May 12, 2017

[Updated May 17, 2017]

On May 12, 2017 the Check Point Incident Response Team started tracking a wide spread outbreak of the WannaCryp ransomware. We have reports that multiple global organizations are experiencing a large scale ransomware attack which is utilizing SMB to propagate within their networks.  To complicate matters there are a number of different campaigns ongoing so identifying specific infection vectors has been a challenge.

For WannaCry the infection vector appears to be direct infection utilizing SMB as delivery method. Samples have been identified by Check Point Research Teams that contain variant “killswitch” domains and bitcoin addresses. All tested samples have been detected and blocked by SandBlast Anti-Ransomware and/or Threat Emulation.

 

Check Point offers the following protections for WannaCry:

General Protections

 

The Check Point Incident Response Team is monitoring the situation closely and is available to assist customers.

The following sections provide detail that Check Point customers can use to understand how the company’s solutions can be leveraged to analyze, report and prevent the elements of the attack. And to learn more about ransomware in general, click here.

 

SandBlast Threat Emulation Reports

 

Check Point SandBlast Forensics Agent

Link to online report: http://freports.us.checkpoint.com/wannacryptor2_1/index.html.

 

Attack Tree

 

Check Point’s SandBlast Anti-Ransomware Agent

The video shows Check Point blocking and restoring a system infected with the ransomware

源链接

Hacking more

...