The cyber attack, which according to data already affects more than 230,000 computers in 179 countries, is beginning to mutate. Researchers have not yet found any trace of the culprits, nor do they know whether there is a relationship between the cybercriminals who designed the “ransomware” and those who programmed the computer worm that exploits the vulnerabilities found by the NSA.
This is the chronology of WannaCry, one of the most serious computer viruses in recent history:
Friday, May 12: A cyber attack is reported
- The first sign of the virus came from the headquarters of the operator Telefónica. Its employees confirmed to various media that management had asked them to turn off their computers immediately: the internal network had been compromised.
- The first reports pointed only to the last link in the chain, a program that hijacked the files on the victim machine and demanded a ransom, payable in bitcoins, to recover them. It was soon detected that this executable was distributed by a computer worm that took advantage of a vulnerability that the NSA had stored, that Shadow Brokers leaked and that Microsoft patched.
- The National Cryptological Center quickly published a statement warning of the situation and clarifying basic concepts about the attack. Panic began to spread through organizations and companies, which denied any incident despite the fact that more than 1,000 cases had already been confirmed.
The virus spreads to hospitals in the United Kingdom and becomes a global threat
- The infection began to spread uncontrollably, and the first cases were reported in at least 16 hospitals in the United Kingdom. The phenomenon became global. Theresa May, the prime minister, said that “there has not been an attack specifically directed against the National Health Service” and stressed that “there is no indication that patient information has been compromised.”
- It also reached the United States. FedEx issued a statement confirming that its systems were experiencing interference due to “malware”. Employees, through social networks and Reddit, described how the infection had stopped numerous key conveyor belts used for delivering orders.
- Independent cybersecurity experts from around the world began to investigate the intricacies and enigmas of the attack. The big security companies warned of an alarming number of infections that continued to increase exponentially.
The “ransomware” was only part of the cyber attack
- It was soon confirmed that the “ransomware” was only part of the cyber attack, a portable executable that encrypted the files in exchange for a ransom. The infection was spread through a computer worm that exploits a vulnerability in the Samba network sharing protocol.
- The vulnerability had been exploited by the NSA for its own purposes. Shadow Brokers managed to access its documentation and leaked it, with Wikileaks acting as a loudspeaker. The cybercriminals behind this massive attack used this information.
- The young Briton known by the pseudonym “MalwareTech” became the hero of the night by stopping the spread of the virus. The researcher discovered that the propagation could be stopped by controlling the server that the malicious program calls. And so it was: for just 10 dollars, MalwareTech managed to activate the “kill switch”, the emergency shutdown button of the massive cyberattack.
- This switch could be interpreted as a flaw in the attack, although the hypothesis gaining the most strength right now is that the criminals included it on purpose, either to control the spread or as a simple experiment. The “amateur” way in which the money is sent to bitcoin wallets lends weight to this hypothesis.
Saturday, May 13: The cyber attack continued to devastate
- The French vehicle manufacturer Renault, the Japanese manufacturer Nissan and the Russian Ministry of Interior were affected. The virus had already spread to a hundred countries, affecting more than 90,000 computers, according to computer security companies.
- Microsoft, in an unprecedented move, decided to publish a patch resolving the vulnerability in Samba for operating systems that are no longer supported, such as Windows XP.
- The attack exposed the companies and organizations that had not installed a critical security patch published two months before the attack spread.
- Some companies, such as Telefónica, defended themselves by citing the importance of making sure that a patch does not disrupt the operation of equipment and businesses. Chema Alonso gave his version on his blog.
Sunday, May 14: Microsoft denounces the role of governments in cyber attacks
- Brad Smith, president of Microsoft, said the attack provides another example of why it is a problem for governments to stockpile software vulnerabilities for their own interests. He called for cooperation between companies, consumers and governments. He clearly pointed to the NSA as one of those responsible for the disaster.
- Experts began to detect variants of the attack. Most of them were quite “amateur”, produced by editing the hexadecimal code of the portable executable to change the file information or the domain that acted as the “kill switch”.
- The National Cryptological Center launched a preventive tool for numerous versions of Windows.
Monday, May 15: China detects a new virus mutation
- China discovered a new version of the virus that bypassed the security measures implemented after the first attack.
- Europol raised the number of victims to 230,000 in 179 countries.
- Independent researchers found similarities between the “ransomware” and the code used by the Lazarus Group, a group of cybercriminals linked to North Korea. It all started with an enigmatic public tweet by a Google security engineer. Symantec and Kaspersky found these similarities, and although they cannot certify the group's authorship, they believe it is enough to open a deeper investigation.