WanaCry Ransomware: A Survival Guide

George Seerden
Jun 7, 2017 10:07:45 AM


What is WannaCry Ransomware?

WanaCrypt0r, WanaDecryt0r, and WannaCry are different names for essentially the same thing. Technically WanaCrypt0r is name of the executable, WanaDecrypt0r is the name of the decrypting utility, and WannaCry is what it makes people want to do. But, for most people they are the same.

By now, most know that it is ransomware. A particularly nasty brand of malware that holds your files ransom by encrypting (locking) them up and making you pay for the key. 

First, Some Terms

To understand what makes this so devious, you must understand two terms.

Attack Vector: The method by which the malware gets onto the victim’s machine. The most common examples being phishing emails and malicious web sites.

Payload: The thing the malware actually does. It could record keystrokes, steal information, send spam, or encrypt files.

Moving on!

How Is It Special?

We have all heard of ransomware in the news, particularly when they hit critical targets like hospitals or transportation systems. WanaCrypt0r is no different from its cousins in what it does to your files once infected. What makes this little beauty special is the attack vector.

A little while back a group called The Shadow Brokers released a set of tools they claimed to be stolen from the National Security Agency over in the good ol’ U.S. of A. These tools were exploits, commonly referred to as Zero-Days, that the intelligence agency wields in shadowy fashion to keep America great. There is an entire philosophical debate that has been raging for years about whether intelligence agencies, yes… your country’s intelligence agencies do this too…should tell the Microsofts or Googles of the world if their software is vulnerable. Or, if they should just use these scalpel like tools to protect their own borders. We aren’t here to argue the finer points of international espionage, we are here to clean up the fall out.

So, what does the NSA, allegedly, have to do with WanaCrypt0r? One of the stolen exploits is being used to give WannaCry self-propagating behavior. It turns what would be an ordinary piece of ransomware into the world’s first ransomware worm. This baby not only wreaks havoc on your computer, but it looks for more computers to spread itself to. Meaning, if one computer in your corporate network gets infected your chances of it infecting more go way up.

The bug this exploit targets is in Server Message Block (SMB). For the most part SMB lives in a computer’s kernel space. Kernel space is a very dangerous place to be mucking about. Think human subconscious level of power. We trust our subconscious innately. Any mistake made there will instantly send your computer to the infamous, “blue screen of death.” But, any instructions emerging from kernel space are trusted by the computer implicitly and operate with impunity.

This malware essentially “patches” SMB with hostility in mind. And, it can run this “patch” from the network. Throwing this exploit into the highest and most sought after category: Remote Code Execution. It creates a new instruction for SMB to follow that lives in memory and can be accessed from the network. For emphasis, I will say this again: all of this is from the network. You do not need to click a phishing email, or browse to a malicious web site. This new SMB instruction is this malware’s attack vector.

Are You Vulnerable?

Probably… yes. The critical thing to check is if your systems have been patched with MS17-10. Nearly every single Windows distribution is vulnerable, going all the way back to Windows XP. This attack vector is so bad that Microsoft pushed a patch to Windows XP and 2003-operating systems they haven’t supported for years.

What if it is too late? What if your organization has been open to this attack all along? Well, remember that new SMB instruction I told you about earlier? It is a backdoor, and can be detected very easily. Nmap, a network assessment tool, has a plugin just for that purpose. Here is the rub though, the backdoor Nmap is trying to detect lives in memory. So, if you became infected and then rebooted your machine the backdoor is already gone. Negative results do not equal a clean bill of health. Just that the backdoor is missing, you may already have the payload.

More than likely if you are infected, you know you’re infected.

But I Heard There is a Kill-Switch!

There is a kill-switch… in this version of the malware. All anyone needs to do is turn off the kill-switch and release it again. DO NOT think you are safe simply because of this kill-switch. There are already reports of a version of WanaCrypt0r with that kill-switch removed. You must take active precaution.


The good news here is this is easy to prevent. There are essentially two methods to prevention: host and network. You need to do both.

Host level: Install MS17-10, now. If you cannot for some reason read this article. It takes advantage of a fail-safe that is built into the malware to trick it into thinking it shouldn’t execute.

Network level: Why on earth would you have SMB open to the internet?! If you do have it open to the internet you will soon be answering to your boss as to why. Windows file sharing is not required to be exposed to the internet to make your business run. If your network guy told you that you need it exposed, hire a new network guy, because this one hasn’t heard of a virtual private network or secure file-sharing via the cloud. Also, there is no valid reason to ever have one host on your network use SMB to connect to another host. The only valid internal network structure for SMB allows hosts to connect to an internal file-server. Key word there: server. Also, use access control lists to block all other forms of SMB communication at the network level. And, your network should be broken up into segments either physically or using VLANs. This will prevent an infection from spreading further.

Bonus! Those network level security recommendations apply to ALL MALWARE. No malware on the planet can bypass properly configured networks.

Oops! You already have it

OK, your box is one of the potentially millions that got hit before the news broke. What do you do? In all cases the first thing you should do is isolate the infected host by removing it from your network. Or, at the very least, block all forms of SMB communication at level 2. WanaCrypt0r continually checks your network for available SMB connections so it can spread. Once isolated, return the host to a known good state using a backup. If you don’t have a good backup, update your anti-virus and tell it to run. If you don’t have anti-virus, get anti-virus. The malicious files and their persistence mechanisms can also be removed manually. I won’t spell out that process here because it is lengthy.

If your files are already encrypted, there is very little that can be done to recover them. I’ve heard rather conflicting reports about recovering files after paying the ransom. But, one thing is for certain, if you don’t pay there is currently no other way to get your files back.

The best advice is to not get infected, but sometimes that is easier said than done. If you are trying to figure out how you can mitigate your risk of an infection and aren't sure where to start, a great place might be the Center for Internet Security Top 20 Critical Security Controls. These are 20 essential controls, in order of importance, that you can implement now to drastically reduce your risk related to all facets of information security. Click on the image below to download a copy of our Critical Security Controls eBook to learn more about these controls and how they can help your organization!

New Call-to-action

You May Also Like

These Stories on Information Security

Subscribe by Email

No Comments Yet

Let us know what you think