Indicators showing interception or blocking of WCRY (WannaCry) Ransomware

Updated: 19 May 2017
Product/Version:
    • Deep Discovery Inspector All.All
    • Deep Security All.All
    • Deep Security as a Service All.All
    • Endpoint Application Control All.All
    • OfficeScan All.All
    • Worry-Free Business Security Services All.All
    • Worry-Free Business Security Standard/Advanced All.All
Platform: Windows All
Summary

Starting May 12, 2017 there was a rapid global spread of WCRY (WannaCry) ransomware (with a few variants). Numerous enterprises, small businesses and consumers around the world were infected, but many more were unaffected, for one or more of the following reasons:

  • Windows systems were fully patched, specifically with Microsoft’s MS17-010 patch.
  • No servers or endpoints were internet-facing with SMB ports open.
  • SMB was blocked at the company firewall or home/SMB router.
  • Security software / hardware detected and blocked the malware.


Cybersecurity teams may wish to assess their environments to see whether their software defenses were effective, and where detection and blocking occurred for WCRY. This could be helpful for forensic purposes or for internal / management reporting.

This document outlines the indicators customers can search for in various Trend Micro product log files, indicating the detection and/or blocking of WCRY-related malware.

Details

Time Line

Prior to Friday May 12, 2017 Trend Micro was not aware of this specific ransomware family, as it had not been seen in the wild. During the early stages of WCRY's spread, before we had patterns available, a range of Trend Micro technologies were already able to detect the ransomware based on behavior, exploit targeting, or our machine learning engine. Below are the items to search for that indicate WCRY or similar malware. Certain indicators were effective prior to May 12, while others became effective that day.

Is it really WCRY/WannaCry?

A number of our detection methods relate to items that are exploiting the MS17-010 vulnerability. These may or may not be WCRY; there are other attempted exploits for the same vulnerability.

Likewise, the predictive machine learning capability in the latest versions of the OfficeScan and Worry-Free Services products will broadly categorize an item as malware, but detections prior to the official discovery of WCRY will not be labeled WCRY in the logs.

File hashes for detected items can be compared to those published HERE to get additional verification.

WCRY-related log strings for relevant Trend Micro products

OfficeScan and Worry-Free Endpoint Products

Feature: Behavior monitoring (if feature enabled, before May 12 pattern update)
Applies to: OfficeScan 11 SP1 and higher, Worry-Free Services, Worry-Free Standard/Advanced 9.0 SP3 and higher
Detection name: Unauthorized file encryption

Feature: Predictive machine learning (this log string applies to any ransomware)
Applies to: OfficeScan XG and optional setting in Worry-Free Services
Detection name: Ransom.Win32.TRX.XXPE

Feature: Pattern-based (signature) detection - file-level or code fragments for malware family, effective after Friday May 12 pattern update
Applies to: All current versions
Detection names:
  • Ransom_WANA.A
  • Ransom_WCRY.B
  • Ransom_WCRY.C
  • Ransom_WCRY.H
  • Ransom_WCRY.I
  • Ransom_WCRY.J
  • Ransom_WCRY.K
  • Ransom_WCRY.L
  • Ransom_WCRY.DAM
  • Ransom_WCRY.F117D7
  • Ransom_WCRY.F117DB
  • Ransom_WCRY.F117E8
  • Ransom_WCRY.SM
  • Ransom_WCRY.SM1
  • Ransom_WCRY.SMB
  • WORM_WCRY.A

Deep Security

Feature: IPS rules related to MS17-010 vulnerability (effective since March 17, 2017)
Rules:
  • 1008224
  • 1008228
  • 1008225
  • 1008227

Feature: Anti-malware detection (effective after Friday May 12 pattern update)
Patterns: Same as OfficeScan and Worry-Free pattern list above

Endpoint Application Control

Application Control is effective at blocking the WCRY ransomware. Specific log info will follow in an update to this article.

Deep Discovery

Feature: Rule related to SMB remote code execution
Rule: 2383

TippingPoint

Details: Any of the following filters are indicative of activity that could be related to WCRY or other SMB-related malware.
Filters:
  • 27433
  • 27928
  • 27711
  • 27928
  • 27929
  • 27937
  • 2176
  • 11403
  • 27935
  • 5614
  • 30623
  • 28304
  • 28305

Cloud Edge

Details: Rules related to SMB exploit
Rules:
  • 1133615
  • 1133635
  • 1133636
  • 1133637
  • 1133638
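The following is an added example, not part of the original article or any Trend Micro product, showing how a team could triage exported logs against the indicator lists above. It assumes a constructed key=value record layout (product=, detection="…", rule=) and separates confirmed pattern hits from the generic behavior/ML detections and the MS17-010 network rules, which the article notes may or may not be WCRY.

```python
import re
# Indicator tables transcribed from the article above. The key=value log-line
# layout used below is a constructed example format, not a Trend Micro product's own.
WCRY_PATTERNS = {
    "Ransom_WANA.A", "Ransom_WCRY.B", "Ransom_WCRY.C", "Ransom_WCRY.H", "Ransom_WCRY.I",
    "Ransom_WCRY.J", "Ransom_WCRY.K", "Ransom_WCRY.L", "Ransom_WCRY.DAM", "Ransom_WCRY.F117D7",
    "Ransom_WCRY.F117DB", "Ransom_WCRY.F117E8", "Ransom_WCRY.SM", "Ransom_WCRY.SM1",
    "Ransom_WCRY.SMB", "WORM_WCRY.A",
}
# Behavior-monitoring and predictive-ML names fire on any ransomware: only "possible WCRY".
GENERIC_NAMES = {"Unauthorized file encryption", "Ransom.Win32.TRX.XXPE"}
# Network rule/filter IDs per product. They flag MS17-010/SMB exploit traffic, not WCRY itself.
NETWORK_RULES = {
    "DeepSecurity": {"1008224", "1008228", "1008225", "1008227"},
    "DeepDiscovery": {"2383"},
    "TippingPoint": {"27433", "27928", "27711", "27929", "27937", "2176",
                     "11403", "27935", "5614", "30623", "28304", "28305"},
    "CloudEdge": {"1133615", "1133635", "1133636", "1133637", "1133638"},
}

def classify(line):
    """Return (verdict, evidence) for one log line, or None if it matches no indicator."""
    m = re.search(r'detection="([^"]+)"', line)
    if m:                                   # endpoint anti-malware style record
        name = m.group(1)
        if name in WCRY_PATTERNS:
            return ("confirmed WCRY (pattern detection)", name)
        if name in GENERIC_NAMES:
            return ("possible WCRY (generic ransomware detection)", name)
        return None
    m = re.search(r"product=(\w+).*?\brule=(\d+)", line)
    if m and m.group(2) in NETWORK_RULES.get(m.group(1), set()):
        return ("MS17-010/SMB exploit activity (may or may not be WCRY)",
                f"{m.group(1)} rule {m.group(2)}")
    return None

def triage(lines):
    """Keep (timestamp, verdict, evidence) for every line that matches an indicator."""
    return [(line.split()[0], *v) for line in lines if (v := classify(line))]

SAMPLE_LOG = [  # constructed sample records, not real product output
    '2017-05-12T09:14:02Z host=ws-17 product=OfficeScan detection="Unauthorized file encryption" action=blocked',
    '2017-05-12T15:41:55Z host=ws-22 product=OfficeScan detection="WORM_WCRY.A" action=quarantined',
    '2017-05-12T10:02:11Z host=srv-db product=DeepSecurity rule=1008224 action=reset',
    '2017-05-12T10:03:40Z host=tp-edge product=TippingPoint rule=27433 action=block',
    '2017-05-12T11:20:00Z host=ws-03 product=OfficeScan detection="Constructed_Unrelated" action=cleaned',
]
for ts, verdict, evidence in triage(SAMPLE_LOG):
    print(ts, verdict, evidence, sep=" | ")
```

Hashes of files behind the "confirmed" and "possible" rows can then be compared with the published WCRY hashes, as the article suggests, before reporting a count of WCRY interceptions.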

Additional References

Category: Remove a Malware / Virus
Solution Id: 1117402