This morning, a ransomware-type attack occurred on several companies in Europe. The systems at Telefónica's headquarters in Madrid appear to have been the initial targets of this attack and news reports indicate that 85% of the company's computers were infected and had their data encrypted.
According to the newspaper El Mundo, the perpetrators of the attack are demanding a redemption payment by May 19th equivalent to $300 in Bitcoins per machine under the threat of erasing all data encrypted by the malware to unblock access to the devices.
The origin of the attack has not yet been confirmed, but sources close to Telefónica are tracking it to an effort from China.
This attack is so critical because it has the ability to "worm", which can multiply through the environments and computers autonomously and with great ease. Today's attack was caused by a version of the ransomware WannaCrypt, which exploits a critical vulnerability in the Windows operating system and allows remote code execution.
The security flaw is in the malware protection service of the operating system, which allows you to intercept and inspect all read and write activity of files and system data. By exploiting the malware, malware gains access to the machine with administrative privileges.
The crash was published through CVE-2017-0144 and caused Microsoft to publish an emergency patch in Microsoft Security Advisory 4022344. Almost all versions of Windows can be affected and updates must be performed immediately. It is possible to monitor the spread of malware in real time through a website published by Intel.
CIPHER recommends to immediately apply the update on all Windows operating systems. In addition, apply and restart mission critical servers, as the operational impact of downtime will be less than that caused by the threat.
Furthermore, we also recommend to apply patches and updates on your systems as soon as possible and keep your users aware of the new ransomware campaign to prevent them from opening suspicious email and files. Finally, ensure that only the communication ports required on servers and computers are exposed on the internet.