What Happened

On Friday, May 12, 2017, a series of broad attacks began that spread the latest version of the WanaCrypt0r ransomware. These attacks, also referred to as WannaCrypt or WannaCry, reportedly impacted systems of public and private organisations worldwide. Our Next-Generation Security Platform automatically created, delivered and enforced protections from this attack.

How the Attack Works

While the initial infection vector for WanaCrypt0r is unclear, it is certain that once inside the network, it attempts to spread to other hosts using the SMB protocol by exploiting the EternalBlue vulnerability (CVE-2017-0144) on Microsoft Windows systems. This vulnerability was publicly disclosed by the Shadow Brokers group in April 2017, and was addressed by Microsoft in March 2017 with MS17-010.

Microsoft published a post on protections from the WanaCrypt0r attacks here, and has taken the step of providing patches for versions of Windows software that are no longer supported, including Windows XP. Organisations that have applied the MS17-010 update are not at risk for the spread of WanaCrypt0r across the network, but given it addresses a remotely exploitable vulnerability in a networking component that is now under active attack, we strongly urge making deployment of this security update a priority.


Palo Alto Networks customers are protected through our Next-Generation Security Platform, which employs a prevention-based approach that automatically stops threats across the attack lifecycle. Palo Alto Networks customers are protected from WanaCrypt0r ransomware through multiple complementary prevention controls across our Next-Generation Security Platform, including:

  • WildFire classifies all known samples as malware, automatically blocking malicious content from being delivered to users.
  • Threat Prevention enforces IPS signatures for the vulnerability exploit (CVE-2017-0144 – MS17-010) used in this attack: SMB vulnerability – ETERNALBLUE.
  • URL Filtering monitors malicious URLs used and will enforce protections if needed.
  • DNS Sinkholing can be used to identify infected hosts on the network. For more, please reference our product documentation for best practices.
  • Traps prevents the execution of the WanaCrypt0r malware on endpoints.
  • AutoFocus tracks the attack for threat analytics and hunting via the WanaCrypt0r tag.
  • GlobalProtect extends WildFire and Threat Prevention protections to remote users and ensures consistent coverage across all locations.

For best practices on preventing ransomware with the Palo Alto Networks Next-Generation Security Platform, please refer to their Knowledge Base article. We strongly recommend that all Windows users ensure they have the latest patches made available by Microsoft installed, including versions of software that have reached end-of-life support.

This article was originally published by Palo Alto Networks.View the original article.

Change Log:

On May 13, 2017, this post was updated to include:

  • Link to Microsoft blog on protections against WanaCrypt0r attacks
  • Details on additional protections via DNS sinkholing
  • Updated URL Filtering section to reflect new analysis

On May 15, 2017, this post was updated to clarify the WanaCrypt0r attack delivery method based on additional information.

May 17, 2017:

  • Added Threat Prevention signature information for anti-malware and command-and-control activity.
  • Added link to Traps blog.
  • Predictive, Pre-Deployment, Post Installation and Health Check Wireless Surveys carried out by certified wireless engineers.

    We look at Wi-Fi fundamentals, explore the benefits of and technology behind Wi-Fi 6, Wi-Fi 6E and what the future holds for Wi-Fi 7

    Net-Ctrl provide network and structured cabling solutions as either a stand-alone installation, or to compliment products and solutions that we offer.

    Connect-the-Classroom scheme  is allowing schools to upgrade their infrastructure to a solution that should last 10 years

    Net-Ctrl provides two excellent support packages in addition to any equipment purchased. Find out about our Silver or Gold support package

    IP-CCTV site survey to assess camera locations and requirement and existing Mobotix solution health checks.

    Net-Ctrl offers our Cloud WLAN. Delivering market-leading patented technology managed by the Net-Ctrl engineering team.

    We provide an automated Cybersecurity awareness training solution covering both simulated phishing and training courses.

    Net-Ctrl offers a range of wireless network solutions. We explore some common questions related to these solutions.

    Offering end-to-end, affordable and competitive financing solutions to help you achieve your business goals.