On Friday, May 12, 2017, a ransomware attack known as “WannaCry” (detected by ESET as Win32/Filecoder.WannaCryptor.D) began to spread across the globe at unprecedented scale and speed.
For our customers: Yes, ESET detects and blocks the WannaCryptor.D threat and its variants. ESET’s network protection module (in ESET Endpoint Security) also blocks the exploit (known as EternalBlue) used to spread it at the network level. Attempts to exploit the leaked vulnerability had already been detected, reported on, and stopped well before this particular malware was even created. On Friday, ESET increased the protection level for this particular threat via updates to our detection engine. (For more information on ESET products that prevent a WannaCry infection, view our Customer Advisory.)
The rapidly spreading WannaCry that utilizes the leaked United States National Security Agency (NSA) exploit, EnternalBlue, was released last month by a hacker collective known as Shadow Brokers.
When WannaCry touches a user’s computer, it encrypts its files, and tells the victim to pay in Bitcoin in order to retrieve those files. The ransom demanded for decryption of the files appears to be about $300. It then will use the EternalBlue exploit to access unpatched machines. (For a real-time check of the amounts that the malicious actors have received in Bitcoin funds, go here.)
Reports of WannaCry started in Spain’s telecom sector and quickly spread from that point to healthcare organizations in the U.K., plus various commercial websites, entire enterprise sites, and just about every type of network in between. People from around the world posted screenshots of the malware from computers in offices, hospitals and schools.
As far as we can tell, the attack is continuing to spread. Please follow these steps to help keep your business protected in the wake of WannaCry.
Ensure your Windows machines are up to date:
- Patches can be difficult to deploy across the entire network. However, you’ll want to install this one. It has been available since mid-April and actually stops the exploit from gaining a foothold in your environment. The patch listing for the entire listing of the Equation Group files can be located here.
- Use anti-malware software: This is a basic but critical component. Just because it’s a server, and it has a firewall, does not mean it does not need anti-malware: it does. Always install a reputable anti-malware program. (And one that protects against the EternalBlue exploit.)
- Back up files: For companies hit by ransomware that do have current backups, the attack is not nearly as damaging. Make sure you always back up data, and regularly check to make sure your backup systems are working properly.
ESET has been using its Threat Intelligence and appropriate YARA rules that identified the characteristics pertaining to the NSA’s leaked exploitation files. There have been many detections of these objects. Within the last few weeks, we have seen increased activity, and do not expect it to stop anytime soon.
Our security research teams around the globe are working 24/7 and continuing to track, monitor (both EternalBlue and WannaCry) and report on what we find. We are releasing our most up-to-date research on Welivesecurity.com, and sharing via our social channels.
Learn how ESET protects you against ransomware here. To see how ESET protects businesses, click here.
Follow @ESET on Twitter and/or Facebook for updates on this topic.
(Media requests, please contact PR@eset.com)