Avast News

Avast blocked WannaCry ransomware more than 1 million times in 150 countries worldwide

Jas Dhaliwal, 2 June 2017

Avast’s zero-day protection defended more than a million potential WannaCry victims. But on any given day, we block 100 times that many attacks, of all kinds.

While the WannaCry ransomware outbreak wreaked havoc on computers around the globe, Avast’s Threat Intelligence team worked around the clock to protect our users. In fact, our team had been tracking an early version of WannaCry since February, well before the first widely detected strain that debuted on Friday, May 12, at which point we detected more than 10,000 infections per hour as it began to spread worldwide.

We know our users depend on us to protect them from all sorts of online threats, though many may not know exactly how we do what we do, how the "magic" happens. In fact, it’s not magic. The "how" is a set of unique, always-evolving technologies, which in this case recognized and blocked WannaCry’s components. They did this even on vulnerable computers that hadn’t been infected yet, providing what we call "zero-day" protection: the Behavior Shield and Identity Protection features in our Avast Antivirus products detected WannaCry by observing malware behaviors, then blocked them before they could harm users’ systems.

Since WannaCry’s initial spread, we’ve seen more than 350 variants of the ransomware, and altogether our technologies have blocked it more than a million times, in 150 countries. In the first 6 days of the attack, we saw that about 15% of our users' Windows computers still had the MS17-010 vulnerability that WannaCry exploits, meaning these users hadn’t applied the Windows patch Microsoft had made available, which required only that they update their system. This vulnerability in Windows is what made WannaCry uniquely insidious. For the first time since about 2005, an attack requiring no user action at all was spreading. Windows users didn’t need to receive an email, click a website link, or download a file. All WannaCry needed was an unpatched Windows system connected to the internet or to an infected network.

Avast’s Threat Intelligence team was instrumental in detecting and blocking the malware for our users; informing them of the WannaCry attack immediately, on our blog; and then surveying the ransomware’s damage in a follow-up post.  

We all come to work every day at Avast for our users, for the 1 million+ people we protected from WannaCry – and even for the people who may not use Avast products, but who we were able to warn and to encourage to get the patch. We show up to ensure our technology is ready for the next attack, even before it appears.

To me, though, the most astonishing thing about these last couple of weeks is that while WannaCry received a lot of attention in the media and in social media, at its peak we were stopping about 100,000 attacks a day. On an average day at Avast, however, we stop more than 100 million attacks, of all kinds. So, job well done, Threat Intelligence team. Job well done, everyone at Avast. Our work at a time like this makes me especially proud to be part of this team.