[Updated May 17, 2017]
On May 12, 2017 the Check Point Incident Response Team started tracking a wide spread outbreak of the WannaCryp ransomware. We have reports that multiple global organizations are experiencing a large scale ransomware attack which is utilizing SMB to propagate within their networks. To complicate matters there are a number of different campaigns ongoing so identifying specific infection vectors has been a challenge.
For WannaCry the infection vector appears to be direct infection utilizing SMB as delivery method. Samples have been identified by Check Point Research Teams that contain variant “killswitch” domains and bitcoin addresses. All tested samples have been detected and blocked by SandBlast Anti-Ransomware and/or Threat Emulation.
Check Point offers the following protections for WannaCry:
General Protections
The Check Point Incident Response Team is monitoring the situation closely and is available to assist customers.
The following sections provide detail that Check Point customers can use to understand how the company’s solutions can be leveraged to analyze, report and prevent the elements of the attack. And to learn more about ransomware in general, click here.
SandBlast Threat Emulation Reports
Check Point SandBlast Forensics Agent
Link to online report: http://freports.us.checkpoint.com/wannacryptor2_1/index.html.
Attack Tree
Check Point’s SandBlast Anti-Ransomware Agent
The video shows Check Point blocking and restoring a system infected with the ransomware