
WannaCry/Wcry Ransomware: What Your IT/Sysadmins Need to Do

Trend Micro | May 17, 2017
Here's how to check if your systems and networks were affected by the ransomware attacks during the weekend.

WannaCry's Ransom Note

WannaCry/Wcry ransomware's impact may be pervasive, but there is a silver lining: a "kill switch" in the ransomware that, when triggered, prevents it from executing in the affected system. 

If your system was in sleep mode during WannaCry's attacks last weekend, there is a good chance that it escaped infection. But what happens when you wake the system up? The short answer: the kill switch will still prevent the ransomware's encryption routine. This is a window of opportunity that IT/system administrators and information security (InfoSec) professionals can use to patch or update vulnerable systems, preventing threats like WannaCry from affecting them in the future.

Here are actionable steps you can take to check whether your systems and networks were affected by the ransomware's attacks during the weekend.

Machines in sleep mode will not be infected, so patch them immediately.

WannaCry Computers in Sleep Mode

Based on Trend Micro's analysis and simulations of WannaCry, the ransomware attack will not succeed against machines that are in sleep mode, even if Transmission Control Protocol (TCP) port 445 is open and the machine is unpatched.

Part of WannaCry's attack chain involves connecting to and infecting more systems. If it tries to connect to a machine in sleep mode, it receives a "socket error" and fails to access it. The malware then moves on to the next IP address and attempts to access the machines connected to it.

This presents a window of opportunity for IT/system administrators to mitigate, if not prevent, a WannaCry infection by immediately patching the vulnerability that the ransomware leverages to infect systems.

What happens when you "wake up" the machine?

Waking up a computer potentially affected by WannaCry

WannaCry scans the system's Local Area Network (LAN) upon initial infection and enumerates all IP addresses in the LAN. If the infected machine's LAN was already enumerated during the weekend (at the height of the outbreak) and a vulnerable machine in the network happened to be in sleep mode, WannaCry will skip it. Accordingly, when the user wakes up a non-infected machine within an infected network, it will not be infected. This is an opportunity for IT/system administrators to apply the necessary patches and updates to the system.

Restarting the initially infected machine, however, will trigger the LAN scanning routine again. Fortunately, WannaCry has a "kill switch". Part of WannaCry's infection routine involves sending a request that checks whether a particular URL/domain is live. If the request returns showing that the URL is alive or online, the kill switch activates, prompting WannaCry to exit on the system without proceeding with its propagation and encryption routines. Thus, even if the infected machine restarts, the kill switch will prevent WannaCry from performing its routines on it.

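As an added example (not code from Trend Micro or this article), the following Python check turns the propagation behaviour described above into a detection over firewall or flow logs: a host that attempts TCP port 445 against many distinct LAN addresses within a short window matches the scan-one-IP-then-move-to-the-next pattern, which is what an administrator wants to spot before waking machines back up. The log format and sample lines are constructed for the example.

```python
"""Flag hosts sweeping the LAN on TCP/445, the propagation pattern the article
describes (one attempt per IP, then on to the next). Added example; the log
format and sample lines below are constructed, not from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log: "timestamp src dst dport action"
SAMPLE_LOG = """\
2017-05-13T09:00:01 10.0.0.15 10.0.0.1 445 deny
2017-05-13T09:00:01 10.0.0.15 10.0.0.2 445 deny
2017-05-13T09:00:02 10.0.0.15 10.0.0.3 445 deny
2017-05-13T09:00:02 10.0.0.15 10.0.0.4 445 allow
2017-05-13T09:00:03 10.0.0.15 10.0.0.5 445 deny
2017-05-13T09:00:03 10.0.0.15 10.0.0.6 445 deny
2017-05-13T09:00:04 10.0.0.15 10.0.0.7 445 deny
2017-05-13T09:00:04 10.0.0.15 10.0.0.8 445 deny
2017-05-13T09:00:05 10.0.0.15 10.0.0.9 445 deny
2017-05-13T09:00:05 10.0.0.15 10.0.0.10 445 deny
2017-05-13T09:00:10 10.0.0.20 10.0.0.4 445 allow
2017-05-13T09:01:00 10.0.0.20 10.0.0.4 445 allow
2017-05-13T09:02:00 10.0.0.21 10.0.0.4 443 allow
"""

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def find_smb_sweepers(log_text, window=timedelta(seconds=60), min_targets=8):
    """Return {src: max distinct TCP/445 targets seen in any `window`} for
    sources that reached at least `min_targets` distinct hosts. A normal
    client talks to a few file servers; a sweep touches many hosts in seconds."""
    attempts = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _ = parse_line(line)
            if dport == 445:
                attempts[src].append((ts, dst))
    flagged = {}
    for src, hits in attempts.items():
        hits.sort()
        start = 0  # sliding window over time-ordered attempts
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

On the constructed sample, only 10.0.0.15 is flagged (10 distinct hosts on port 445 within a few seconds); the two connections from 10.0.0.20 to a single file server are not.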