More than 126 000 systems have been affected by the WanaCryptOr (WannaCrypt) ransomware that has erupted in 104 countries so far, bringing computers, including those of the UK’s National Health Service (NHS) and Spain’s Telefonica to a halt.
Avast’s Jakub Kroustek says the ransomware attack is active mostly in Russia, Ukraine and Taiwan although it is by no means limited to these countries.
Instances of the ransomware have been detected in South Africa.
WanaCryptOr was first spotted in February, and is now available in 28 different languages. From Friday, an increase in activity has been observed, and it has spread rapidly.
The ransomware changes the affected file extension names to “.WNCRY”, so an infected file will look something like: original_name_of_file.jpg.WNCRY, for example. The encrypted files are also marked by the “WANACRY!” string at the beginning of the file.
This ransomware drops a ransom note in a text file, demanding $300 in bitcoins to decrypt files that have been encrypted.
The ransomware is unusual, and more dangerous, because it appears to have worm-like capabilities, allowing it to spread on its own.
Kroustek believes that WanaCrypt0r 2.0 is most likely spreading on so many computers by using an exploit that the Equation Group, widely suspected of being tied to the NSA, used.
He says a hacker group called ShadowBrokers has stolen Equation Group’s hacking tools and has publicly released them.
Security researcher Kafeine confirms that the ETERNALBLUE or MS17-010 exploit, a Windows SMB (server message block) was probably used for WanaCrypt0r.
The malware spreads with the help of a file-sharing vulnerability in Windows. Microsoft issued a patch in March, but many systems have not been patched, including those running older versions of the operating system.
Today, Microsoft has issued security updates to Windows XP and Windows 8 in a bid to slow the spared of WanaCrypt.