MAY 14, 2017

WannaCry: No Need to Cry if You’re Deeply Protected

Over the past several days, a massive ransomware attack dubbed ‘WannaCry’ has affected individuals and organizations across the world, infecting tens of thousands of computers. The attack, first reported on May 12th by multiple sources, has infected hundreds of thousands of computers so far, most notably crippling at least 16 NHS hospitals in the UK alone. Deep Instinct’s deep learning cyber security technology protects against this threat.

The extremely fast spread of WannaCry was enabled through the use of the SMB vulnerability EternalBlue, which was developed by the NSA and leaked by the Shadow Brokers on April 14th.[1] This vulnerability was already patched by Microsoft on March 14th, a month before the leak, and is tracked as MS17-010, or CVE-2017-0144.[2] However, as many organizations did not apply the patch in time, or were using unsupported systems, they remained vulnerable and were successfully attacked by this ransomware.

The initial infection method of the ransomware remains unknown, but it is assumed that the ransomware originally spread through phishing emails, a method utilized by many other ransomware campaigns. However, the main attack vector was the use of the EternalBlue vulnerability, which enabled the ransomware to spread quickly inside networks once an initial foothold in the network was gained. The vulnerability enables the malware to drop files onto other vulnerable systems, where they run as a service; that service then drops the actual ransomware files. Once the attack begins, the ransomware encrypts dozens of different file types on infected computers, demanding an initial amount of $300 in Bitcoin – an amount which doubles after 3 days.
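The lateral SMB spread described above shows up in connection logs as one internal host reaching many internal peers on TCP 445 in a short time. The following is an added example, not part of the original post or of Deep Instinct's product: a small detector over constructed log lines, where the log format, the 60-second window, the threshold of 5 peers and the function name `smb_fanout_alerts` are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

SMB_PORT = "445"                  # SMB over TCP
WINDOW = timedelta(seconds=60)    # assumed look-back window
THRESHOLD = 5                     # assumed limit of distinct SMB peers per window

# Constructed sample records: ISO timestamp, source, destination, dest port.
SAMPLE_LOG = """\
2017-05-12T09:00:00 10.0.0.5 10.0.0.20 445
2017-05-12T09:00:02 10.0.0.66 10.0.0.1 445
2017-05-12T09:00:03 10.0.0.66 10.0.0.2 445
2017-05-12T09:00:03 10.0.0.5 10.0.0.20 445
2017-05-12T09:00:04 10.0.0.66 10.0.0.3 445
2017-05-12T09:00:05 10.0.0.66 10.0.0.3 80
2017-05-12T09:00:06 10.0.0.66 10.0.0.4 445
2017-05-12T09:00:07 10.0.0.7 10.0.0.30 445
2017-05-12T09:00:08 10.0.0.66 10.0.0.5 445
2017-05-12T09:03:00 10.0.0.7 10.0.0.31 445
2017-05-12T09:06:00 10.0.0.7 10.0.0.32 445
2017-05-12T09:09:00 10.0.0.7 10.0.0.33 445
2017-05-12T09:12:00 10.0.0.7 10.0.0.34 445
"""

def smb_fanout_alerts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each internal source to the first time it reached `threshold`
    distinct internal SMB peers within `window` (input sorted by time)."""
    recent = defaultdict(deque)   # source -> (time, destination) pairs in window
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != SMB_PORT:
            continue              # malformed record or not SMB traffic
        ts, src, dst, _ = parts
        if not (ip_address(src).is_private and ip_address(dst).is_private):
            continue              # only internal-to-internal connections
        when = datetime.fromisoformat(ts)
        seen = recent[src]
        seen.append((when, dst))
        while when - seen[0][0] > window:
            seen.popleft()        # drop connections older than the window
        if src not in alerts and len({d for _, d in seen}) >= threshold:
            alerts[src] = when
    return alerts

if __name__ == "__main__":
    for host, when in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"{host} reached {THRESHOLD} SMB peers within {WINDOW} at {when}")
```

File servers and management hosts legitimately talk SMB to many peers, so in practice the threshold is tuned per network and such hosts are allow-listed.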

The attack severely affected several prominent targets, causing serious damage in the U.K. to at least 16 NHS hospitals, which were only able to treat emergency cases following the attack. Additional prominent targets were the Russian Ministry of Interior, the Spanish telecommunications company Telefonica, FedEx, and Deutsche Bahn.[3]

As a new variant of the WannaCry ransomware, WannaCry 2.0, surfaced 2 days ago,[4] it is highly probable that new versions or variants of this ransomware will appear.

How to protect yourself from these attacks

If your machine is not already patched against the exploit (MS17-010), patch it immediately. This will protect you from possible infections within your organization's network.

Users running Windows 10 are not targeted by the vulnerability, but can still be targeted by the usual infection vectors of ransomware, such as phishing emails and watering-hole attacks.[5]

To protect yourself from any ransomware infection, it is highly recommended to do the following:

1. Employ a backup strategy, and make sure to maintain up-to-date versions of your files.

2. Do not open suspicious emails, and do not click on suspicious links. Ransomware usually uses social engineering to infect users.

3. Always keep your computers and software updated.

Since the outbreak of this attack, Deep Instinct’s Research Team has been collecting and reviewing all samples associated with it. We are happy to report that Deep Instinct’s solution successfully detects all known samples of WannaCry. This, once again, demonstrates the power of Deep Instinct’s deep learning technology – identifying new, previously unseen malware, based on its strong predictive capabilities and preventing the attack.

[1] https://github.com/misterch0c/shadowbroker/

[2] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[3] https://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/

[4] https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html

[5] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
