StealthINTERCEPT Update: WannaCry Detection
STEALTHbits is aware of the widespread ransomware attack that is affecting organizations in multiple countries. The new ransomware, known as WannaCry (also known as WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r), encrypts files and changes their extensions to .wnry, .wcry, .wncry or .wncrypt.
The malware then presents a window to the user with a ransom demand. This ransomware spreads rapidly, like a worm, by exploiting a vulnerability in the Windows Server Message Block (SMB) service. Microsoft addressed the issue in its MS17-010 bulletin.
Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. The malware uses a variant of the Shadow Brokers APT EternalBlue exploit (CC-1353). Additional technical information on how the malware operates can be found on the STEALTHbits blog.
STEALTHbits has released an emergency hotfix that adds coverage for WannaCry and its variants, including the affected file types and the ransomware instruction files. The hotfix can be downloaded here:
For questions or assistance, please e-mail firstname.lastname@example.org