'WannaCry' ransomware attack spreads worldwide (update)

It exploits supposedly NSA-developed vulnerabilities on unpatched Windows systems.

BeeBright via Getty Images

England's healthcare system came under a withering cyberattack Friday morning, with "at least 25" hospitals across the country falling prey to ransomware that locked doctors and employees out of critical systems and networks. It's now clear that this is not a (relatively) isolated attack but rather a single front in a massive digital assault.

Update 2 (5/13): In response to infections like the ones that crippled parts of the NHS system, Microsoft is releasing a patch for unsupported systems including Windows XP, Windows 8 and Windows Server 2003.

Organizations in dozens of countries have all been hit with the same ransomware program, a variant of "WannaCrypt," spouting the same ransom note and demanding $300 for the encryption key, with the demand escalating as time passes.

Screenshot of live-updating map of WCrypt infections

The infection vector appears to work through a known vulnerability, originally exploited as "ETERNALBLUE" and developed by the National Security Agency. That information was subsequently leaked by the hacking group known as The Shadow Brokers which has been dumping its cache of purloined NSA hacking tools onto the internet since last year.

The virus appears to have originally spread via email as compressed file attachment so, like last week's Google Docs issue, make sure you confirm that you email's attachments are legit before clicking on them. Once it's on one system, it can easily spread across private networks using a flaw in the Windows SMB Server.

Also, make sure your computers are using software that's still receiving security updates, and that you've installed the latest updates available. Microsoft released a fix for the exploit used as a part of its March "Patch Tuesday" release, but unpatched Windows systems remain vulnerable.

Update: In a statement, Microsoft indicated that engineers have added detection and protection against the "Ransom:Win32.WannaCrypt" malware, so make sure your Windows Defender or other antivirus is updated before logging on to any corporate networks that may be infected.

A FedEx representative confirmed its systems are being impacted, saying "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers."

For now, new infections will not continue to lock systems, since the person behind @MalwareTechBlog registered a domain the software checks before proceeding. Now that the site is active, it's acting as a killswitch, however as they've noted, someone could easily modify the code and begin infecting computers all over again.


Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software or have Windows Update enabled, are protected. We are working with customers to provide additional assistance.