WannaCryptor Ransomware hit over 40 UK hospitals, as well as over 75,000 additional workstations in 99 countries as of today, in what is turning to be the most massive ransomware campaign to date.

The ransomware, also referred to as WannaCry and Wana Decrypt0r, is delivered as a Trojan, which is downloaded when the user mistakenly clicks on a hyperlink delivered in a phishing email, Dropbox link or banner. Once the ransomware payload is executed, it encrypts files on the user’s hard drive, deletes the originals and displays the following message, requesting the user to pay a ransom in order to decrypt and recover the files.

Why is WannaCryptor ransomware spreading so quickly?

As initially reported by the Spanish CERT, and confirmed by Cyberbit researchers, the attack utilizes a Windows SMB Server vulnerability: EternalBlue/MS17-010/SMB to spread laterally. This means that after attacking one computer in the organization, the ransomware can spread independently within the network and attack additional workstations. An interesting fact is that this exploit was developed by the NSA and leaked by Shadow Brokers hacker group. Although these vulnerabilities were patched by Microsoft in March, large corporates, particularly hospitals, often lag behind in patching and therefore many of the workstations were left vulnerable, allowing the attack to spread.

What should your organization do now?

1. Patch Windows machines immediately – installing latest patches including Windows SMB Server patch MS17-010 that was distributed by Microsoft in March 2017. While this will not prevent the initial infection it will prevent the ransomware from spreading laterally and substantially slow it down.
2. Disable SMBv1 in Windows and block it in your firewall.
3. Re-enforce security awareness best practices – East Kent Hospitals Tweeted all staff and warned them from opening the phishing email labeled ‘Clinical results’. Update your employees on best practices and warn them about the risk of opening unexpected emails from untrusted sources.
   
4. Deploy an Endpoint Detection and Response Product with anti-ransomware – only 30% of antivirus software can identify and block WannaCryptor ransomware, as reported by the Mirror. It is essential to complement antivirus with an endpoint detection and response product that protects against advanced malware that bypasses traditional AV. This solution should include inherent anti-ransomware capabilities.

Cyberbit EDR anti-ransomware

Cyberbit’s Endpoint Detection and Response (EDR) provides ransomware detection and prevention that helps organizations detect and block ransomware attacks like WannaCryptor in real-time, before critical files were encrypted. Cyberbit EDR identifies behavioral characteristics that indicate an attack, and as a result, it detects threats that often bypass antivirus solutions.

WannaCryptor Analysis in Cyberbit EDR Graph View

Tal Morgenstern is Head of R&D, Endpoint Detection and Response Team at Cyberbit.