How To Escape ‘Wannacry’ Ransomware

Wana Decrypt0r 2.0 Ransomware

We are aware of a widespread ransomware attack that is affecting several IT organizations in multiple countries. A new ransomware family called ‘Wanna’ (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) is encrypting files and changing their extensions to .wnry, .wcry, .wncry and .wncrypt. The ransomware spreads rapidly, like a worm, by exploiting a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

firoz

Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the Shadow Brokers EternalBlue exploit (CC-1353). It applies strong encryption to files such as documents, images and videos.

SOLUTIONS FROM SOPHOS

Sophos customers using Intercept X and Sophos EXP products will see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behaviour and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and ransom note may still appear.

WannaCry – also known as Wanna Decrypter 2.0, WCry, WanaCrypt and WanaCrypt0r – exploited a Windows vulnerability that Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

Immediate actions to take to prevent further spread:

#1 Back up your data
#2 Update your operating system (OS)
#3 Close ports 135 and 445
#4 Disable SMBv1 support
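The following PowerShell script is an added example (not from the original post, Sophos or Microsoft) that carries out steps #2 to #4 on a single Windows host: it checks for the MS17-010 update, blocks inbound TCP 135 and 445 at the host firewall, and disables SMBv1 on the server side. It assumes an elevated session on Windows 8 / Server 2012 or later; the KB number is a placeholder you must fill in for your OS build, and the firewall rule names are made up here.

```powershell
# Added example: hardening one Windows host against WannaCry-style SMB worms.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later
# (the Smb* and NetFirewall cmdlets do not exist on Windows XP / Server 2003).
#Requires -RunAsAdministrator

# Step #2: confirm the MS17-010 update is present. The KB number differs per OS
# and is not given in the post; replace the placeholder with the KB for your build.
$Ms17010Kb = 'KB<MS17-010-KB-FOR-THIS-OS>'   # placeholder, take it from the bulletin
function Test-Ms17010Installed {
    $hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

# Step #3: block inbound SMB (445) and RPC endpoint mapper (135) at the host firewall.
# Caveat: this also stops legitimate file/printer sharing to this host.
function Block-SmbInboundPorts {
    foreach ($port in 445, 135) {
        $name = "Block inbound TCP $port (WannaCry mitigation)"   # constructed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

# Step #4: turn off SMBv1 on the server side, which is what the SMB exploit targets.
function Disable-Smb1Server {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Same setting written to the registry, for hosts managed without the Smb cmdlets.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# Verification: $true only when SMBv1 is off and both block rules are present.
function Test-HostHardened {
    $smb1Off = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    $rules = Get-NetFirewallRule -DisplayName 'Block inbound TCP *(WannaCry mitigation)' `
        -ErrorAction SilentlyContinue
    return ($smb1Off -and (($rules | Measure-Object).Count -eq 2))
}

if (-not (Test-Ms17010Installed)) {
    Write-Warning "$Ms17010Kb not found: install the MS17-010 update before relying on this."
}
Block-SmbInboundPorts
Disable-Smb1Server
Test-HostHardened
```

Step #1 (backups) is deliberately not scripted; it depends on your backup product and must be tested by restoring, not just by running a job.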

Customers using Sophos Intercept X are secured and can feel relaxed during these hours of panic.

Sophos has issued protection for this threat:

Threat name         Sophos IDE      Protection available since
Troj/Ransom-EMG     cerb-ama.ide    May 12, 2017 17:25 UTC
Mal/Wanna-A         wanna-d.ide     May 12, 2017 19:13 UTC
Troj/Wanna-C        wanna-d.ide     May 12, 2017 19:13 UTC
Troj/Wanna-D        wanna-d.ide     May 12, 2017 19:13 UTC
HPMal/Wanna-A       pdfu-bfo.ide    May 13, 2017 02:18 UTC
Troj/Wanna-E        rans-emh.ide    May 13, 2017 07:04 UTC
Troj/Wanna-G        rans-emh.ide    May 13, 2017 07:04 UTC
Troj/Dloadr-EDC     chisb-qv.ide    May 13, 2017 23:16 UTC
Troj/Agent-AWDS     chisb-qv.ide    May 13, 2017 23:16 UTC
Troj/Wanna-H        wanna-h.ide     May 14, 2017 02:53 UTC
Troj/Wanna-I        wanna-i.ide     May 14, 2017 06:38 UTC
Troj/Ransom-EMJ     wanna-i.ide     May 14, 2017 06:38 UTC
Troj/Wanna-J        emote-cb.ide    May 14, 2017 22:03 UTC
Troj/Wanna-K        emote-cb.ide    May 14, 2017 22:03 UTC

Live Logs 


WHAT TO DO

We are the national distributor of Sophos in India, and Sophos has a solution to prevent ransomware attacks.

Please ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft has decided to make the security update for platforms in custom support only (Windows XP, Windows 8 and Windows Server 2003) broadly available for download.

Download security updates for:

  • Windows Server 2003 SP2 x64
  • Windows Server 2003 SP2 x86
  • Windows XP SP2 x64
  • Windows XP SP3 x86
  • Windows XP Embedded SP3 x86
  • Windows 8 x86
  • Windows 8 x64

Microsoft is providing more information in its customer guidance article here:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

For commercial enquiries, kindly contact us on the numbers below:

  • Mumbai: 022-6791140
  • Delhi: 66-011-40537576
  • Bangalore: 080-41269789/ 080-25586220
  • Hyderabad: 040-40102067
  • Chennai: 044-43870487