WannaCry Ransomware Attack - an action plan for prevention and recovery

May 21, 2017

Nick Gravel

The WannaCry ransomware attack is an ongoing worldwide cyberattack by the WannaCry (a.k.a. WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor, Wcry) ransomware cryptoworm, which targets computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

The ransom is $300 worth of Bitcoin, and you have 3 days to pay before it doubles to $600. If you fail to pay within a week, the ransomware threatens to permanently delete all your files.

WannaCry has affected many organizations across the world including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US.

Early samples have revealed that the ransomware is spread over local networks and the internet by abusing Server Message Block (SMB) protocol weaknesses. Although no WannaCry 'smoking gun' infection emails have yet been found, it is highly likely that future variants will use email.

This short guide is designed to help all organizations complete a review of network security, backup and business continuity systems and processes.


Every organization must ensure its IT systems are regularly updated. Microsoft security updates are released on the second Tuesday of each month (Patch Tuesday).

Microsoft released a security update back in March which addresses the vulnerability that Wcry is exploiting. For those organizations who have not yet applied the security update, you should immediately deploy Microsoft Security Bulletin MS17-010.

If you are using a legacy, now unsupported version of Windows, you should consider upgrading immediately. However, if this is impossible in the short term, Microsoft has taken the unusual measure of releasing a security patch that can buy you time to upgrade.

Microsoft has provided its own detailed guidance to defend against Wcry here.

Network hardening

Good security practice dictates removing or disabling unnecessary services to reduce the potential attack surface.

WannaCry has spread quickly by abusing vulnerabilities in Server Message Block network protocol.

Unless you have a very good reason not to, disable the SMBv1 protocol on your network, while also ensuring SMB cannot be directly accessed from the internet.

Disable or block other legacy protocols on your network that you are not using.
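As an added example (not code from the original post or from Mimecast), the following PowerShell script applies the patching and network-hardening advice above to a single Windows host: it checks whether the MS17-010 update is installed, reports and disables SMBv1 on both the server and client side, and blocks inbound TCP 445 from the internet at the host firewall. The KB identifier is a placeholder you must fill in from Microsoft's bulletin, since it differs per Windows version.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
param(
    # MS17-010 ships as different KB numbers per Windows version, and the post does not
    # list them, so supply the right one for this host from Microsoft's bulletin.
    [string[]]$Ms17010Kbs = @('KB<MS17-010 id for this OS>')   # placeholder, assumed
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is the MS17-010 update installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) { Write-Host "MS17-010 installed: $($installed.HotFixID -join ', ')" }
else            { Write-Warning 'MS17-010 not found: deploy the update first' }

# 2. Report the current SMBv1 server state.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol     # Windows 8 / 2012 and later
} else {
    # Windows 7 / 2008 R2: SMBv1 is on unless the SMB1 registry value exists and is 0.
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $v) -or ($v -ne 0)
}
Write-Host "SMBv1 server currently enabled: $smb1On"

# 3. Disable SMBv1 on both the server and the client side (client change needs a reboot).
if ($smb1On) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0
    }
    # Drop the SMB1 redirector from the workstation service's dependencies and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Host 'SMBv1 disabled; reboot to complete'
}

# 4. Make sure SMB (TCP 445) is not reachable from the internet at the host firewall.
# 'Internet' is a Windows Firewall address keyword for addresses outside the local networks;
# keep the perimeter firewall rule as well: this is defence in depth, not a replacement.
$ruleName = 'Block inbound SMB from the internet'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
    }
} else {
    Write-Warning 'NetSecurity module unavailable; block TCP 445 from the internet with netsh or at the perimeter'
}
```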

Email security: Mimecast’s Ransomware Defense

For customers of Mimecast Targeted Threat Protection, we advise a number of activities:

URL Protect - configure a policy in line with the best practice guide in Mimecaster Central. Ensure a policy is applied to all users. Rewriting all URLs to scan for unsafe content at time-of-click is the best approach to preventing inbound URL-based phishing.

Attachment Protect – configure the "Safe Files" option for all users to ensure inbound Microsoft Office files are converted to a safe and benign format. For users who require editable documents, ensure Attachment Protect's sandboxing is configured. Refer to the best practice guide in Mimecaster Central for details.

Internal Email Protect – this service provides protection for URLs and attachments in both outbound email and mail sent internally. Ensure policies are applied to all users and that remediation capabilities are enabled. Refer to our best practice guide for configuration recommendations.

For Mimecast customers using Mimecast’s secure email gateway, we advise using the most up-to-date attachment management definitions, as there are reports of executable files masquerading as Excel files; apply an administrator hold on dangerous file types. Used together with the Suspected Malware policy, which can hold Office files containing macros, this provides another layer of detection, but it does not provide the analysis performed by Attachment Protect.

Since a very high percentage of ransomware is spread by email attachments, we urge organizations to consider using sandboxing and/or safe file conversion services.

DNS-based email authentication such as DKIM and SPF can help stop attackers from spoofing or hijacking the email domains of trusted senders, effectively taking away one method attackers use to fool their intended victims. DMARC, which builds on those two checks, adds an extra layer of defense.
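As an added example (not code from the original post or from Mimecast), this PowerShell script checks what a domain publishes for SPF, DKIM and DMARC and flags the gaps that leave it open to spoofing, such as a missing record or a DMARC policy of p=none that only monitors. The domain and the DKIM selectors are assumptions; replace them with your own.

```powershell
# Added example, not from the original post: audit a domain's SPF, DKIM and DMARC records.
param(
    [string]$Domain = 'example.com',                      # assumed; use your own domain
    [string[]]$DkimSelectors = @('selector1', 'default')  # assumed; ask your mail provider
)

function Get-TxtRecord([string]$Name) {
    # Joined TXT strings for a name, or $null if it does not resolve.
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { $null }
}

$findings = @()

# SPF: lists the hosts allowed to send as this domain; it should end in -all or ~all.
$spf = Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
if (-not $spf) { $findings += 'SPF: no v=spf1 record published' }
elseif ($spf -notmatch '[-~]all\s*$') { $findings += "SPF: record does not end in -all or ~all: $spf" }

# DKIM: one public key (p=) per selector your mail system signs with.
foreach ($s in $DkimSelectors) {
    $dkim = Get-TxtRecord "$s._domainkey.$Domain"
    if (-not ($dkim -match 'p=')) { $findings += "DKIM: no key published at $s._domainkey.$Domain" }
}

# DMARC: tells receivers what to do when SPF and DKIM fail; p=none only monitors.
$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if (-not $dmarc) { $findings += 'DMARC: no _dmarc record published' }
elseif ($dmarc -match 'p=none') { $findings += "DMARC: policy is p=none (monitor only): $dmarc" }
elseif ($dmarc -notmatch 'rua=') { $findings += 'DMARC: no rua= address, so no aggregate reports arrive' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$Domain publishes SPF, DKIM and an enforcing DMARC policy" }
```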


Data backups and business continuity

Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and, as this attack highlights, there are many ways for an infection to enter an organization.

It’s vital that you regularly back up critical data and ensure that ransomware cannot spread to the backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share, so it is imperative that your backup retention window is long enough to restore from a point before the infection began.

Backup and recovery measures only take effect after an attack, and cost organizations downtime and the IT resources spent dealing with the attack and its aftermath.

Organizations must be able to continue to operate during the infection period and recover quickly once the infection has been removed.

Should firms ever pay a ransom?

Short answer: No.

Long answer: The majority of U.S. government agencies and cybersecurity researchers agree that victims should not pay the ransom, but leave it to victims to evaluate their own situations: would losing the files leave them in financial ruin? If WannaCry infected computers in a hospital, is it a life-or-death situation?

› The FBI recommends that victims should not pay the ransom, because payment does not guarantee the victim will regain access to the locked-down data. Paying the ransom also encourages future attacks from hackers. [1]

› The Department of Justice also does not encourage paying the ransom. It pointed out cases in which victims were targeted again by hackers because of their willingness to pay. [2]

› The US Computer Emergency Readiness Team guidelines recommend against paying the ransom. [3]

What now?

If you are the victim of a ransomware attack such as WannaCry, the bigger lessons out of this are the ones that reinforce what the technology security community has been telling people for a long time, specifically the following (source):

  • Keep your operating systems current: e.g. upgrade to latest stable version and don't turn off Windows Updates!
  • Take patches early
  • Have a robust backup strategy
  • Lock down machines
  • Don't open suspicious email or attachments
  • Restrict access to network resources: ransomware can only encrypt what it can access or what machines it can propagate to can access
  • Block unnecessary ports: e.g. organisations hit by WannaCry may have had SMB externally accessible
  • Traditional anti-virus is bad at identifying this stuff

The above lessons are much more important than WannaCry itself, and until we've gotten them right, the inevitable future ransomware variants will hit those who are unprepared. Get in touch with us if you need help with your security defense strategy.