WannaCry ransomware is Still There and Caused Global Chaos

The WannaCry incident is indeed going to be remembered in history as one of the most devastating and dreadful ransomware attacks. Not only did it affect the victims shortly after its release, but its self-spreading mechanism is still causing havoc.

In the latest report, it has been revealed the ransomware has attacked a Honda plant in Sayama, located northwest of Tokyo. As a result, the automobile giant was forced to shut down its operations on the 19th of June, to avoid any further accidents.

The ransomware was found in Honda’s systems on the 18th of June and as expected, the entire network was affected severely.

As you may already know, the WannaCry ransomware was created as a result of NSA-based hacking tools being leaked out by a hacking group called the Shadow Brokers.

The tools included EternalBlue and DoublePulsar which were used to install the malware in the system and allow it spread to computers running on Windows operating systems. The malware essentially exploited a vulnerability existing in Windows’ Server Message Block (SMB) protocol.

Once the ransomware is loaded into the system, it encrypts all the files and the user can only access them if he/she pays a certain amount of ransom in Bitcoins. It was reported that the ransomware amounted to USD 300.

“It takes just one vulnerable system to leave the door open. Having been hit in other plants during May, Honda took steps to protect themselves at the time; but as most of us are now aware it is a continuing battle against emerging threats.

“Microsoft, for example, on their regular patch Tuesday update in June patched 96 security vulnerabilities and continued to resolve issues in Windows XP. It is important in industrial plants, where there are often embedded computer systems, that patches are applied promptly and across all systems.

“Often, due to the complexity of change, it takes some weeks or months to bring all systems up to date. And of course it is not just Microsoft that needs patching, all manner of systems need to be assessed and updated.

“Some communication protocols have proven to be very insecure, such as the file sharing server message block SMBV1 which was exploited by the WannaCry ransomware and in fact is being disabled totally from windows 10 later this year. Elsewhere it is recommended that the SMBV1 protocol be disabled if it is not used operationally.

“This latest incident reminds us that our efforts to defend our organisations against emerging threats is continuous. Regular review of all systems and their communication protocols is necessary and, more importantly, a thorough analysis of access controls. Ask who has access; what can they access and why do they access? Often, in organisations individuals are provisioned to access systems for short periods and are never deprovisoned, which means over time they get excessive access that can be damaging to the business if misused.

“Tools to control and manage overall access are critical. Malware such as WannaCry takes advantage of gaps in security so to be truly safe requires a continuous and thorough approach which embraces the multiple aspects of cyber security.”

This map shows the spread of WannaCry within 24 hours of its first infection on May 12

Some of Hitachi’s computers were also infected by the ransomware which made it difficult for the affected employees to receive and send emails.

It was reported that 2,000 of the trust’s 6,000 computers were infected as well as the central system.

It’s thought up to 70,000 devices — including computers, MRI scanners, blood-storage refrigerators and theatre equipment — may have been affected.

Foreign companies we know that have been affected include:

  • Honda — Japan
  • Telefonica — Spain
  • Iberdrola — Spain
  • Gas Natural — Spain
  • FedEx Corp — US
  • Renault — France
  • Hitatchi — Japan
  • Nissan — Japan
  • CJ CGV Co — South Korea
  • Telecom — Portugal

It is thought about 40 NHS trusts were affected by the cyber attack including:

  • Northumbria Healthcare
  • North Cumbria Hospitals
  • Morecambe Bay Hospitals
  • Blackpool Hospitals
  • Southport Hospital
  • East Lancashire Trust
  • Barts Health
  • East and North Hertfordshire
  • Derbyshire Community Health
  • University Hospitals North Midlands
  • North Essex Partnership University FT
  • London North West Healthcare Trust
  • York Hospitals
  • East Cheshire Trust
  • Aintree University Hospitals
  • The Royal Liverpool and Broadgreen Hospitals Trust
  • Liverpool Community Trust
  • United Lincolnshire Hospitals
  • James Paget University Hospital FT
  • Basildon And Thurrock University Hospitals NHS Foundation Trust
  • Mid Essex Hospital Services NHS Trust
  • Colchester Hospital University NHS Foundation Trust
  • George Eliot Hospital NHS Trust
  • Wrightington, Wigan And Leigh NHS Foundation Trust
  • Cheshire and Wirral Partnership NHS Foundation Trust
  • Nottinghamshire Healthcare NHS Trust
  • Burton Hospitals NHS Foundation Trust
  • Birmingham Community Healthcare Trust
  • Sherwood Forest Hospitals
  • Ipswich Hospital
  • West Herfordshire Hospitals
  • Barnsley Hospital
  • Central Manchester University Hospitals

In Scotland the following health boards confirmed a cyber attack:

  • NHS Ayrshire and Arran
  • NHS Borders
  • NHS Dumfries and Galloway
  • NHS Grampian
  • NHS Greater Glasgow and Clyde
  • NHS Fife
  • NHS Highland
  • NHS Forth Valley
  • NHS Western Isles
  • NHS Tayside
  • NHS Lanarkshire