WannaCry: more details about the ransomware attack

Meanwhile, the major WannaCry (aka WanaDecrypt0r 2.0) attack has been stopped. As I noted in my previous post, a kill switch was found by accident when an expert noticed that WannaCry contacts a specific domain. As the domain was available, he registered it, hoping to collect more information and data sent out by the ransomware.

Image from malwaretech.com

After the domain was online, the automatic spreading of WannaCry stopped. However, this does not help systems that are already infected. There are also rumors that some antivirus programs currently block access to that domain because of suspicious data. This would in fact mean that those programs allow WannaCry to keep spreading, because the ransomware can no longer reach the domain.
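The blocking risk described above can be checked from resolver logs. The following is an added example, not code from the original post: it scans a DNS log for lookups of the domain WannaCry contacts and reports, per client, whether the lookup got a real answer or a blocked one. The domain name (a placeholder, since the post does not name it), the log format and the blocked-answer values are assumptions.

```python
# Placeholder: the post does not name the domain; substitute the real one.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log (assumed format):
# <timestamp> <client-ip> <queried-name> <rcode> <answer>
SAMPLE_LOG = """\
2017-05-13T09:01:12Z 10.0.4.17 killswitch-placeholder.example NOERROR 203.0.113.10
2017-05-13T09:01:40Z 10.0.4.22 www.example.org NOERROR 198.51.100.7
2017-05-13T09:02:03Z 10.0.7.5 killswitch-placeholder.example NXDOMAIN -
2017-05-13T09:02:09Z 10.0.7.9 KillSwitch-Placeholder.example. NOERROR 0.0.0.0
2017-05-13T09:03:15Z 10.0.4.17 killswitch-placeholder.example NOERROR 203.0.113.10
malformed line
"""

# Answers a filtering product might return when it blocks a name (assumption).
BLOCK_ANSWERS = {"0.0.0.0", "127.0.0.1", "-"}


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the domain to 'resolved' or 'blocked'.

    A client is 'blocked' if any of its lookups failed or got a block answer;
    on such a host the stop switch cannot work.
    """
    result = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing
        _ts, client, qname, rcode, answer = parts
        # DNS names are case-insensitive and may carry a trailing root dot.
        if qname.rstrip(".").lower() != domain.lower():
            continue
        ok = rcode == "NOERROR" and answer not in BLOCK_ANSWERS
        if not ok:
            result[client] = "blocked"
        elif client not in result:
            result[client] = "resolved"
    return result


if __name__ == "__main__":
    for client, status in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}\t{status}")
```

Every client listed is worth checking for infection, since something on it looked up the domain; the ones marked `blocked` also need the filter rule for that domain removed.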

“EternalBlue” issue known to the NSA for years

The security issue used by WannaCry is called EternalBlue and was part of a leak of NSA documents published by The Shadow Brokers in April this year. If they had notified Microsoft of that issue, we would not have these massive problems today.

Due to the seriousness of the attack, Microsoft released a patch even for older Windows versions that are usually no longer supported.