In this screenshot from the Falcon UI, the detection process tree shows that the malicious file associated with WanaCryptor was launched from explorer.exe.
CrowdStrike Falcon Intelligence™ has identified a new variant of Windows ransomware, named Wana or WanaCry, that is rapidly spreading across multiple countries and was widely reported as an attack on England’s National Health Service (NHS). Wana ransomware is believed to have already caused a significant number of infections from a campaign that began on May 12, 2017.
CrowdStrike® customers are protected against this ransomware variant with exclusive technology in the CrowdStrike Falcon® platform. Falcon’s advanced endpoint protection offers next-gen antivirus that incorporates machine learning augmented with behavioral analysis that looks for indicators of attack (IOAs) — detecting suspicious behavior before an attack occurs. These prevention features will block the WanaCry ransomware and keep it from executing and encrypting the target organization’s data.
The WanaCry ransomware attacks have been extensive, targeting healthcare organizations, including doctor’s offices and hospitals, as well as telecommunication systems and gas and electric companies. Early infection reports originated in Europe but have since spread across the United Kingdom, Spain, Russia, Pakistan, and potentially other regions.
According to CrowdStrike VP of Intelligence Adam Meyers, this attack vector has all the hallmarks of a traditional computer worm with the capacity to replicate itself, but Meyers says it is quite unique for such a massive ransomware campaign to use self-propagating techniques at this scale.
Meyers outlined how this attack might be unfolding:
- Early analysis of the worm reveals that it is taking advantage of a recent Microsoft Windows exploit called EternalBlue, which targets the Windows file-sharing service; this is how the ransomware spread.
- Targeting is likely in bulk, via massive phishing campaigns delivering .zip archives with themes such as fake invoices, job offers, security warnings, undelivered email, etc.
- Once an infection takes place, Wana encrypts victim files using the AES cipher, and demands a Bitcoin ransom that increases in value as time passes.
- The ransom demands observed require victims to pay either $300 or $600 USD worth of Bitcoin for a decryption key that can release the victim’s data.
- CrowdStrike Intelligence has verified at least several thousand dollars’ worth of ransom payments already made to criminal-controlled Bitcoin (BTC) addresses.
- Unfortunately, this strain of ransomware has the potential to encrypt backup files, making remediation even more challenging.
Meyers advises that organizations act quickly to ensure they are not impacted by this wave of attacks. He says swift action to patch against Windows exploits is critical (the EternalBlue exploit is patched by MS17-010), as is ensuring that backup data files are disconnected from the core network.
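The two host-side checks that follow from that advice are "is MS17-010 installed?" and "is the legacy SMBv1 file-sharing protocol that EternalBlue targets still enabled?". The following PowerShell is an added example, not code from the CrowdStrike post or the Falcon product; it is read-only and changes nothing. The `$Ms17010Kbs` list is an assumption the reader must fill in from Microsoft's MS17-010 bulletin for the OS build in question (the entries shown are placeholders, not real KB numbers), and the SMBv1 status report goes one step beyond the post's explicit patching advice.

```powershell
# Added example (not from the CrowdStrike post): report whether this host has the
# MS17-010 fix installed and whether SMBv1, the file-sharing protocol EternalBlue
# targets, is still enabled. Read-only. Run from an elevated PowerShell session.
#
# ASSUMPTION: populate $Ms17010Kbs from the MS17-010 bulletin for this OS build.
# The values below are placeholders, not real KB identifiers.
$Ms17010Kbs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates; HotFixID has the form "KB1234567".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $KbIds -contains $_ })
    [pscustomobject]@{
        Patched    = ($hits.Count -gt 0)
        MatchedKbs = $hits
    }
}

function Get-Smb1Status {
    # Server-side switch: is this host still offering SMBv1 to clients?
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    # Optional-feature view (Windows 8 / Server 2012 and later).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerEnableSMB1 = if ($server)  { $server.EnableSMB1Protocol } else { 'unknown' }
        FeatureState     = if ($feature) { [string]$feature.State }     else { 'unknown' }
    }
}

$patch = Test-Ms17010Installed -KbIds $Ms17010Kbs
$smb1  = Get-Smb1Status

"MS17-010 KB present  : $($patch.Patched) $($patch.MatchedKbs -join ', ')"
"SMBv1 server enabled : $($smb1.ServerEnableSMB1)"
"SMB1Protocol feature : $($smb1.FeatureState)"

if (-not $patch.Patched -or $smb1.ServerEnableSMB1 -eq $true) {
    Write-Warning 'Host may be exposed to EternalBlue-style propagation: confirm MS17-010 is installed and disable SMBv1 where it is not required.'
}
```

Treat the patch result as a hint rather than proof: later cumulative updates supersede the original March 2017 KBs, so an older KB identifier can be absent from `Get-HotFix` on a host that is in fact fixed. The SMBv1 status is the more durable signal, since a host that no longer speaks SMBv1 is not reachable by this propagation method regardless of patch level.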
For more information on how the CrowdStrike Falcon platform defends against ransomware and other modern attacks, read the white paper, “Ransomware, a Growing Enterprise Threat.”
The post Falcon Endpoint Protection Blocks the Ransomware that Attacked the NHS appeared first on .
Article Link: https://www.crowdstrike.com/blog/falcon-endpoint-protection-blocks-the-ransomware-that-attacked-the-nhs/