling computer files, the malware demands upwards of $300 in Bitcoin to restore documents.
The cyber-attack hit nearly 100 countries, with Russia and the UK being among the most affected. The infections disabled at least 16 hospitals in the UK, Spain's main telecommunication services provider Telefonica, the Russian telecommunications provider Megafon, some Italian universities and the international shipper FedEx. It also attacked but was contained in other systems, among them the Russian Interior Ministry.
Security expert John Safa, founder of Pushfor, a secure messaging and content sharing platform for businesses, told Radio Sputnik that the hackers who devised the WannaCry virus probably didn't expect it to wreak as much damage as it has done.
"It just went wild, this is a big one. We've seen other ones that have had this sort of impact before but this is probably the biggest and had the largest impact. My view is that the hackers didn't actually anticipate it being this big," Safa said.
"Then what happens is, it looks for files, not only on your machine but also shares what you have with your network server and starts encrypting files. Obviously, it's very difficult to decrypt them because you don't know the key."
The virus was able to spread so rapidly because although Microsoft quickly patched the vulnerabilities exposed in the Shadow Brokers leak, many organizations hadn't yet upgraded their software. Larger organizations tend to stagger their updates over several weeks as they are tested by administrators for compatibility with intranets and other internal systems.
"Someone's developed a Windows malware that basically exploits a hole that was in Windows. Microsoft had patched it fairly quickly but a lot of companies hadn't upgraded their machines so this vulnerability then spread."
"The first lesson is that you have to be careful what you email, click on and receive. But I think it also shows that leaking information in this manner to show vulnerabilities in operating systems or applications can then be used for a bad cause. So, with this information the NSA have actually trained the virus and hacking community to do significant damage."
"The biggest issue will be for organizations, because content drives businesses nowadays and they have to make sure they can have a layer of security between that content because if ransomware does attack, and it can't have access to your actual, genuine files, then it's going to limit the damage it can actually cause. So, that's what we are trying to educate people, email and content are typically the biggest risks and it's best to put a layer between those two," Safa said.
On Saturday, a security researcher tweeting as @MalwareTechBlog, registered a domain name connected to the malware, thus activating a secret "kill switch" that can prevent the malware from spreading.
Unfortunately, the solution won't help fix systems already infected by the malware, and @MalwareTechBlog also warned that even though the breakthrough halted the unfolding epidemic, more attacks may soon follow.
The researcher explained that the attackers may still rewrite the code and relaunch the cycle and urged everyone to promptly patch their systems.
Have you heard the news? Sign up to our Telegram channel and we'll keep you up to speed!