The following IPS signatures from Check Point were made available in March and April of 2017 and will protect your environment from WannaCryptor:

Microsoft Windows EternalBlue SMB Remote Code Execution https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0332.html
(MS17-010: CVE-2017-0143) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0177.html
(MS17-010: CVE-2017-0144) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0198.html
(MS17-010: CVE-2017-0145) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0200.html
(MS17-010: CVE-2017-0146) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0203.html
(MS17-010: CVE-2017-0147) https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0205.html

* The above links provided by an awesome SE at Check Point

AV and AntiBot on the gateway will also help defeat this.

NextGen Endpoint agents like SentinelOne will defeat this on the host if it happens to get through your perimeter.

Probably the best way to avoid this is to patch your systems.

Good Article

WannaCryptor WannaCrypt Wcry and Check Point

2 thoughts on “WannaCryptor WannaCrypt Wcry and Check Point

  • May 13, 2017 at 12:10 am
    Permalink

    Looks like FedEx was hit with this. Wonder if they will be a featured speaker again at the next CPX. Doh.

  • May 15, 2017 at 10:25 am
    Permalink

    Yeah that was a good presentation. Too bad they got hit.

Leave a Reply

Your email address will not be published. Required fields are marked *