On May 12th, a massive ransomware attack was unleashed, hitting organizations across the world. Kaspersky Lab’s researchers have analysed the data and can confirm that the company’s protection subsystems detected at least 45,000 infection attempts in 74 countries, most of them in Russia.
The ransomware infects victims by exploiting a Microsoft Windows vulnerability described and fixed in Microsoft Security Bulletin MS17-010. The exploit used, “EternalBlue”, was revealed in the Shadowbrokers dump on April 14.
Once inside the system, the attackers install a rootkit that enables them to download the component that encrypts the data. After the files are encrypted, a demand for $600 in Bitcoin is displayed together with the wallet address, and the ransom demand increases over time.
Kaspersky Lab experts are currently trying to determine whether it is possible to decrypt data locked in the attack, with the aim of developing a decryption tool as soon as possible.
Kaspersky Lab security solutions detect the malware used in this attack by the following detection names:
- Trojan-Ransom.Win32.Scatter.uf
- Trojan-Ransom.Win32.Scatter.tr
- Trojan-Ransom.Win32.Fury.fr
- Trojan-Ransom.Win32.Gen.djd
- Trojan-Ransom.Win32.Wanna.b
- Trojan-Ransom.Win32.Wanna.c
- Trojan-Ransom.Win32.Wanna.d
- Trojan-Ransom.Win32.Wanna.f
- Trojan-Ransom.Win32.Zapchast.i
- Trojan.Win64.EquationDrug.gen
- Trojan.Win32.Generic (the System Watcher component must be enabled)
We recommend taking the following measures to reduce the risk of infection:
- Install the official patch from Microsoft (MS17-010) that closes the vulnerability used in the attack
- Ensure that security solutions are switched on across all nodes of the network
- If Kaspersky Lab’s solution is used, ensure that it includes System Watcher, a behavioral proactive detection component, and that it is switched on
- Run the Critical Area Scan task in Kaspersky Lab’s solution to detect a possible infection as soon as possible (otherwise, unless the task has been switched off, the infection will be detected automatically within 24 hours)
- Reboot the system after detecting MEM: Trojan.Win64.EquationDrug.gen
- Use Customer-Specific Threat Intelligence Reporting services
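The first recommendation above is the one that removes the exposure, so a defender will want a quick way to confirm it on each host. The following check is an added example, not part of the Kaspersky statement or any Kaspersky product; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (for `Get-SmbServerConfiguration`), and the KB list is my own transcription of the MS17-010 bulletin, which the page does not list.

```powershell
# Added example (not from the Kaspersky statement): host-side check for the
# MS17-010 / EternalBlue exposure described above.
# Assumptions: run as administrator; Windows 8.1 / Server 2012 R2 or newer.
# The KB identifiers below are transcribed from the MS17-010 bulletin.

$Ms17010Kbs = @(
    'KB4012598',                           # Vista / Server 2008 (and the out-of-band XP / 2003 fix)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Exposure {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = $installed | Where-Object { $Ms17010Kbs -contains $_ }

    # Later cumulative updates supersede these KBs, so "no match" means only
    # that the original fix is not listed, not that the host is unpatched.
    # Treat it as "verify via the srv.sys file version or WSUS", not as proof.
    $patchEvidence = if ($matched) { "MS17-010 fix present: $($matched -join ', ')" }
                     else { 'No MS17-010 KB listed; verify against later cumulative updates' }

    # EternalBlue abuses the SMBv1 server. With SMBv1 disabled, SMB1 negotiation
    # is refused and the vulnerable code path is not reachable over the network.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # SMB listeners reachable from untrusted networks widen the blast radius.
    $smbListeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                    Where-Object { $_.LocalPort -in 445, 139 } |
                    Select-Object -ExpandProperty LocalPort -Unique

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PatchEvidence  = $patchEvidence
        Smb1Enabled    = $smb1
        SmbListenPorts = ($smbListeners -join ',')
        # HIGH only when SMBv1 is on and there is no direct evidence of the fix.
        Risk           = if ($smb1 -and -not $matched) { 'HIGH' }
                         elseif ($smb1) { 'MEDIUM' }
                         else { 'LOW' }
    }
}

Test-Ms17010Exposure | Format-List
```

On a fleet, run the function through `Invoke-Command` against the hosts you manage and triage the `HIGH` results first; the patch check is evidence, not proof, so confirm with your patch-management system before marking a host clean.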
A detailed description of the WannaCry attack method and its Indicators of Compromise can be found in the blog post on Securelist.