Cylance vs. WannaCry-WanaCrypt0r 2.0

The “EternalBlue” flaw that has been dominating headlines over the last few hours rose to prominence through its inclusion in the leaked ‘Shadow Brokers’ data. It has so far been hugely damaging to healthcare organizations. This article will catch you up if you’re not up to speed on the latest.

To cut to the chase: Yes, CylancePROTECT® fully prevents all in-the-wild examples of the malware related to these specific attacks. Cylance has blocked WannaCry since 2015. 

Read our research team’s technical deep dive here.

In this video, we show the WannaCry/WanaCrypt ransomware worm in three scenarios:

  1. On an unprotected machine.
  2. On a machine protected by CylancePROTECT.
  3. On multiple victims, with Cylance stopping further communication.

VIDEO: Cylance Stops WannaCry/WanaCrypt0r Dead, Pre-Execution

This attack exploits a flaw in the Server Message Block (SMB) implementation in Microsoft Windows that, when successfully exploited, allows remote code execution. The flaw was patched in Microsoft’s March 2017 update cycle (MS17-010).

However, many environments are still behind on patches for various reasons, and some also run legacy operating systems (e.g., Windows XP) that no longer receive security updates, which leaves those systems exposed. Using this exploit, attackers can execute arbitrary code on an unpatched host.

In the case of WanaCrypt, we are dealing with a ransomware executable that includes additional worm functionality: it scans for other machines and propagates itself to adjacent, exposed hosts via the EternalBlue vulnerability.

Because of the nature of the flaw, hosts reached through the worm functionality are compromised without any interaction from the user on the victimized host.
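A defender-side example, added here and not part of the Cylance post: the scan-and-propagate behaviour described above shows up on the wire as a single host opening TCP/445 connections to many distinct peers in a short time. The script below runs over constructed flow records (timestamp, source, destination, destination port) and flags any source whose distinct-destination fan-out on port 445 exceeds a threshold within a sliding time window. The log format, the addresses, the 60-second window and the threshold of 10 are all assumptions chosen for illustration, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not taken from the page). 10.0.0.15 fans out
# to twelve different hosts on TCP/445 within a few seconds, which is the
# pattern a worm's SMB scanning produces; 10.0.0.20 talks repeatedly to one
# file server, and 10.0.0.21 uses HTTPS, so neither should be flagged.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.0.15 10.0.0.1 445
2017-05-12T10:00:02 10.0.0.15 10.0.0.2 445
2017-05-12T10:00:03 10.0.0.15 10.0.0.3 445
2017-05-12T10:00:04 10.0.0.15 10.0.0.4 445
2017-05-12T10:00:05 10.0.0.15 10.0.0.5 445
2017-05-12T10:00:06 10.0.0.15 10.0.0.6 445
2017-05-12T10:00:07 10.0.0.15 10.0.0.7 445
2017-05-12T10:00:08 10.0.0.15 10.0.0.8 445
2017-05-12T10:00:09 10.0.0.15 10.0.0.9 445
2017-05-12T10:00:10 10.0.0.15 10.0.0.10 445
2017-05-12T10:00:11 10.0.0.15 10.0.0.11 445
2017-05-12T10:00:12 10.0.0.15 10.0.0.12 445
2017-05-12T10:00:01 10.0.0.20 10.0.0.5 445
2017-05-12T10:00:30 10.0.0.20 10.0.0.5 445
2017-05-12T10:00:59 10.0.0.20 10.0.0.5 445
2017-05-12T10:00:02 10.0.0.21 10.0.0.99 443
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_smb_scanners(records, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_dst} for every source that contacted at least
    `threshold` distinct destinations on TCP/445 inside some `window`-long span.

    The window slides over each source's time-ordered 445 events, so a host that
    spreads its connections out over hours is not confused with a fast scanner.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == 445:
            by_src[src].append((ts, dst))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    for src, count in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB scanner: {src} reached {count} distinct hosts on 445")
```

The distinct-destination count is the useful signal: a legitimate client re-opening a share on the same server many times stays at a fan-out of one, while a worm hunting for exploitable SMB listeners touches a new address on nearly every connection. Feeding real NetFlow or firewall logs through `parse_flows` only requires adapting the field layout.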

The worm/ransomware binary handles the remote execution. In most cases confirmed so far, stage one is a malicious phishing email. This includes an (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog