Welcome Guest ( Log In | Register )

Closed TopicStart new topic
> Kaspersky Lab’ comment on WannaCry attack
Kravtsov Vitaly
post 14.05.2017 10:46
Post #1

Central Support Group Manager

Group: Admin
Posts: 7758
Joined: 11.11.2012
From: Moscow


We have prepared special article in KB:


On May 12th, a massive ransomware attack was unleashed, hitting organizations across the world.

Kaspersky Lab’s researchers have analysed the data and can confirm that the company’s protection subsystems detected at least 45,000 infection attempts in 74 countries, most of them in Russia.

The ransomware infects victims by exploiting a Microsoft Windows vulnerability described and fixed in Microsoft Security Bulletin MS17-010. The exploit used, “Eternal Blue” was revealed in the Shadowbrokers dump on April 14.

Once inside the system, the attackers install a rootkit, which enables them to download the software to encrypt the data. The malware encrypts the files. A request for $600 in Bitcoin is displayed along with the wallet – and the ransom demand increases over time.

Kaspersky Lab experts are currently trying to determine whether it is possible to decrypt data locked in the attack – with the aim of developing a decryption tool as soon as possible.

Kaspersky Lab security solutions detect the malware used in this attack by the following detection names:

• Trojan-Ransom.Win32.Scatter.uf
• Trojan-Ransom.Win32.Scatter.tr
• Trojan-Ransom.Win32.Fury.fr
• Trojan-Ransom.Win32.Gen.djd
• Trojan-Ransom.Win32.Wanna.b
• Trojan-Ransom.Win32.Wanna.c
• Trojan-Ransom.Win32.Wanna.d
• Trojan-Ransom.Win32.Wanna.f
• Trojan-Ransom.Win32.Zapchast.i
• Trojan.Win64.EquationDrug.gen
• Trojan.Win32.Generic (the System Watcher component must be enabled)

We recommend taking the following measures to reduce the risk of infection:

• Install the official patch from Microsoft that closes the vulnerability used in the attack
• Ensure that security solutions are switched on all nodes of the network
• If Kaspersky Lab’s solution is used, ensure that it includes the System Watcher, a behavioral proactive detection component, and that it is switched on
• Run the Critical Area Scan task in Kaspersky Lab’s solution to detect possible infection as soon as possible (otherwise it will be detected automatically, if not switched off, within 24 hours).
• Reboot the system after detecting MEM: Trojan.Win64.EquationDrug.gen
• Use Customer-Specific Threat Intelligence Reporting services

A detailed description of the WannaCry attack method, and Indicators of Compromise can be found in the blogpost on Securelist.

English: GSI report | AVZ report | KSC10 Traces | KES10 Traces | KSC9 Traces | KES8 Traces | klnagchk log

Русский: Отчет GSI | Лог AVZ | Трассировки KSC10 | Трассировки KES10 | Трассировки KSC9 |Трассировки KES8 | Отчет утилиты klnagchk

Подписаться на новости о корпоративных продуктах

Пожалуйста, оцените оказанную помощь, используя опцию "Rating" в названии топика!
Please evaluate support help by using "Rating" option!
Go to the top of the page
+Quote Post

Closed TopicStart new topic


Lo-Fi Version Time is now: 26.06.2017 23:11