WannaCry is the largest ransomware epidemic we've ever seen. The infection started Friday May 12 and has run through this week. There has been a lot of investigation into this malware and tons of interesting stories. I'm sure there will be more before this is all finished.
Tom Roeh was able to deliver an update to our Ransomware Detection bundle on Friday afternoon. This saved a lot of people and I'm sure some people spent the weekend anxiously watching their dashboard. Thanks to Tom for getting that delivered so quickly.
The team started thinking about more specific detection methods over the weekend and I'm proud to deliver our latest bundle that directly detects the EternalBlue portion of WannaCry. EternalBlue is the EquationGroup's exploit that is used as an infection vector for WannaCry.
The screenshot above is an empty version of the dashboard. The two lists on the top right show attackers and victims. Since infected victims quickly become attackers you will likely see the same host on both lists. Any hosts that show up here should be cleaned and disinfected per MS17-010.
The list on the bottom shows hosts that have looked up the killswitch domains. Some versions of WannaCry look up a killswitch domain before starting to encrypt files. If the domain responds, then WannaCry does not proceed with encryption. The hosts that are on this list are also suspected of being infected and should be cleaned.
Don't uninstall your Ransomware Bundle. It is still effective and we plan to support it for the foreseeable future. This bundle should be used as an aide to help you find and clean infected hosts.
ExtraHop is continuing to investigate this malware. We'll update when we have more information. Stay Safe.