• If you didn’t get MS17-010 installed six weeks ago, you may be hurting now

    On April 24, I warned everybody that y’all needed to install the March Windows patch MS17-010 right away.

    I sure hope you did. Even those among you who never install patches – the Group W contingent.

    There’s a huge wave of Ransomware attacks running through Europe, and it’s already been spotted in the US. Britain’s National Health Service and most of its broader healthcare system is on its knees, with medical caregivers greeted by ransomware demands.

    The culprit is a ransomware package called “WannaCry” that spreads using the EternalBlue exploit from the Shadow Brokers leak — an exploit created by the US’s very own NSA. (Gratuitous comment about tax dollars deleted.)

    Graham Cluley says:

    it would be wrong to think that the NHS was targeted. They weren’t. This is plain old extortion – 21st century style. The bad guys release ransomware (in this case carried by a worm which exploits a vulnerability), and their intention is to infect as many PCs as possible to make as much cash as possible.

    Hitting the NHS wasn’t necessarily their intention, but it is a soft target due to its poor defences. And, of course, the implications of a widespread NHS infection are felt by many people.

    If you haven’t installed MS17-010, drop everything and do it. Make a full, clean backup while you’re at it.
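    For readers who want to verify rather than assume, here is an added example (editor's code, not part of the original post or Microsoft's tooling) that reports whether one of the MS17-010 packages is installed on a Windows host and whether the SMBv1 server is still enabled, which is what EternalBlue goes after. The KB list is the editor's recollection of the March 2017 MS17-010 packages and should be checked against Microsoft's bulletin for your OS versions; on Windows 10 and Server 2016, later cumulative updates supersede those KBs, so "not found" there is not proof the host is unpatched.

```powershell
# Added example, not from the original post: a read-only MS17-010 / SMBv1 status check.
# ASSUMPTION: the KB numbers below are the March 2017 MS17-010 packages as the editor
# recalls them; verify the list against Microsoft's MS17-010 bulletin for your OS versions.
# On Windows 10 / Server 2016, later cumulative updates supersede these KBs, so "none found"
# there is not proof that the host is unpatched. Run from an elevated PowerShell prompt.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # out-of-band package for XP / Vista / Server 2003 / Windows 8
)

function Get-Smb1ServerState {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: read the LanmanServer SMB1 value; when it is absent, SMBv1 is on by default.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($null -eq $params -or $null -eq $params.SMB1) { return $true }
    return [bool]$params.SMB1
}

function Get-Ms17010Status {
    $os      = Get-CimInstance Win32_OperatingSystem
    $found   = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    $smb1On  = Get-Smb1ServerState
    $isWin10 = [int]$os.BuildNumber -ge 10240   # Windows 10 / Server 2016 use cumulative updates

    $verdict = if ($found.Count -gt 0) {
        'MS17-010 package installed'
    } elseif ($isWin10) {
        'No March 2017 KB listed; confirm the cumulative update level is at or past March 2017'
    } else {
        'MS17-010 NOT found: install it now and take a clean backup'
    }

    $note = if ($smb1On) {
        'SMBv1 server is enabled; EternalBlue targets SMBv1, so disable it unless something still needs it'
    } else {
        'SMBv1 server disabled'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $os.BuildNumber
        Ms17010KbsFound = ($found | ForEach-Object { $_.HotFixID }) -join ', '
        Smb1ServerOn    = $smb1On
        Verdict         = $verdict
        Note            = $note
    }
}

Get-Ms17010Status | Format-List
```

    Run it on one machine first; for a fleet, wrap Get-Ms17010Status in Invoke-Command against your host list and sort on the Verdict column. Disabling SMBv1 is the compensating control while the patch is rolling out, not a substitute for installing it.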

    UPDATE: Darien Huss reports that

    #WannaCry propagation payload contains previously unregistered domain, execution fails now that domain has been sinkholed

    Looks like the number of new infections has tapered off.

    Nonetheless, get patched, folks.

    PLEASE: If you’re going to manually install updates (“Group B” style), you have to keep up with the patching pace. Microsoft released this patch on March 14, without describing its genesis. On April 14, Shadow Brokers released the exploits. By April 24, it became apparent that the EternalBlue exploit was being used to infect normal machines. Prior to that, there was some doubt as to how many machines were infected, and whether the infections were geared toward non-military-grade targets.

    Those in Group A were much less likely to get hit because each of the March and April Monthly Rollups had the patch. I gave the go-ahead for March Monthly Rollup on March 30 and the April Monthly Rollup on April 25. If you had applied patches either time, you’d be all clear right now.

    If you’re in Group W and don’t install patches — well, now you know one reason why I don’t recommend Group W.

    Good technical summary here on Github.

    Into conspiracy theories? How about a weapons test that was intentionally disabled with a killswitch before the US woke up? Seems plausible. Cisco’s Talos blog has details.

    Or this one, in which the worm was released inadvertently by the Shadow Brokers and the Russian government.