WannaCry Ransomware & Mitigation Steps

A major cyberattack took place this past week. The attack impacted organizations in over 100 countries, including the British National Health Service, FedEx, the Spanish telecom company Telefónica, and multiple universities in Asia.

The culprit is the WannaCry ransomware worm. The worm is most commonly introduced through infected email. When the user clicks on the infected attachment, the malware starts running and propagates across the system.

The malware leverages a leaked exploit developed by the NSA that takes advantage of a vulnerability in Microsoft Windows environments called EternalBlue, a remote code execution vulnerability that is exploited over SMB.

Microsoft patched the vulnerability over a month ago; however, organizations behind on patch management will continue to be exposed to the risk of this malware and others leveraging the EternalBlue vulnerability.

Potential Mitigation Steps:

  • Patch Management: Implement an emergency patch program and ensure that all Windows systems are receiving security patches from Microsoft and other vendors on a frequent basis. The patch that fixes the EternalBlue vulnerability is MS17-010.
  • Host Based Firewalls: Consider applying firewall rules at the host level (e.g., Windows Firewall) that prevent unnecessary system-to-system communication, making it more difficult for worms to propagate.
  • Network Segmentation: Properly segment networks and apply routing and firewall rules that create security zones within your network, limiting the attack surface of malware to only the network segment in which the malware was introduced.
  • Use Supported Operating Systems: Ensure all operating systems currently being run by the organization are receiving ongoing security patches from the vendor (e.g., Windows XP and Server 2003 are no longer supported or receiving security updates).
  • Properly Manage Backups: Verify that backups are not stored within network-attached directories that might be susceptible to being infected by a worm (and end up being encrypted as part of the ransomware attack).
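To check the network segmentation and backup points above, the following added example (not part of the original post) audits an ordered, first-match firewall policy for rules that still let SMB (TCP 445) cross between zones. The zone names, subnets and rules are constructed sample data, and the rule format is an assumption for illustration, not any vendor's syntax.

```python
import ipaddress
from itertools import permutations

SMB_PORT = 445  # the vulnerability described above is exploited over SMB

# Constructed sample data: zone names, subnets and rules are assumptions.
ZONES = {"workstations": "10.10.0.0/16", "servers": "10.20.0.0/16", "backups": "10.30.0.0/24"}
# Ordered rules, first match wins, implicit deny at the end:
# (action, source CIDR, destination CIDR, port_low, port_high)
RULES = [
    ("allow", "10.10.0.0/16", "10.20.5.0/24", 445, 445),  # workstations -> file servers
    ("allow", "10.20.0.0/16", "10.0.0.0/8", 1, 65535),    # servers -> anywhere (too broad)
    ("deny", "0.0.0.0/0", "10.30.0.0/24", 445, 445),      # meant to protect backups
]

def _net(cidr):
    return ipaddress.ip_network(cidr)

def _overlap(a, b):
    """Intersection of two CIDR blocks, or None. Overlapping CIDRs always nest."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b

def smb_paths(zones, rules):
    """Return (src_zone, dst_zone, rule_index) for allow rules that let TCP 445 cross zones.

    Conservative: an allow rule is discounted only when one earlier deny rule
    covers the entire overlapping source and destination range.
    """
    findings = []
    for src_zone, dst_zone in permutations(zones, 2):
        zs, zd = _net(zones[src_zone]), _net(zones[dst_zone])
        for i, (action, src, dst, lo, hi) in enumerate(rules):
            if action != "allow" or not lo <= SMB_PORT <= hi:
                continue
            s, d = _overlap(zs, _net(src)), _overlap(zd, _net(dst))
            if s is None or d is None:
                continue
            shadowed = any(
                a == "deny" and l <= SMB_PORT <= h
                and s.subnet_of(_net(es)) and d.subnet_of(_net(ed))
                for a, es, ed, l, h in rules[:i]
            )
            if not shadowed:
                findings.append((src_zone, dst_zone, i))
    return findings

if __name__ == "__main__":
    for src_zone, dst_zone, idx in smb_paths(ZONES, RULES):
        print(f"SMB reachable: {src_zone} -> {dst_zone} via rule {idx}: {RULES[idx]}")
```

With the sample policy, the broad server rule sits above the backup deny, so servers can still reach the backup segment on 445; moving the deny rule to the top removes that path.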

Please read more about the attack and resolution plans here:

You can track the spread of this attack here:
