
Time Line

Before Friday, May 12, 2017, Trend Micro was not aware of this specific ransomware family, as it had not been seen in the wild. During the early stages of WCRY's spread, before patterns were available, a range of Trend Micro technologies were already able to detect the ransomware based on its behavior, the exploit it uses, or our machine learning engine. Below are the log strings to search for that indicate WCRY or similar malware. Some of these indicators were in place before May 12; others became effective that day.

Is it really WCRY/WannaCry?

A number of our detection methods relate to items that exploit the MS17-010 vulnerability. These may or may not be WCRY; other attempted exploits target the same vulnerability.

Likewise, the predictive machine learning capability in the latest versions of the OfficeScan and Worry-Free Services products will broadly categorize an item as malware, but detections made prior to the official discovery of WCRY will not be labeled WCRY in the logs.

File hashes of detected items can be compared with those published HERE for additional verification.

WCRY-related log strings for relevant Trend Micro products

OfficeScan and Worry-Free Endpoint Products

Feature | Detection Name

Behavior monitoring
(if the feature is enabled; effective before the May 12 pattern update)

[OfficeScan 11 SP1 and higher, Worry-Free Services, Worry-Free Standard/Advanced 9.0 SP3 and higher]

Unauthorized file encryption

Predictive machine learning
(this log string applies to any ransomware)

[OfficeScan XG and optional setting in Worry-Free Services]

Ransom.Win32.TRX.XXPE

Pattern-based (signature) detection - file-level or code-fragment signatures for the malware family; effective after the Friday May 12 pattern update

[All current versions]

  • Ransom_WANA.A
  • Ransom_WCRY.B
  • Ransom_WCRY.C
  • Ransom_WCRY.H
  • Ransom_WCRY.I
  • Ransom_WCRY.J
  • Ransom_WCRY.K
  • Ransom_WCRY.L
  • Ransom_WCRY.DAM
  • Ransom_WCRY.F117D7
  • Ransom_WCRY.F117DB
  • Ransom_WCRY.F117E8
  • Ransom_WCRY.SM
  • Ransom_WCRY.SM1
  • Ransom_WCRY.SMB
  • WORM_WCRY.A

Deep Security

Feature | Rule/Patterns
IPS rules related to MS17-010 vulnerability
(effective since March 17, 2017)
  • 1008224
  • 1008228
  • 1008225
  • 1008227
Anti-malware detection
(effective after the Friday May 12 pattern update)
(same as the OfficeScan and Worry-Free pattern list above)

Endpoint Application Control

Application Control is effective at blocking the WCRY ransomware. Specific log info will follow in an update to this article.

Deep Discovery

Feature | Rule
Rule related to SMB remote code execution
  • 2383

TippingPoint

Details | Filters
Any of the following filters are indicative of activity that could be related to WCRY or other SMB-related malware.
  • 27433
  • 27928
  • 27711
  • 27929
  • 27937
  • 2176
  • 11403
  • 27935
  • 5614
  • 30623
  • 28304
  • 28305

Cloud Edge

Details | Rules
Rules related to the SMB exploit
  • 1133615
  • 1133635
  • 1133636
  • 1133637
  • 1133638
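
The lists above are meant to be searched for in product logs, and the distinction in "Is it really WCRY/WannaCry?" matters when doing so: a pattern name positively identifies the family, a behavior-monitoring or machine-learning hit says only "ransomware" (verify by hash), and an IPS/filter hit says only "MS17-010 exploit traffic". The following script is an added example, not code from this article or from Trend Micro; it triages log lines against the indicator sets listed on this page. The pipe-delimited log format, the product keys used to select the right rule set, and the sample log lines are constructed for the example and are not the export format of any Trend Micro product.

```python
"""Triage detection-log lines against the WCRY indicator lists on this page.

Indicator names and rule numbers are copied from the tables above. The
pipe-delimited 'Product|key=value|...' log format and the sample lines are
constructed for this example; they are not real product output.
"""

# Pattern-based detection names that positively identify the WCRY family.
# Only effective after the Friday May 12, 2017 pattern update.
WCRY_PATTERN_NAMES = {
    "Ransom_WANA.A", "Ransom_WCRY.B", "Ransom_WCRY.C", "Ransom_WCRY.H",
    "Ransom_WCRY.I", "Ransom_WCRY.J", "Ransom_WCRY.K", "Ransom_WCRY.L",
    "Ransom_WCRY.DAM", "Ransom_WCRY.F117D7", "Ransom_WCRY.F117DB",
    "Ransom_WCRY.F117E8", "Ransom_WCRY.SM", "Ransom_WCRY.SM1",
    "Ransom_WCRY.SMB", "WORM_WCRY.A",
}

# Generic detections (behavior monitoring, predictive machine learning) that
# fire on any ransomware and are NOT labelled WCRY in the logs.
GENERIC_RANSOMWARE_NAMES = {"Unauthorized file encryption", "Ransom.Win32.TRX.XXPE"}

# Network rules/filters for the MS17-010 SMB vulnerability, keyed by product.
# A hit means exploit traffic, which may or may not be WCRY.
MS17_010_RULES = {
    "deep_security": {"1008224", "1008228", "1008225", "1008227"},
    "deep_discovery": {"2383"},
    "tippingpoint": {"27433", "27928", "27711", "27929", "27937", "2176",
                     "11403", "27935", "5614", "30623", "28304", "28305"},
    "cloud_edge": {"1133615", "1133635", "1133636", "1133637", "1133638"},
}

VERDICTS = ("CONFIRMED_WCRY", "GENERIC_RANSOMWARE", "MS17_010_EXPLOIT", "NONE")


def parse(line):
    """Split 'Product|key=value|key=value' into (product_key, {key: value})."""
    parts = line.strip().split("|")
    product = parts[0].strip().lower().replace(" ", "_")
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    return product, fields


def classify(line):
    """Return the verdict for one log line (see VERDICTS)."""
    product, fields = parse(line)
    name = fields.get("detection", "")
    if name in WCRY_PATTERN_NAMES:
        return "CONFIRMED_WCRY"
    if name in GENERIC_RANSOMWARE_NAMES:
        return "GENERIC_RANSOMWARE"
    if fields.get("rule", "") in MS17_010_RULES.get(product, set()):
        return "MS17_010_EXPLOIT"
    return "NONE"


def triage(log_text):
    """Group non-empty lines by verdict: {verdict: [line, ...]}."""
    groups = {v: [] for v in VERDICTS}
    for line in log_text.splitlines():
        if line.strip():
            groups[classify(line)].append(line)
    return groups


def hosts_needing_hash_check(log_text):
    """Hosts where only a generic ransomware detection fired.

    These are the endpoints the article says to verify by comparing the
    detected file's hash against the published WCRY hash list; a host that
    also has a WCRY pattern detection needs no further confirmation.
    """
    generic, confirmed = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host = parse(line)[1].get("host")
        verdict = classify(line)
        if host and verdict == "GENERIC_RANSOMWARE":
            generic.add(host)
        elif host and verdict == "CONFIRMED_WCRY":
            confirmed.add(host)
    return generic - confirmed


# Constructed sample log (hostnames, addresses and the unrelated detection
# name are placeholders), not real product output.
SAMPLE_LOG = """\
OfficeScan|host=WS-0412|detection=Unauthorized file encryption|action=Blocked
OfficeScan|host=WS-0412|detection=Ransom_WCRY.B|action=Quarantined
Worry-Free Services|host=LT-19|detection=Ransom.Win32.TRX.XXPE|action=Quarantined
OfficeScan|host=WS-0900|detection=Unrelated_Detection.A|action=Quarantined
Deep Security|host=FS-01|rule=1008225|action=Reset
Deep Discovery|src=10.0.0.7|rule=2383|action=Log
TippingPoint|src=10.0.0.7|rule=27433|action=Block
Cloud Edge|src=10.0.0.7|rule=1133615|action=Block
"""

if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_LOG).items():
        print(f"{verdict}: {len(lines)}")
    print("verify by hash:", sorted(hosts_needing_hash_check(SAMPLE_LOG)))
```

Rule numbers are matched only within the product that published them, so a Deep Security rule ID appearing in a TippingPoint line is not treated as a hit. Predictive-ML and behavior-monitoring hits on a host with no WCRY pattern name are the ones to follow up by hash comparison.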

Additional References