Beginning on Friday, May 12, a cyberattack of unprecedented size and scope was attributed to the malware called “WannaCry,” also known as Wannacryptor, WCry2, and so on.
Like other ransomware, WannaCry encrypts key user and operating system files, then demands a “ransom” denominated in the crypto-currency Bitcoin. Although paying the ransom has, in the past, sometimes resulted in the release of files, users are strongly advised against this course of action.
At this time, none of the infections appear to have been introduced by email. However, the capacity for this does exist, and there have been unconfirmed reports of the executable being encountered as a .zip-compressed .js file – potentially using password protection.
WannaCry’s unique feature and apparent source of intra-organizational spread is its ability to leverage the LAN to spread itself to other PCs.
Take the Following Steps Immediately to Protect Against WannaCry Variants
We strongly encourage users to verify the following on their systems:
- Ensure an .exe strip rule is enabled in your gateway to stop inbound raw executables;
- Enable blocking of password-protected compressed files during the outbreak period;
- Patch systems against the vulnerability described in Bulletin MS17-010.
In addition, deploy signatures for IDS – specifically, TOR rules and SID 2024218 | ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response and ET signature 2024291 - ET Trojan Possible WannaCry DNS Lookup.
This will enable identification and blocking of WannaCry network commands.
WannaCry Effect on Proofpoint Users is Minimal
More than 100 countries were impacted by the initial spread of WannaCry.
1) Malware Propagation was Effectively Stopped
Proofpoint researcher Darien Huss, collaborating with a UK counterpart, uncovered a “kill switch” in the ransomware and used it to effectively stop WannaCry’s network propagation. By registering a domain referenced in the malware’s code, Huss terminated its network propagation sequence.
2) Scams Immediately Emerged
By Saturday, May 15, Proofpoint was blocking a high volume of malicious email campaigns advertising “pre-emptive” defense against WannaCry 2.0. These emails claimed that for a one-time payment of 10 Bitcoins -- $18,000, substantially higher than the original ransom demand – recipients would obtain “a special download that will protect you from all ransomware.”
This is a common post-event tactic. At best, respondents to such offers lose the payment. At worst, the offered downloads are malicious. Only work with a trusted security vendor when developing your data security plan, including backups of key files.
3) Additional WannaCry Variants Became Active Over the Next 36 Hours
By Sunday, May 14, two additional variants of WannaCry 2.0 emerged. They appear to be “patched” versions of the original, not unique releases. The first, WannaCry 2.0(a), was effectively halted using the same technique described by Huss.
WannaCry 2.0(b) was updated to remove the “kill switch” and, thus, is able to propagate freely through affected networks. However, its ransomware payload failed to properly deploy, thus causing no direct impact to targeted systems.
Threat Situation Remains Serious for Organizational Users
Our Partner Proofpoint has tracked new variants of ransomware emerging every 2-3 days over the last 14 months, and there is no indication that the trend is slowing. The immense global publicity that was attributed to WannaCry makes “copycat” attacks more likely in the coming days.
Customers are strongly encouraged to review the suggested system settings and patches posted above in the original advisory.
At this time, there are no reports of WannaCry 2.0 or its variants successfully leveraging Proofpoint-protected vectors for infection of Proofpoint customers.
As always, please report any confirmed “false negatives” – that is, threats that appear to have used a Proofpoint-protected vector to gain entry. NCA security engineers are always available to help customers with their security concerns.