Posted on May 26th, 2021 by Reuven Harrison

Four years after it first wreaked global havoc, the WannaCry ransomware is trending once again: researchers at Check Point Software have noted a 53% increase in the number of organizations affected by it.

What gives?

While it is no longer spreading at the volume it reached when it was first discovered, the malware has not been eradicated. In fact, researchers at PurpleSec rank WannaCry as the second most common type of ransomware. Combine that with Group-IB research showing that ransomware attacks grew by more than 150% in 2020, and it is no wonder we continue to see WannaCry lurking about.

What is the WannaCry Ransomware Attack?

The WannaCry ransomware attack was a global cyberattack that began in May 2017. It spread between computers running Microsoft Windows, propagating on its own like a worm rather than relying on users to open attachments. It is estimated to have affected more than 200,000 computers across 150 countries.

WannaCry: a brief history

The vulnerability WannaCry exploits is in the SMBv1 component of Windows (the EternalBlue flaw, which Microsoft had patched as MS17-010 in March 2017, two months before the outbreak). Server Message Block (SMB) is a network protocol that provides file and printer sharing services in Windows systems. SMB may be used inside the corporate network for sharing files and printers; however, it should never be allowed beyond the corporate network.

This is so strongly recommended, in fact, that an advisory posted in January 2017 by the United States Computer Emergency Readiness Team (US-CERT) recommends blocking “all versions of Server Message Block (SMB) at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.” Blocking SMB at the boundary keeps WannaCry from reaching hosts over the internet and should be implemented on business and home firewalls. It does not stop the worm from spreading between hosts that are already inside the network, so patching MS17-010 and disabling SMBv1 on Windows hosts remain essential.
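A boundary rule base that "blocks SMB" is only as good as the rules ahead of the block. The following is an added example, not Tufin's code or anything from the original post: it models a first-match-wins boundary firewall, then probes it with the four port/protocol pairs from the US-CERT advisory to report which of them an internet source can still reach. The rule bases, the 10.0.0.0/8 internal range, and the 203.0.113.10 probe address (a documentation address standing in for "the internet") are constructed for the example.

```python
# Added example (not Tufin's or the original post's code): verify that a
# boundary rule base really blocks SMB from the internet.
import ipaddress
from dataclasses import dataclass

# The ports named in the US-CERT advisory quoted above.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    src: str        # CIDR, or "any"
    dst: str        # CIDR, or "any"
    proto: str      # "tcp", "udp", or "any"
    dports: tuple   # (low, high) inclusive, or None for any port

def _in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, src, dst, proto, dport, default="deny"):
    """Action of the first rule matching the flow; implicit deny if none matches."""
    for r in rules:
        if not _in_net(src, r.src) or not _in_net(dst, r.dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dports is not None and not (r.dports[0] <= dport <= r.dports[1]):
            continue
        return r.action
    return default

def smb_exposure(rules, internal_net, probe_src="203.0.113.10"):
    """Which SMB ports can an internet source (probe_src, a TEST-NET-3
    documentation address, assumed here) reach on the first internal host?"""
    probe_dst = str(next(ipaddress.ip_network(internal_net).hosts()))
    return sorted(
        f"{proto}/{port}" for proto, port in SMB_PORTS
        if evaluate(rules, probe_src, probe_dst, proto, port) == "allow"
    )

# Constructed rule bases. WEAK is the classic "temporary" partner rule that was
# never tightened; HARDENED puts the advisory's blocks ahead of any allow.
WEAK = [
    Rule("allow", "any", "10.0.0.0/8", "any", None),
]
HARDENED = [
    Rule("deny", "any", "10.0.0.0/8", "tcp", (445, 445)),
    Rule("deny", "any", "10.0.0.0/8", "tcp", (139, 139)),
    Rule("deny", "any", "10.0.0.0/8", "udp", (137, 138)),
    Rule("allow", "any", "10.0.0.0/8", "tcp", (443, 443)),
]

if __name__ == "__main__":
    print("weak rule base exposes:", smb_exposure(WEAK, "10.0.0.0/8"))
    print("hardened rule base exposes:", smb_exposure(HARDENED, "10.0.0.0/8"))
```

Run the check against an export of the real rule base rather than a hand-typed copy; the point is that a broad allow placed before the SMB denies silently undoes them, and only evaluating the rules in order reveals it.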

Protect against the WannaCry ransomware attack with Tufin

Many of these malware attacks include a backdoor contacting a command-and-control server (C2). Organizations should monitor and restrict outbound (egress) traffic. Since it is practically impossible to do this precisely at the traditional perimeter, where legitimate traffic is too varied to enumerate, organizations should do it closer to the server/app/workload, where legitimate outbound traffic is well known and limited. Here are a few tips from CISA:

  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.

In addition, we created a short demo of how to protect against WannaCry vulnerabilities:

Lastly, more attacks are now leveraging DNS as a protocol to contact C2 servers. To mitigate this, DNS queries should be monitored and restricted to the well-known domains that each server/app/workload actually needs.
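The two monitoring tips above (CISA's "unexpected protocols outbound to the internet" and the per-workload DNS allowlist) come down to the same thing: an inventory of what a workload legitimately needs, and a check of its logs against that inventory. The block below is an added example, not code from Tufin or the original post. It runs both checks over constructed flow and DNS log lines for one workload, and goes one step beyond the text by also flagging a parent domain that a host resolves under many unique subdomains, the pattern DNS-based C2 and tunnelling produce. The log format, the internal ranges, the allowlists, the 10.0.5.20 workload and the example.com/example.net names are all assumptions made for the example.

```python
# Added example (not Tufin's or the original post's code): per-workload egress
# and DNS checks over constructed log lines.
import ipaddress
from collections import defaultdict

# Assumption: the organization's internal ranges; anything else is "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Protocols CISA names as unexpected when seen outbound to the internet.
UNAPPROVED_EGRESS = {("tcp", 22): "SSH", ("tcp", 139): "SMB", ("tcp", 445): "SMB", ("tcp", 3389): "RDP"}

# Assumption: an inventory of what each workload legitimately needs outbound.
EGRESS_ALLOW = {"10.0.5.20": {("tcp", 443)}}
DNS_ALLOW = {"10.0.5.20": {"updates.example.com", "api.example.com"}}
TUNNEL_SUBDOMAIN_THRESHOLD = 5   # unique names under one parent before we call it suspicious

def is_internet(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def parse_kv(line):
    """Constructed log format: space-separated key=value pairs."""
    return dict(kv.split("=", 1) for kv in line.split())

def egress_alerts(flow_lines):
    """Flag outbound-to-internet flows the source workload is not approved to make."""
    alerts = []
    for line in flow_lines:
        f = parse_kv(line)
        if not is_internet(f["dst"]):
            continue   # east-west traffic is a separate policy, not covered here
        key = (f["proto"], int(f["dport"]))
        if key in EGRESS_ALLOW.get(f["src"], set()):
            continue
        name = UNAPPROVED_EGRESS.get(key, f"{key[0]}/{key[1]}")
        alerts.append(f"{f['src']} -> {f['dst']} {name}: not in egress allowlist")
    return alerts

def parent_domain(qname):
    """Crude registrable-domain guess (last two labels); production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def dns_alerts(dns_lines):
    """Flag queries outside the workload's allowlist, and parents fanned out over many subdomains."""
    alerts = []
    fanout = defaultdict(set)
    for line in dns_lines:
        f = parse_kv(line)
        qname = f["qname"].rstrip(".").lower()
        fanout[(f["src"], parent_domain(qname))].add(qname)
        if qname not in DNS_ALLOW.get(f["src"], set()):
            alerts.append(f"{f['src']} queried {qname}: not in DNS allowlist")
    for (src, parent), names in fanout.items():
        if len(names) >= TUNNEL_SUBDOMAIN_THRESHOLD:
            alerts.append(f"{src} resolved {len(names)} unique names under {parent}: possible DNS C2/tunnelling")
    return alerts

# Constructed sample logs (documentation addresses stand in for internet hosts).
FLOWS = [
    "src=10.0.5.20 dst=10.0.7.3 proto=tcp dport=445",        # internal file share, not judged here
    "src=10.0.5.20 dst=198.51.100.7 proto=tcp dport=443",    # approved egress
    "src=10.0.5.20 dst=198.51.100.7 proto=tcp dport=445",    # SMB to the internet
    "src=10.0.5.20 dst=203.0.113.9 proto=tcp dport=3389",    # RDP to the internet
]
DNS = ["src=10.0.5.20 qname=updates.example.com"] + [
    f"src=10.0.5.20 qname=q{i}.c2.example.net" for i in range(6)
]

if __name__ == "__main__":
    for alert in egress_alerts(FLOWS) + dns_alerts(DNS):
        print(alert)
```

The allowlist check is deliberately per source: the same outbound SMB flow that is an alert for an application server may be normal for a backup host, and it is that specificity, available only close to the workload, that makes restriction practical where the perimeter cannot be.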

For more details, check out our blog post about the debut of the WannaCry ransomware.