A Note on Ransomware

WannaCry - The Outbreak That Should Have Never Been...

In May 2017, the WannaCry Ransomware outbreak caused widespread disruption all over the world. This virulent malware first infected un-patched computers and then spread using the SMB protocol.

None of our customers got hit because their patching was up to date but in an unpredictable world where the next zero day vulnerability and virus may be just around the corner, a defence in depth approach at the endpoint should embody Anti-Malware, Patching and Archiving.

The following excerpt from our AV Vendor of choice demonstrates how our Business Grade Anti-Malware solution protected our users throughout the outbreak.

“When the virulent WannaCry ransomware hit the UK two weeks and took down personal PCs, businesses and organisations like the NHS, AVG Business by Avast is proud to say that we protected our users from the attack.


We had been tracking a version of WannaCry since February this year and first detected this strain on Friday, May 12, at 7am BST, tracking 10,000 detections per hour as it spread across the world. Several of our technologies recognised and blocked its components, even on vulnerable machines, providing what we call zero-day protection. The ‘Behavior Shield’ feature in our Avast Antivirus products, known as ‘Identity Protection’ in our AVG AntiVirus products, detected WannaCry by observing unusual behaviour on a machine, and then blocking the malware from acting before it could cause harm.


Since the initial spread, we have seen more than 350 variants of WannaCry, and altogether have blocked it 250,000 times in nearly 120 countries, using manually-generated string detections, automatically generated detections, and generic detections for behaviour to ensure complete protection for our partners and customers.


In the first six days of the attack, we saw that around 15% of our users’ Windows computers had the MS17-010 vulnerability that this ransomware was exploiting in order to spread, meaning these users hadn’t updated their Windows system to apply the patch Microsoft had made available. This Windows vulnerability is what made this attack unique as it did not require any user action at all in order to spread, something we haven’t seen since around 2005. Users did not need to receive an email, click on a link to a website or in fact do anything in order to be infected – all that was required was to have an unpatched Windows system and be connected to the internet or an infected network.


AVG Business by Avast’s Threat Intelligence teams were instrumental in detecting and blocking the malware, and shared updates for our users on the Avast blog in a number of articles. You may have seen or heard on the radio some of the great press coverage that came from our advisories, including our CEO being interviewed on CNN.


Sometimes the work we do may seem routine, but this episode clearly shows the global impact of what we do every day. Even though this attack generated massive publicity, the number of actual attacks was quite small in the overall scheme of things, with us stopping around 100,000 attacks in a day at its peak. Compare this to a normal day in which we stop well over 100 million attacks of all kinds, and you can see how we continually keep you safe on an hourly, daily and ongoing basis.”