WCry: Knowns And Unknowns

WCry, WannaCry, Wana Decrypt0r. I’m sure at this point you’ve heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here’s what we know, and don’t know.

WCry has currently made a measly $25,000.

The spread of WCry was slowed by the actions of an “accidental hero” who registered a “killswitch” domain name he found in the code.

But it only takes a small edit of that code and a re-release to get the thing spreading like wildfire again.

It’s been featured in many public places, such as a train station in Frankfurt…

…in high street stores…

…and in academia.

It is reportedly super-easy to reverse engineer.

Microsoft has released a patch for Windows XP because of this malware…

…to the relief of many…

…including the guys running the Trident program.

Even Microsoft haven’t figured out the initial entry vector.

In case you were wondering, yes, F-Secure’s products block the WCry ransomware trojan. In fact, we block multiple mechanisms in the infection vector. Here are the WCry-associated detection names our systems have reported so far:


Here’s where we’ve been blocking it.

As a final note, the usual advice still applies. Patch your systems. Don’t run XP. And don’t click “enable content”.

You can also check out our other blog post about this outbreak.

Update: Here’s a link to our threat description.