Falcon Intelligence Report: Wanna Ransomware Spreads Rapidly; CrowdStrike Falcon Prevents the Attack
Wanna (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) ransomware exploded onto the ransomware scene on May 12, 2017, with a mass campaign impacting organizations in many countries. This second variant of the ransomware has been leveraging the EternalBlue (MS17-010) vulnerability, released by the Shadow Brokers actors, to spread over victim networks via the Windows file sharing protocol, Server Message Block (SMB), following an initial infection.
CrowdStrike Falcon Prevent offers protection for this variant through two types of coverage. Falcon Prevent has a Machine Learning layer (at the “Moderate Level”) and a Behavioral IOA layer (“Suspicious Process”). To ensure this ransomware is prevented, the Prevention Policies must be enabled. For additional details on how to configure CrowdStrike Falcon Prevent to stop Wanna ransomware and its variants, please visit the blog, “CrowdStrike Falcon Prevents WannaCry Ransomware.”
Wanna ransomware targets 177 file types for encryption. The .wncry extension is appended to the names of encrypted victim files.
Unlike other ransomware families, Wanna continues to encrypt victim files after any name changes, and also encrypts any new files created following infection. A ransom note is displayed on the victim machine; its text is drawn from a library of Rich Text Format (RTF) files in multiple languages and is chosen based on machine location. A similar text-based ransom note named @Please_Read_Me@.txt is added to each folder containing encrypted victim files.
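The two file-system artifacts described above (the .wncry suffix and the per-folder @Please_Read_Me@.txt note) can be used to scope which folders on a share or mounted image were affected. The following triage sketch is an added example, not CrowdStrike code; the function names, the "confirmed"/"partial" split and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".wncry"           # extension named in the report
RANSOM_NOTE = "@please_read_me@.txt"  # note name from the report, lowercased

def scan_tree(root):
    """Walk root and return {folder: {"encrypted": [...], "note": bool}}
    for every folder that holds at least one indicator."""
    hits = defaultdict(lambda: {"encrypted": [], "note": False})
    for folder, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            lowered = name.lower()  # Windows file names are case-insensitive
            if lowered.endswith(ENCRYPTED_SUFFIX):
                hits[folder]["encrypted"].append(name)
            elif lowered == RANSOM_NOTE:
                hits[folder]["note"] = True
    return dict(hits)

def summarize(hits):
    """Split folders into note-plus-encrypted-files versus one indicator alone."""
    confirmed = sorted(f for f, h in hits.items() if h["note"] and h["encrypted"])
    partial = sorted(f for f in hits if f not in confirmed)
    total = sum(len(h["encrypted"]) for h in hits.values())
    return {"confirmed": confirmed, "partial": partial, "encrypted_files": total}

def build_sample_tree(root):
    """Constructed sample data: empty files laid out like an affected share."""
    layout = {
        "finance": ["q1.xlsx.wncry", "q2.xlsx.WNCRY", "@Please_Read_Me@.txt"],
        "hr": ["roster.docx"],         # untouched folder, must not be reported
        "scratch": ["new.txt.wncry"],  # constructed case: suffix present, no note
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = summarize(scan_tree(root))
        for key in ("confirmed", "partial"):  # report paths relative to the root
            report[key] = [os.path.relpath(p, root) for p in report[key]]
        return report

if __name__ == "__main__":
    print(demo())
```

Because the report states that newly created files are also encrypted after infection, a second scan of the same tree that shows a higher count indicates the process is still active on that host.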