The global ransomware attack that caused chaos could spring back to life again as workers return to the office, experts have warned.
While ransomware has been a growing menace for some time, this particular attack is without parallel, largely because the ransomware was combined with a worm-like functionality that allowed the infection to spread rapidly from PC to PC.
The lightning spread of the WannaCrypt ransomware attack was felt worldwide last week, causing problems for thousands of private and public sector organisations across dozens of countries on Friday, and forced hospitals in the UK to cancel treatment and resort to pen and paper. The ransomware has also caused problems in Germany, Russia, the US, and Spain.
After the impact of the first ransomware attack waned, a second variation was launched that increased the impact further.
And now, because the attack started on a Friday afternoon, there is concern that more PCs worldwide may have become infected over the weekend — which means companies could have problems to face when they return to work.
The UK’s National Cyber Security Centre, the organisation tasked with keeping the UK’s critical infrastructure safe from cyber attacks, said that since what it described as the “global coordinated ransomware attack” on Friday there have been no sustained new attacks of that kind.
“It is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks,” it warned.
“This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.”
The NCSC said there had been attempts to attack organisations beyond the NHS and that it was “absolutely imperative” any organisation that believes it may be affected follows and implements the correct guidance.
Companies should makes sure that software patches are up to date and that they are using proper antivirus software services. The agency also said companies should back up the data that matters because “you can’t be held to ransom for data you hold somewhere else”.
Home users and small businesses should run Windows Update, ensure their antivirus software is up to date and runs a scan, and to also consider backing up data.
Microsoft said that the exploit code used by WannaCrypt is designed to work only against unpatched Windows 7 and Windows Server 2008, or even earlier systems such as Windows XP.
This exploit, codenamed “EternalBlue”, had been made available on the internet by so-called Shadowbrokers who dumped what were apparently hacking tools, including this exploit, which had been developed by the NSA.
A fix for the vulnerability had been posted by Microsoft back in March, but many organisations had either failed to update their systems or were using operating systems like Windows XP, which were not patched as Microsoft no longer issues security patches for such old software. Following the massive ransomware attack, Microsoft has now extended the security update to include Windows XP.