WannaCry - Infoblox Threat Center | DDI (DNS, DHCP, and IPAM) | Infoblox

KNOW THE FACTS ABOUT WANNACRY. PROTECT YOUR ORGANIZATION.

WannaCry ransomware, launched on May 12, 2017, infected hundreds of thousands of computers in more than 150 countries.

A Worm at Work

A self-propagating worm, WannaCry encrypts files, with the goal of holding data for ransom. Prior to encryption, it checks whether an external domain (killswitch domain) is available. If that domain can be contacted, the encryption doesn’t happen. If not, WannaCry moves on to encrypt the data.
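The killswitch check described above can be turned into a DNS log triage, shown here as an added example that is not Infoblox code. The domain is a placeholder because the page does not name it, the log format and sample lines are constructed, and a successful DNS answer is assumed to stand in for the domain being contactable.

```python
from collections import defaultdict

# Placeholder watchlist: the page does not name the killswitch domains.
KILLSWITCH_DOMAINS = {"killswitch-placeholder.example"}

RESOLVED = "suspect host: killswitch resolved, encryption path skipped"
UNRESOLVED = "suspect host: killswitch unresolved, encryption path likely"

# Constructed sample log. Assumed format:
# "<time> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
2017-05-12T15:02:11Z 10.0.4.17 killswitch-placeholder.example. A NOERROR
2017-05-12T15:02:40Z 10.0.4.22 www.example.com. A NOERROR
2017-05-12T15:03:05Z 10.0.9.8 KILLSWITCH-PLACEHOLDER.example. A NXDOMAIN
2017-05-12T15:03:09Z 10.0.4.17 killswitch-placeholder.example. A NOERROR
2017-05-12T15:04:30Z 10.0.7.3 killswitch-placeholder.example. A SERVFAIL
truncated record
"""

def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()

def triage(log_text, watchlist=KILLSWITCH_DOMAINS):
    """Map each client that queried a killswitch domain to a triage status."""
    rcodes = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing the run
        _time, client, qname, _qtype, rcode = fields
        if normalize(qname) in watchlist:
            rcodes[client].append(rcode)
    result = {}
    for client, seen in rcodes.items():
        # Any failed lookup means the check could not succeed at least once,
        # which is the branch on which the worm moves on to encrypt.
        failed = any(rc != "NOERROR" for rc in seen)
        result[client] = UNRESOLVED if failed else RESOLVED
    return result

if __name__ == "__main__":
    for client, status in sorted(triage(SAMPLE_LOG).items()):
        print(client, status)
```

Every client in the result queried a killswitch domain and warrants investigation; the unresolved group comes first, because for those hosts the check that stops encryption did not succeed.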

WannaCry leveraged a vulnerability in Microsoft Server Message Block (SMB) that had already been patched. Microsoft released the patch in March 2017, but it was not universally implemented, and the attackers used this situation to their advantage. WannaCry also leveraged the exploit called ETERNALBLUE and established a backdoor, DOUBLEPULSAR, that allowed future access to the infected systems.

Not the Only Attack in May

WannaCry was in the news throughout the world. But in the shadows was another ransomware, Jaff, launched by one of the largest botnets in the world, Necurs.
Read more about this ransomware that used spam emails with PDF attachments to infect devices.

THE RISE OF AN OLD THREAT

2016  Ransomware re-emerges as a leading threat
$1B  Payout to ransomware criminals in 2016
6,000%  Increase in ransomware-infected emails in 2017 vs. 2016
#1 Delivery vehicle for ransomware: phishing email attachments

HOW INFOBLOX CAN HELP DEFEAT RANSOMWARE

Visibility into DNS activity to help detect malicious communications to killswitch domains.

DNS Response Policy Zone (RPZ) to block communications to C&C servers.

Curated and updated threat intelligence to stay on top of new and evolving threats.

DHCP and IPAM for discovering what’s on your network.

Sharing information with your existing security tools to rapidly contain threats.

Actionable Network Intelligence including contextual information on malicious activity.

TIMELINE OF WANNACRY

  • Jan 16, 2017

    US-CERT publishes advisory on SMB vulnerability

  • Mar 14, 2017

    Microsoft releases patch for SMB vulnerability

  • Apr 14, 2017

    Shadow Brokers release exploit code for SMB vulnerability

  • May 5, 2017

    CERTSI publishes advisory on SMB vulnerability

  • May 11, 2017

    0800 UTC – Jaff campaign begins

  • May 12, 2017

    1000 – Reports of WannaCry victims in APAC and LATAM
    1100 UTC – Reports of WannaCry impacting Spanish companies such as Telefonica, Vodafone, and others
    1500 UTC – UK NHS announces WannaCry infection
    1500 UTC – Killswitch domain registered, sinkholing begins

  • May 13, 2017

    Modified version of WannaCry identified
    Microsoft releases patch for Windows XP and other operating systems that are no longer supported
    Kaspersky Internet-facing sensors record 45,000 attacks of the WannaCry ransomware in 74 countries

  • May 14, 2017

    2nd killswitch domain sinkholed

  • May 15, 2017

    Over 10k orgs and 200k entities impacted across 150 countries
