After analyzing the “WannaCry” attack of Friday 12th May 2017, IT security firm Sophos issued a detection update for its customers. According to SophosLabs, WannaCry revives an old-school technique in which self-propagating worms swept across the internet from machine to machine.
WannaCrytor (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) encrypted files and appended the extensions ‘.wnry’, ‘.wcry’, ‘.wncry’ and ‘.wncrypt’ to them. The ransomware then presented the user with a window containing a ransom demand.
The company believes this is the first recent example of a commercial malware attack, using ransomware techniques, to hit over 150 countries and over 200,000 computers. The ransomware, which demanded US $3,000 in bitcoin and threatened affected users with the loss of their files, took advantage of an exploit allegedly leaked from the US National Security Agency (NSA): a variant of the EternalBlue exploit released by the ShadowBrokers group.
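The renamed extensions above are the most visible trace WannaCry leaves on a filesystem, and a defender can use them for a quick triage sweep. The following is an added example, not Sophos's detection logic or anything from the original report: it scans a list of paths for the four extensions the article names and flags directories where many files carry them, since a cluster of renames is the mass-encryption pattern worth alerting on rather than a single odd filename. The listing is constructed sample data and the `min_hits` threshold is an assumed tuning knob.

```python
import ntpath
from collections import Counter

# Extensions the article attributes to WannaCry-encrypted files.
WANNACRY_EXTENSIONS = {".wnry", ".wcry", ".wncry", ".wncrypt"}

# Constructed sample file listing (Windows-style paths), not real data.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Documents\report.docx.wncry",
    r"C:\Users\alice\Documents\photo.jpg.wcry",
    r"C:\Users\alice\Documents\notes.txt.wnry",
    r"C:\Users\alice\Documents\thesis.pdf.wncrypt",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\bob\Desktop\slides.pptx.wncry",
    r"C:\Users\bob\Desktop\todo.txt",
]


def is_wannacry_extension(path):
    """True if the path's final extension is a known WannaCry suffix.

    The comparison is case-insensitive so upper-cased variants such as
    '.WNCRY' are caught as well. ntpath is used explicitly so backslash
    separators are handled even when this runs on a non-Windows host."""
    return ntpath.splitext(path)[1].lower() in WANNACRY_EXTENSIONS


def scan_paths(paths, min_hits=5):
    """Return (flagged_files, suspicious_dirs).

    flagged_files: every path carrying one of the WannaCry extensions.
    suspicious_dirs: directories holding at least `min_hits` flagged files,
    sorted, i.e. the places showing a mass-encryption pattern.
    `min_hits` is an assumed threshold; tune it to the environment."""
    flagged = [p for p in paths if is_wannacry_extension(p)]
    per_dir = Counter(ntpath.dirname(p) for p in flagged)
    suspicious = sorted(d for d, n in per_dir.items() if n >= min_hits)
    return flagged, suspicious


if __name__ == "__main__":
    files, dirs = scan_paths(SAMPLE_LISTING)
    print(f"{len(files)} file(s) with WannaCry extensions")
    for d in dirs:
        print(f"mass-encryption pattern in: {d}")
```

On the sample listing the scan flags six files and reports only alice's Documents folder as a mass-encryption hit, since bob's Desktop has a single renamed file. In practice the path list would come from a filesystem walk or an EDR file-event feed, and the per-directory count is what turns a noisy extension match into an actionable alert.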
Sophos customers using Sophos Intercept X or Sophos Exploit Prevention (EXP) were protected proactively against the ransomware behavior from the first instance.
Those using the IPS rules in the company’s XG firewall would have been protected from the exploit spreading the infection from outside their firewall.
Since then, the company has added identities and generic rules to Sophos Endpoint Protection to block all known and potential future variants of the malware. Windows customers are advised to deploy the Microsoft patch that mitigates the underlying vulnerability in the Windows operating system.
“It is imperative that businesses everywhere update their operating systems, their security software and educate their users against phishing attacks. This is a best practice to reduce the risk from any attack in case of any other variants that might come up”, says Harish Chib, Sophos’ VP for Middle East and Africa (MEA).