To cut to the chase: Yes, CylancePROTECT® fully prevents all in-the-wild examples of the malware related to these specific attacks.
To explain, this attack exploits a flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow for remote code execution upon proper and successful exploitation. This flaw was patched in Microsoft’s March 2017 update cycle (MS17-10).
However, many environments are still behind on patches for various reasons and may also be running legacy operating systems (ex: XP) which are no longer updated/supported with security updates, which leaves those systems exposed.
Leveraging this exploit, the attackers can fully execute arbitrary code.
In the case of the WanaCrypt issue, we are dealing with a ransomware executable that includes additional worm functionality. It has the ability to scan and locate other machines and propagate itself to other adjacent and exposed hosts via the EternalBlue vulnerability.
Due to the nature of the flaw, machines that are propagated to via the worm functionality do not require interaction from the user on the victimized host.
The worm/ransomware binary handles the remote execution. In most confirmable cases today, stage one is a malicious phishing email. This includes an attachment that “patient zero” executes, which infects them, while simultaneously kickstarting “Stage 2” – the worm-type functionality and internal propagation/pivoting.
In addition to employing strong and effective endpoint controls, users are also encouraged to:
• Keep software up-to-date, including operating systems
• Avoid dangerous web locations
• Educate users to detect potential cyberattacks delivered via phishing emails, infected banners, spam emails, social engineering attempts, etc.
Our threat researchers are continuing to investigate new samples as they arrive, to ensure that CylancePROTECT can fully block all new variants. Get started with CylancePROTECT now to make sure you’re safe against threats like this one – reach us at firstname.lastname@example.org.