Oscar Williams

News editor

A year after WannaCry, the EternalBlue exploit is rearing its head again

It’s nearly a year since WannaCry ransomware forced doctors to cancel thousands of operations around the country. While detections of the virus declined shortly after the attack, the exploit it leveraged re-emerged in high-profile variants of malware later in the year.

According to researchers at ESET, the exploit – dubbed EternalBlue – is now rearing its head again. The security firm’s telemetric data suggests detections are soaring, with one spike last month surpassing the peaks linked to WannaCry and the later NotPetya strike.

“Since September last year, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018,” writes ESET’s Ondrej Kubovič. “One possible explanation for the latest peak is the Satan ransomware campaign seen around those dates, but it could be connected to other malicious activities as well.”

The data suggests that despite the prominence of the two Windows viruses and the fact that Microsoft shipped patches before they started spreading, many computers around the world remain unpatched and unprotected.

A recent survey conducted by Webroot suggests that organisations may feel more prepared for ransomware than they really are. While 88 per cent of IT leaders feel better equipped to deal with an attack following WannaCry, 45 per cent have suffered a ransomware attack and 23 per cent paid up. More than a third don’t have a regular back-up system, 40 per cent haven’t invested more money in defences and 46 per cent haven’t held staff training on ransomware.

David Kennerley, director of threat research at Webroot, warned that while awareness of ransomware has risen, “organisations still aren’t investing the necessary time and resources in risk mitigation and recovery processes, leaving them with limited options in case of a successful attack”.

In the months following WannaCry and NotPetya, US and UK intelligence agencies linked North Korea and Russia to the two attacks respectively. However, EternalBlue, one of the exploits common to both viruses, had been developed and stockpiled not by hackers in Pyongyang and Moscow, but by America’s National Security Agency.

In an interview with Spotlight published earlier this month, Robert Hannigan, the former director of GCHQ, described the development of exploits by intelligence agencies as a “genuinely difficult” ethical issue.

“If you want agencies to do difficult things you have to have some tools to do it,” he said. “But I agree that in most cases [vulnerabilities] should be reported because certainly for GCHQ, the first responsibility is the safety of the public.”