On May 12, 2017 there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named WannaCry (aka WCry). These attacks are targeting and have affected users from various countries across the globe.
The WannaCry threat will encrypt data files on infected computers and ask users to pay a $300 US ransom in bitcoin to decrypt their files. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.
Analysis indicates the attack spreads through a Server Message Block (SMB) Protocol remote code execution in Microsoft Windows announced and patched by Microsoft on March 14, 2017. Users who have installed this patch are not susceptible. A specific exploit against this vulnerability, code-named “Eternal Blue”, was made available through a dump of various attack tools by the group Shadow Brokers, on April 14, 2017.
Symantec has had protection against this vulnerability through our Intrusion Prevention System (IPS) network protection technology in Symantec Endpoint Protection (SEP) and Norton products prior to the release of the WannaCry attacks.
There are two basic ways that customers can be protected against this threat:
We also recommend that customers ensure that SEP’s Insight reputation-based technology and SONAR behavioral technology are enabled. Both technologies can provide additional proactive protection capabilities for new versions of WannaCry.
Because we have real-time sharing of Symantec and Blue Coat intelligence, all WannaCry samples blocked by SEP will also be automatically be blocked for Blue Customers who have our Content Analysis System (CAS).
Note: This capability is not available in the older ProxyAV predecessor to Content Analysis System, although ProxyAV's malware scanning engines may independently be able to block WannaCry.
As additional samples are discovered by Symantec, appropriate protection will automatically be added for both SEP and Blue Coat proxy customers.
All Symantec email customers are fully protected from WannaCry with our latest released set of signatures. Our Skeptic and Link Following technologies available in our Email Security.cloud product will provide additional proactive protections.
Symantec highly recommends that you do the following: