McAfee threat update on WannaCry Ransomware

As of this writing, the WannaCry ransomware outbreak has infected 350,000 victims in more than 150 countries. We want to keep you, our customer, up to date on the latest information about the threat and our response.
What makes WannaCry unique?
WannaCry is a unique ransomware strain that exploits a critical Microsoft Windows Server Message Block (SMB) vulnerability to spread like a worm, which contributed to its rapid propagation just a few hours after initial detection. The SMB exploit spreads across network shares, so the effect of the attack on consumers was minimal.

The unique trifecta of a broadly available vulnerability with a working exploit and the ability for execution without human intervention created the perfect environment for a “wormable” ransomware attack. Since the WannaCry attack, another attack called Adylkuzz has surfaced that takes advantage of the same Windows vulnerability, emphasizing the need for action.

What was McAfee’s response?
Over the course of Friday, May 12, McAfee received multiple reports of the attack. By Friday afternoon, the McAfee® Global Threat Intelligence system was updated to identify all known WannaCry samples, and McAfee had delivered DAT signature updates to all its customers.

Our enterprise endpoint products provide zero-day protection against the attack as outlined below. As new variants of this ransomware arise, we will continuously update our software to keep our users protected. 

Get ongoing WannaCry news updates from McAfee’s top researchers on our Securing Tomorrow blog. Our scientists have analyzed this attack and the subsequent Adylkuzz attack, which exploits the same Windows vulnerability:

  • Executive Perspectives: Chief Technology Officer Steve Grobman
  • Technical Analysis: Chief Scientist Raj Samani, Lead Scientist Christiaan Beek, Senior Research Scientist Charles McFarland
  • McAfee Protection: General Manager of Enterprise Security Brian Dye
  • Adylkuzz Attack: Research Scientist Guilherme Venere

We also conducted a webinar and Q&A with our experts on May 18. You can review that webcast (English) on demand.

How do McAfee products neutralize the threat? 
McAfee researchers have confirmed that our technologies provided zero-day protection against the attack using the Dynamic Application Containment capability of the ENS platform. More specifically:

  • ENS 10.2 or later running Dynamic Application Containment (DAC) in Secure mode gave full Day Zero protection against the ransomware attack;
  • ENS, TIE and Advanced Threat Defense (ATD) provided effective prevention, detection and response of the attacks at Day Zero because ATD identified the attacks as malicious, allowing the McAfee integrated defense architecture to secure the remaining environment;
  • McAfee® Active Response drove effective proactive detection as the trace data revealed malicious activity at Day Zero; and
  • Intrusion Protection Service (IPS) with Signatureless engine provides effective prevention against known samples as well as updated signatures to protect against the SMB RCE attacks.
What should I do next?
