ESET Customer Advisory 2017-0010
May 15, 2017
Severity: Critical
On Friday May 12, 2017, massive attacks of Win32/WannaCryptor ransomware were reported worldwide, impacting various institutions, including hospitals, causing disruption of provided services. Of special note, this attack was the first massively spread malware to exploit the CVE-2017-0144 vulnerability in SMB to spread over LAN. In particular, if a user opened a malicious file that usually came as an attachment to an email, the malware started to propagate to unpatched computers in LAN and encrypt files, appending the WNCRY extension.
Details
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.”
On March 14 Microsoft released a hotfix KB4012212 which is included in a monthly rollup update KB4012215. Vulnerability details were disclosed on March 16, 2017.
For more information about WannaCryptor ransomware, please read:
Solution
We strongly recommend installing the above mentioned hotfix as soon as possible, as further attacks exploiting this vulnerability may come soon.
The hotfix can be downloaded from https://technet.microsoft.com/en-us/library/security/MS17-010.
For download links for older and otherwise unsupported operating systems, such as Windows XP SP3, Windows Server 2003 and Windows 8, refer to https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/.
ESET security solutions with up-to-date version of Detection engine are able to detect and stop this malware. On vulnerable systems, ESET Endpoint Security version 6 and ESET Smart Security version 9 and later, as well as ESET Internet Security and ESET Smart Security Premium version 10 protect the system from remote exploitation of the vulnerability at the network level, using the Network protection module.
Summary
The most important thing for our partners and customers to know is that ESET detects and blocks the WannaCryptor.D threat and its variants. ESET’s network protection module (in ESET Endpoint Security), also blocks the exploit known CVE-2017-0144 (code named EternalBlue) which was used to spread WannaCry at the network level. Attempts to exploit the leaked vulnerability had already been detected, reported on, and stopped by ESET well before this particular malware was even created.
Note: Because ESET NOD32 Antivirus and ESET Endpoint Antivirus do not contain the firewall and ESET Endpoint Security version 5 does not contain the Network protection module, these cannot provide protection at the network level.