Global Outbreak of WannaCry

May 12, 2017

[Updated May 17, 2017]

On May 12, 2017 the Check Point Incident Response Team started tracking a wide spread outbreak of the WannaCryp ransomware. We have reports that multiple global organizations are experiencing a large scale ransomware attack which is utilizing SMB to propagate within their networks.  To complicate matters there are a number of different campaigns ongoing so identifying specific infection vectors has been a challenge.

For WannaCry the infection vector appears to be direct infection utilizing SMB as delivery method. Samples have been identified by Check Point Research Teams that contain variant “killswitch” domains and bitcoin addresses. All tested samples have been detected and blocked by SandBlast Anti-Ransomware and/or Threat Emulation.


Check Point offers the following protections for WannaCry:

  • Network Protections (SandBlast)
    • Threat Extraction and Threat Emulation
    • Anti-Bot/Anti Virus
  • Endpoint Protections (SandBlast Agent)
    • Anti-Ransomware
    • Threat Extraction and Threat Emulation
    • Anti-Bot/Anti Virus
    • Anti-Malware

General Protections

  • Windows machines should be patched for vulnerabilities discussed in Microsoft Security Bulletin MS17-010 – Critical Security Update for Microsoft Windows SMB Server (4013389)
  • Ensure a backup is available that is not shared on the network
  • Block encrypted password protected attachments from email gateways


The Check Point Incident Response Team is monitoring the situation closely and is available to assist customers.

The following sections provide detail that Check Point customers can use to understand how the company’s solutions can be leveraged to analyze, report and prevent the elements of the attack. And to learn more about ransomware in general, click here.


SandBlast Threat Emulation Reports


Check Point SandBlast Forensics Agent

Link to online report:


Attack Tree


Check Point’s SandBlast Anti-Ransomware Agent

The video shows Check Point blocking and restoring a system infected with the ransomware



  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks