You've probably heard about the WannaCry (variously known as Wannacrypt0r, Wanna Decryptor, WannaCrypt, etc.) malware by now. I updated our ransomware bundle this afternoon to detect the *.WNCRY file extension and @Please_Read_Me@.txt ransom note. Of course, the bundle also looks for unusual CIFS/SMB write activity indicative of any ransomware strain.
Already an ExtraHop customer? Download the Ransomware Bundle v1.2.6 here.
See my video below for more details.
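The two kinds of detection the bundle combines, a fixed artifact indicator (the `*.WNCRY` extension and the `@Please_Read_Me@.txt` note) and a behavioural one (an unusual burst of SMB writes from a single client), can be illustrated in a few lines. The script below is an added example written for this post, not the ExtraHop bundle's own logic: it runs over a constructed, simplified "timestamp client op path" event feed (not an ExtraHop record format), and the burst window and threshold are assumptions that a real deployment would baseline per environment.

```python
"""Flag ransomware-like CIFS/SMB write activity in a constructed event feed.

Added example for illustration; the event format, WINDOW and BURST_THRESHOLD
are assumptions made for this script, not values from the ExtraHop bundle.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators named in the post. Matching is case-insensitive.
RANSOM_EXTENSIONS = {".wncry"}
RANSOM_NOTES = {"@please_read_me@.txt"}

# Behavioural heuristic (assumed values): this many writes from one client
# inside WINDOW is treated as unusual regardless of file names.
WINDOW = timedelta(seconds=10)
BURST_THRESHOLD = 20

# Constructed sample events: one normal client (10.0.0.5) and one client
# (10.0.0.9) that drops a ransom note and then rewrites 25 files in 5 seconds.
SAMPLE_EVENTS = """\
2017-05-12T13:00:00 10.0.0.5 WRITE \\\\fileserver\\finance\\budget.xlsx
2017-05-12T13:00:03 10.0.0.5 WRITE \\\\fileserver\\finance\\notes.docx
2017-05-12T13:00:05 10.0.0.9 WRITE \\\\fileserver\\shared\\@Please_Read_Me@.txt
""" + "\n".join(
    f"2017-05-12T13:00:{5 + i // 5:02d} 10.0.0.9 WRITE "
    f"\\\\fileserver\\shared\\doc{i}.pdf.WNCRY"
    for i in range(25)
)


def parse_event(line):
    """Split one constructed event line into (timestamp, client, op, path)."""
    ts, client, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, op, path


def indicator_hits(filename):
    """Return the artifact indicators matched by a written file name."""
    name = filename.lower()
    hits = []
    if name in RANSOM_NOTES:
        hits.append("ransom-note")
    if any(name.endswith(ext) for ext in RANSOM_EXTENSIONS):
        hits.append("ransom-extension")
    return hits


def detect(lines):
    """Return (client, alert_kind, detail) tuples for a sequence of event lines.

    Artifact indicators fire per matching write; the write-burst alert fires
    once per client, the first time its writes inside WINDOW reach the threshold.
    """
    alerts = []
    recent = defaultdict(deque)  # client -> timestamps of writes inside WINDOW
    burst_alerted = set()
    for line in lines:
        if not line.strip():
            continue
        ts, client, op, path = parse_event(line)
        if op != "WRITE":
            continue
        filename = path.rsplit("\\", 1)[-1]
        for hit in indicator_hits(filename):
            alerts.append((client, hit, filename))
        window = recent[client]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and client not in burst_alerted:
            burst_alerted.add(client)
            alerts.append((client, "write-burst",
                           f"{len(window)} writes in {int(WINDOW.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for client, kind, detail in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{client:10} {kind:17} {detail}")
```

The artifact checks catch a named strain immediately but need updating for every new extension or note; the burst heuristic is strain-agnostic and is what keeps firing when the file names change, at the cost of needing a threshold tuned to the share's normal write rate.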
If you've been hiding under a rock, you can get up to date by checking #NHScyberattack on Twitter. Besides hitting National Health Service hospitals in the United Kingdom, the malware is also spreading in other organizations worldwide, including Telefonica, by taking advantage of a vulnerability in a Windows file-sharing service to propagate quickly. Brian Krebs has a good summary.
For anyone looking for a deeper dive into exactly what happened during this attack, I recommend taking a look at this personal account of how one UK-based cybersecurity researcher found and activated a WannaCry "kill switch" on Friday afternoon—unfortunately, the fix was only temporary.
Download this whitepaper to learn how you can integrate the ExtraHop platform with your firewall and network access control devices to automatically block malicious IPs and quarantine ransomware-infected clients.