Blog

Wanna Cry

How to Protect from Wanna cry Effects, Remediation, Patch Wanna Cry

It has been estimated that over 150 countries have been impacted in some ways by the Wanna Cry worm. We want to share our perspective and ways you can protect yourself. For more information, check out this blog post from Bob Rudis, our Chief Data Scientist and our Rapid7 resources page on the subject.

Tas Giakouminakas, our Co-Founder and CTO, along with Bob, has also produced this webcast you can listen to on-demand at your leisure by registering here.

What’s happening? What is Wanna Cry ?

  • WannaCry has impacted more than 200,000 victims in 150+ countries (numbers from Europol, via BBC website: http://www.bbc.co.uk/news/technology-39913630). High profile victims include the U.K. National Health Service, Telefonica, Renault, FedEx, and the Russian Government.
  • Infection comprises of a worm, which can traverse the network to infect more machines, a ransomware infection, and there have been reports of a backdoor which communicates with a command and control server. Ransom requests are in the region of $300-$600 per asset.
  • A malware blogger inadvertently halted the spread of the attacks by registering a domain which acted as a kill switch. This was widely reported in the press, and it is expected that a 2.0 variant will not include the kill switch behavior.
  • Malicious email attachments and URLs are believed to be the initial infection vector, additionally an infected but non-encrypted asset can spread the infection to a network over guest WiFi.
  • A security patch from Microsoft has been available for supported OSs since March. Windows 10 is not impacted. Additionally, a patch was issued this weekend for Windows XP/8/2003.

How to Protect from Wanna cry ?

  • Ensure all systems have been patched against MS17-010 vulnerabilities.
  • Identify internet-facing systems that have not been patched and remediate as soon as possible.
  • Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems.
  • Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware.