Last updated: 1:49am PDT, May 24, 2017
A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware families because it can spread itself across an organization's network by exploiting a critical SMB vulnerability in Windows computers, which Microsoft patched in March 2017 (MS17-010). The exploit, known as EternalBlue, was released online in April in the latest of a series of leaks by a group calling itself the Shadow Brokers, which claimed to have stolen the data from the Equation cyber espionage group.
Ransomware attacks show strong links to Lazarus group
Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the Bangladesh Central Bank. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. Our analysis only allows us to attribute these attacks to the Lazarus group. The technical details do not enable us to attribute the motivations of the attacks to a specific nation state or individuals.
Am I protected against the WannaCry attack?
Although WannaCry currently exploits an SMB vulnerability in systems running Windows, Symantec customer assets were protected across multiple attack vectors before it emerged. Symantec protects customers against ransomware through layered defenses across multiple product lines, guarding multiple attack vectors and targets including email, web, endpoints, and data center servers.
Symantec Ransomware Protections
To date, Symantec has blocked nearly 47 million WannaCry infection attempts across 1.6 million endpoints, providing full protection for Symantec customers through its advanced exploit protection technology:
Endpoint: Symantec Endpoint Protection and Norton
Symantec Endpoint Protection (SEP) and Norton have blocked every attempt to exploit the vulnerability used by WannaCry since April 24, before WannaCry first appeared, using a combination of technologies. In fact, the Advanced Machine Learning feature alone in SEP proactively blocked all WannaCry infections on day zero, without any updates. All SEP versions, including SEP 14, SEP Cloud and SEP Small Business Edition, have these automatic protections available against WannaCry. See the Details and Recommendations section below for more information.
Email: Symantec Email Security.cloud and Symantec Messaging Gateway
Symantec Email Security.cloud and Symantec Messaging Gateway provide automatic protection against WannaCry for email-based attacks.
Web: Symantec Secure Web Gateway
Symantec Secure Web Gateway (SWG) blocks access to malicious websites and downloads that might contain ransomware. SWG solutions include ProxySG, WSS, GIN, Content and Malware Analysis, Security Analytics, and SSLV.
Workload: Symantec Data Center Security: Server Advanced
Symantec Data Center Security: Server Advanced (DCS:SA) intrusion prevention policies block WannaCry out of the box. All three levels of DCS:SA policy for Windows 6.0 and up (Basic, Hardening, and Whitelisting) block the WannaCry ransomware from dropping malicious executables onto systems. Customers not deploying full intrusion prevention capabilities can apply targeted intrusion prevention policies to block execution of ransomware.
Endpoint Management: Symantec IT Management Suite
Symantec IT Management Suite (ITMS) provides vulnerability patching and updates for endpoints and data center servers. The Security Update for Microsoft Windows SMB Server (4013389), which protects against WannaCry, was released by Microsoft in March, and ITMS has supported deploying it since that date.
Note: ITMS 7.5 will patch Windows 7/8.1 systems; ITMS 7.6 or newer is required to patch Windows 10 systems.
Cyber Security Services: Customers can benefit from Symantec's Managed Security Services for monitoring WannaCry alerts and detecting ransomware spread within their organization. Symantec can also provide Incident Response Services, including readiness, hunting, and response services, for WannaCry victims.
View the detailed overview of how Symantec products protect you from WannaCry and other ransomware.
Details and recommendations for Symantec Endpoint Protection and Norton customers
Symantec recommends that customers have the following technologies enabled for full proactive protection:
- Intrusion prevention
- SONAR behavioral detection technology
- Advanced machine learning
Note: Symantec Endpoint Protection customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by advanced machine learning.
Symantec has the following intrusion prevention policies in place to block attempts to exploit the MS17-010 vulnerability:
SONAR behavior detection technology
Advanced machine learning
For expanded protection and identification purposes the following Antivirus signatures have been updated:
Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:
The following intrusion prevention policy blocks activity related to Ransom.Wannacry:
Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010, to prevent WannaCry from spreading.
Host Integrity in SEP 12.1 and 14 can be used to automatically identify and remediate computers that have not installed MS17-010. An example Host Integrity policy and additional details are provided in TECH246459.
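For administrators without Host Integrity who want to perform the same identification step by hand, the following PowerShell check is an added example; it is not part of the original advisory and is not Symantec's Host Integrity policy or any other Symantec code. It reports three things on the local host: whether one of the MS17-010 update packages is installed, the file version of the SMB server driver (srv.sys) that MS17-010 replaces, and whether SMBv1 is still enabled. The KB list is an assumption drawn from the Windows versions MS17-010 covers and should be verified against Microsoft's MS17-010 bulletin before use; on Windows 10 a later cumulative update supersedes these KBs, so the srv.sys version is the reliable check there. The srv.sys path and the LanmanServer registry location are the standard Windows locations.

```powershell
# Added example (not Symantec's code or its Host Integrity policy): report whether
# this Windows host has MS17-010 installed and whether SMBv1 is still enabled.
# Run as an administrator; works on Windows 7 / Server 2008 R2 and later.

# ASSUMPTION: these are the MS17-010 package KBs for the Windows versions listed.
# Verify against Microsoft's MS17-010 bulletin for the versions in your estate.
# On Windows 10 a later cumulative update supersedes the KB shown here, so treat
# the srv.sys version reported below as the authoritative check on that platform.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429', # Windows 10 1507 / 1511 / 1607
    'KB4012598'                            # XP / Vista / Server 2003 / Windows 8 / Server 2008 (out-of-band)
)

function Get-Ms17010Status {
    param([string[]]$KbIds = $Ms17010Kbs)

    # 1. Installed-update check: the same installed-update data a patch rule evaluates.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    $matching  = @($KbIds | Where-Object { $installed -contains $_ })

    # 2. SMB server driver version: the file MS17-010 actually replaces. Compare it
    #    with the fixed version Microsoft lists for your OS; this stays meaningful
    #    after the original KB has been superseded by a later rollup.
    $srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srvPath) {
        (Get-Item $srvPath).VersionInfo.FileVersion
    } else {
        'not present'
    }

    # 3. SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    #    and later; older systems expose the same switch as a registry value
    #    (SMB1 absent or 1 = enabled, 0 = disabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010KBFound = $matching
        SrvSysVersion  = $srvVersion
        Smb1Enabled    = $smb1
        # Conservative verdict: the host needs attention unless a known MS17-010 KB
        # is present AND SMBv1 is off. Hosts patched only through a superseding
        # cumulative update will be flagged; confirm those via SrvSysVersion.
        NeedsAttention = (($matching.Count -eq 0) -or $smb1)
    }
}

Get-Ms17010Status | Format-List
```

The check is report-only. After MS17-010 is installed, SMBv1 can be turned off with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force on Windows 8 / Server 2012 and later, which removes the protocol WannaCry's exploit speaks; test first, since legacy clients and some printers still depend on SMBv1.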