{"id":511,"date":"2026-01-20T17:41:41","date_gmt":"2026-01-20T17:41:41","guid":{"rendered":"https:\/\/malaysian-business.com\/wptest\/2026\/01\/20\/sophos-labs-latest-fast-spreading-ransomware-attack\/"},"modified":"2026-01-23T18:18:24","modified_gmt":"2026-01-23T18:18:24","slug":"sophos-labs-latest-fast-spreading-ransomware-attack","status":"publish","type":"post","link":"https:\/\/malaysian-business.com\/portal\/2026\/01\/20\/sophos-labs-latest-fast-spreading-ransomware-attack\/","title":{"rendered":"Sophos Labs &#8211; Latest Fast Spreading Ransomware Attack"},"content":{"rendered":"<p>It was a difficult Friday last week for many organisations, thanks to the fast-spreading Wanna Decrypter 2.0 ransomware that started its assault against hospitals across the UK before spilling across the globe.<\/p>\n<p>The attack appears to have exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.<\/p>\n<p>SophosLabs said the ransomware \u2013 also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r \u2013 encrypted victims\u2019 files and changed the extensions to .wnry, .wcry, .wncry and .wncrypt.<\/p>\n<p>Sophos is protecting customers from the threat, which it now detects as Troj\/Ransom-EMG, Mal\/Wanna-A, Troj\/Wanna-C, and Troj\/Wanna-D. Sophos customers using Intercept X will see this ransomware blocked by CryptoGuard. It has also published a Knowledge Base Article (KBA) for customers.<\/p>\n<p><strong>What you need to know<\/strong><\/p>\n<p>\u2022 Multiple news reports have focused on how this attack was launched using NSA code leaked by a group of hackers known as the Shadow Brokers. That\u2019s certainly what seems to have happened based on SophosLabs\u2019 own investigation. 
A more detailed report on that is planned for early next week.<\/p>\n<p>\u2022 Sophos will continue to update its Knowledge Base Article (KBA) for customers as events unfold. Several updates were added today, and are summarized below in the \u201cMore guidance from Sophos\u201d section.<\/p>\n<p>\u2022 Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement: \u201cWe know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.\u201d<\/p>\n<p>\u2022 With the code behind Friday\u2019s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them, said Dave Kennedy, CEO and founder of information security consultancy TrustedSec.<\/p>\n<p>\u2022 The attack could have been worse, if not for an accidental discovery from a researcher using the Twitter handle @MalwareTechBlog, who found a kill switch of sorts hidden in the code. The researcher posted a detailed account of his findings here. 
In the post, he wrote: \u201cOne thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it\u2019s incredibly important that any unpatched systems are patched as quickly as possible.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It was a difficult Friday last week for many organisations, thanks to the fast-spreading Wanna Decrypter 2.0 ransomware that started its assault against hospitals across the UK before spilling across the globe. The attack appears to have exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"class_list":["post-511","post","type-post","status-publish","format-standard","hentry","category-features"],"_links":{"self":[{"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/posts\/511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/comments?post=511"}],"version-history":[{"count":1,"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/posts\/511\/revisions"}],"predecessor-version":[{"id":5966,"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/posts\/511\/revisions\/5966"}],"wp:attachment":[{"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/media?parent=511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:
\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/categories?post=511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malaysian-business.com\/portal\/wp-json\/wp\/v2\/tags?post=511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}