This post was authored by Martin Lee, Warren Mercer, Paul Rascagneres, and Craig Williams.

Executive Summary

A major ransomware attack has affected many organizations across across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as ‘WannaCry’.

The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin.

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

Please note this threat is still under active investigation, the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date.  For comments and questions, please follow the link below to the Talos Intelligence blog, comments here have been closed to keep conversation in one forum. For current information, please refer to your Firepower Management Center or Snort.org.

Read more »


Talos Group

Talos Security Intelligence & Research Group