Views:

What steps do I need to take to reduce the risk of infection?

Implement the best practices

Patch and update your systems, or consider a virtual patching solution.
Enable your firewalls as well as intrusion detection and prevention systems.
Proactively monitor and validate traffic going in and out of the network.
Implement security mechanisms for other points of entry attackers can use, such as email and websites.
Deploy application control to prevent suspicious files from executing on top of behavior monitoring that can thwart unwanted modifications to the system.
Employ data categorization and network segmentation to mitigate further exposure and damage to data.
Disable SMB (v1) on vulnerable machines – using either GPO or by following the instructions provided by Microsoft.
Ensure that all of the latest patches (if possible using Virtual Patching solution) are applied to affected operating systems – especially the ones related to MS17-010.

Protect your network using Trend Micro Products

Trend Micro recommends a layered security approach on endpoint, messaging, and gateway, to ensure that all potential entry and compromise points have protection against these types of threats:

Updated Configuration and Next Generation Technology - Trend Micro customers using the latest versions of OfficeScan and Worry-Free Business Security should ensure that they have both Predictive Machine Learning (OfficeScan, Worry-Free Services) and all relevant Ransomware protection features enabled in their product. The following article contains information on optimal configurations to help protect against ransomware: https://success.trendmicro.com/solution/KA-0005711
Smart Scan Agent Pattern and Official Pattern Release: Trend Micro has added known variant and component detections into the following patterns for all products that utilizes these patterns:
- Smart Scan Agent Pattern - 13.401.00
- Official Pattern Release (conventional) - 13.401.00
Please note that these patterns are the minimum recommended ones that contain protection for this threat -- however, due to new components and variants being discovered it is important that customers ALWAYS obtain the latest pattern files to ensure up-to-date protection.
Trend Micro Web Reputation Services (WRS) has added coverage for known Command and Control (C&C) servers.
Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest IPS rules have an updated layer of Virtual Patching protection for multiple Windows operating systems, including some that have reached end-of-support (XP, 2000, 2003). Specifically, Trend Micro released the following IPS rules for proactive protection:
- IPS Rules 1008224, 1008228, 1008225, 1008227 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities
Trend Micro Deep Discovery Inspector customers with the latest rules also have an additional layer of protection against the vulnerabilities associated with the exploit. Specifically, Trend Micro has released the following official rule for proactive protection:
- DDI Rule 2383: CVE-2017-0144 - Remote Code Execution - SMB (Request)
Trend Micro TippingPoint customers with the following filters have updated protection:
- Filters 5614, 27433, 27711, 27935, 27928 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities and attacks
- ThreatDV Filter 30623 - helps to mitigate outbound C2 communication
- Policy Filter 11403 - provides additional protection against suspicious SMB fragmentation
Trend Micro Endpoint Application Control (EAC) administrators utilizing the product's "Lockdown" mode - which allows only pre-specified applications to run - also provides protection against this threat.
Trend Micro Cloud Edge and Smart Home Network customers have protection with the following rules:
- Rule 1133615: SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0145 Buffer Overflow (CVE-2017-0145)
- Rule 1133635: SMB Microsoft MS17-010 SMB Remote Code Execution -1
- Rule 1133636: SMB Microsoft MS17-010 SMB Remote Code Execution -2
- Rule 1133637: SMB Microsoft MS17-010 SMB Remote Code Execution -3
- Rule 1133638: SMB Microsoft MS17-010 SMB Remote Code Execution -4

Trend Micro highly recommends that vendor critical patches are applied as soon as possible upon release. Customers and partners who may need some additional information or have questions are encouraged to contact their authorized Trend Micro technical support representative for further assistance.

Useful tools to help detect and prevent infection

Trend Micro also has some standalone tools available for assessing and addressing potential WCRY risk and infections on end-user machines.

Please note these tools are provided as-is, without warranties of any kind. They are meant to assist customers in emergency troubleshooting, and are not guaranteed to be error-free.

Customers who have any questions or issues using the tools provided below should contact Trend Micro technical support for additional assistance.

Trend Micro Anti-Threat Toolkit (ATTK): users having issues with their endpoint protection may try downloading ATTK to scan a potentially compromised machine for malware (including WCRY). There are both online and offline versions available. Please visit this article for additional instructions on how to use ATTK.
Trend Micro Ransomware Decryptor: Trend Micro has added limited decryption support for WCRY infected machines as of May 21, 2017. Based on internal testing, the highest success rate has been observed on infected systems running Windows XP (x86) - but individual users' success rates will vary. Please visit the article for the tool and detailed instructions.

Additional Information

Below is additional technical information on the known variants and components of this ransomware attack:

Expert Analysis

TrendLabs Security Intelligence Blog: Massive WannaCry/Wcry Ransomware Attack Hits Various Countries
TrendLabs Security Intelligence Blog: After WannaCry, UIWIX Ransomware and Monero-Mining Malware Follow Suit
Trend Micro SimplySecurity Blog: WannaCry & The Reality of Patching
Trend Micro SimplySecurity Blog: WannaCry and the Executive Order
Defense Strategies Blog: Defending against WannaCry/Wcry Ransomware
Trend Micro Security News: Malware Using Exploits from Shadow Brokers Leak Reportedly in the Wild

Technical Information

Virus Encyclopedia: Ransom_Wana.A
Virus Encyclopedia: Ransom_WCRY.I
Support Advisory: Indicators Showing Interception / Blocking on WCRY (WannaCry) Ransomware
Support Article: Latest Trend Micro Protection Against Shadow Brokers Tools (including "Eternalblue")
Trend Micro Security News: WCRY: What Your IT/SYS Admins Need to Do

3rd Party Information

Microsoft Security Bulletin MS17-010: Critical Security Update for Windows SMB Server (4013389)
Additional patches for older Operating Systems not included in main MS17-010 bulletin above: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Keywords: wcry/wannacry.w cry,wanna cry,wcry ransomware,wannary ransomware,wcry,wannacry,w cry,wanna cry,wcry ransomware,wannary ransomware,Updates on the latest WCRY (WannaCry) Ransomware Attack and Trend Micro Protection,OfficeScan XG Service Pack 1,OfficeScan XG

Preventing WannaCry (WCRY) ransomware attacks using Trend Micro products

Product / Version includes:

Deep Discovery InspectorAll , Deep Discovery AnalyzerAll , Deep SecurityAll , Worry-Free Business Security StandardAll , Worry-Free Business Security AdvancedAll

Last updated: 2021/10/10

Solution ID: KA-0007453

Category: Remove a Malware / Virus

Summary

Updated: May 21 @ 6:00PM GMT

Please note that this article is intended for enterprise and business users. For Home/Home Office users, please visit the related knowledgebase article here.

What is the Wannacry (WCRY) ransomware?

Trend Micro is closely monitoring the latest ransomware outbreak that has affected several organizations around the world. This ransomware attack is referred to as WCRY or WannaCry. This ransomware is taking advantage of a recently disclosed Microsoft vulnerability (MS17-010 – “Eternalblue”) associated with the Shadow Brokers tools release. After a computer is infected, WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database files, multimedia and archive files, as well as Microsoft Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given seven days before the affected files are deleted.

As of May 21,2017, Trend Micro's Ransomware File Decryptor tool has added limited support for recovery of infected Windows machines. Please visit here for more information on the tool.

How does it infect computers?

WannaCry leverages CVE-2017-0144, a vulnerability in Microsoft Server Message Block 1.0 (SMBv1), to infect computers. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Although, Microsoft’s Security Response Center (MSRC) Team addressed the vulnerability via MS17-010 released March, 2017, unpatched computers are easily infected. Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. Once one computer on a network is infected, it will place the whole network at risk.

We are closely monitoring similar threats - such as the recently reported Uiwix ransomware and Monero-Mining malware - that appear to be exploiting the same vulnerability mentioned above - and are continually updating our detections with these new samples (e.g. Ransom_UIWIX.A, TROJ_COINMINER.WN). Please visit our new Security Intelligence blog entry for more information on these new threats.

What steps do I need to take to reduce the risk of infection?

Implement the best practices

Patch and update your systems, or consider a virtual patching solution.
Enable your firewalls as well as intrusion detection and prevention systems.
Proactively monitor and validate traffic going in and out of the network.
Implement security mechanisms for other points of entry attackers can use, such as email and websites.
Deploy application control to prevent suspicious files from executing on top of behavior monitoring that can thwart unwanted modifications to the system.
Employ data categorization and network segmentation to mitigate further exposure and damage to data.
Disable SMB (v1) on vulnerable machines – using either GPO or by following the instructions provided by Microsoft.
Ensure that all of the latest patches (if possible using Virtual Patching solution) are applied to affected operating systems – especially the ones related to MS17-010.

