Showcase: WannaCryptor ransomware blocked by ESET’s Network Attack Protection module

Ondrej Kubovič


ESET protected its business clients from one of the largest malware outbreaks in recent years – the WannaCryptor ransomware epidemic of May 2017. The ransomware hit thousands of organizations worldwide and caused damages estimated from hundreds of millions to billions of dollars. Thanks to our Network Attack Protection technology, ESET-protected endpoints were unaffected.

May 12th, 2017 marks one of the most disruptive cyberattacks in the history of cybersecurity. Within minutes, thousands of organizations in more than 150 countries saw over 200,000 endpoints encrypted and rendered inaccessible by the WannaCryptor ransomware, also known as WannaCry and WCrypt. Business processes were stalled in many sectors, causing damages estimated to range from hundreds of millions to billions of dollars.

The attackers behind the incident leveraged a sophisticated exploit named EternalBlue, which was allegedly stolen and leaked from the US National Security Agency (NSA) and posted online by a black-hat group known as Shadow Brokers.

This exploit targeted a specific vulnerability (CVE-2017-0144) in Microsoft’s implementation of the Server Message Block (SMB) protocol, via port 445. By scanning the internet for SMB ports, the ransomware worm was able to execute its code on exposed, vulnerable systems, and hence spread further, both within the victim’s LAN and across the internet.

Most of the affected systems were running an unpatched version of Windows 7. However, even systems that did not have the critical patches installed, which Microsoft had released on March 14th, two months prior to the attack, could have been protected by a quality multi-layered security solution.

Based on a network detection added April 25th, 2017, ESET’s Network Attack Protection layer was able to block attacks utilizing EternalBlue exploits to push malicious payloads into the targeted systems. This included the WannaCryptor ransomware family as well as any other malicious payload that might attempt to use the same distribution mechanism.

ESET’s Network Attack Protection technology allowed our clients to continue with business as usual, without any disruption. In contrast, affected organizations around the globe continued to report major issues in their internal systems even several days after the initial outbreak.

The substantial number of infiltrated devices in the WannaCryptor case demonstrates the crucial role of patching policy within organizational security. However, patching can be a time-consuming, laborious and expensive process. By installing ESET’s multi-layered security solutions, organizations improve their protection until crucial updates can be properly tested and subsequently deployed. Protective technology can also help safeguard endpoints that cannot be patched or simply replaced, as well as those occasional systems in huge networks that are inevitably missed once patches are tested and rolled out enterprise-wide.