Information on the WannaCry Ransomware
There has been a lot of media coverage recently regarding the WannaCry Ransomware. WannaCry, which is said to have impacted over 100,000 organizations (including hospitals, utility providers, etc.) in over 150 countries, spreads using the Microsoft Windows 'EternalBlue' exploit and uses worm-like behavior to infect vulnerable systems on the network. 'EternalBlue' is a leaked Microsoft Windows exploit stolen from the U.S. National Security Agency. Microsoft released patch MS17-010 (covering ETERNALBLUE and DOUBLEPULSAR) back in March 2017. However, the vulnerability, which affects most desktop and server Microsoft Windows editions, was made public by the notorious Shadow Brokers group on April 14th, 2017.
All Thirtyseven4 customers were proactively protected against this Ransomware via our Behavior Detection System and Anti-Ransomware detection modules.
How does the WannaCry Ransomware work?
The attack is carried out against systems connected to a network with SMB services exposed. These services are exploited using the “EternalBlue” exploit, which plants the WannaCry Ransomware; after successful execution, it begins encrypting files. As files are encrypted, it appends the “.WNCRY” extension to each encrypted file.
After successful exploitation, it adds the following files to the system:
C:\ProgramData\<random_alphanumeric>\tasksche.exe (example detection below)
WannaCry adds the following malicious registry entries in order to launch the infection after each system reboot:
After successful encryption, it shows the following warning message containing instructions to follow to recover the files. The countdown timer is shown to create panic so as to make the victim pay the demanded ransom. Otherwise, it threatens that all encrypted data will be deleted. WannaCry shows the ransomware warning message in the language of the current region.
How does Thirtyseven4 protect against the WannaCry Ransomware?
Thirtyseven4 Virus Protection successfully detects and cleans the malicious files responsible for the file encryption as “TrojanRansom.Wanna”.
The ransomware itself is detected as “Ransom.WannaCry.A4”.
The Thirtyseven4 Advanced Behavior Detection System (Next-Generation engine) proactively detected this ransomware activity successfully based on its coded behavior. Once detected, the user must click the BLOCK button to stop the encryption activity.
Additionally, the integrated Thirtyseven4 Anti-Ransomware feature (free for all customers) also successfully detected the file encryption activity of the WannaCry Ransomware.
Thirtyseven4 Recommends the Following Steps to Reduce your WannaCry Ransomware Risk
1. Apply the Microsoft patch (MS17-010) that covers the vulnerabilities used by WannaCry.
2. Take regular backups of your important data and periodically check the backup restoration process to make sure files are getting properly restored.
3. Ensure that you have a security solution installed on all endpoints on the network. Thirtyseven4 Endpoint Security offers 3 LEVELS of proactive protection.
4. Always keep your security software up-to-date with the latest signature updates.
5. Perform a Full System Scan on your system using your installed security software.
6. Avoid clicking on links and opening attachments in emails from unknown and suspicious sources.
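A check a defender can run for step 1 above, as an added PowerShell example that is not part of the original post: it reports whether an MS17-010 hotfix is installed, whether the SMBv1 server protocol is enabled, whether TCP 445 is listening on a non-loopback address, and whether the tasksche.exe drop path named above is present. The KB identifiers are a placeholder to be filled in from the MS17-010 bulletin for your Windows edition; the cmdlets assume an elevated PowerShell on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): report whether this host still
# looks exposed to the SMBv1 flaw patched by MS17-010 and whether the
# tasksche.exe drop path from the post exists.
# Assumptions: elevated PowerShell, Windows 8 / Server 2012 or later.
# The KB list is a PLACEHOLDER: fill it from the MS17-010 bulletin for your OS.
param(
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN')
)

$report = [ordered]@{}

# 1. Is one of the MS17-010 hotfixes present? Get-HotFix lists installed updates.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$report['MS17-010 hotfix installed'] = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })

# 2. Is the SMBv1 server protocol still enabled? EternalBlue targets SMBv1.
$smb = Get-SmbServerConfiguration
$report['SMBv1 server enabled'] = [bool]$smb.EnableSMB1Protocol

# 3. Is SMB (TCP 445) listening on anything other than loopback?
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
          Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
$report['TCP 445 listening'] = [bool]$listen

# 4. Indicator from the post: C:\ProgramData\<random_alphanumeric>\tasksche.exe
$dropped = Get-ChildItem -Path 'C:\ProgramData' -Directory -ErrorAction SilentlyContinue |
           ForEach-Object { Join-Path $_.FullName 'tasksche.exe' } |
           Where-Object { Test-Path $_ }
$report['tasksche.exe under ProgramData'] = [bool]$dropped

[PSCustomObject]$report | Format-List

# Overall: unpatched AND SMBv1 on AND port 445 reachable means the host needs
# the MS17-010 patch applied and should be kept off untrusted networks until then.
if (-not $report['MS17-010 hotfix installed'] -and
    $report['SMBv1 server enabled'] -and
    $report['TCP 445 listening']) {
    Write-Warning 'Host appears unpatched with SMBv1 exposed: apply MS17-010.'
}
if ($report['tasksche.exe under ProgramData']) {
    Write-Warning "tasksche.exe found under ProgramData: run a Full System Scan."
}
```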