Wanna Ransomware Attack – Advice and Assistance From Sophos

We know that a number of National Health Service (NHS) organisations have been affected by a virulent new ransomware variant, Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r). Although some Sophos customers have already contacted Sophos technical support, we are also reaching out proactively with this message to all our NHS customers to offer our advice and support during this challenging period. Our technical support team are available 24/7 and although response and call wait times are higher than average right now, we are endeavouring to answer every call as quickly as possible.

We strongly recommend that you ensure your computers are patched against the vulnerability described in Microsoft Security Bulletin MS17-010, which is what allows the ransomware to spread between machines so quickly. A patch is also available right now for Windows XP, 2003, and 8. Please monitor the article "Wana Decrypt0r 2.0 Ransomware" to stay up to date with the latest information.

On the day of the attack and immediately after, we made several updates to our protection rules, meaning Sophos Endpoint products now block all known variants of Wanna from executing. Customers using Intercept X or Exploit Prevention were protected proactively against the ransomware behaviour from the first instance.

All Sophos customers are now protected from Wanna, but it is highly likely that new attacks based on the leaked exploits will appear. We want all NHS trusts to have the best possible protection during this high-risk period while vulnerable machines are upgraded and/or patched. To ensure that all NHS customers are able to benefit from proactive protection against any new attacks, we would like to offer all NHS customers, free of charge for a limited period, our new next-gen endpoint products (Intercept X and Exploit Prevention), which provide behavioural and exploit-based protection against ransomware attacks, and which have been effective so far against all new Wanna variants.

For customers using Sophos Enterprise Console (SEC), we are making our Exploit Prevention agent available for 30 days. This agent proactively protects against ransomware behaviour. Customers will need to upgrade to SEC version 5.5. At that point you should be able to see a new subscription, and an additional option (Exploit Prevention) under “Protect Computers”.

For customers using Sophos Central, we are making available 30 days' access to Intercept X, which includes anti-ransomware protection as well. You can activate this under “Explore Products” at the bottom left of the Sophos Central console.

Please contact your Sophos partner or account manager if you would like to extend access further.

Finally, for customers still using Windows XP, we have ensured that the latest identities and rules to protect against Wanna have been added to our update repositories for all customers, even those without an extended support license for Windows XP. If you require extended support for Sophos Endpoint on Windows XP, please contact your Sophos partner or Sophos account representative.

Thank you,
Steve Morgan
Public Sector Divisional Manager, Sophos

Further Information

Sophos KB: Wana Decrypt0r 2.0 Ransomware

NakedSecurity: Wanna Decrypter 2.0 ransomware attack: what you need to know

Microsoft TechNet: Customer Guidance for WannaCrypt attacks

Nine best security practices to apply now: