Kaspersky Lab has recorded as of Friday more than 45,000 attacks of ransomware in 74 countries around the world, mostly in Russia. The multinational cybersecurity and anti-virus provider's Global Research and Analysis Team said in these attacks, data is encrypted with the extension ".WCRY" added to the filenames.
The attack by the ransomware, dubbed "WannaCry," is initiated through an SMBv2 remote code execution in Microsoft Windows. The exploit, codenamed "EternalBlue," has been made available on the internet through the Shadowbrokers dump on April 14, 2017, and patched by Microsoft on March 14.
"It's important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the 'EternalBlue' exploit and infected by the WannaCry ransomware," Kaspersky Lab's Global Research and Analysis Team noted in a web posting.
"The lack of existence of this vulnerability doesn't really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak." The WannaCry malware encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin, a cryptocurrency, is displayed along with the wallet.
As not all ransomware provides this timer countdown, said the team, the WannaCry attack shows computer users that "payment will be raised" after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout.
To make sure that the user doesn't miss the warning, the tool changes the user's wallpaper with instructions on how to find the decryptor tool dropped by the malware. While Spain's Computer Emergency Response Team CCN-CERT, posted an alert on its site about the attack affecting several Spanish organizations, the National Health Service (NHS) in Britain also issued an alert and confirmed infections at 16 medical institutions. Kaspersky Lab said its team has confirmed additional infections in additional countries, including Ukraine and India.