Site icon Sophos News

See WannaCry ransomware in action

Organizations continue cleaning up from last week’s WannaCry ransomware worm outbreak, and are still trying to make sense of how this thing became such a monster. In the following video, we break down the process, including how it spread and how Sophos Intercept X protects against it.

Outbreak updates

Four days since WannaCry hijacked 200,000 computers in 150 countries, SophosLabs have determined that this probably didn’t start the way a typical ransomware attack does – as a phishing email carrying a malicious attachment or link that the user is tricked into opening. It also appears the first infections were in south-east Asia.

Researchers assumed early on that the outbreak began with an email link or attachment, but SophosLabs VP Simon Reed identified it as a worm from start to finish.

In other words, this outbreak was a throwback to the early 2000s. Only this time, instead of mere noise and network downtime, a much more damaging payload of ransomware ground many organizations to a halt.

Analysis seems to confirm that Friday’s attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It used a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353), and used strong encryption on files such as documents, images, and videos.

More malware using leaked NSA tools

Weeks before the WannaCry ransomware worm tore up the internet, another strain of malware was doing it. That malware, Adylkuzz, is a cryptocurrency miner that, like WannaCry, has likely infected hundreds of thousands of computers across the globe. It wasn’t previously discovered because, unlike WannaCry, it allows computers to operate while creating the digital cash in the background. SophosLabs has been detecting and protecting customers from the malware.

Defensive measures

Whether it’s WannaCry or Adylkuzz, the best advice, especially given the wormy nature of these malware families, is to:

And since these malware families are all about collecting cryptocurrency, it’s worth repeating our ransomware advice:

Exit mobile version