Protect your network using Trend Micro Products

Trend Micro recommends a layered security approach on endpoint, messaging, and gateway, to ensure that all potential entry and compromise points have protection against these types of threats:

Updated Configuration and Next Generation Technology - Trend Micro customers using the latest versions of OfficeScan and Worry-Free Business Security should ensure that they have both Predictive Machine Learning (OfficeScan, Worry-Free Services) and all relevant Ransomware protection features enabled in their product. The following article contains information on optimal configurations to help protect against ransomware: https://success.trendmicro.com/solution/KA-0005711
Smart Scan Agent Pattern and Official Pattern Release: Trend Micro has added known variant and component detections into the following patterns for all products that utilizes these patterns:
- Smart Scan Agent Pattern - 13.401.00
- Official Pattern Release (conventional) - 13.401.00
Please note that these patterns are the minimum recommended ones that contain protection for this threat -- however, due to new components and variants being discovered it is important that customers ALWAYS obtain the latest pattern files to ensure up-to-date protection.
Trend Micro Web Reputation Services (WRS) has added coverage for known Command and Control (C&C) servers.
Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest IPS rules have an updated layer of Virtual Patching protection for multiple Windows operating systems, including some that have reached end-of-support (XP, 2000, 2003). Specifically, Trend Micro released the following IPS rules for proactive protection:
- IPS Rules 1008224, 1008228, 1008225, 1008227 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities
Trend Micro Deep Discovery Inspector customers with the latest rules also have an additional layer of protection against the vulnerabilities associated with the exploit. Specifically, Trend Micro has released the following official rule for proactive protection:
- DDI Rule 2383: CVE-2017-0144 - Remote Code Execution - SMB (Request)
Trend Micro TippingPoint customers with the following filters have updated protection:
- Filters 5614, 27433, 27711, 27935, 27928 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities and attacks
- ThreatDV Filter 30623 - helps to mitigate outbound C2 communication
- Policy Filter 11403 - provides additional protection against suspicious SMB fragmentation
Trend Micro Endpoint Application Control (EAC) administrators utilizing the product's "Lockdown" mode - which allows only pre-specified applications to run - also provides protection against this threat.
Trend Micro Cloud Edge and Smart Home Network customers have protection with the following rules:
- Rule 1133615: SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0145 Buffer Overflow (CVE-2017-0145)
- Rule 1133635: SMB Microsoft MS17-010 SMB Remote Code Execution -1
- Rule 1133636: SMB Microsoft MS17-010 SMB Remote Code Execution -2
- Rule 1133637: SMB Microsoft MS17-010 SMB Remote Code Execution -3
- Rule 1133638: SMB Microsoft MS17-010 SMB Remote Code Execution -4

Useful tools to help detect and prevent infection

Trend Micro also has some standalone tools available for assessing and addressing potential WCRY risk and infections on end-user machines.

Please note these tools are provided as-is, without warranties of any kind. They are meant to assist customers in emergency troubleshooting, and are not guaranteed to be error-free.

Customers who have any questions or issues using the tools provided below should contact Trend Micro technical support for additional assistance.

Trend Micro Anti-Threat Toolkit (ATTK): users having issues with their endpoint protection may try downloading ATTK to scan a potentially compromised machine for malware (including WCRY). There are both online and offline versions available. Please visit this article for additional instructions on how to use ATTK.
Trend Micro Ransomware Decryptor: Trend Micro has added limited decryption support for WCRY infected machines as of May 21, 2017. Based on internal testing, the highest success rate has been observed on infected systems running Windows XP (x86) - but individual users' success rates will vary. Please visit the article for the tool and detailed instructions.

Additional Information

Below is additional technical information on the known variants and components of this ransomware attack:

Expert Analysis

TrendLabs Security Intelligence Blog: Massive WannaCry/Wcry Ransomware Attack Hits Various Countries
TrendLabs Security Intelligence Blog: After WannaCry, UIWIX Ransomware and Monero-Mining Malware Follow Suit
Trend Micro SimplySecurity Blog: WannaCry & The Reality of Patching
Trend Micro SimplySecurity Blog: WannaCry and the Executive Order
Defense Strategies Blog: Defending against WannaCry/Wcry Ransomware
Trend Micro Security News: Malware Using Exploits from Shadow Brokers Leak Reportedly in the Wild

Technical Information

Virus Encyclopedia: Ransom_Wana.A
Virus Encyclopedia: Ransom_WCRY.I
Support Advisory: Indicators Showing Interception / Blocking on WCRY (WannaCry) Ransomware
Support Article: Latest Trend Micro Protection Against Shadow Brokers Tools (including "Eternalblue")
Trend Micro Security News: WCRY: What Your IT/SYS Admins Need to Do

3rd Party Information

Microsoft Security Bulletin MS17-010: Critical Security Update for Windows SMB Server (4013389)
Additional patches for older Operating Systems not included in main MS17-010 bulletin above: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Preventing WannaCry (WCRY) ransomware attacks using Trend Micro products

Preventing WannaCry (WCRY) ransomware attacks using Trend Micro products

Product / Version includes:

Summary