This screenshot is just one example: the IT systems of around 40 National Health Service (NHS) hospitals across the UK have been affected by a ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the attack. Cybersecurity experts have long used the phrase "where bits and bytes meet flesh and blood" to describe a cyberattack in which someone is physically harmed.
Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack "the biggest ransomware outbreak in history." This is a cyber pandemic caused by a ransomware weapon of mass destruction.
Non-health-focused organizations around the world are also being affected, including FedEx Corp, Renault, Russian banks, gas stations in China, and the Spanish telecommunications firm Telefonica, which reported 85% of its systems being down as a result of a cyberattack earlier today. Ironically, the Russian Interior Ministry has 1,000 machines encrypted. Even the German Railways were infected.
The strain is called "Wanna Decrypt0r" and asks $300 from victims to decrypt their computers. This monster has infected over 100,000 systems in more than 100 countries. Here is an animated map created by the NY Times, and the Wall Street Journal created an infographic:
Bleepingcomputer said: "Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r's operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. “Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”
The ransom starts at $300 for the first 6 hours, and you've got up to 3 days to pay before it doubles to $600. If you don't pay within a week then the ransomware threatens to delete the files altogether. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action. A sense of hope is granted by virtue of the ability to decrypt a sample selection of the files.
The ransomware's name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it "Wana Decrypt0r," this is the name we'll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March."
Kaspersky Lab also reports that the "Wana" ransomware has numerous languages available and was designed to affect multiple countries.
Sky News Technology Correspondent Tom Cheshire described the attack as "unprecedented". The ransomware is using NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits which were made public earlier this year by a group calling itself the Shadow Brokers.
Former U.S. intelligence contractor Edward Snowden pointed the finger at the NSA, implying the agency was responsible for exploiting a weakness in Windows. “If NSA builds a weapon to attack Windows XP—which Microsoft refuses to patch—and it falls into enemy hands, should NSA write a patch?” he wrote on Twitter late Friday.
The initial infection vector is a phishing email.
“The majority of ransomware is from phishing attacks, whether that’s a receptionist or a doctor on a smartphone,” said Emily Orton, founder of British cybersecurity company Darktrace.
According to CrowdStrike's vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a password-protected .zip file; the email uses social engineering to persuade the victim to unlock the attachment with the password, and once the contents are opened, that initiates the WannaCry infection.
But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. "This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire," CrowdStrike's Meyers told Forbes. "It's going through financials, energy companies, healthcare. It's widespread."
“We encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school,” the U.S. Department of Homeland Security said in a statement released late Friday. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.” Here is a technical nosedive of the Wana malware.
If you can, apply this patch immediately.
After the initial infection, the malware spreads like a worm via SMB, the Server Message Block protocol used by Windows machines to access file shares over a network. According to Cisco's TALOS team:
The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.
From what we have been able to learn, Wana spreads through SMB, so when we're talking about machines behind firewalls being impacted, it implies ports 139 and 445 being open and at-risk hosts listening for inbound connections. It'd only take one machine behind the firewall to become infected to then put all other workstations and servers at risk, because it is a true worm.
In the meantime, harden yourselves against this Windows Network Share vulnerability, ensure that all systems are fully patched with the "MS17-010" security update (link below), and remind all staff to Think Before They Connect when they receive any out-of-the-ordinary emails.
Redmond issues emergency patch for WinXP
Microsoft has also released out-of-band patches for older versions of Windows to protect against Wana, because the original patch did not include XP/Win8. "This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind," the company told customers in a blog post.
Besides installing these out-of-band updates — available for download from here — Microsoft also advises companies and users to disable the SMBv1 protocol, as it's an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3.
Customers can now download security updates for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.
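The two hardening steps above (confirm MS17-010 is installed, disable SMBv1) plus a firewall block on the ports the worm uses (139/445) can be checked and applied from one elevated PowerShell session. The script below is an added example, not Microsoft's or the article's own code. The KB numbers are the MS17-010 update identifiers I know of for each OS family; treat the list as an assumption to verify against the MS17-010 bulletin, and note that a later cumulative update can supersede them, so "KB not found" is not proof of exposure. `C:\` paths, the mount point and the firewall rule name are illustrative.

```powershell
# Added example: audit and harden a Windows host against the SMBv1 spreading
# vector. Run in an elevated PowerShell session; reboot afterwards.

# ASSUMPTION: MS17-010 KB identifiers per OS family. Verify against the bulletin.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Get-HotFix reads the installed-updates list that Windows Update maintains.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 KB found. A newer cumulative update may supersede it; check patch history before assuming the host is unpatched.'
    return $false
}

function Get-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: the LanmanServer SMB1 registry value (absent = enabled).
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return [bool]$v.SMB1
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 8.1 / Server 2012 R2 and later also ship SMB1 as an optional feature.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                                       -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmbFromInternet {
    # Drop TCP 139/445 arriving from outside the local/intranet address ranges.
    # Same-subnet file sharing keeps working; tighten -RemoteAddress to your own
    # allow-list if this host should not serve SMB at all (assumption: rule name is free to choose).
    New-NetFirewallRule -DisplayName 'Block inbound SMB 139/445 from Internet' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 `
        -RemoteAddress Internet -Action Block | Out-Null
}

# Is anything actually listening on the worm's ports right now?
$listening = Get-NetTCPConnection -LocalPort 139,445 -State Listen -ErrorAction SilentlyContinue
if ($listening) { Write-Host "SMB listeners: $($listening.LocalPort -join ', ')" }

$null = Test-Ms17010Installed
if (Get-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it.'
    Disable-Smb1
}
Block-InboundSmbFromInternet
Write-Host 'Reboot for the SMBv1 change to take effect.'
```

Run it per host, or wrap the body in `Invoke-Command -ComputerName` for a fleet. Disabling SMBv1 breaks clients that still depend on it (very old printers, NAS boxes, XP machines), so inventory those first rather than discovering them by outage.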
If your network has been infected, what to do?
This ransomware strain cannot be decrypted with free tools. Research shows the encryption is done with RSA-2048. That means decryption will be next to impossible, unless the coders made a mistake that has not been found yet.
Your best bet is to pay or recover from backups, and if your backup failed or does not exist, try a program like Shadow Explorer to see whether the ransomware failed to delete your Shadow Volume Copies. If a user did not click Yes at the UAC prompt (deleting shadow copies requires elevation), there is a chance those are still available to start the recovery. Here is How to recover files and folders using Shadow Volume Copies. (UAC image courtesy Bleepingcomputer).
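Shadow Explorer is a GUI; the same check and recovery can be done from an elevated PowerShell prompt, which is handy when you are triaging many machines. The script below is an added example written for this article, not part of Shadow Explorer or the Bleepingcomputer guide. The mount point `C:\ShadowRecovery` and destination `D:\Recovered` are assumptions; pick a drive that the ransomware did not touch. Run it after the machine has been isolated from the network.

```powershell
# Added example: find surviving Volume Shadow Copies on an infected host and
# expose the newest one read-only so files can be copied out. Run elevated.

function Get-SurvivingShadowCopies {
    # Win32_ShadowCopy lists the same snapshots as 'vssadmin list shadows'.
    # Empty output usually means the ransomware got elevation and wiped them.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, DeviceObject, VolumeName, InstallDate |
        Sort-Object InstallDate -Descending
}

function Mount-ShadowCopy {
    param(
        # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        [Parameter(Mandatory)] [string] $DeviceObject,
        [string] $MountPoint = 'C:\ShadowRecovery'   # ASSUMPTION: free path
    )
    # A directory symbolic link onto the snapshot device gives a browsable,
    # read-only view of the pre-encryption file tree. mklink needs the
    # trailing backslash on the target.
    cmd /c "mklink /d `"$MountPoint`" `"$DeviceObject\`"" | Out-Null
    return $MountPoint
}

$snapshots = Get-SurvivingShadowCopies
if (-not $snapshots) {
    Write-Warning 'No shadow copies present; the ransomware (or something else) removed them. Fall back to backups.'
    return
}

# Show what survived and when each snapshot was taken, newest first.
$snapshots | Format-Table -AutoSize

$newest = $snapshots | Select-Object -First 1
$mp = Mount-ShadowCopy -DeviceObject $newest.DeviceObject

# Copy out of the snapshot rather than working inside it; -Recurse keeps the
# folder layout. 'Users' is the usual target; adjust to what you need to recover.
Copy-Item -Path (Join-Path $mp 'Users') -Destination 'D:\Recovered' -Recurse -ErrorAction Continue

# Remove the link when done (the snapshot itself is untouched).
cmd /c "rmdir `"$mp`"" | Out-Null
```

Check the `InstallDate` column before trusting a snapshot: one taken after the infection started will contain encrypted files too, so pick the newest snapshot that predates the ransom note.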
What Can Be Done To Stop These Bad Guys?
It's possible but difficult. The money has reportedly been flooding into hackers' accounts already, and investigators can track the money and see where the bitcoin ends up. “Despite what people tend to think, it's highly traceable,” Clifford Neuman, who directs the University of Southern California's Centre for Computer Systems Security, told the Washington Post.
“You can see the flow of funds through the bitcoin system.” However, hackers are still able to hide and launder the bitcoin in many different ways. Investigators will also examine the code itself, as hackers often leave identifiable traces of their work. You can watch as some of these wallets receive money in real time.
Here Are 8 Things To Do About It (apart from having weapons-grade backup)
UPDATE [May 13, 2017, 3:57 PM EST]: It looks like the spread of the Wana Decrypt0r ransomware has been temporarily halted after security researcher MalwareTech registered a hardcoded domain included in the ransomware's code, which was functioning as a kill switch. Cisco Talos has confirmed the information.
“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” MalwareTech tweeted late on Friday. “So I can only add ‘accidentally stopped an international cyber attack’ to my résumé.”
However, this is just a temporary measure. For the bad guys, it's a one-line code change to remove the kill switch, and the infection process starts again. You can hope that your endpoint protection blocks it, but do not count on that. The way to prevent this infection is the 8 steps above, and of course it helps to have your users trained within an inch of their lives to spot phishing red flags.