FortiGuard Labs Threat Research
Ransomware has become the fastest growing malware threat, targeting everyone from home users to healthcare systems to corporate networks. Tracking analysis shows that there has been an average of more than 4,000 ransomware attacks every day since January 1, 2016.
On May 12, FortiGuard Labs began tracking a new ransomware variant that spread rapidly throughout the day. It is a highly virulent strain of a self-replicating ransomware that has impacted such far-flung organizations as the Russian Interior Ministry, Chinese universities, Hungarian and Spanish telcos, and hospitals and clinics run by the British National Health Services. It is especially notable for its multi-language ransom demands that support more than two-dozen languages.
This ransomware is being referred to by a number of names, including WCry, WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r. It is spread through an alleged NSA exploit called ETERNALBLUE that was leaked online last month by the hacker group known as The Shadow Brokers. ETERNALBLUE exploits a vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) protocol.
Note: More information below as well as in these other related blogs.
Critical Update: WannaCry Ransomware
WannaCry: Evolving History from Beta to 2.0
Microsoft released a critical patch for this vulnerability in March in Microsoft Security Bulletin MS17-010. That same month, Fortinet released an IPS signature to detect and block this vulnerability. And we released new AV signatures today to also detect and stop this attack. Third party testing also confirms that Fortinet Anti-Virus and FortiSandbox effectively block this malware. Details about IPS and AV signatures are included at the end of this article.
• Apply the patch published by Microsoft on all affected nodes of the network.
• Ensure that the Fortinet AV and IPS inspections as well as web filtering engines are turned on to prevent the malware from being downloaded, and to ensure that web filtering is blocking communications back to the command and control servers.
• Isolate communication to UDP ports 137 / 138 and TCP ports 139 / 445.
The security of our customers’ systems is of paramount importance to Fortinet. We are actively monitoring the situation to respond to any new malicious behavior and will reach out immediately if new developments are discovered.
MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution
W32/Filecoder_WannaCryptor.B!tr
W32/WannaCryptor.B!tr
W32/Generic.AC.3EE509!tr
W32/GenKryptik.1C25!tr
2017-0143 thru 2017-0148