Starting May 12, 2017 there was a rapid global spread of WCRY (WannaCry) ransomware (with a few variants). Numerous enterprises, small businesses and consumers around the world were infected, but many more were unaffected, for one or more of the following reasons:
- Windows systems were fully patched, specifically with Microsoft’s MS17-010 patch.
- No servers or endpoints were internet-facing with SMB ports open.
- SMB was blocked at the company firewall or home/SMB router.
- Security software / hardware detected and blocked the malware
Cybersecurity teams may wish to assess their environments to see whether their software defenses were effective, and where detection and blocking occurred for WCRY. This could be helpful for forensic purposes or for internal / management reporting.
This document outlines the indicators customers can search for in various Trend Micro product log files, indicating the detection and/or blocking of WCRY-related malware.
Time Line
Prior to Friday May 12, 2017 Trend Micro was not aware of this specific ransomware family, as it had not been seen in the wild. During the early stages of WCRY’s spread, before we had patterns available, a range of Trend Micro technologies were already able to detect the ransomware based on behavior, exploit targeting, or our machine learning engine. Below you will see multiple items to search for - indicating WCRY or similar malware. Certain indicators are prior to May 12 while others became effective that day.
Is it really WCRY/WannaCry?
A number of our detection methods relate to items that are exploiting the MS17-010 vulnerability. These may or may not be WCRY; there are other attempted exploits for the same vulnerability.
Likewise, the predictive machine learning capability in the latest versions OfficeScan and Worry-Free Services products will broadly categorize an item as malware, but detections prior to the official discovery of WCRY will not be labeled WCRY in the logs.
File hashes for detected items can be compared to those published HERE to get additional verification.
WCRY-related log strings for relevant Trend Micro products
OfficeScan and Worry-Free Endpoint Products
| Feature | Detection Name |
|---|---|
| Behavior monitoring [OfficeScan 11 SP1 and higher, Worry-Free Services, Worry-Free Standard/Advanced 9.0 SP3 and higher] | Unauthorized file encryption |
| Predictive machine learning [OfficeScan XG and optional setting in Worry-Free Services] | Ransom.Win32.TRX.XXPE |
| Pattern-based (signature) detection - file-level or code fragments for malware family, effective after Friday May 12 pattern update [All current versions] |
|
Deep Security
| Feature | Rule/Patterns |
|---|---|
| IPS rules related to MS17-010 vulnerability (effective since March 17, 2017) |
|
| Anti-malware detection (effective after Friday May 12 pattern update) | (Same as OfficeScan and Worry-Free pattern list above) |
Endpoint Application Control
Application Control is effective at blocking the WCRY ransomware. Specific log info will follow in an update to this article.
Deep Discovery
| Feature | Rule |
|---|---|
| Rule related to SMB remote code execution | 2383 |
TippingPoint
| Details | Filters |
|---|---|
| Any of the following filters are indicative of activity that could be related to WCRY or other SMB-related malware. |
|
Cloud Edge
| Details | Rules |
|---|---|
| Rules relates to SMB exploit |
|
Additional References
