We are aware of a widespread ransomware attack which is affecting several IT organizations in multiple countries.
A new ransomware attack called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) is encrypting files
and changing the extensions to: .wnry, .wcry, .wncry and .wncrypt.
The malware then presents a window to the user with a ransom demand.
The ransomware spreads rapidly, like a worm, by exploiting a Windows vulnerability in the Windows Server Message Block (SMB) service,
which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.
Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers.
It uses a variant of the ShadowBrokers APT EternalBlue Exploit (CC-1353). It uses strong encryption on files such as documents, images, and videos.
Sophos Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard.
Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen,
the offending ransomware splashscreen and note may still appear.
Sophos has issued protection for this threat:
| Threat name |
Sophos IDE |
Protection availability |
|
|
Publication started |
Publication finished |
| Troj/Ransom-EMG |
cerb-ama.ide |
May 12, 2017 15:58 UTC |
May 12, 2017 17:25 UTC |
| Mal/Wanna-A |
wanna-d.ide |
May 12, 2017 19:06 UTC |
May 12, 2017 19:13 UTC |
| Troj/Wanna-C |
wanna-d.ide |
May 12, 2017 19:06 UTC |
May 12, 2017 19:13 UTC |
| Troj/Wanna-D |
wanna-d.ide |
May 12, 2017 19:06 UTC |
May 12, 2017 19:13 UTC |
| HPMal/Wanna-A |
pdfu-bfo.ide |
May 13, 2017 00:12 UTC |
May 13, 2017 02:18 UTC |
| Troj/Wanna-E |
rans-emh.ide |
May 13, 2017 04:57 UTC |
May 13, 2017 07:04 UTC |
| Troj/Wanna-G |
rans-emh.ide |
May 13, 2017 04:57 UTC |
May 13, 2017 07:04 UTC |
| Troj/Dloadr-EDC |
chisb-qv.ide |
May 13, 2017 21:09 UTC |
May 13, 2017 23:16 UTC |
| Troj/Agent-AWDS |
chisb-qv.ide |
May 13, 2017 21:09 UTC |
May 13, 2017 23:16 UTC |
| Troj/Wanna-H |
wanna-h.ide |
May 14, 2017 00:47 UTC |
May 14, 2017 02:53 UTC |
| Troj/Wanna-I |
wanna-i.ide |
May 14, 2017 04:32 UTC |
May 14, 2017 06:38 UTC |
| Troj/Ransom-EMJ |
wanna-i.ide |
May 14, 2017 04:32 UTC |
May 14, 2017 06:38 UTC |
| Troj/Wanna-J |
emote-cb.ide |
May 14, 2017 19:56 UTC |
May 14, 2017 22:03 UTC |
| Troj/Wanna-K |
emote-cb.ide |
May 14, 2017 19:56 UTC |
May 14, 2017 22:03 UTC |
What to do
Please ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft is providing Customer Guidance for WannaCrypt attacks
Microsoft has made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download:
Applying the Microsoft patches MS17-010 should be enough to protect against the EternalBlue Exploit that enabled the rapid spread of the Wanna ransomware attack.
However some people are also advising customers to disable the protocol that is exploited by EternalBlue – SMB v1 especially if they cannot patch.
We do not believe that this is necessary if you are already patched, and it certainly does not mitigate the need to patch since there are other vulnerabilities in the Shadow Brokers leak,
but we understand why customers may wish to disable SMB v1 as a precaution.
Disabling SMB v1 could cause a range of software and other services that depend on SMB to stop functioning correctly,
so you should certainly test first if you do intend to disable it.
Please see the following article for information regarding disabling SMB v1 for Sophos
products: What to do if you decide to disable SMBv1 as a response to Wanna ransomware
The Wanna malware variants that we have seen include a lookup to a URL. If the malware gets a response, the attack stops.
This has been described in some media reports as a “kill switch”.
The domain for the URL was registered and activated by an independent malware analyst intending to track the malware,
meaning that if current variants of the ransomware can reach the URL the attack would stop.
As a result, the National Cyber Security Centre (NCSC) provide this advice: Finding the kill switch to stop the spread of ransomware. NCSC recommends the following domains be whitelisted in your environment:
- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
(remove square brackets [] when whitelisting). Sophos has categorized these domains as Other/Computers & Internet.
| Sophos Product |
Actions |
| Sophos Intercept X |
None required. |
| Central Server Protection Standard |
Ensure endpoints are updated with the latest threat protection (IDE’s). |
| Central Server Protection Advanced |
Ensure CryptoGuard is enabled. |
| Sophos EXP |
None required. |
| Sophos Endpoint Protection |
Ensure endpoints are updated with the latest threat protection (IDE’s). |
| Sophos XG Firewall |
Ensure your IPS and Application signatures are using version x.13.54 or higher |
| Sophos Home |
Ensure Sophos Home on protected computers is up to date.
Also consider signing up for the Sophos Home Premium beta,
which adds proactive protection against exploits and ransomware. |
We will continue to update this article as further information becomes available.
Related information
Feedback and contact
If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
