Security experts are scratching their heads after ransomware identical to WannaCry was found on LG self-service kiosks in South Korea this week.
The kiosks, in LG service centers, seem to have first become affected on Monday morning, with the state-run Korea Internet & Security Agency (Kisa) called in to help.
“We found that samples of the malicious code were identical to the WannaCry ransomware attack. More investigation is still needed to determine the exact cause,” a Kisa spokesperson said.
LG maintained that the service center network was shut down before the ransomware even had a chance to encrypt key files or demand payment.
Security updates were applied to the affected kiosks, which seems to have done the job, according to The Korea Herald. That could indicate that in spite of the huge publicity surrounding WannaCry when it spread globally this May, the kiosks still hadn’t been patched against a key Microsoft SMB vulnerability the threat exploited.
WannaCry is thought to have hit over 200,000 computers in more than 150 countries when it landed on 12 May.
Jovi Umawing, malware intelligence researcher at Malwarebytes, argued that WannaCry is just one of several worms “constantly scanning the internet for vulnerable hosts.
“Therefore existing infected machines will continue to ‘broadcast’ to the outside until they are taken offline. In the meantime, any computer that has its SMB ports exposed and where the patches haven’t been applied, will be compromised when it comes up online,” she added.
“Although ransomware is what most are focused on at the moment, remember that other malware can also take advantage of a number of vulnerabilities that WannaCry attacks. The worm, MicroBotMassiveNet, is one example. We cannot stress enough on the importance of keeping and maintaining an up-to-date system.”
Tripwire EMEA manager, Dean Ferrando, likened the reappearance of the threat to Conficker.
“Conficker hit us in 2008 with a similar attack, causing an outbreak globally. Companies patched and secured their systems but months after the outbreak, Conficker was still infecting companies that hadn’t taken the necessary precautions,” he explained.