WatchGuard Support Center

Knowledge Base - Article

Security Issue

000010320
 WCry 2.0 (WannaCry, WanaCrypt0r) Ransomware

Tracking ID: N/A
Status: Resolved
Article Number: 000010320
CVE ID: None
Severity: High
On 12 May 2017, an extremely virulent ransomware variant named WCry 2.0 (also called WannaCry, WanaCrypt0r, and WannaCrypt) began to infect many victims across the world. Within several hours, over 75,000 victims were reported in 90+ countries, including hospitals in the UK and other countries.
 
Initial analysis of the ransomware appears to show it spreading via MS17-010, a series of critical SMB vulnerabilities in the Microsoft Windows operating system that were recently disclosed as a part of the Shadow Brokers dump of NSA hacking tools.

For WatchGuard customers, both Gateway AntiVirus (signature: Ransom_r.CFY) and APT Blocker detect and block the ransomware payload. However, malware authors are known to repack their variants regularly, and a repacked variant could evade signature-based detection like Gateway AntiVirus. APT Blocker’s sandbox-based detection will continue to detect and block future variants. Additionally, IPS can detect and block exploitation of the MS17-010 vulnerabilities (signatures: 1133635, 1133636, 1133637, 1133638).

IT administrators should install the latest Windows security updates to resolve the MS17-010 vulnerability. Additionally, WatchGuard customers should enable Gateway AntiVirus, APT Blocker, and IPS to stop the ransomware at their network perimeter.
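
The following is an added example, not WatchGuard code: it groups IPS hits for the four MS17-010 signature IDs listed above by source address, so that internal hosts attempting the exploit (likely already infected and still unpatched) stand out from blocked external attempts. The log line layout (source IP, destination IP, then a `signature_id="..."` field) is an assumption, and the sample lines are constructed.

```python
import ipaddress
import re

# IPS signature IDs this article lists for MS17-010 exploitation.
MS17_010_SIGNATURES = {"1133635", "1133636", "1133637", "1133638"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout: source IP, then destination IP, later signature_id="<id>".
LINE_RE = re.compile(
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\b'
    r'.*?signature_id="(?P<sig>\d+)"'
)

def ms17_010_hits(lines):
    """Group MS17-010 IPS hits by source: {src: {internal, targets, count}}."""
    hits = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("sig") not in MS17_010_SIGNATURES:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:  # not a valid address; skip the malformed line
            continue
        entry = hits.setdefault(str(src), {
            "internal": any(src in net for net in RFC1918),
            "targets": set(), "count": 0})
        entry["targets"].add(m.group("dst"))
        entry["count"] += 1
    return hits

def internal_sources(hits):
    """Internal hosts that tripped the signatures: candidates for isolation."""
    return sorted(ip for ip, h in hits.items() if h["internal"])

# Constructed sample lines (not real Firebox output); 9999999 is a made-up ID.
SAMPLE_LOG = [
    '2017-05-13 09:14:02 Deny 10.0.1.23 10.0.2.40 445/tcp msg="IPS detected" signature_id="1133635"',
    '2017-05-13 09:14:05 Deny 10.0.1.23 10.0.2.41 445/tcp msg="IPS detected" signature_id="1133637"',
    '2017-05-13 09:15:40 Deny 198.51.100.9 192.168.5.10 445/tcp msg="IPS detected" signature_id="1133636"',
    '2017-05-13 09:16:11 Deny 10.0.1.50 10.0.2.40 80/tcp msg="IPS detected" signature_id="9999999"',
    '2017-05-13 09:16:30 Allow 10.0.1.60 10.0.2.40 443/tcp msg="Allowed"',
]

if __name__ == "__main__":
    hits = ms17_010_hits(SAMPLE_LOG)
    for ip in internal_sources(hits):
        print(ip, hits[ip]["count"], sorted(hits[ip]["targets"]))
```
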

For more information, see:
Updated
On 19 May 2017, a malware variant named EternalRocks began to infect vulnerable systems using SMB vulnerabilities similar to those used by WCry 2.0. For WatchGuard customers, the same IPS signatures that block the MS17-010 vulnerabilities also block this new malware variant. Additionally, both Gateway AntiVirus and APT Blocker detect and block the ransomware payload.
 
Workaround:
No workaround needed for:
  • WatchGuard Firebox or XTM appliances
  • WatchGuard AP
  • WatchGuard Dimension
  • WatchGuard XCS
  • WatchGuard SSL appliances 

Resolution: