On 5/12/2017, the world saw a massive cyberattack that spread globally in only a matter of minutes.
The initial attack vector was email, delivered through spam. These messages are typically fake invoices, job offers and other lures sent to random email addresses. The email carries a .zip attachment; once it is opened, the WannaCry infection begins.
The attack then spreads across internal networks through peer-to-peer exploitation of SMB (Server Message Block), a network file sharing protocol, using the exploit known as EternalBlue. The files are dropped by a worm that abuses SMB. Other aspects of the malware leverage file-less exploitation techniques, and the malware is morphing rapidly in the wild, with over a dozen variants seen thus far.
Encrypted files carry the extension .wncry, and the malware drops a ransom note named @Please_Read_Me@.txt in common file and folder locations.
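The two host-side indicators named above (the .wncry extension and the @Please_Read_Me@.txt note) are enough for a quick triage sweep of a file share. The following is an added example, not code from the original post or from VIPRE: it walks a directory tree, collects both indicators, and reports which directories are affected. The sample tree it builds under a temporary directory is constructed here to make the script runnable offline; the file names inside it are placeholders, not real samples.

```python
import os
import tempfile

RANSOM_NOTE = "@Please_Read_Me@.txt"  # note name given in the post
ENCRYPTED_EXT = ".wncry"              # extension given in the post


def scan_tree(root):
    """Walk `root` and collect paths matching the two WannaCry indicators.

    The extension match is case-insensitive so that .WNCRY and .wncry are
    both caught; the ransom note is matched on its exact name.
    """
    findings = {"encrypted_files": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(path)
            elif name == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


def summarize(findings, root):
    """Reduce raw findings to counts plus the affected directories (relative to root)."""
    affected = {
        os.path.relpath(os.path.dirname(p), root)
        for paths in findings.values()
        for p in paths
    }
    return {
        "encrypted": len(findings["encrypted_files"]),
        "notes": len(findings["ransom_notes"]),
        "affected_dirs": sorted(affected),
    }


def build_sample_tree():
    """Construct a throwaway directory mimicking a partially encrypted share.

    This is test data assumed for the example; the contents are placeholder
    text, not malware or real encrypted files.
    """
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.WNCRY", "budget.xlsx.wncry", RANSOM_NOTE):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("placeholder content\n")
    # An untouched file outside the affected folder must not be reported.
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("unaffected\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_tree(sample_root)
    print(summarize(result, sample_root))
```

Run it against a real mount point by replacing `build_sample_tree()` with the share's path; the per-directory summary tells you where to start when deciding which backups to restore.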
Earlier this month, independent researchers scanned the internet and deemed there were 150,000 internet-accessible computers open to this vulnerability.
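Both propagation facts above, the worm fanning out over SMB inside the network and SMB being reachable from the internet, show up in ordinary connection logs. The script below is an added example (not code from the original post or from VIPRE) of the detection logic a defender would run over such logs: it flags any internal host that opens SMB connections to an unusually large number of distinct peers within a short window, which is worm-like behaviour, and separately lists SMB connections arriving from addresses outside the configured internal ranges. The log format, the internal address ranges and the sample lines are all constructed assumptions for the example; the threshold and window are tunable.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

SMB_PORT = 445

# Assumed internal ranges; a real deployment would load its own.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample connection log, one event per line:
# "<ISO timestamp> <src ip> <dst ip> <dst port>"
# 10.0.0.5 touches five distinct hosts on 445 within four seconds (fan-out);
# 10.0.0.7 touches two hosts five minutes apart (normal file-share use);
# 203.0.113.9 is outside the internal ranges (internet-exposed SMB).
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:04 10.0.0.7 10.0.0.8 445
2017-05-12T10:05:00 10.0.0.7 10.0.0.9 445
2017-05-12T10:00:05 203.0.113.9 10.0.0.30 445
2017-05-12T10:00:06 10.0.0.11 10.0.0.12 443
"""


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts),
                       ipaddress.ip_address(src),
                       ipaddress.ip_address(dst),
                       int(port)))
    events.sort(key=lambda e: e[0])
    return events


def external_smb_sources(events):
    """Sorted list of non-internal addresses that reached SMB: the exposure the scan above measured."""
    return sorted({str(src) for _, src, _, port in events
                   if port == SMB_PORT and not is_internal(src)})


def smb_fanout(events, threshold=5, window_s=60):
    """Map internal source -> peak number of distinct SMB peers within any window_s seconds.

    Only sources whose peak reaches `threshold` are returned; a worm probing
    the subnet produces a burst that normal file-share use does not.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == SMB_PORT and is_internal(src):
            per_src[src].append((ts, dst))

    flagged = {}
    for src, conns in per_src.items():
        window = deque()
        peak = 0
        for ts, dst in conns:            # conns are already time-ordered
            window.append((ts, dst))
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()         # drop events older than the window
            peak = max(peak, len({d for _, d in window}))
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("SMB fan-out sources:", smb_fanout(evts))
    print("External SMB sources:", external_smb_sources(evts))
```

Feed it firewall, NetFlow or Zeek conn records reshaped to the four fields and run it over short intervals; the fan-out alert is the one worth paging on, since it fires on the lateral spread rather than on the initial email.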
HOW TO PROTECT YOURSELF:
If you have software protection such as VIPRE Advanced Security or Endpoint Protection installed, you are protected from this malware. VIPRE’s Advanced Active Protection feature has been shown to be effective at stopping even previously-unknown strains of this threat.
Microsoft released a patch for this particular vulnerability in March and we recommend that everyone install this patch immediately, even if you have VIPRE.
Microsoft's advisory for the patch lists the Windows versions and editions affected by this exploit. Various IDS rules are also available that can help stop the spread of this attack; install them on your IDS and watch for alerts.
These new ransomware variants clearly show the critical importance of several fundamental security best practices:
1. Patch management: The vulnerabilities exploited by this ransomware have had patches available for over two weeks, and yet many systems on the internet (and many more on local networks) remain vulnerable. Keep ALL your systems (not just servers) up to date with the latest patches. Your operating systems and browsers will take care of themselves (although you need to monitor them and ensure the patching is working correctly), but many third-party applications will not; this is where a Patch Management solution, such as the one included in VIPRE, is very important.
2. Signature-only approaches to anti-virus protection can now be circumvented. For this reason, VIPRE has incorporated advanced machine learning detection engines, which monitor process behavior, into all of our endpoint and network protection products. This ransomware is evolving and morphing quickly, specifically to avoid signature-based detection, yet VIPRE can still stop it with Advanced Active Protection. Customers using older versions of VIPRE, including VIPRE Antivirus Business and VIPRE Business Premium, should upgrade as soon as possible to VIPRE Advanced Security to protect themselves from this threat.
3. Scanning files is no longer enough protection; malware like this can execute key portions of its payload without a separate file to scan.
4. Network protection is becoming more critical, even to small- and mid-sized businesses. In some cases, including this one, infections can at least be detected using a complementary solution such as ThreatSecure Network or VIPRE Network Security.
IF YOU ARE INFECTED:
There are no known methods to recover from this ransomware to date. We also recommend backing up your systems early and often (we hope you’ve been doing that already), so that you can restore from those backups to recover.