WanaCrypt0r 2.0 Ransomware

The Threat

It has come to our attention that multiple ransomware infections have surfaced and spread in Spain at the company Telefonica as reported by Reuters and at the National Health Service (NHS) of the United Kingdom, as reported by the Guardian.

This strain goes by the names WanaCrypt0r 2.0, WCry, WannaCrypt and Wana Decryptor. The ransomware spread appears to leverage an SMB exploit from the April 2017 Shadow Brokers dump. The purpose of the TOR client appears to send the infected machine's encryption key to the threat actor controlling the ransomware.

eSentire Response

• The eSentire Threat Intelligence team is currently analyzing WannaCryptor samples to gain further understanding.
• eSentire Network Interceptor™ has signatures in place to detect SMB exploitation. Additional detection signatures are forthcoming, post analysis.

Recommended Action

• eSentire highly recommends that MS17-010 patches be deployed immediately if they have not already.
• With all types of ransomware, It is recommended that the following precautionary actions be taken:
• Maintain up-to-date back-ups that are stored offline.
• Isolate infected assets and assets suspected of compromise immediately.

Additional Information

News outlets and online security sources are reporting that there have been more than 60,000 WannaCryptor infections across 50+ countries today.

Deployment of the MS17-010 patches is extremely important. The Microsoft SMB vulnerability is the primary means of the ransomware spreading while inside the network. eSentire does not recommend ransom payment, as there is no guarantee that the affected data will be recovered.