Wanna Decrypter 2.0 ransomware attack – what you need to know

Updates as of 2017-05-15T17:15:00Z:

  • Multiple news reports have focused on how this attack was launched using NSA code leaked by a group of hackers known as the Shadow Brokers. That’s certainly what seems to have happened based on SophosLabs’ own investigation. A more detailed report on that is planned for early next week.
  • Sophos will continue to update its Knowledge Base Article (KBA) for customers as events unfold. Several updates were added today, and are summarized below in the “More guidance from Sophos” section.
  • Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement: “We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.”
  • With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them, said Dave Kennedy, CEO and founder of information security consultancy TrustedSec.
  • The attack could have been worse, if not for an accidental discovery from a researcher using the Twitter handle @MalwareTechBlog, who found a kill switch of sorts hidden in the code. The researcher posted a detailed account of his findings here. In the post, he wrote: “One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”


It was a difficult Friday for many organizations, thanks to the fast-spreading Wanna Decrypter 2.0 ransomware that started its assault against hospitals across the UK before spilling across the globe.

The attack appears to have exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

SophosLabs said the ransomware – also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r – encrypted victims’ files and changed the extensions to .wnry, .wcry, .wncry and .wncrypt.

Sophos is protecting customers from the threat, which it now detects as Troj/Ransom-EMG, Mal/Wanna-A, Troj/Wanna-C, and Troj/Wanna-D. Sophos Customers using Intercept X will see this ransomware blocked by CryptoGuard. It has also published a Knowledge Base Article (KBA) for customers.

NHS confirms attack

National Health Service hospitals (NHS) in the UK suffered the brunt of the attack early on, with its phone lines and IT systems being held hostage. NHS Digital posted a statement on its website:

The UK’s National Cyber Security Centre, the Department of Health and NHS England worked Friday to support the affected hospitals, and additional IT systems were taken offline to keep the ransomware from spreading further.

Victims of the attack received the following message:

More guidance from Sophos

Here is an update of the specific ransomware strains in this attack that Sophos has now provided protection against:

Threat name Sophos IDE Protection available since
Troj/Ransom-EMG cerb-ama.ide May 12, 2017 17:25 UTC
Mal/Wanna-A wanna-d.ide May 12, 2017 19:13 UTC
Troj/Wanna-C wanna-d.ide May 12, 2017 19:13 UTC
Troj/Wanna-D wanna-d.ide May 12, 2017 19:13 UTC
HPMal/Wanna-A pdfu-bfo.ide May 13, 2017 02:18 UTC
Troj/Wanna-E rans-emh.ide May 13, 2017 07:04 UTC
Troj/Wanna-G rans-emh.ide May 13, 2017 07:04 UTC
Troj/Dloadr-EDC chisb-qv.ide May 13, 2017 23:16 UTC
Troj/Agent-AWDS chisb-qv.ide May 13, 2017 23:16 UTC
Troj/Wanna-H wanna-h.ide May 14, 2017 02:53 UTC
Troj/Wanna-I wanna-i.ide May 14, 2017 06:38 UTC
Troj/Ransom-EMJ wanna-i.ide May 14, 2017 06:38 UTC
Troj/Wanna-J emote-cb.ide May 14, 2017 22:03 UTC
Troj/Wanna-K emote-cb.ide May 14, 2017 22:03 UTC

As noted above, Sophos has issued protection for customers. Users of Intercept X and EXP don’t have to do anything. Users of Sophos Endpoint Protection and Sophos Home should update their versions immediately.

Product Actions
Sophos Intercept X none required
Sophos EXP none required
Sophos Endpoint Protection update immediately
Sophos Home update immediately

Defensive measures

We urge those who haven’t yet done so to:

  • Patch your systems, even if you’re using an unsupported version of XP, Windows 8 or Windows Server 2003 and read Microsoft’s customer guidance for WannaCrypt attacks.
  • Review the Sophos Knowledge Base Article on Wana Decrypt0r 2.0 Ransomware.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Use Sophos Intercept X and, for home (non-business) users, register for Sophos Home Premium Beta, which stops ransomware in its tracks by blocking the unauthorized encryption of files.


Other links we think you’ll find useful:

Techknow podcast — Dealing with Ransomware:


(Audio player above not working? Listen on Soundcloud or access via iTunes.)