What we do know is that WannaCry appears to be a worm, meaning that it spreads quickly and indiscriminately through open network ports after finding its way onto a computer.
Nobody has been able to confirm with certainty where WannaCry originated, or if its initial distribution was via email. MailGuard is still investigating, along with security researchers around the world.
Following some online speculation on Saturday morning (AEST), MailGuard identified and provided screenshots of a batch of recent ransomware emails (which our filters blocked on Thursday night and Friday morning). These carried all the hallmarks of WannaCry.
We’ve since discovered that this was in fact the malware variant Jaff, which has many of the same characteristics as the WannaCry malware. We apologise for the initial confusion.
Jaff is also a rapidly-spreading form of malware – some reports indicate it was spreading at a rate of 5 million emails per hour at its peak.
Information from the MailGuard tech team on the current status of WannaCry in Australia
“MailGuard has not seen or had reported a single infection via emails delivered via our network. We have confidence we will not see this malware variant affect customers via emails protected by MailGuard.
“In accordance with security best practice, please ensure your antivirus protection (endpoint) and your organisation’s operating systems, in particular Windows, are updated to the latest available security patches to ensure that you do not get infected via other mediums.”
Advice from the Australian Cyber Security Centre on WannaCry and other ransomware
- The campaign has various names including “WanaCryt0r”, “WannaCrypt”, “WanaCry”, “WanaDecryptor”, or “Wana”
- The ransomware leverages publicly known vulnerabilities in Microsoft Windows, patched by Microsoft in March this year (Microsoft Security Bulletin MS17-010)
- Microsoft has released updates for Windows XP, Windows 8 and Windows Server 2003. Downloads are linked from Microsoft's article: Customer Guidance for WannaCrypt attacks.
- Australian organisations are strongly recommended to apply these patches as soon as possible to prevent infection by this ransomware campaign. Users should also ensure that they have backed up their important data to an offline location.
- Organisations that apply the ASD Essential Eight mitigation strategies are not affected by this ransomware campaign.
- If Australian organisations are infected, they should seek assistance in the first instance from the Australian Cyber Security Centre via the number 1300 CYBER1.