Threat Report
Blog

Threat Report: WannaCry Ransomware

What Is It?

On May 12, 2017, a major ransomware outbreak occurred, utilizing the WannaCry malware.

The ransomware spread rapidly, infecting hundreds of thousands of systems. Notable victims included the National Health Service in the UK, FedEx in the US, Telefonica in Spain and Nissan factories in Japan.

The ransom demand was initially $300 via BitCoin. Three days later, that demand increased to $600.

Security researchers discovered the malware contained a “kill switch”. This took the form of a hardcoded domain name, which if it existed would cause the malware to exit without encrypting files or attempting to propagate. When researchers registered this domain the spread of the malware was effectively halted, this occurred before the malware had established significant infections in the US and the Pacific region.

How Does It Propagate?

The rapid spread of WannaCry can be attributed to its use of the ETERNALBLUE exploit for Windows SMB and the DOUBLEPULSAR backdoor, both developed by the NSA and leaked by the Shadow Brokers group in April 2017.  It was also distributed via malicious spam.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the WannaCry malware as malicious. Regression testing on a number of samples has shown the files would have been detected by BluVector five months prior to their release.

About Threat Report

BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solution would protect customers from those threats. Read more Threat Reports here.

Interested in learning about BluVector?Contact Us >