Wana Decrypt0r 2.0 Ransomware
We are aware of a widespread ransomware attack, which is affecting several IT organizations in multiple countries. A new ransomware attack called ‘Wanna’ (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) is encrypting files and changing the extensions to: .wnry, .wcry, .wncry and .wncrypt. The ransomware spreads rapidly, like a worm, by exploiting a Windows vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.
Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers APT EternalBlue Exploit (CC-1353). It uses strong encryption on files such as documents, images, and videos.
SOLUTIONS FROM SOPHOS
Sophos Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splashscreen and note may still appear.
WannaCry – also known as Wanna Decrypter 2.0, WCry, WanaCrypt and WanaCrypt0r – exploited a Windows vulnerability that Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.
Few of the Immediate Action to be taken to prevent the wide spread:
#1 Backup!
#2 Update your Operating System “OS”
#3 Close ports 135 and 445
#4 Disabling SMBv1 support
Customers using Sophos Intercept are been secured and feeling relaxed at this panic hours.
| Sophos has issued protection for this threat: | ||
| Threat name | Sophos IDE | Protection available since |
| Troj/Ransom-EMG | cerb-ama.ide | May 12, 2017 17:25 UTC |
| Mal/Wanna-A | wanna-d.ide | May 12, 2017 19:13 UTC |
| Troj/Wanna-C | wanna-d.ide | May 12, 2017 19:13 UTC |
| Troj/Wanna-D | wanna-d.ide | May 12, 2017 19:13 UTC |
| HPMal/Wanna-A | pdfu-bfo.ide | May 13, 2017 02:18 UTC |
| Troj/Wanna-E | rans-emh.ide | May 13, 2017 07:04 UTC |
| Troj/Wanna-G | rans-emh.ide | May 13, 2017 07:04 UTC |
| Troj/Dloadr-EDC | chisb-qv.ide | May 13, 2017 23:16 UTC |
| Troj/Agent-AWDS | chisb-qv.ide | May 13, 2017 23:16 UTC |
| Troj/Wanna-H | wanna-h.ide | May 14, 2017 02:53 UTC |
| Troj/Wanna-I | wanna-i.ide | May 14, 2017 06:38 UTC |
| Troj/Ransom-EMJ | wanna-i.ide | May 14, 2017 06:38 UTC |
| Troj/Wanna-J | emote-cb.ide | May 14, 2017 22:03 UTC |
| Troj/Wanna-K | emote-cb.ide | May 14, 2017 22:03 UTC |
Live Logs
WHAT TO DO
We are the National Distributor of Sophos in India and Sophos have a solution to prevent the attacks of Ransomware.
Please ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical Microsoft has made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.
Download security updates for:
- Windows Server 2003 SP2 x64,
- Windows Server 2003 SP2 x86,
- Windows XP SP2 x64,
- Windows XP SP3 x86,
- Windows XP Embedded SP3 x86,
- Windows 8 x86,
- Windows 8 x64
Microsoft is providing more information at its KBA article here:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
For commercials kindly contact on below Contact no and Mail ID:
- Mumbai: 022-6791140
- Delhi: 66-011-40537576
- Bangalore: 080-41269789/ 080-25586220
- Hyderabad: 040-40102067
- Chennai: 044-43870487