WannaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain
EternalBlue now an eternal headache
Updated Workers at Telefónica's Madrid headquarters were left staring at their screen on Friday following a ransomware outbreak.
Telefónica was one of several victims of a widespread file-encrypting ransomware outbreak, El Pais reports. Telefónica has confirmed the epidemic on its intranet while downplaying its seriousness, saying everything was under control. Fixed and mobile telephony services provided by the firm have not been affected.
Other Spanish targets of the attack reportedly include Vodafone and energy suppliers Iberdrola, though the extent of the damage caused at each is unclear. Spanish banks quizzed by El Pais all denied difficulties despite rumors to the contrary.
The strain of ransomware at the centre of the outbreak is a variant of WannaCrypt aka Wcry aka WanaCrypt aka Wanna Decryptor. Spain's CERT put out an alert saying that the outbreak had affected several organizations.
Indeed, the malware is ransacking systems across the globe, including the UK public health service. It scrambles files and demands $300 in Bitcoin to restore documents.
The malware is installed by a worm that infects Windows systems and spreads across networks by exploiting various unpatched vulnerabilities. It's understood the software nasty is wielding the leaked NSA cyber-weapon EternalBlue, which attacks SMB file-sharing services. "[The] infection vector is unknown but suspect internet facing machines are spreading infections exploiting a Samba vulnerabilities, MS17-010 and CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148," a source told El Reg. MS17-010 is the SMB vulnerability exploited by EternalBlue.
Spanish security expert Luis Corrons confirmed the unusual – for ransomware – worm-like spreading mechanism.
"It seems that this ransomware has network worm capabilities, and it is taking advantage of a recently patched Windows vulnerability to spread within the local network where it is being executed," Luis Corrons, PandaLabs Technical Director at Panda Security told El Reg. "That means that only having one computer exposed to this ransomware, it could potentially infect with the ransomware all the others computers in the same network."
"As the patch for this vulnerability is recent (March 14th), many enterprises have not applied it and therefore they are at risk," he added. ®
Now read our analysis of the WannaCrypt epidemic.