
Secplicity - Security Simplified

Powered by WatchGuard Technologies

WCry 2.0 (WannaCry, WanaCrypt0r) Ransomware Update

May 15, 2017 By The Editor

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 (also called WannaCry, WanaCrypt0r, and WannaCrypt) began to infect organizations across the world. Within several hours, over 75,000 victims were reported in 90+ countries, including hospitals in the UK, telcos in Spain and the Russian ministry, to name a few.

Initial analysis of the ransomware appears to show it spreading via MS17-010, a critical SMB vulnerability in the Microsoft Windows operating system that was recently disclosed as part of the Shadow Brokers dump of NSA hacking tools. It is believed, though, that the ransomware is first delivered via emails with a zip attachment.

As WatchGuard’s CTO, Corey Nachreiner, details in this Daily Security Byte, implementing a layered approach to security is vital to stopping threats like this.

  • WatchGuard’s Gateway AntiVirus (GAV) does catch many variants of this new ransomware.
  • More importantly, our APT Blocker’s behavioral detection can catch all seen strains of WCry. APT Blocker’s sandbox-based detection will continue to detect and block future variants.
  • Finally, our Intrusion Prevention Service (IPS) can catch the NSA leaked vulnerability — the MS17-010 vulnerability (signatures: 1133635, 1133636, 1133637, 1133638) — that this ransomworm uses to spread internally.

IT administrators should install the latest Windows security updates to resolve the MS17-010 vulnerability. Additionally, WatchGuard customers should enable Gateway AntiVirus, APT Blocker, and IPS to stop the ransomware at their network perimeter.

Tips for ransomware targets/victims:

  • Patch as quickly as possible, so that you’re always up to date with the latest software.
  • Recognize that relying on outdated systems and software that are no longer supported by the manufacturer poses a serious security threat, since you can’t fix vulnerabilities. Some organizations are unable to replace or update legacy systems, but if you can’t get rid of it, realize you’ll have to do more to protect it. Also, despite being end-of-life, patches are available for Windows XP and Server 2003.

If you’ve fallen victim to WCry 2.0:

  • First, remove infected computers from your network as quickly as possible. This attack seems to leverage a Windows networking vulnerability to spread to many computers in a network. It is unclear if that capability is built directly into the ransomware itself, or if it’s built into an accompanying spreader file. In any case, you want to separate compromised computers from the rest of your network to avoid further infection.
  • Second, keep your encrypted files for a few weeks. If you don’t have backups, there is still a very small chance you can get your files back. A lot of modern ransomware uses solid encryption ciphers that the industry can’t break. However, there are still plenty of malware authors that mess up. At least one researcher has tweeted that WCry 2.0 might have done its encryption in a way that researchers might be able to crack. Don’t bank on this, but keep your encrypted files around just in case a researcher does figure out a way to recover them.
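The internal spreading described above leaves a simple footprint in firewall or flow logs: one internal host opening SMB (TCP/445) connections to many distinct internal hosts in a short window. The following is an added example (not part of the original post or any WatchGuard product) that flags such hosts as candidates for isolation; the log format, addresses, 60-second window and threshold of five targets are all constructed assumptions.

```python
"""Flag internal hosts showing worm-like SMB fan-out (many distinct
TCP/445 destinations in a short window). Added example; the log
format, hosts, window and threshold are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow records: "timestamp src dst dport"
SAMPLE_LOG = """\
2017-05-12T11:00:01 10.0.1.25 10.0.1.40 445
2017-05-12T11:00:02 10.0.1.25 10.0.1.41 445
2017-05-12T11:00:02 10.0.1.25 10.0.1.42 445
2017-05-12T11:00:03 10.0.1.25 10.0.1.43 445
2017-05-12T11:00:03 10.0.1.25 10.0.1.44 445
2017-05-12T11:00:04 10.0.1.25 10.0.1.45 445
2017-05-12T11:00:10 10.0.1.7 10.0.1.10 445
2017-05-12T11:00:12 10.0.1.7 10.0.1.11 445
2017-05-12T11:00:30 10.0.1.9 93.184.216.34 443
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def parse(log_text):
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout_hosts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: distinct_dst_count} for internal sources that reached
    at least `threshold` distinct internal hosts on TCP/445 within one window."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for ts, src, dst, dport in parse(log_text):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport != 445 or src_ip not in INTERNAL or dst_ip not in INTERNAL:
            continue  # only internal-to-internal SMB is lateral movement
        events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for host, count in smb_fanout_hosts(SAMPLE_LOG).items():
        print(f"isolate {host}: {count} distinct SMB targets in 60s")
```

Tune the threshold to your environment; file servers and vulnerability scanners legitimately fan out on 445 and belong on an allowlist.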

Additional WatchGuard Info:

  • https://www.secplicity.org/2017/05/14/wcry-2-0-potential-ransomworm-daily-security-byte/
  • http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000Ks7SAE&lang=en_US
  • Total Security Suite: https://www.watchguard.com/wgrd-resource-center/how-to-buy
  • Daily Security Byte, WCry 2.0: Potential Ransomworm: https://www.youtube.com/watch?v=-q5msulQDrg

For more information, see:

  • https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/
  • https://blog.malwarebytes.com/cybercrime/2017/05/wanacrypt0r-ransomware-hits-it-big-just-before-the-weekend/
  • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • https://docs.microsoft.com/en-us/msrc/customer-guidance-for-wannacrypt-attacks


Filed Under: Editorial Articles, Featured

Comments

  1. Ste says

    May 16, 2017 at 10:58 pm

    Has WCry been spread via https and if so, are users vulnerable by not having DPI active on the appropriate firewall proxy?

    Reply


Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use