Is WSA updated to detect the current Wannacry ransomeware

Where can I go to verify whether or not Webroot detects the current Wannacry malware? 
I've tried checking the kb and blog but no info.  You'd think with this being a global news story, Webroot would have published something specifically on this by now?

Best answer by freydrew 13 May 2017, 17:33

View original

This topic has been closed for comments

9 replies

Userlevel 7
Badge +48

Hi @, here are a few thoughts on the recent WannaCry ransomware attacks. 
Can you please provide more information on how we are protected?  I get that we need to ensure patching is up to date and our team has identified where servers/workstations need patching but I'm curious to know if there are ways to verify if wannacry is detected and quarantined. 
Userlevel 7
Badge +48
Today, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, including XP and Server 2003. Overnight and today, it has become clear that a  kill switch was included in the code.  When it detects a specific web domain exists—created earlier today—it halts the spread of malware. 
More information on WannaCry from a Webroot perspective can be found here
Userlevel 7
Badge +48
We can't disclose our detections rules as it would compromise the security they provide if they were made public. However, I can share that these are the top 25 variants of Wannacry that we've seen blocked. Some of these individual MD5s have been seen on hundreds of PCs - mostly in Russia. 

4BB0DB7B5DEA5A5F7215CABE8F7155AF (W32.Ransom.Wannacry)
F94429CC043169462D34EDD14117DDD2 (W32.Ransom.Wannacry)
F107A717F76F4F910AE9CB4DC5290594 (W32.Ransom.Wanacryptor)
54A116FF80DF6E6031059FC3036464DF (W32.Ransom.Wannacry)
3C6375F586A49FC12A4DE9328174F0C1 (W32.Ransom.Wannacry)
246C2781B88F58BC6B0DA24EC71DD028 (W32.Ransom.Wannacry)
5BEF35496FCBDBE841C82F4D1AB8B7C2 (W32.Ransom.Wannacry)
D937086367935BB125F1AD49B2CAE2C4 (W32.Ransom.Wannacry)
9A29404FACEC04347E7A74691B61039B (W32.Ransom.Wannacry)
27CB59DB5793FEBD7D20748FD2F589B2 (W32.Ransom.Wannacry)
AA776B1233C2D33DED9DFA0FE17FC48F (W32.Ransom.Wannacry)
80A2AF99FD990567869E9CF4039EDF73 (W32.Ransom.Wannacry)
05A00C320754934782EC5DEC1D5C0476 (W32.Ransom.Wannacry)
638F9235D038A0A001D5EA7F5C5DC4AE (W32.Ransom.Wannacry)
C39ED6F52AAA31AE0301C591802DA24B (W32.Ransom.Wannacry)
7F2BC30723E437C150C00538671B3580 (W32.Ransom.Wannacry)
31DAB68B11824153B4C975399DF0354F (W32.Ransom.Wannacry)
FF81D72A277FF5A3D2E5A4777EB28B7B (W32.Ransom.Wannacry)
8621727CDE2817D62209726034ABD9D3 (W32.Ransom.Wannacry)
DB349B97C37D22F5EA1D1841E3C89EB4 (W32.Ransom.Wanacryptor)
46D140A0EB13582852B5F778BB20CF0E (W32.Ransom.Wannacry)
5D0B6584A6D508DF278315C0CAC2F5C7 (W32.Ransom.Wannacry)
97C5205C3CBD1840B26A97D8935E6FC1 (W32.Ransom.Wannacry)
BEC0B7AFF4B107EDD5B9276721137651 (W32.Ransom.Wannacry)
EB87BBB7E22FF067D303B745599FB4B7 (W32.Ransom.Wannacry)
Userlevel 7
Badge +48
Just a friendly reminder to be sure to keep your OS up to date. 
In case you're looking for them, here's a list  of direct links to download the MS patch for the most common OS's:
Windows XP SP3
Windows Vista x86
Windows Vista x64
Windows 7 x64
Windows 7 x86
Windows 8
Windows 8.1
Windows 10
Windows 2012
Windows 2012R2
Windows 2016
Userlevel 7
Badge +48
As the second wave of WannaCry spreads across the globe, the latest estimate from the leading European police agency Europol suggests the malware has hit over 200,000 victims over 150 countries. You can catch up on some of the latest news here.  
Although a second kill switch has been identified and registered today, there is no certainty that this second kill switch will address all malware variants. Europol continues to recommend that one of the best defenses is to take advantage of the patches released by Microsoft.
Webroot currently has strong protection in place for WannaCry, and has already reviewed and fortified its protection and detection routines to protect its users against future variants that may appear. As Webroot sees every new executable file introduced on systems where Webroot SecureAnywhere is installed, we get rapid insight into all types of new malware.  
This allows us to quickly create and/or improve upon our best-in-class detection mechanisms for zero day threats.
More information on our blog here.
Userlevel 1
That's great - but wish you would fix this problem with the same speed -
Becuase of this we still cannot run Webroot on terminal servers with full protection enabled - a critical end point in most businesses.
Userlevel 7
Badge +31
Re: 4005 , i've posted a reply over in that thread - it's positive news.
Userlevel 7
Badge +48
Over the past couple of days I've seen a few questions coming in from the community about WannaCry and wanted to share with the rest of you: 
  1. How does Webroot detect and prevent infection by Wannacry or other Trojans?
We have proprietary detection systems in place. In the case of WannaCry, our Webroot SecureAnywhere (WSA) detected and blocked it just like any other malware that we see. What was unique about this malware was its distribution method. You can find additional information about how WSA works on our data sheet here.
  1. Does this mean that no customer running Webroot has been, or indeed will be, affected by WannaCry?
It takes time to learn about every threat and learn how to protect against it. This being said, our call volume has not been impacted at all by this threat. However, if someone has an unpatched system, there is potential for infection due to the vulnerability within the OS mentioned, read this article for details. We also have other tools to assist in auto-remediating malware.
As a reminder, to prevent this threat from propagating within your environment, in any way, please review our Ransomware Prevention Guide and implement the suggestions listed
  1. Do you have evidence that the initial infection vector was email?
While our threat teams are still actively researching the threat, we know it is propagating by probing and exploiting vulnerable systems.
  4. At what point in time did Webroot detect this new version of WannaCry?
Our threat intelligence platform encountered it at 8:30 a.m. UTC. Shortly thereafter, we blocked it for customers.