Tuesday 23 May 2017

So you have WannaCry 2.0, what next?


So you machine is infected, what can you do?

Immediate Action


  1. Find all the machines vulnerable to MS17-010.  This can be done using scanning tools or wholesale apply the patch to all machines.
  2. On the infected machines, don't pay the ransom - Research suggests that payment will get your files back two thirds of the time.
  3. Try the WannaCry decryption tool and skip to step 5 on.
  4. If the decryption tool fails, re-install your operating system - remembering to patch it.
  5. Install a good malware protection solution, switch on real-time updates and update it.
  6. Scan your machine with your newly installed and updated malware protection software.
  7. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  8. Copy back data from backups, remembering to scan it as you do.  One of your backup files could be infected.

Next Steps


  1. Create a standard user account for general use, and keep the administrator account for configuration changes only.  Although WannaCry did not need administrator credentials, other ransomware does.
  2. Consider Application Whitelisting to ensure only known applications are able to execute on your machine.
  3. If you existing firewall allows it, switch on web filtering to prevent traffic to known malicious sites.
  4. Consider using an IPS (Intrusion Prevention System) to protect your network. 
  5. A Web Security Gateway to monitor and prevent traffic to malicious websites, and sandboxing to scan unknown packages.
  6. An Email Security Gateway can monitor and scan emails, working in combination of a sandbox to scan unknown attachments, and a Web Security Gateway to validate URLs within emails.  Although email was not the delivery mechanism for WannaCry, it is for pretty much 90+% of ransomware.
  7. Check existing backups and/or start doing backups.

Planning for the future


  1. User training is important, but it must be remembered that WannaCry 2.0 wasn't propagated by email and didn't require user interaction to install or spread.
  2. Ensure an open policy for users to report to IT Teams or Information Security Teams with any suspicious behaviour on their machines.
  3. Test the environment with simulated attacks to ensure the People, Process and Technology work hand in hand together.

No comments:

Post a Comment