WannaCry is making headlines again, and this time it hit a major target: Boeing. The aerospace company quickly contained the infection, which only spread to a couple dozen computers.
“Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production or delivery issue,” the company said in a statement.
Boeing isn’t offering details about the attack, but said initial reports about a devastating attack were “overstated and inaccurate.” Only computers with Boeing’s commercial airline business were affected; the company’s defense and services lines were not.
WannaCry originally appeared in May 2017, infecting unpatched Windows systems with the help of leaked NSA hacking tech. Over 200,000 machines were hit in what quickly became a computer worm. Fortunately, a security researcher activated a “kill switch” in the ransomware that effectively neutralized the attacks, but not completely.
The kill switch has an important caveat: it can only stop new WannaCry infections when the target machine can go online to reach a special web domain. If the machine reaches that domain, the ransomware is told to stand down. What happens when a machine fails to reach the special web domain? Well, then there’s nothing to hold the infection back. Security researchers say the ransomware will attack the computer, encrypting all the data inside.
The threat is particularly relevant for enterprises that run Windows systems with limited or no internet access. “Most of the systems inside a manufacturing network are not configured to talk to the internet,” said Jake Williams, founder of IT security provider Rendition Infosec. “As a result, they can’t access the kill switch domain.”
How Boeing was infected with WannaCry isn’t clear. But the company isn’t alone. Williams said he knew of at least three other organizations hit with manufacturing stoppages from new WannaCry infections over the last six months. In one case, a vendor accidentally brought an unpatched laptop carrying a live WannaCry infection into a corporate network.
“We think it was infected at another client site the vendor was working at, hibernated, and then brought to the new site,” Williams said. The infection then “tore through the network like a hot knife through butter,” he added.
To this day, some computers remain live carriers of WannaCry. These machines likely became hosts of the ransomware before the kill switch was activated, but for whatever reason were never shut down. They continue to scan the internet for unpatched Windows systems in an attempt to spread. However, the infections are harmless, except when access to the kill switch is denied, said Salim Neino, CEO of security provider Kryptos Logic. “Systems which cannot connect or reach it directly are at serious risk,” he added.
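As an added illustration (not from the article or anyone it quotes), the Python below audits an egress log to find network segments that cannot reach the kill switch domain and so depend entirely on patching. The domain is a placeholder because the article does not name it; the log format, segment names and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder: the article does not name the kill switch domain.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Constructed egress log (hypothetical format): time, source IP, destination, action.
SAMPLE_LOG = """\
2024-01-15T09:14:02Z 10.10.1.15 killswitch.example.invalid ALLOW
2024-01-15T09:14:07Z 10.20.5.40 killswitch.example.invalid DENY
2024-01-15T09:15:30Z 10.20.5.41 updates.example.invalid DENY
2024-01-15T09:16:11Z 10.10.1.22 killswitch.example.invalid ALLOW
2024-01-15T09:17:45Z 10.30.0.9 killswitch.example.invalid DENY
2024-01-15T09:18:03Z 10.30.0.9 killswitch.example.invalid ALLOW
malformed line
"""

# Constructed segment inventory (hypothetical names and ranges).
SEGMENTS = {"office": "10.10.0.0/16", "manufacturing": "10.20.0.0/16",
            "lab": "10.30.0.0/16", "scada": "10.40.0.0/16"}

def audit(log_text, segments, domain=KILL_SWITCH_DOMAIN):
    """Classify each segment by the firewall actions seen for the domain."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
    seen = defaultdict(set)  # segment name -> set of actions observed
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].lower().rstrip(".") != domain:
            continue  # malformed line or unrelated destination
        try:
            src = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        for name, net in nets.items():
            if src in net:
                seen[name].add(parts[3].upper())
    labels = {frozenset({"ALLOW"}): "reachable", frozenset({"DENY"}): "blocked"}
    status = {}
    for name in nets:
        actions = frozenset(seen.get(name, ()))
        # No log entries proves nothing: isolated segments may never hit the firewall.
        status[name] = labels.get(actions, "partial") if actions else "no-data"
    return status

def patch_first(status):
    """Segments where the kill switch cannot be relied on at all."""
    return sorted(name for name, s in status.items() if s != "reachable")

if __name__ == "__main__":
    result = audit(SAMPLE_LOG, SEGMENTS)
    print(result)
    print("Patch first:", patch_first(result))
```

A segment with no log entries is reported as `no-data` rather than safe, since machines that are not configured to talk to the internet may generate no egress records at all.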
Enterprises that want to eliminate any potential run-ins with the notorious ransomware should install Microsoft’s patches, which can stop the threat.