On Friday, 12th of May, the world was rocked by the biggest ransomware attack in history. It started with Spain’s telecom sector, then news started coming in about British Health Service being targeted and attacks on FedEx, several Russian banks and ministries as well as many other targets in about a hundred countries across the world.
The culprit? A piece of ransomware that ESET calls WannaCryptor, but also going by WannaCry and Wcrypt, has been spreading rapidly, using leaked NSA files, namely the eternalblue SMB exploit. Unlike most encrypting-type malware, this one has wormlike capabilities, allowing it to spread by itself. As a result, it has spread very quickly indeed.
Since Friday May 12th 14.383 ESET clients reported as many as 66.566 attack attempts (9922 clients reported 60187 – stopped by ESET’s file/memory detection and 4461 clients reported 6379 – stopped by ESET’s Attack Network Protection module).
ESET has created the detection for this vulnerability on April 6, 29017, and its network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware variant was even created. ESET increased the protection level by adding detection for this specific threat as Win32/Filecoder.WannaCryptor.D on Friday, May 12th.
ESET Ireland recommends following these guidelines:
- You can protect against this exploit by running Windows Update. For more detailed information about the Windows vulnerability and how to resolve it, see Microsoft Security Bulletin MS17-010 – Critical.
- Make sure that ESET Live Grid is enabled in your ESET product.
- Make sure that your ESET software is upgraded to the latest version and has the latest Virus Signature Database updates.
- Do not open attachments sent to you in emails from unknown senders.
- Warn colleagues who frequently receive emails from external sources – for instance financial departments or Human Resources.
- Regularly back up your data. In the event of infection, this will help you recover all data. Do not leave external storage used for backups connected to your computer to eliminate the risk of infecting your backups. If your system requires Windows Updates to receive the patch for this exploit, create new backups after applying the patch.
- Disable or restrict Remote Desktop Protocol (RDP) access (see Remote Desktop Protocol best practices against attacks).
- Disable macros in Microsoft Office.