Global Outbreak of WannaCry
[Updated May 17, 2017]
On May 12, 2017 the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCry ransomware. We have reports that multiple global organizations are experiencing a large-scale ransomware attack that uses SMB to propagate within their networks. To complicate matters, a number of different campaigns are ongoing, so identifying specific infection vectors has been a challenge.
For WannaCry the infection vector appears to be direct infection over SMB, with SMB as the delivery method. Check Point Research Teams have identified samples that contain differing "killswitch" domains and bitcoin addresses. All tested samples have been detected and blocked by SandBlast Anti-Ransomware and/or Threat Emulation.
Check Point offers the following protections for WannaCry:
- Network Protections (SandBlast)
  - Threat Extraction and Threat Emulation
  - Anti-Bot/Anti-Virus
- Endpoint Protections (SandBlast Agent)
  - Anti-Ransomware
  - Threat Extraction and Threat Emulation
  - Anti-Bot/Anti-Virus
  - Anti-Malware
- IPS Protections can prevent infection from outside and between internal segments:
  - Microsoft Windows EternalBlue SMB Remote Code Execution https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0332.html
  - Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0143) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0177.html
  - Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0144) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0198.html
  - Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0145) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0200.html
  - Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0146) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0203.html
  - Microsoft Windows SMB Information Disclosure (MS17-010: CVE-2017-0147) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0205.html
  - Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0148) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0419.html
  - Microsoft Windows NT Null CIFS Sessions
  - Non-Compliant CIFS
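The advisory's point about SMB propagation between internal segments is easiest to see in the traffic it leaves behind: one internal host opening TCP/445 sessions to many distinct internal peers in a short time. The script below is an added example, not Check Point code, and runs over a constructed flow-log sample (timestamp, source, destination, destination port); the log format, the RFC 1918 scope and the threshold of 10 peers in 60 seconds are assumptions to be tuned per environment.

```python
"""Flag internal hosts that fan out over SMB (TCP/445) to many distinct internal peers."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: "internal" means RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log sample (not from the advisory): "<ISO time> <src> <dst> <dst port>".
SAMPLE_LOG = "\n".join(
    # a worm-like host touching 12 distinct peers on 445 inside 12 seconds
    [f"2017-05-12T10:00:{i:02d} 10.1.2.15 10.1.2.{20 + i} 445" for i in range(12)]
    # a normal workstation talking to the same file server over and over
    + [f"2017-05-12T10:0{i}:00 10.1.2.40 10.1.2.5 445" for i in range(5)]
    # SMB to an external address is not lateral movement and is ignored here
    + ["2017-05-12T10:00:30 10.1.2.15 203.0.113.9 445"]
)

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_line(line: str):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_fanout(log_text: str, threshold: int = 10, window_s: int = 60) -> dict:
    """Return {src: max distinct internal TCP/445 peers within any window_s seconds}
    for sources that reach at least `threshold` peers."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 445 and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered events
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged

if __name__ == "__main__":
    for src, peers in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {peers} distinct internal hosts on TCP/445 within 60s")
```

The repeated connections from 10.1.2.40 to a single file server are not flagged, which is the distinction that keeps this heuristic from alerting on normal file-share use.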
General Protections
- Windows machines should be patched for the vulnerabilities discussed in Microsoft Security Bulletin MS17-010 – Critical Security Update for Microsoft Windows SMB Server (4013389) https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Ensure a backup is available that is not shared on the network
- Block encrypted password protected attachments from email gateways
The Check Point Incident Response Team is monitoring the situation closely and is available to assist customers.
The following sections provide detail that Check Point customers can use to understand how the company's solutions can be used to analyze, report on and prevent the elements of the attack.
SandBlast Threat Emulation Reports
Check Point SandBlast Forensics Agent
Link to online report: http://freports.us.checkpoint.com/wannacryptor2_1/index.html
Attack Tree
Check Point’s SandBlast Anti-Ransomware Agent
The video shows Check Point blocking and restoring a system infected with the ransomware.