Clavister blocks Wannacry

Clavister blocks world’s most aggressive piece of ransomware

Clavister protects against WannaCry, the world’s most aggressive ransomware

Users under threat from an ongoing global ransomware outbreak that targets Windows computers in approximately one hundred (100) countries can keep their systems safe with Clavister Endpoint Security Client and should make sure to get the latest patches from Microsoft. The WannaCry ransomware encrypts files in the PCs it infects. Attackers demand a ransom be paid in exchange for decryption.

The outbreak was temporarily curbed through a "kill switch" triggered by accident as a 22-years-old British security researcher registered a domain used by the malware. The malware have now evolved and variations such as Uiwix does not contain this flaw and is actively infecting new computers. Customers are adviced to stay vigilant and keep high attention on this event, patch all their vulnerable systems and deploy effective security products in their network.

About Wannacry

"This particular ransomware is correctly identified and blocked by 30% of the AV vendors using current virus definitions,” said Ivanti’s Phil Richards, cited by The Mirror. The expert mentioned Clavister's product (through Bitdefender) as one of the solutions effective against WannaCry.

To stay safe, you should also keep your Windows system updated with the latest security patches from Microsoft via your Windows system’s auto-update feature.

Files that already has been encrypted by the malware is not likely going to be possible to decrypt unless the encryption keys can be recovered from the malware command and control servers.

The attacks have caused major disruption to hospitals, telelcom companies as well as gas and utilities plants. Among the organisations that took the worst hits is the National Health Service (NHS) in the UK.

More about Wannacry on DeCrypted News

How is this ransomware attack different?

Unlike other ransomware families, the WannaCrytor strain does not only spread via infected e-mails or infected links. Instead, it takes advantage of a security hole in most Windows versions to automatically execute itself on the victim PC. According to various reports, this attack avenue has been developed by the National Security Agancy (NSA) in the US as a cyber-weapon and it was leaked to the public earlier in April along with other classified data allegedly stolen from the agency by the group shadow brokers.

Analyzing the infection mechanism we can say that WannaCry is one of the biggest threats that both end users and companies have to face recently.  Because the list of vulnerable Windows PCs can be found through a simple internet scan and the code be executed remotely, no interaction from the user is needed. Once the PC is infected, it acts like a worm, it replicates itself in order to spread to other computers. In addition to spreading by using the named vulnerability it also scans all open RDP sessions and infects the connected systems as the user logged into the RDP session.

Analysis reveals that the wormable component is based on the EternalBlue exploit that had been leaked out in a data dump allegedly coming from the NSA. This strain of malware is one of the few that combine the aggressive spreading mechanism of a cyber-weapon with the irreversible distructive potential of ransomware. Up until now, more than 120,000 computers worldwide have been infected. As a result of this behavior the malware has been encrypted the data also on computers that traditionally are not infected by ransomwares, e.g. ATM machines, computers controlling advertising displays, etc.

Clavister's partner Bitdefender has developed strong anti-ransomware capabilities available in the Clavister Endpoint Security Client that helps users stay safe from such sophisticated attacks, which have been on the increase in recent years.

Read Clavister's DeCrypted News about Shadow Brokers

Find out if you are vulnerable

The vulnerability affects almost all versions of the Windows operating system, including those who are not actively supported anymore, such as Windows XP, Windows Vista and Windows Server 2003. Because of the extremely high impact, Microsoft has decided to issue patches for ALL operating system, including the unsupported ones. If your operating system does not have the specific hotfix installed, then you are vulnerable and need to update immediately.

Microsoft Security Bulletin for MS17-010

How to protect yourself

  1. Disconnect infected computers
    Disconnect infected computers to avoid furhter damage to your network and data.

  2. Patch and upgrade
    See Microsoft patch reference above.

  3. Disable the Server Message Block (SMB) service
    If your computers does not have an available patch, disable the SMB Service to avoid spreading the malware any further.

  4. Back up your data on offline hard drives.
    The malware encrypts files on external drives such as a USB drives, as well as any network or cloud file stores.

  5. Do not block URL KILLSWITCH (
  1. Endpoint Security
    Ensure your are using proper Endpoint Security products.
    We recommend using the  Clavister Endpoint Security Client (ESC).
    Only 30% of most reputable AV products protected against this malware during the initial stage of the outbreak.
    Read more here:

  2. Network Security
    1. Network Based Antivirus
      Enable the Antivirus feature on your Clavister Next Generation Firewall and ensure that you are using an updated signature database.
      Clavister's Antivirus signatures blocks the Wannacry malware.

    2. Intrustion Detection and Prevention
      Enable the Intrusion Detection and Prevention feature on your Clavister Next Generation Firewall and ensure that you are using an updated IDP signature database.
      Clavister's IDP signatures blocks the Wannacry malware.

    3. Network Segmentation / Firewall Policies
      Ensure that you have proper firewalling policies on your Clavister Next Generation Firewall to minimize the lateral movement / spreading between network segments.