Making sense of the WannaCry Ransomware attack

Matthew Flanagan and Leon Slattery makes sense of the WannaCry Ransomware attack – asking what it means for you

In mid-May 2017 we saw a global instance of a Cryptolocker-style ransomware attack, known generally as WannaCry.

The CSA Security team has been assessing what it means for us, and to our clients’ systems. There has been a lot of communications and general commentary being published over the past few days, so we want to clarify a lot of inaccuracies and anomalies being propagated, to provide clarity as to the problem, risks and what actions you need to take (or not take):


Identification: How WannaCry works

  • It exploits a vulnerability in the SMB service on systems, both client AND server, to self-propagate and spread remotely via the network
  • Once it is in your network It does not require any interaction from at a user – e.g. to open email an email or click on a link – it will happen in the background. The first thing a user will know is when they get the ransomware message pop up on their screen

Mitigations: How to stop it

  • The primary mitigation is to ensure Windows Updates and antivirus updates are current, as WannaCry exploits a vulnerability in Windows SMB service
  • Perimeter firewalls need to block SMB protocol in-bound from Internet and untrusted Third Parties connections (e.g. WAN and/or Site to Site VPNs) sources. This is best practice regardless
  • Perimeter firewalls should block the TOR application outbound as this is used by infected systems to talk back to the ransomware’s command and control servers

Remediation: How to fix it

  • If you suspect that you have an infected system, disconnected it immediately from the network, both wired and WiFi
  • The recommended remediation for an infected system is to re-image the system and restore data from the last known good backup

Recommendations: Where to from here?

  • This type of attack is why we developed our Security-as-a-Service offering, to ensure the systems of our clients are being actively managed to reduce their risk and meet compliance requirements. This includes the list of mitigations listed above, amongst many other things
  • Partner with a leading Security provider who can take the end-to-end management of your Security off your hands – you save time and ensure that you have current and industry-leading experts taking care of your network security.
  • Take advantage of our current free Readiness Assessment for mandatory data breach notification laws – it will provide you with a current view of your security posture to act on

Further reading: You’ve got less than 12 months to prepare for mandatory data breach notifications

About the Authors

Leon Slattery is Portfolio Manager Network and Security at CSA. Leon’s security domain knowledge has been acquired over 12 years of experience in the IT services industry focusing on development and delivery of innovative network and security solutions for customers. Leon has applied his skills for clients within Utilities, Finance, Health and Higher Education industries giving him insight into the unique challenges faced in securing information in these environments.

Leon Slattery

Portfolio Manager - Network & Security

Matthew Flanagan is Platform Lead – Network and Security at CSA. Matt has over 20 years industry experience in a wide range of technologies focused around Internet and enterprise infrastructures. He specialises in Internet infrastructures, UNIX, security, network architecture and design. Matthew is a Member of the GIAC Advisory Board and holds the GIAC GXPN Certification for Exploit Research and Advanced Penetration Testing.

Matthew Flanagan

Platform Lead - Network and Security