Twelve Australian businesses hit by WannaCrypt

MalwareTech's global map of infections.

Infections spreading.

Twelve small Australian businesses have reported falling victim to the WannaCrypt ransomware currently menacing the globe.

The federal government late this afternoon revealed reports of WannaCrypt/WannaCry infections locally had grown from three to eight, as employees returned to work after the weekend and booted up vulnerable Windows PCs.

On Tuesday morning it upped the count to 12.

Cyber minister Dan Tehan said those reporting infections were all small businesses. He said no critical infrastructure operators or government agencies had been impacted.

Tehan urged organisations to be "proactive" about their IT security in the face of the WannaCrypt global ransomware campaign.

A global tracker of the malware built by UK researcher MalwareTech - who stopped the ransomware from spreading further over the weekend simply by buying a domain - indicates the rate of infection in Australia could be much higher than the confirmed eight reports.

The map suggests many dozens of businesses could be infected in Australia.

The ransomware tracker counts the volume of queries made to MalwareTech's registered domain, which is a fundamental part of WannaCrypt's operations; the ransomware abandons its attack if it can connect to the previously unregistered domain. 

It is unclear whether MalwareTech's tracker is counting each query to the domain - which would include people simply navigating to the website out of curiosity - or whether it has filtered for actual infections. MalwareTech has been contacted for comment.

Further research by Edward Farrell of Mercury Information Security Services indicates the victim count could be far higher.

The ransomware exploits a flaw in Microsoft's Server Message Block (SMB) v1 file sharing protocol to carry out its attack. Microsoft issued a patch to fix the flaw for its supported systems in March.

It quickly put out a "highly unusual" security patch for the out-of-support Windows XP, Windows 8, and Windows Server 2003 operating systems over the weekend to protect its customers.

Those struggling to patch have been advised to consider disabling SMBv1 altogether in the interim, and all organisations should block SMB ports (139, 445) from all externally accessible hosts.
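
The interim mitigations above, sketched for a single Windows host as an added example (not from the original article or from Microsoft's guidance). It assumes Windows 8 / Server 2012 or later and an elevated PowerShell session; the function name and firewall rule name are hypothetical.

```powershell
# Added example: audit and apply the interim SMB mitigations on one host.
# Assumptions: Windows 8 / Server 2012 or later, elevated session.
# Set-SmbInterimMitigation and the rule name are hypothetical names.
function Set-SmbInterimMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Firewall profile on which inbound SMB is blocked. 'Public' leaves
        # file sharing on Domain and Private networks untouched.
        [string]$BlockProfile = 'Public',
        [string]$RuleName = 'Block inbound SMB (interim)'
    )

    # 1. Record the current state before changing anything.
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object -ExpandProperty LocalPort -Unique

    # 2. Stop the SMB server from negotiating SMBv1.
    if ($before -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # 3. Block inbound TCP 139 and 445 on the chosen profile, only once.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $existing -and $PSCmdlet.ShouldProcess($RuleName, 'Create firewall rule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort 139, 445 -Profile $BlockProfile `
            -Action Block | Out-Null
    }

    # 4. Return a summary object that can be collected across hosts.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1EnabledBefore = $before
        Smb1EnabledNow    = (Get-SmbServerConfiguration).EnableSMB1Protocol
        ListeningPorts    = $listening -join ','
        FirewallRule      = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

# Preview the changes; remove -WhatIf to apply them.
Set-SmbInterimMitigation -WhatIf
```

A host firewall rule does not replace blocking the same ports at the network perimeter, and neither step replaces installing the patch.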

The government's Australian Cyber Security Centre is fielding calls on the ransomware through its 1300 CYBER1 hotline.

At last count, more than 200,000 computers across 150 countries have been attacked, with Russia and Britain among the worst hit.

"This ransomware attack is a wake-up call to all Australian businesses to regularly back up their data and install the latest security patches," Tehan said in a statement.

Updated to reflect growing victim count and Farrell's research.

Copyright © iTnews.com.au . All rights reserved.