On Friday, May 12, 2017, ransomware known as WannaCry began spreading globally and changed how enterprises view cyber-threats.
Even as it continues to spread rapidly, we can confirm that ESET had been detecting and protecting against this threat, as Win32/Filecoder.WannaCryptor.D, prior to the outbreak.
Detected & Protected, but still a threat?
The apparent contradiction of the malware still wreaking havoc across the globe while ESET and other cybersecurity vendors' products detect and protect against WannaCry is explained by how it spreads: the malware leverages an exploit developed by the United States National Security Agency (NSA), known as EternalBlue, which attacks the SMBv1 file-sharing service on unpatched Windows hosts and lets Win32/Filecoder.WannaCryptor.D propagate at the network level.
Significantly, criminal attempts to weaponize the leaked exploit, first shared publicly last month by the hacker collective Shadow Brokers, had already been detected, reported on, and stopped by the cybersecurity community before this malware was created. However, because large numbers of PCs, by some reports hundreds of thousands, had not received the patch that closes the EternalBlue vulnerability, WannaCry has taken a significant toll on IT infrastructure globally.
Given the certainty of its global impact, ESET further increased its protection level against this threat on Friday via updates to our detection engine. (For more information on ESET products that prevent a WannaCry infection, see the Customer Advisory.)
How WannaCry does its damage
Once WannaCry runs on a computer, it encrypts files and instructs the victim to pay a ransom in Bitcoin to retrieve them; the demanded amount appears to be about $300. As noted above, what separates WannaCry from other ransomware and file-encrypting malware is its worm-like capability: it spreads by itself at the network level, with no action required from the user of the next victim machine.
Reports of WannaCry started in Spain's telecom sector and quickly spread to healthcare organizations in the U.K. This is particularly worrisome because the consequences are most dire for organizations in healthcare and other essential service sectors: encrypted patient records, doctors' files and other data may be unusable or inaccessible unless there is a good backup to restore from.
Thus the true cost extends far beyond the funds collected as ransom; it will be counted in lost time, lost files and, potentially, lives lost to this malware.
Fortunately, there is a lot you can do to protect yourself against this latest threat:
- Install anti-malware software – Whatever protection you use, install or set up a reputable anti-malware product and keep it updated. Give yourself a fighting chance of stopping this and future attacks before you are affected. As noted earlier, the ESET network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware was even created.
- Update your Windows machines – While patches can be hard to deploy across an entire network, this one is critical. Released by Microsoft in March 2017 as MS17-010, it stops the exploit from gaining a foothold in your environment; where patching must wait, disabling SMBv1 on hosts and blocking TCP port 445 at the network edge remove the path the worm uses. The entire patch listing of Equation Group files is located here.
- Back up files – For companies hit by ransomware that have current backups, the attack is not nearly as damaging. Always back up your data, keep at least one copy out of reach of the network a worm could traverse, and regularly test that your backups can actually be restored, not just that the backup job reports success.
- Be intelligent! – Follow research on infections, exploits and other information-security topics; knowing is half the battle. Critical tools and exploits are being leaked, created and shared globally, and knowledge is power.
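The checks behind the "update your Windows machines" bullet can be scripted so that every host in the estate reports the same two facts: whether an MS17-010 update is installed and whether the SMBv1 server is still enabled. The PowerShell below is an added example and not part of the original ESET post; it assumes the MS17-010 KB numbers Microsoft published for each Windows version in March 2017 (verify the list against the bulletin for your OS, and note that later Windows 10 cumulative updates supersede them), uses the SMB cmdlets available on Windows 8/Server 2012 and later, and falls back to the LanmanServer registry value Microsoft documents for older hosts.

```powershell
# Added example (not from the ESET post): audit one Windows host for the
# MS17-010 patch that closes the EternalBlue SMBv1 hole, and for SMBv1 itself.
# Run from an elevated PowerShell prompt. Assumed KB list: the March 2017
# MS17-010 updates per OS; on Windows 10 a later cumulative update may
# supersede these, so "no KB found" there means "check Windows Update history".

$ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by HotFixID (e.g. "KB4012212").
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched    = ($found.Count -gt 0)
        MatchedKBs = $found
    }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: SMB1 is enabled unless the documented registry value is 0.
    $reg = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $reg) { return $true }
    return ($reg.SMB1 -ne 0)
}

function Disable-Smb1 {
    # Removes the worm's attack path even before MS17-010 can be deployed.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMB1 disabled in the registry; a reboot is required on this host.'
    }
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1Enabled
$os    = (Get-CimInstance Win32_OperatingSystem).Caption

Write-Host ("Host: {0}  OS: {1}" -f $env:COMPUTERNAME, $os)
Write-Host ("MS17-010 KB present : {0} {1}" -f $patch.Patched, ($patch.MatchedKBs -join ','))
Write-Host ("SMBv1 server enabled: {0}" -f $smb1)

if ($smb1 -and -not $patch.Patched) {
    Write-Warning 'Exposed to EternalBlue: SMBv1 is enabled and no MS17-010 update was found.'
    # Uncomment to remediate the SMBv1 side immediately:
    # Disable-Smb1
}
```

The two checks are deliberately independent: a host that is patched but still serves SMBv1 is safe from EternalBlue yet still exposes a legacy protocol, while a host with SMBv1 off is protected even if the patch has not landed. Run the script through your management tooling against every machine rather than a sample, and treat "no KB found" on Windows 10 as a prompt to inspect the update history, not as proof of exposure.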