Reports of a massive, worldwide ransomware attack are dominating the news. As workers in Europe headed home for the weekend, ransomware started shutting down their systems. It soon spread to many other countries across the globe. Here’s what we know so far.

Big targets

National Health Service (NHS) England, and Telefonica, one of the largest telecom providers in the world, have each given out statements indicating that their systems have been brought to a grinding halt by a ransomware called WanaCrytp0r, which Malwarebytes detects as Ransom.WanaCrypt0r. The ransomware has also been observed hitting companies in Spain, Russia, Ukraine, and Taiwan.


The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked NSA set of exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven’t found yet.


The demanded ransom of $300 per device and the potential risks to the public that come with the targets being big utility and healthcare companies seem to be in shrill contrast. We can only hope that the companies that were hit will be able to get their backups deployed quickly and can start the recovery from this cyberattack. 

Other Infection Vectors

While WanaCrypt0r has been observed spreading across local networks by utilizing the above exploit, its initial infection into a network is still being discovered completely. However, we tested one of the infection vectors, described earlier by Fox-IT, against our Anti-Exploit technology.   In doing so, we discovered another part of the attack chain we were able to stop.



This attack method relies upon a malicious phishing email, that includes a link to (or attached) PDF document, which when opened will download an ‘.HTA’ file that leads to eventual infection of the system that opened the e-mail.  We suspect there are possibly even more infection vectors spreading this malware and as we discover and analyze them, we will update this post.


Consumers and businesses alike should be sure their systems and software are updated with all current patches in order to stop the spread of infection. Both our consumer product, Malwarebytes, and our business product, Malwarebytes Endpoint Security, protect against this threat, since we detect this ransomware. And our anti-ransomware technology will stop any future unknown variants.


Here are a few screenshots of our products stopping this threat: