On Friday, May 12, 2017, a ransomware attack known as “WannaCry” or “WannaCryptor” (detected by ESET as Win32/Filecoder.WannaCryptor.D) began to spread across the globe at an unprecedented scale and speed, misusing the leaked US National Security Agency (NSA) exploit EternalBlue.
The most dangerous element is not the WannaCryptor ransomware itself but the EternalBlue exploit, which abuses a vulnerability in unpatched Microsoft systems and allows the infection to spread to other unpatched computers.
While the WannaCryptor ransomware remains the most visible threat, the exploit can still be used in the wild by any other malware, not only ransomware.
For our customers: Yes, ESET detects and blocks the WannaCryptor.D threat and its variants as well as detects and blocks the EternalBlue exploit. None of our customers using current product versions with proper settings has reported an infection related to the WannaCry attack.
ESET security solutions use multiple protective technologies:
- ESET Network Attack Protection constitutes an important layer of protection against WannaCryptor. The technology blocks the NSA-originated exploit (known as EternalBlue) used to spread WannaCryptor.D at the network level.
- ESET DNA Detections can identify specific known malware samples and their variants, or even previously unseen or unknown malware that contains genes indicating malicious behavior. In this case, the DNA Detection technology identifies and blocks WannaCryptor.D files.
- ESET Advanced Memory Scanner steps in to detect and block activity of WannaCryptor.D at the memory level.
Attempts to exploit the leaked vulnerability had been detected, reported on, and stopped well before the outbreak of WannaCry – ESET’s network detection of the EternalBlue exploit was added on April 25. On Friday, May 12, ESET increased the protection level for the WannaCry threat via updates to the detection engine. (For more information on ESET products that prevent a WannaCry infection, view our Customer Advisory.)
How does the attack work?
When WannaCry infiltrates a user’s computer, it encrypts the user’s files and instructs the victim to pay in Bitcoin in order to retrieve them. The ransom demanded for decryption of the files appears to be about $300. It then uses the EternalBlue exploit to reach other unpatched machines on the local network as well as across the internet. (For a real-time check of the amounts that the malicious actors have received in Bitcoin funds, go here.)
Reports of WannaCry started in Spain’s telecom sector and quickly spread from that point to healthcare organizations in the U.K., various commercial websites, entire enterprise sites, and just about every type of network in between. People from around the world posted screenshots of the malware from computers in offices, hospitals and schools.
What should you do to stay protected?
Attacks using the EternalBlue exploit had been appearing even before the surge of WannaCry – spreading an off-the-shelf cryptocurrency mining software – and as far as we can tell, these threats are still very much real. Please follow these steps to help keep your business protected in the wake of WannaCry.
- Ensure your Windows machines are up to date: Patches can be difficult to deploy across the entire network. However, you’ll want to install this one. It has been available since mid-April and actually stops the exploit from gaining a foothold in your environment. The patch listing for the full set of Equation Group files can be found here.
- Use anti-malware software: This is a basic but critical component. Just because it’s a server, and it has a firewall, does not mean it does not need anti-malware: it does. Always install a reputable anti-malware program. (And one that protects against the EternalBlue exploit.)
- Back up files: For companies hit by ransomware that do have current backups, the attack is not nearly as damaging. Make sure you always back up data, and regularly check to make sure your backup systems are working properly.
- Don’t pay up: We recommend that users don’t pay the ransom – be it in the case of WannaCry or any other ransomware. The much-repeated advice is now even more convincing seeing as there appears to be no reliable way for the attackers to match victims to payments and decrypt their files.
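One way to turn the patching advice above into a repeatable check, as an added example that is not ESET's code: a PowerShell script for a single Windows host that reports whether an MS17-010 update is installed, whether SMBv1 (the protocol EternalBlue targets) is still enabled, and whether port 445 is listening. The KB list, the registry fallback and the "Exposed" rule are assumptions drawn from Microsoft's MS17-010 bulletin and its SMBv1 guidance; verify them against the bulletin for your OS build before relying on the result.

```powershell
# Added example (not ESET's code): report whether this Windows host is
# exposed to the EternalBlue exploit that WannaCryptor uses to spread.
# Assumptions: the KB numbers below come from Microsoft bulletin MS17-010
# and should be checked against the bulletin for your OS build. On
# Windows 10, later cumulative updates supersede these KBs, so Get-HotFix
# alone can report "not found" on a fully patched machine.
# Run in an elevated PowerShell session.

function Test-Ms17010Installed {
    # Any one of these KBs present means the MS17-010 fix is installed.
    $kbs = @(
        'KB4012598',                            # XP / Vista / Server 2003 / Server 2008
        'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
        'KB4012214', 'KB4012217',               # Windows Server 2012
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
    )
    $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    return [bool]$installed
}

function Test-Smb1Enabled {
    # Preferred: the SMB server cmdlet (Windows 8 / Server 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [bool]$cfg.EnableSMB1Protocol
    }
    # Fallback for older systems: the LanmanServer SMB1 registry value.
    # A missing value means SMBv1 is enabled (the default on those systems).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $true }
    return ($value.SMB1 -ne 0)
}

function Test-Port445Listening {
    # Get-NetTCPConnection exists on Windows 8 / Server 2012 and later;
    # fall back to parsing netstat on older systems.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    return [bool](netstat -an | Select-String ':445\s+.*LISTENING')
}

function Get-EternalBlueExposure {
    $patched   = Test-Ms17010Installed
    $smb1      = Test-Smb1Enabled
    $listening = Test-Port445Listening

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Ms17010Installed = $patched
        Smb1Enabled      = $smb1
        Port445Listening = $listening
        # Assumed rule: exposed only when no MS17-010 KB is present, SMBv1 is
        # still enabled and the SMB port is reachable.
        Exposed          = (-not $patched) -and $smb1 -and $listening
    }
}

Get-EternalBlueExposure | Format-List
```

Treat a `Ms17010Installed = False` on Windows 10 as "verify manually" rather than "unpatched", for the supersedence reason noted in the comments. Where SMBv1 is not needed, `Smb1Enabled = False` is the more durable signal, since the exploit has nothing to talk to regardless of patch level.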
ESET has also been using threat intelligence to identify the characteristics of the NSA’s leaked exploitation files. There have been many detections of these objects. Within the last few weeks, we have seen increased activity, and do not expect it to stop anytime soon.
Our security research teams around the globe are working 24/7 and are continuing to track and monitor both EternalBlue and WannaCry and to report on what we find. We are releasing our most up-to-date research on Welivesecurity.com and sharing it via our social channels.
Follow @ESET on Twitter and/or Facebook for updates on this topic.