As of this writing, the WannaCry ransomware outbreak has infected 350,000 victims in more than 150 countries. We want to keep you, as our customer, up to date on the latest information about the threat and our response.
What makes WannaCry unique?
WannaCry is a unique ransomware strain that exploits a critical Microsoft Windows Server Message Block (SMB) vulnerability to spread like a worm, which led to its rapid propagation just a few hours after initial detection. The SMB exploit spreads across network shares, so the attack had minimal effect on consumers.
The unique trifecta of a broadly available vulnerability with a working exploit and the ability for execution without human intervention created the perfect environment for a “wormable” ransomware attack. Since the WannaCry attack, another attack called Adylkuzz has surfaced that takes advantage of the same Windows vulnerability, emphasizing the need for action.
What was McAfee’s response?
Over the course of Friday, May 12, McAfee received multiple reports of the attack. By Friday afternoon, the McAfee® Global Threat Intelligence system was updated to identify all known WannaCry samples, and McAfee had delivered DAT signature updates to all its customers.
Our enterprise endpoint products provide zero-day protection against the attack as outlined below. As new variants of this ransomware arise, we will continuously update our software to keep our users protected.
Get ongoing WannaCry news updates from McAfee’s top researchers on our Securing Tomorrow blog. Our scientists have analyzed this attack and the subsequent Adylkuzz attack, which exploits the same Windows vulnerability:
• Executive Perspectives: Chief Technology Officer Steve Grobman
• Technical Analysis: Chief Scientist Raj Samani, Lead Scientist Christiaan Beek, Senior Research Scientist Charles McFarland
• McAfee Protection: General Manager of Enterprise Security Brian Dye
• Adylkuzz Attack: Research Scientist Guilherme Venere
We also conducted a webinar and Q&A with our experts on May 18. You can review that webcast (English) on demand.
How do McAfee products neutralize the threat?
McAfee researchers have confirmed that our technologies provided zero-day protection against the attack using the Dynamic Application Containment capability of the ENS platform. More specifically:
• ENS 10.2 or later running Dynamic Application Containment (DAC) in Secure mode gave full Day Zero protection against the ransomware attack;
• ENS, TIE and Advanced Threat Defense (ATD) provided effective prevention, detection and response of the attacks at Day Zero because ATD identified the attacks as malicious, allowing the McAfee integrated defense architecture to secure the remaining environment;
• McAfee® Active Response drove effective proactive detection as the trace data revealed malicious activity at Day Zero; and
• Intrusion Protection Service (IPS) with Signatureless engine provides effective prevention against known samples as well as updated signatures to protect against the SMB RCE attacks.
What should I do next?
• Download the latest information about McAfee’s Dynamic Endpoint defense.
• Continue to monitor the entire threat landscape. McAfee publishes its latest findings on the Threat Landscape Dashboard.
• Sign up to receive threat advisories from McAfee Labs.
• Learn more about ransomware and how to prevent it. We’ve compiled an educational brief at: http://preventransomware.mcafee.com.