Ransomware attacks continue to spread around the world this weekend, after the initial damage inflicted on healthcare organizations in Europe on Friday.
The criminals responsible for exploiting the Eternal Blue flaw haven’t yet been identified, but up to 100 countries have been hit with WannaCry ransomware, with Russia, Ukraine and Taiwan among the top targets.
The ransomware first appeared in March, and is using the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers. The initial spread of the malware was through email, including fake invoices, job offers and other lures with a .zip file that initiates the WannaCry infection. The worm-like Eternal Blue can exploit a flaw in the Server Message Block (SMB) protocol in Microsoft Windows, which can allow remote code execution. This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not applied the patch or were using unsupported legacy technology like XP.
Today, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, including XP and Server 2003.
Overnight and today, it has become clear that a kill switch was included in the code. When the malware detects that a specific web domain exists (the domain was created earlier today), it halts its spread. You can learn more at The Register.
As a Webroot customer, are you protected? YES.
Webroot SecureAnywhere does currently protect you from WannaCry ransomware.
In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before. It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.
In addition to deploying Webroot SecureAnywhere as part of a strong endpoint protection strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.
If you have any questions about your Webroot deployment, reach out to our Support Team now.
And, if you are not a Webroot customer, we encourage you to trial Webroot SecureAnywhere now.
At what point in time yesterday or today did Webroot detect this new version of WannaCry?
Our threat intelligence platform encountered it at 8:30 a.m. UTC on Friday. Shortly thereafter, we blocked it for customers. Thanks, LV.
Once again Webroot SecureAnywhere stops a brand new malware attack in its tracks, so showing that software relying on signature detection is out of date.
You muddy the message though when you say that in addition to Webroot endpoint protection, “it is essential you continue to keep your systems up to date”.
Which is it? Does Webroot on its own stop this attack, or is it also essential to have installed the Microsoft patch for this vulnerability?
And as for educating end users, the major selling point I have been telling my clients is that there will always be at least one user who clicks on a phishing email, so you need Webroot to catch the malware when they do. So are you saying here that some attacks may not be caught by Webroot?
Hi, Paul. Thanks for the kind words. In terms of the messages, both are true. Security is a layered approach–having your OS up-to-date is as important as having antivirus protection software on your endpoint. Thanks, LV.
Do you have evidence that the initial infection vector was email? Can you share the original email?
While our threat teams are still actively researching the threat, we know it is propagating by probing and exploiting vulnerable systems. Thanks, LV.
This article does not provide much reassurance. Technically, how does Webroot detect and prevent infection by Wannacry or other Trojans?
Paul, please view this post on our Webroot Community for additional information.
Social Media Coordinator
Does this mean that no customer running Webroot has been, or indeed will be, affected by WannaCry?
It takes time to learn about every threat and learn how to protect against it. This being said, our call volume has not been impacted at all by this threat. However, if someone has an unpatched system, there is potential for infection due to the vulnerability within the OS mentioned; read this article for details. We also have other tools to assist in auto-remediating malware. Thanks, LV.
I’m a big Webroot fan and I have Secure Anywhere installed on my own, and my closest family’s computers. Just want to say thanks to Webroot for keeping us protected!!
I have been a Webroot customer for many years. Webroot’s website is my first port of call when I hear about cyber attacks.
Why did I have to dig deep to find this article that is affecting millions of computers around the world?
Nothing on http://www.webroot.com Home Page. I had to go out of Webroot’s site and get here through some tricky Google query.
Hi Andres – there is a link on the Home Page of Webroot.com (bottom center). Be sure to check our social media channels when you want information, also. We were sharing this blog post and more as information surfaced over the weekend.
It is so nice, and reassuring, knowing you are watching out for your customers. THANKS!
Am I protected if I’m using Webroot but my computer is still using Vista (and was unable to run security updates)?
Shevawn, please use these direct links to ensure your Operating System is up-to-date.
Windows Vista x86
Windows Vista x64
Social Media Coordinator
I still run Microsoft Windows 7 and use Webroot. Do I need to update to a newer version of Windows or install a specific patch to protect against the ransomware? I am a little confused reading the responses.
You can ensure you have the latest patch for your Operating System by viewing this post on our Webroot Community.
Please feel free to reach out to me directly if you have any additional questions.
Digital Care Coordinator