On Friday, May 12, 2017, a ransomware attack known as “WannaCry” (detected by ESET as Win32/Filecoder.WannaCryptor.D) began to spread across the globe at unprecedented scale and speed.
For our customers: Yes, ESET detects and blocks the WannaCryptor.D threat and its variants. ESET’s network protection module (in ESET Endpoint Security) also blocks the exploit (known as EternalBlue) used to spread it at the network level. Attempts to exploit the leaked vulnerability had already been detected, reported on, and stopped well before this particular malware was even created. On Friday, ESET increased the protection level for this particular threat via updates to our detection engine. (For more information on ESET products that prevent a WannaCry infection, view our Customer Advisory.)
The rapidly spreading WannaCry utilizes EternalBlue, a leaked United States National Security Agency (NSA) exploit that was released last month by a hacker collective known as Shadow Brokers.
When WannaCry reaches a user’s computer, it encrypts the files on that computer and tells the victim to pay in Bitcoin in order to retrieve them. The ransom demanded for decryption of the files appears to be about $300. It then uses the EternalBlue exploit to access unpatched machines. (For a real-time check of the amounts that the malicious actors have received in Bitcoin funds, go here.)
Reports of WannaCry started in Spain’s telecom sector and quickly spread from that point to healthcare organizations in the U.K., plus various commercial websites, entire enterprise sites, and just about every type of network in between. People from around the world posted screenshots of the malware from computers in offices, hospitals and schools.
As far as we can tell, the attack is continuing to spread. Please follow these steps to help keep your business protected in the wake of WannaCry.
Ensure your Windows machines are up to date:
Our security research teams around the globe are working 24/7, continuing to track and monitor both EternalBlue and WannaCry and to report on what we find. We are releasing our most up-to-date research on Welivesecurity.com, and sharing via our social channels.
Follow @ESET on Twitter and/or Facebook for updates on this topic.
(Media requests, please contact PR@eset.com)