Kaspersky Lab comments on WannaCry attack
On May 12, 2017, a massive ransomware attack was unleashed, hitting organizations across the world. Kaspersky Lab’s researchers have analyzed the data and can confirm that the company’s protection subsystems detected at least 45,000 infection attempts in 74 countries, most of them in Russia. The ransomware infects victims by exploiting a Microsoft Windows vulnerability described and fixed in Microsoft Security Bulletin MS17-010. The exploit used, “Eternal Blue” was revealed in the Shadowbrokers dump on April 14.
Once inside the system, the attackers install a root kit, which enables them to download the software to encrypt the data. The malware encrypts the files. A request for $600 in Bitcoin is displayed along with the wallet - and the ransom demand increases over time. Kaspersky Lab experts are currently trying to determine whether it is possible to decrypt data locked in the attack - with the aim of developing a decryption tool as soon as possible. Kaspersky Lab security solutions detect the malware used in this attack by the following detection names: Trojan-Ransom.Win32.Scatter.uf Trojan-Ransom.Win32.Scatter.tr Trojan-Ransom.Win32.Fury.fr Trojan-Ransom.Win32.Gen.djd Trojan-Ransom.Win32.Wanna.b Trojan-Ransom.Win32.Wanna.c Trojan-Ransom.Win32.Wanna.d Trojan-Ransom.Win32.Wanna.f Trojan-Ransom.Win32.Zapchast.i Trojan.Win64.EquationDrug.gen Trojan.Win32.Generic (the System Watcher component must be enabled). We recommend taking the following measures to reduce the risk of infection:
Install the official patch from Microsoft that closes the vulnerability used in the attack.