WannaCry Ransomware Recommendations from the Trenches

May 18, 2017

Approximately one year ago, I wrote a blog post containing actionable recommendations to protect your environment from ransomware threats. In the wake of the recent WannaCry attack, I thought it would be prudent to update that blog and talk about what concepts have both changed and remained the same in the world of ransomware during the previous year. Obviously, the big threat on everyone’s mind right now is WannaCry, so let’s start there.

Backups – It is critical for organizations to have a consistent, tested disaster recovery plan that includes solid backups. This remains true concerning WannaCry. Optiv does not recommend paying the ransom; therefore, from a recovery perspective, companies must have tested, functional backups.

  • Provides easy recovery from ransomware attacks – wipe the infected system and restore from backup.
  • Test backups at regular intervals to make sure data is valid and useful.

Patch – Instead of restricting this recommendation to strictly Flash and Java, we’ll just leave it at patch. WannaCry harnessing the ETERNALBLUE exploit for propagation reinforces the fact that malware developers are actively seeking new methods of infecting systems and not just sticking to tried-and-true methods.

  • There are myriad attack surfaces in an environment.
  • Be sure systems are always up-to-date and patched to the latest version of the operating system and software.
  • If possible, remove commonly vulnerable programs like Flash and Java from the environment.

Endpoint Monitoring – Tools that give a team visibility into the behavior occurring on the endpoint are tremendously useful in combating ransomware. This is even more critical with threats like WannaCry. Visibility into activity on an endpoint can help incident responders and threat hunters stop attacks before they become incidents.

  • Due to the rapidly changing nature of ransomware infections, organizations must have multi-faceted endpoint protection.
  • Endpoint monitoring solutions allow visibility into processes and network traffic running on endpoints.
  • Endpoint monitoring solutions can block rogue processes pending further verification.

AppLocker and Software Restriction GPOs – A low-cost and effective way to restrict malware (not just ransomware) from running on systems is AppLocker and associated software restriction GPOs.

  • Full documentation is available from Microsoft and is completely free.
  • Features are similar to the software restriction policies of previous Windows versions.
  • AppLocker is a more robust tool that provides more granular control over program execution.
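As an added example (not code from the original post or from Optiv), the following PowerShell builds an AppLocker allow-list policy in audit mode, dry-runs it against a staged file, applies it, and shows where to read the audit events before enforcing. It assumes an elevated session on a Windows edition that ships the AppLocker module with the Application Identity service running; the stand-in file path and the event review are illustrative.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session on a
# Windows Enterprise/Server host with the AppLocker module and the Application Identity
# service (AppIDSvc) running; file paths and the audit log review are illustrative.
Import-Module AppLocker
$ids = 1..3 | ForEach-Object { [guid]::NewGuid().Guid }

# Allow-list policy in AuditOnly mode: the familiar default rules (Program Files, the
# Windows folder, and everything for local Administrators) plus exceptions for the
# user-writable folders under %WINDIR% that a plain Windows rule would otherwise permit.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$($ids[0])" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[1])" Name="Allow Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$($ids[2])" Name="Allow Administrators everything" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: Test-AppLockerPolicy reads the file it evaluates, so stage a harmless stand-in
# for a dropper in the user profile. Expect Denied for Everyone, Allowed for notepad itself.
$standIn = Join-Path $env:TEMP 'sample-dropper.exe'
Copy-Item "$env:windir\System32\notepad.exe" $standIn -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $standIn, "$env:windir\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local GPO (use -Ldap 'LDAP://...' for a domain GPO instead) and confirm.
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Effective -Xml

# Stay in AuditOnly until the 8003 events (would have been blocked) show only expected
# hits, then change EnforcementMode to Enabled; 8004 records real blocks afterwards.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } | Select-Object TimeCreated, Id, Message -First 20
```

Leaving the policy in AuditOnly for a full business cycle surfaces legitimate software that lives outside Program Files (updaters, line-of-business tools) so it can be allow-listed by publisher or hash before enforcement turns those into help-desk calls.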

Email Filtering – Filtering extensions in email will stop a lot of malware attacks in their tracks. WannaCry is an exception to many ransomware campaigns in that it uses an external exploit tool to propagate through networks and infect systems. Future versions of WannaCry, however, may use email delivery as an infection vector. Current ransomware campaigns like Locky are actively using email as an infection vector, so it never hurts to be prepared.

  • Optiv recommends blocking executable and zip file attachments, and filtering all other attachments for manual review.
  • It is safer to block attachments and use a secure transfer option than to allow attachments that may harbor malicious software.
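One way to implement the two recommendations above on Exchange, as an added example that is not from the original post or from Optiv: the first rules reject executables and archives outright, and the last holds every remaining attachment for a reviewer. It assumes an Exchange Management Shell or Exchange Online session with rights to create transport rules; the extension list, moderator mailbox and reject text are illustrative.

```powershell
# Added example (not from the original post). Assumes a remote PowerShell session to
# Exchange 2013+ or Exchange Online with rights to manage transport rules; the extension
# list, moderator mailbox and reject text are illustrative values.
$blockedExtensions = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe','wsf','hta','zip'
$rejectText = 'Executable and archive attachments are not accepted. Use the secure file transfer service instead.'

# Rule 1: reject the attachment types the post recommends blocking outright.
New-TransportRule -Name 'Block executable and archive attachments' -Priority 0 `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText $rejectText `
    -Comments 'Ransomware control: executables and archives are blocked at the gateway.'

# Rule 2: also reject files Exchange identifies as executable content even when the
# extension was renamed to slip past the list in rule 1.
New-TransportRule -Name 'Block renamed executables' -Priority 1 `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText $rejectText

# Rule 3: hold anything else that carries an attachment (any file over 1 KB) for manual
# release by a reviewer; start in Audit mode to size the review queue before enforcing.
New-TransportRule -Name 'Hold remaining attachments for review' -Priority 2 `
    -AttachmentSizeOver 1KB `
    -ModerateMessageByUser 'mail-review@example.com' `
    -Mode Audit

# Confirm ordering: lower priority numbers are evaluated first.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, Mode, State -AutoSize
```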

Cloud Access Security Broker (CASB) – CASBs are a helpful way to block traffic calling home to ransomware command and control servers. This applies to WannaCry as well, as sinkholing the command and control domain will prevent encryption.

  • Protects against more than just ransomware, including traditional malware, botnets, etc.

Security Awareness Training – In the long run, it doesn’t matter what tools are implemented if a user is actively clicking on malicious attachments or taking actions that violate the acceptable use policy for a network. While WannaCry did not harness traditional methods of exploiting the human factor to propagate, future versions may do so.

  • Security awareness training is an effective method of reducing the susceptibility of humans to ransomware campaigns.
  • Companies should include how to spot phishing attempts, user-created vulnerabilities, and how to spot malicious downloads as part of their training courses.

WannaCry is an outlier compared to traditional ransomware. Its propagation methods are a sign of things to come, though, so companies must understand their environments and the capabilities of their staff. The items covered in this post are very high-level recommendations but should provide a starting point for protecting against ransomware. However, the best defense is planning, preparation and effective controls—having a solid cyber security program in place and actively monitoring and adapting as threats evolve.

By: Nick Hyatt

Senior Consultant
