WanaCry because your organization is slow to patch? Stop the tears with TearSt0pper!

WanaCrypt0r 2.0 has been spreading like wildfire, causing severe impact to individuals and businesses alike. Wcry is not only a crypto-ransomware variant; it also packages a leaked NSA exploit (MS17-010), creating a self-propagating ransomware worm.

To protect our clients and now the general public, Rendition Infosec has released TearSt0pper.  Simply put, TearSt0pper creates a mutex (mutual exclusion object) that will prevent WanaCrypt0r 2.0/Wcry from infecting a system.

Slow patching cycles for MS17-010, coupled with Wcry modifications, leave many organizations still vulnerable to infection and spread. TearSt0pper by Rendition Infosec stops the tears and, as tested, can be run at any user privilege level. This means administrators can deploy TearSt0pper throughout the enterprise (as a group policy object, etc.) without requiring the binary to be run as Administrator.

Protect systems from future infection by WanaCry with TearSt0pper and CONTINUE TO PATCH MS17-010.

Important notes:

  • Systems will have to be running TearSt0pper to prevent active exploitation. TearSt0pper will have to be re-run each time the machine is rebooted. This can be done by using an autorun key.
  • TearSt0pper is not actually preventing exploitation.  By the time TearSt0pper springs into action, the host has already been exploited. TearSt0pper just prevents the ransomware from encrypting files.
  • Future versions of ransomware and/or malware deployed via MS17-010 may use different mutexes. Rendition will stay abreast of the latest mutexes and release new versions. If you sign up for email notification when you download, you will be notified when new versions are available.
  • TearSt0pper cannot be used to decrypt files from a system where files have already been encrypted. TearSt0pper does not disinfect a system; it merely uses the malware’s logic against it.
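
The marker-mutex approach and the reboot caveat from the notes above, sketched as an added PowerShell example; this is not TearSt0pper's code. The mutex name is a labelled placeholder (the page does not publish the names TearSt0pper registers), and the `Global\` namespace, the parameter names and the function names are assumptions made for illustration.

```powershell
# Added illustration; not TearSt0pper's code. The mutex name is a placeholder:
# the page does not publish the name(s) that TearSt0pper registers.
param(
    [string]$Name = 'Global\PLACEHOLDER_MUTEX_NAME',  # assumption: Global\ namespace
    [switch]$Check                                    # only report whether the marker exists
)

function Test-MarkerMutex([string]$MutexName) {
    # True if some process currently holds a handle to a mutex with this name.
    $existing = $null
    try {
        $found = [System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$existing)
    } catch [System.UnauthorizedAccessException] {
        return $true   # the object exists, but its ACL denies this account access
    }
    if ($found) { $existing.Dispose() }
    return $found
}

function New-MarkerMutex([string]$MutexName) {
    # Create the named mutex (or attach to an existing one) without taking ownership.
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($false, $MutexName, [ref]$createdNew)
    [pscustomobject]@{ Mutex = $mutex; CreatedNew = $createdNew }
}

if ($Check) {
    if (Test-MarkerMutex $Name) { "present: $Name"; exit 0 }
    "MISSING: $Name"; exit 1
}

$marker = New-MarkerMutex $Name
"holding $Name (created new: $($marker.CreatedNew)), pid $PID"
try {
    # A kernel object is destroyed when its last handle closes, so the marker
    # exists only while this process runs. Hence the re-run after every reboot.
    while ($true) { Start-Sleep -Seconds 3600 }
} finally {
    $marker.Mutex.Dispose()
}
```

Running the script with `-Check` from a second session confirms whether the marker is visible on that host; the exit code (0 present, 1 missing) lets a deployment tool flag machines where the holder process is not running.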

Download TearSt0pper (and register for update notifications) here.  As Rendition is reasonably certain that WCry will mutate to include additional payloads, we highly recommend that you register for update notification so we can let you know when new versions of TearSt0pper are available. Your information will never be shared with a third party (because we hate that too).
