On Friday, 12th of May, the world was rocked by the biggest ransomware attack in history. It started with Spain’s telecom sector, then news started coming in about the British Health Service being targeted, followed by attacks on FedEx, several Russian banks and ministries, and many other targets in about a hundred countries across the world.
The culprit is a piece of ransomware that ESET calls WannaCryptor, also known as WannaCry and Wcrypt. It has been spreading rapidly using leaked NSA files, namely the EternalBlue SMB exploit. Unlike most encrypting-type malware, this one has wormlike capabilities that allow it to spread by itself, and as a result it has spread very quickly indeed.
Since Friday, May 12th, 14,383 ESET clients have reported as many as 66,566 attack attempts: 9,922 clients reported 60,187 attempts stopped by ESET’s file/memory detection, and 4,461 clients reported 6,379 attempts stopped by ESET’s Network Attack Protection module.
Top countries affected by the cyberattack, based on file/memory detections (excluding the network protection module):
- Russia: 30189 (45.07%)
- Ukraine: 7955 (11.88%)
- Taiwan: 7736 (11.55%)
- Philippines: 1973 (2.95%)
- Egypt: 1592 (2.38%)
- Iran: 1445 (2.16%)
- India: 1135 (1.69%)
- Thailand: 1036 (1.55%)
- Italy: 795 (1.19%)
- Turkey: 711 (1.06%)
- China: 706 (1.05%)
ESET created the detection for this vulnerability on April 6, 2017, and its network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware variant was even created. ESET increased the protection level by adding detection for this specific threat as Win32/Filecoder.WannaCryptor.D on Friday, May 12th.
ESET Ireland recommends following these guidelines:
- You can protect against this exploit by running Windows Update. For more detailed information about the Windows vulnerability and how to resolve it, see Microsoft Security Bulletin MS17-010 – Critical.
- Make sure that ESET Live Grid is enabled in your ESET product.
- Make sure that your ESET software is upgraded to the latest version and has the latest Virus Signature Database updates.
- Do not open attachments sent to you in emails from unknown senders.
- Warn colleagues who frequently receive emails from external sources – for instance financial departments or Human Resources.
- Regularly back up your data. In the event of infection, this will help you recover all of it. To eliminate the risk of infecting your backups, do not leave the external storage used for backups connected to your computer. If your system requires Windows Updates to receive the patch for this exploit, create new backups after applying the patch.
- Disable or restrict Remote Desktop Protocol (RDP) access (see Remote Desktop Protocol best practices against attacks).
- Disable macros in Microsoft Office.
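The following read-only PowerShell audit is an added example, not ESET's own tooling: it checks a Windows host against the guidelines above (MS17-010 update present, SMBv1 server off, RDP off, Office macros disabled) and reports what still needs action. It assumes the two KB IDs listed are the MS17-010 updates for Windows 7 / Server 2008 R2; look up the IDs for your own OS version in the MS17-010 bulletin before relying on that check.

```powershell
# Added audit script (not ESET's). Run in an elevated PowerShell; it only reports.
# Assumption: these are the MS17-010 KB IDs for Windows 7 / Server 2008 R2.
# Verify the IDs for your OS version in Microsoft Security Bulletin MS17-010.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Patch {
    # Windows Update guideline: is at least one MS17-010 update installed?
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$installed
}

function Test-Smb1Disabled {
    # The SMBv1 server is what EternalBlue targets; MS17-010 lists disabling it as a workaround.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2 have no SMB cmdlets; LanmanServer SMB1 = 0 is the documented equivalent.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($v -eq 0)
}

function Test-RdpDisabled {
    # RDP guideline: fDenyTSConnections = 1 means inbound Remote Desktop is switched off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    return ((Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections -eq 1)
}

function Test-OfficeMacrosDisabled {
    # Macro guideline: VBAWarnings = 4 is "disable all macros without notification".
    # Checked for the current user; a host with no Office keys at all passes trivially.
    foreach ($ver in '14.0', '15.0', '16.0') {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $key = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (Test-Path $key) {
                $w = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
                if ($w -ne 4) { return $false }
            }
        }
    }
    return $true
}

$results = [ordered]@{
    'MS17-010 update installed' = Test-Ms17010Patch
    'SMBv1 server disabled'     = Test-Smb1Disabled
    'RDP disabled'              = Test-RdpDisabled
    'Office macros disabled'    = Test-OfficeMacrosDisabled
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'ACTION NEEDED' })
}
```

Any line reporting ACTION NEEDED maps directly to one of the guidelines above; the script changes nothing, so the fix is still applied through Windows Update, the SMB/RDP settings, or the Office Trust Center.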